PRIVACY MODELS FOR RFID

7.1The ADO Model

To the best of our knowledge, the rst formal treatment for studying the privacy of RFID systems is due to Avoine, Dysli, and Oechslin [ADO ] who used an ad-hoc model to analyze Molnar and Wagner’s scheme [MW ]. It was subsequently improved by Avoine in his PhD thesis [Avo ]. We refer to this model by ADO.

In short, this model is based on the notion of indistinguishability: A scheme is supposed to preserve privacy if an adversary choosing a target tag and getting either that tag or another one, with both events happening with probability 1/2, cannot tell which tag she received with a better chance than guessing, i.e., deducing the tag’s identity with probability 1/2. To perform the attack, the adversary is given the secret state of another RFID tag and is allowed to interact with the target tag before it is submitted to the challenger.

7.2The Extended-Juels-Weis Model

e ADO model was generalized by Juels and Weis [JW , JW ] who elaborated on ADO’s privacy game to attain a notion that is closer to classical indistinguishability games for encryption schemes. at is, contrarily to the ADO model, the adversary gets to choose both target tags and receives one of them in return. e adversary is also able to corrupt any tag except the two targets and has control over the communication channel. Note that the corruption model of Juels and Weis allows the adversary to set a new key for the corrupted tag.

Juels and Weis model RFID systems as a set of tags interacting with a single reader is set up by an algorithm denoted Gen that outputs n secrets, each one for a tag, and gives the reader the n secrets. e reader can, contrarily to tags, maintain multiple sessions in parallel. For this, the reader binds every running protocol session to a unique session identi er sid that is put in a table containing all the messages belonging to the session.

Attackers are assumed to have complete control over all communications between parties. ey interact with the RFID system through several interfaces.

.

e R I interface allows to trigger protocol sessions and make the reader out-

put the session identi er sid and the rst message for the session. ( e Juels-Weis model assumes that it is always the reader that initiates the communication.)

e T I interface serves to bind a tag to a session. As such, it needs to receive an sid. Once sid has been set for the reader or a tag, the adversary may send messages of the form (sid; m) to which the party answers with a message computed using the previous messages related to sid, sid, its secret, i.e., the tag’s key or the reader’s list of keys, and its internal randomness. Note that when a tag receives a T I , it aborts the current session and deletes all internal data, except for the key K, even if this happens while the tag is in a middle of another protocol session. At some point, the reader performs a veri cation step by computing a function over its entire internal state, including all running sessions and any internal key material to output an “accept” or a “reject” for the session sid and close it. at is, the adversary is always assumed to be able to determine whether a protocol instance is succeeded or failed.

Tag corruption and initialization are done through an interface denoted S K . Upon reception of a S K message with parameter K′, a tag answers with K, its current secret, and replaces it by K′. e tag does not update its secret if the parameter is not speci ed. A tag that has received a S K message is said to be corrupted.

De nition . (Privacy in the Juels-Weis Model)

Let k be a security parameter and A be a polynomial time algorithm that takes as input four parameters n, s, r, t and follows the following privacy experiment.

putation steps and sending S K to Tb . Output b′

Winning condition: b = b′

A scheme is said to be (n; r; s; t)-private if every polynomial-time adversary Aplaying the privacy

. - -

is de nition was also extended to cover the case of forward-privacy, i.e., when the adversary learns about the key of the target tag. is eventuality was included in the privacy experiment by adding a step before the eighth one in which the attacker issues a S K message on Tb .

However, two key concepts were not discussed by Juels and Weis: correctness and soundness. at is, an RFID scheme is useless if a tag having an undisturbed session with the reader does not get authenticated or if an attacker can come up with a way to impersonate a tag to the reader. (In fact, designing a private RFID protocol without both requirements is easy: It su ces to make the tag output random bits.) is issue was adressed by Damgård and Pedersen [DP ] who introduced two notions of correctness and soundness. In short, correctness ensures that whenever a tag and a reader share a protocol session, the tag gets authenticated whereas soundness requires that no polynomial-time adversary who can corrupt all the system’s tags but one can make the reader accept a tag T for a protocol session in which T was not involved.

