Embed Size (px)
Citation preview
RFID의 경량 인증 프로토콜과Auto-ID Labs의 위조방지 프로젝트
RFIDRFID의의 경량경량 인증인증 프로토콜과프로토콜과AutoAuto--ID LabsID Labs의의 위조방지위조방지 프로젝트프로젝트
김광조
Cryptology and Information Security Lab.
International Research center for Information Security (IRIS)Information and Communications Univ.(ICU)
KRnet 2006트 랙 RFID/Wireless Sensor Network
세 션 A1-2
발표일시 2006년 6월 27일
Lightweight Authentication Protocol for RFID System and Anti-Counterfeiting Flagship Project in Auto-ID Labs
2
발표자발표자
Professor
Member
Kwangjo Kim
6 Ph. D students/ 6 Master students
• Career1991 : Ph.D. Div. of ECE in Yokohama National Univ., Japan
1979 ~ 1997 : Section Head of Coding Tech. #1 in ETRI (Electronics and Telecommunications Research Institute )
1998 ~ : Professor in the School of Eng., of ICU
2000 ~ 2004 : Director of IACR (International Association for Cryptologic Research) and IIY (Inst. for IT-gifted Youth)
2001 ~ : Director of IRIS (International Research center for Information Security )
2001 ~ : Editor of JCN, IJIS , and IEICE
2005 ~ : Chair of Asiacrypt Steering Committee
2005 : Visiting Scientist@MIT(3M)/Visiting Professor @UCSD(7M)
2006 : Vice-President of KIISC (Korea Inst. Of Information Security & Cryptology)
• Alumni : 29 Masters, 1 Ph. D
Papers International Journal : 45International Conference : 68Domestic : 128
Patents International 6, Domestic 18
Awards 1000 World Leaders of Scientific Influence, ABI2000 Outstanding Intellectuals of 21st Century, IBC, ‘02500 Leaders of Science, ABI, 2003
Research Achievements
3
Our Approach to Ubiquitous SecurityOur Approach to Ubiquitous Security
Ubiquitous Society is ComingUbiquitous Society is Coming
Lightweight RFID Authentication ProtocolLightweight RFID Authentication Protocol
Anti-Counterfeiting Flagship ProjectAnti-Counterfeiting Flagship Project
1
2
3
4
ContentsContents
Concluding RemarksConcluding Remarks5
Ubiquitous Society is ComingUbiquitous Society is ComingUbiquitous Society is Coming
5
Technology- Lifecycle TheoryTechnology- Lifecycle Theory
6
Ubiquitous Computing & NetworkingUbiquitous Computing & Networking
7
Denial of Service
Internet Banking
Attack to Dedicated Targets Attack to Everyday Life
Influence to Everyday Life Influence to Everyday Life Influence to Everyday Life
Home Page Defacement
Damages to Everyday Life
- from PC to real life
8
Homenetwork: intelligent facilities
AM 12:00 Health Information collected and checked
AM 6:00
Toll Gate: Automatic Approval system
AM 8:00
Navigation
Automatic entrance managementAM 9:00
Cyber conference
PM 3:00
PM 6:00
Authentication
Delivery
Internet game with digital TV
PM 9:00
Homenetwork: Analysis of stocks in a
refrigator
Security, Privacy, Trust in Smart EnvironmentsSecurity, Privacy, Trust in Smart Environments
How to manage security, privacy, and trust?
9
Evolution of AttackEvolution of Attack
10
Scope for Information Security
PrivacyTrust
SecuritySafety
홈네트워크
System + Network + Service
System + Network
System
Safety, Trust
Confidentiality,Integrity N/W
Availability Confidentiality
Integrity Availability
Protection from Maliciousbehavior
Safety
Trust
u-Security
Mobility
New Paradigm for u-Security(1) New Paradigm for uNew Paradigm for u--Security(1) Security(1)
11
Trade-Off : Risk, Cost , Performance High Level Dependability without
high cost- Highly interconnected system
Only the right people get access at any time to the right informationwith the best possible performance and at the lowest possible cost
Access!Speed!
Confidence& ControlRisk CostPerformance
Performance vs. Cost
New Paradigm for u-Security(2) New Paradigm for uNew Paradigm for u--Security(2) Security(2)
12
VulnerabilitiesVulnerabilities
Risks Type of Intrusion Problem Countermeasures
Theft or Stolen ConfidentialityAuthentication
Device holders have authentication information
Entity (or device) authentication/Cryptography
Illegal Access Point Authentication 1-way authentication Mutual authentication
IP Spoofing Confidentiality Radiation of RF signal to unwanted user
Cryptography
(D)DoS Availability Degraded availability Availability
Trojan Horse, Worm, Virus
Availability, Confidentiality, Integrity
Degraded availability & integrity
Anti-Virus program
Attack by harmful signal
Availability Interfered communication channel
Spread Spectrum-Frequency Hopping
Resource consumption attack
Availability Out of battery power Availability
Revealing Location or ID- information
Confidentiality Privacy Anonymity
13
Security Engineering in U-NetworkSecurity Engineering in U-Network
Security requirement Special Requirement in U-network
Authentication Mutual authentication, use of dynamic key, Wireless PKI, device authentication, Central authentication, QoS
Confidentiality Key management, light weight cryptography, secure DB, mobile cryptography
Integrity Integrity mechanism for U-network
Availability DoS attack, Priority management in access control, Differentiated service
Control of delegate
Entity authentication and authorizationAccess control
Anonymity Transfer of real ID information
Safe roaming Global roaming, DRM, Seamless secure roaming
Additional
Basic
Our Approach to Ubiquitous SecurityOur Approach to Ubiquitous SecurityOur Approach to Ubiquitous Security
15
Research Achievements (1)Research Achievements (1)
Research on Provably Secure Cryptographic Primitives– Secret Key Cryptography
▪ Primitives : S-box, P-box, resilient functions▪ Analysis of standard algorithms : SEED, AES, NESSIE, etc.
– Public Key Cryptography▪ Non-abelian group PKC▪ Provably secure PKC▪ Digital signatures
◦ proxy signature, blind signature, multi signature, group signature▪ Braid group PKC
Cryptographic Theory and PrimitivesCryptographic Theory and PrimitivesCryptographic Theory and Primitives
•More secure than the original ElGamal scheme (IND-CCA2)•Provable secure under the computational DH assumption•Shorter ciphertext length compared to previous schemes
•ID-based Blind Signature for E-cash, E-voting, etc.•ID-based Ring Signature for Group Signing•ID-based Proxy Signature for Delegation of Signing•ID-based Threshold Signature for Distributed Signing
ID-based primitives on bi-linearity
NTRU Signature Scheme Transitive Signature Scheme Forward Secure Signature Schemes
Length-saving ElGamal Encryption
16
Research Achievements (2)Research Achievements (2)
Typical RFID system
Characteristics– Air interface – Asymmetric communication channel– Tag cost
▪ 5-cents tag, IC cost < 2 cents
Secure authentication protocol for low-cost RFID system– Using a rewritable memory like EEPROM, hash in tags– Satisfy confidentiality, anonymity, and integrity– Robust against attacks
▪ Man-in-the-middle attack, replay attack, etc.– Forgery resistance
▪ Providing the linkage between the authentication data & the tag▪ Forward security and indistinguishability against cloning
Authentication of RFID tagsAuthentication of RFID tagsAuthentication of RFID tags
17
Research Achievements (3)Research Achievements (3)
Capability-based Privacy Preserving Scheme for Ubiquitous Environments
Security for Location Based Services
Security Architecture for Ubiquitous Computing EnvironmentsSecurity Architecture for Ubiquitous Computing EnvironmentsSecurity Architecture for Ubiquitous Computing Environments
Users Mobile Phone
Control Sever
C1: LoginEnter ID & Pwd
C2: Issue Capability based on Users Role
Authorized to Access:
1. Room 5042. Library3. Vending Machine: 5th Floor4. Microwave: 5th Floor5. Copier: 2nd Floor..
Vending Machine: 5th Floor
Users Mobile Phone
S1: Submit Capability
Accept
18
RFIDRFID
Wirelessly and Automatically identify objects nearby:
A multi-tier system: RFID tag, reader and backend server A typical RFID tag
@ Pictures are adapted from Internet
19
Security of RFID/USNSecurity of RFID/USN
RFIDRFID--tagtag– Data confidentiality– Tag Anonymity– Data integrity– Mutual authentication – Reader authentication
Ubiquitous Computing EnvironmentsUbiquitous Computing Environments– User Privacy Protection– Authentication
▪ Users, Devices, Messages– Authorization
▪ Role-based Access Control▪ Context-based Access Control
– Security Policies– Availability
▪ Prevention of Denial of Service Attacks
– Data Security▪ Confidentiality▪ Integrity▪ Cryptographic key management &
distribution– Light-Weight Cryptographic Protocols
▪ Symmetric & Asymmetric Schemes▪ Hash Functions & Digital Signatures
Security RequirementsSecurity RequirementsSecurity Requirements
20
Security and Privacy in RFIDSecurity and Privacy in RFID
Risks– Eavesdropping between T & R– DB Desynchronization B & R– Active Query– Hardware attack
Lack of authentication:– Malicious reading (skimming): – Captured information aids
duplicating genuine tags.– Denial-of-Service (DOS) due to
deployment of cloned tags.
Privacy invasion:– Information leakage of user’s
belongings– Static ID is subject to tracking
such as behaviour tracking
@ picture is credited to Juels et. al.
21
Road Map in Secure RFID/USNRoad Map in Secure RFID/USN
Jeongkyu Yang, Jaemin Park, Hyunrok Lee, Kui Ren and Kwangjo Kim , "Mutual Authentication Protocol for Low-cost RFID", Proc. of Workshop on RFID and Lightweight Crypto, Jul.14~15, 2005, Graz, Austria.
Lightweight RFID Authentication Protocol Lightweight RFID Authentication Protocol Lightweight RFID Authentication Protocol
23
Secure authentication protocol for low-cost RFID system– Using a rewritable memory like EEPROM, hash in tags
NewAnonymous ID
Data
Back-end Server Reader(Not TTP)
RFID Tag
Query
Anonymous ID
Anonymous ID
Insecure Channel
Anonymous IDUpdate
Anonymous ID
Insecure Channel
– Meet low-cost RFID environment
– Guarantee privacy for tag bearers
– Satisfy confidentiality, anonymity, and integrity
– Robust against attacks
Design background
24
– Man-in-the-middle attack
▪ The attacker can impersonate as a legitimate R and get the information from T. He can impersonate as the legitimate T responding to R.
– Replay attack
▪ The attackers eavesdrop the response message from T, and can retransmit the message to the legitimate R.
– Forgery
▪ The simple copy of T information by eavesdropping.
– Data loss
▪ DoS, power interruption, and hijacking, etc.
– Do not consider side-channel attack
Attack Model
25
– Data confidentiality
▪ To prevent the data privacy of T from the insecure data
– Tag anonymity
▪ To prevent the location privacy of tag bearers
– Data integrity
▪ Data integrity between T and B against data loss
▪ Linkage between the authentication info. of T and T itself Simple forgery is prevented
– Detection for an illegitimate R
▪ Replay attack and Man-in-the-middle attack are prevented.
Security Requirement
26
Our Protocol( (), (), )kh h ⊕
R TB
k1 k1 ⊕ ID'k2 k2 ⊕ ID
Verify ID' =? h(k2) (abort if not)then
k1 k1 ⊕ ID'k2 k2 ⊕ ID
Insecure Channel Insecure Channel
1 2, ,k k C 1 2, ,k k C
1( )ID h k S C= ⊕ ⊕1) challenge
query with S
( , ())kRNG h ( (), )h ⊕, ( )kr S h r=
2) T-R response
ID
3) R-B response
ID, S, rVerify S =? hk(r)(abort if not)then
Retrieve <k1,k2,C>from <T1,T2,CN> D
Verify ID =? h(k1⊕ hk(r)⊕C)(abort if not)then ID' = h(k2)
∈
T1 T2 AE CN DATA ID k1 k2
4) R-B reply
( )', ( )kh SID E DATA
5) R-T reply
'ID
( ) ( )kh SD DATA
27
Security Comparison
Comparison (1/2)
* S. Weis, S. Sarma, R. Rivest, and D. Engels, “Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems", Proc. of the 1st Security in Pervasive Computing, LNCS, vol.2802, pp.201-212, 2004.** D. Henrici and P. MÄuller, “Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers", PerSec'04 at IEEE PerCom, pp.149-153, Mar. 2004.
28
Performance Comparison
• L bits is assumed for the sizes of all components between protocols• The outputs of hash function is ½L bits• Comparison for DATA is excluded since its size is depended on application.
Comparison (2/2)
Anti-Counterfeiting Flagship ProjectAntiAnti--Counterfeiting Flagship ProjectCounterfeiting Flagship Project
30
Auto-ID Labs Organization (1/3)
TechnologySteering Committee
Public PolicySteering CommitteeAuto-ID Labs
Business ActionGroup - CP
Business SteeringCommittee
President,EPCglobal
GS1 GS1 USEPCglobal Boardof Governors
StaffArchitecturalReview Committee
Work Groups
Hardware ActionGroup
Software ActionGroup
Work Groups
Work Groups
Business ActionGroup - HLS
Work Groups
Virtual organization > 1500 people
31
Auto-ID Labs Organization (2/3)
32
Auto-ID Labs Organization (3/3)
미국(MIT)
최초창시제조업/물류
영국(켐브리지대)제조업/물류
스위스(세인트갤런대)비즈니스 모델링
중국(푸단대)
: RFID Chip (HW)
호주(아델레이드대)
Application/Security
일본(게이오대)
Network&Middleware
한국한국((ICU)ICU)
RFID Chip/Sensor RFID Chip/Sensor Network/SecurityNetwork/Security
http://autoidlab.eleceng.adelaide.edu.au
http://vsgr.inf.ethz.ch/autoidlabs.ch/
http://autoid.mit.edu/web/
http://www.autoidlabs.org.uk/
http://www.autoidcenter.cn/
https://auto-id.powerplay.jp/
33
Auto-ID Labs in KoreaAuto-ID Labs in Korea
Cellular Phone +RFID Reader
Antenna Technology•Tag antenna
•Mobile reader antenna
•Mobile USN interface antenna
Radio Environment
RF Transceiver• Small, low-power transceiver
•SDR transceiver for mobile reader
RFID/USN MAC & Network• Low-power RFID/USN MAC
• Low-power RFID/USN Network
Privacy and Security•Tag/Reader authentication
•RFID/USN light-weight crypto-graphyand key management
Service/Business Model •RFID/USN next-generation mobile communication services model /
EPC Sensor Network•Ubiquitous business model
ICU
Research Institutes • 900MHz RFID Reader SoC•RFID Readers/Tags
• Antenna
Industries
•RFID Middleware for Mobile Reader
•Tags and Readers•Cellular phone•Smart Active Label• Sensor Network
Auto-ID Labs
• MIT, USA•Cambridge, UK•Adelaide, AUS• Keio, JPN• Fudan, CHN• St. Gallen, SWI
Future RFID/USN
• USN
34
Anti-Counterfeiting Flagship Project(1/3)
Anti-Counterfeiting Flagship Project 소개
– 위조방지(Anti-Counterfeiting) 필요성 증가
▪ 의약품, 자동차.항공기 부품, 귀금속 등의 고가상품을 취급하는 물류시스템에서 위조방지(Anti-Counterfeiting)에 대한 필요성 증가
▪ EPC 태그기반의 백서(White Paper)를 작성 중
▪ 목 표 : 안전하고, 종합적이며, 효율적인 비용으로 편리하게 상품에 대한 인증 메커니즘을 개발
– (2006. 7월 중 ICU에서 완성 편집작업을 위한 Workshop 개최예정)
35
Anti-Counterfeiting Flagship Project(2/3)
Anti-Counterfeiting Flagship Project 연구방향 (백서내용)– 1장. 서론
▪ 상품들의 위조 규모에 대한 세계 각국의 통계
▪ 산업별 위조에 의한 피해규모
▪ 기술의 발전, 국제교역의 증가, 시장 및 상품의 다양화, 귀금속 및 브랜드 상품의요구, 복잡한 공급망 등의 다양한 측면에서의 위조에 대한 분석
▪ 각 산업계에서 일어나는 실제사례에 대한 검토
– 2장. 비즈니스 처리과정과 응용
▪ 불법 시장의 구조와 운영절차
▪ 위조방지 절차와 응용에 대한 현재의 기술 및 전략
▪ 기존 위조방지 방법의 문제점
▪ 안전한 상품을 위한 보안기술, 절차, 전략, 서비스에 대한 기술
▪ 기술적, 경제적, 사회적 관점에서의 요구사항 분석
36
Anti-Counterfeiting Flagship Project(3/3)
– 3장. 소프트웨어와 네트워크에 관련된 연구▪ EPC 네트워크의 현재 상황
▪ 보안을 지원하기 위한 확장된 EPC 구조에 추가적으로 요구되는 기능들
▪ 보안 상품 인증 서비스, 센서통합을 위한 소프트웨어 지원
▪ 설계 및 시뮬레이션
▪ EPC 상품인증 서비스 (EPC-PAS: EPC Product Authentication Service) ▪ 기존 EPC 정보서비스 (EPC-IS: EPC Information Service)와의 호환
▪ 사용자 인증 개념과 데이터 교환 명세
▪ 키 관리 및 시스템 관리
– 4장. 하드웨어와 관련된 연구▪ 현재 RFID 태그와 리더의 하드웨어 기술 상황
▪ 보안기능을 위해 하드웨어적으로 요구되는 추가적인 기능들
▪ EPC-PAS 기능을 위한 태그 설계
▪ 리더와 시스템 통합을 위한 리더 자체 및 프로토콜의 설계
37
Anti-Counterfeiting Flagship Project(3/3)
– 3장. 소프트웨어와 네트워크에 관련된 연구▪ EPC 네트워크의 현재 상황
▪ 보안을 지원하기 위한 확장된 EPC 구조에 추가적으로 요구되는 기능들
▪ 보안 상품 인증 서비스, 센서통합을 위한 소프트웨어 지원
▪ 설계 및 시뮬레이션
▪ EPC 상품인증 서비스 (EPC-PAS: EPC Product Authentication Service) ▪ 기존 EPC 정보서비스 (EPC-IS: EPC Information Service)와의 호환
▪ 사용자 인증 개념과 데이터 교환 명세
▪ 키 관리 및 시스템 관리
– 4장. 하드웨어와 관련된 연구▪ 현재 RFID 태그와 리더의 하드웨어 기술 상황
▪ 보안기능을 위해 하드웨어적으로 요구되는 추가적인 기능들
▪ EPC-PAS 기능을 위한 태그 설계
▪ 리더와 시스템 통합을 위한 리더 자체 및 프로토콜의 설계
38
Concluding RemarksConcluding Remarks
Ubiquitous-Society makes Ubiquitous-Vulnerability– U-Security is pervasive to everywhere and indispensable
component to build secure U-society
Technical Challenges to secure RFID/USN– Light-weight cryptography– Dynamic key management– Secure routing against DDoS– IDS and IPS– U-privacy, etc.
U-safe and U-comfortable in anywhere, anydevice, anytime, anyservice and to anyone !!
39
Thank you for your attention
Q&A