Damgård and Pedersen also gave further clari cations on the structure of the protocols that are considered in the model. As the Juels-Weis model does not seem to support asymmetric keys (that choice was probably made because public-key cryptography is believed to be too expensive for simple devices as RFID tags), Damgård and Pedersen re ned the de nition of symmetric-key based protocol by giving to each tag, instead of a key Ki, an access to a random oracle Ki . On its side, the reader is given the list of all these keys and hence has access to all the oracles Ki . Moreover, Damgård and Pedersen showed that security for an RFID system mandates that the reader accesses Ki to authenticate a tag Ti. Notice that proceeding in this way implies a linear complexity for the reader in the number of the system’s RFID tag. Consequently, corrupting a tag Ti is modeled by granting access to the oracle Ki . We further note that privacy in the sense of Juels-Weis can only be obtained for systems in which the keys are independent, i.e., when the Gen algorithm is stateless and does not receive any hidden parameter.

Albeit the description given above can be used to describe most protocols based on conventional cryptography, it may be that there are more e cient ways for the reader to verify a protocol session. is is especially the case for correlated tags’ secrets where the complexity can be reduced to a logarithmic factor [MW ] at the cost of a weaker model of privacy in which the adversary may not be allowed to corrupt every tag from the system. Despite its limitations, the weaker model has its bene ts in practical settings. So, it was taken into account by Damgård and Pedersen who introduced a h parameter for the adversary in the privacy experiment that de nes the maximal numbers of tags the adversary can corrupt in order to retain privacy.

.

IfanRFIDschemeiscorrect, simpleprivate, andusesindependentkeys, thentheschemeisprivate.

Proof. We assume, without loss of generality, that once the adversary corrupts a tag, she does not query it anymore. Instead, she uses her access to the oracle to simulate her interactions with corrupted tags. To simulate the nal outcome of a protocol session, i.e., the last message from the reader, the adversary checks with the list of oracles she obtained from her S K queries. Correctness ensures that if the reader authenticates a corrupted tag, the adversary’s simulation does the same.

If a er trying with all these queries, the adversary is still unable to nd the session partner, she forwards the request to the reader. Clearly, the latter will not identify a corrupted tag so simulation is perfect.

. - -

7.3Zero-Knowledge Privacy

e formulation of zero-knowledge privacy [DLYZ ], abbreviated zk-privacy, is derived from the literature on zero-knowledge [GMR , GMR ] with the idea of linking privacy and zero-knowledge. e link between these two notions is done by noticing the fact that privacy requires an adversary interacting with a random tag not to learn anything else than what she could have deduced herself is reminiscent of the fact that a veri er should not learn anything from interacting with the prover in zero-knowledge interactive proofs (with the difference that in RFID protocols the malicious attacker is not one of the scheme’s entities). Consequently, the privacy de nition follows the simulation paradigm: An adversary is considered not to have learnt anything from interacting with a tag if every outputs it makes can be produced by another polynomial-time algorithm, called simulator, that does not have access to that tag.

Adversaries in zk-privacy are placed in the center of the RFID system and have complete control over communication channels, except for the one between the reader and its database server. To interact with the system, the adversary has access to a set of four interfaces denoted I R , to create a protocol instance, S T, to send a message to a tag, S R, to send a message to a reader, and C , for corruption (which reveals the content of the tag’s permanent and volatile memory to the adversary). ZK-Privacy assumes that protocol sessions end with a message from the reader telling whether the session succeeded or failed. It is therefore unnecessary to de ne an interface for the outcome of a protocol.

e privacy experiment is composed of two phases. A er the creation of the reader and a number of tags by a procedure denoted Setup, the adversary A interacts with the system through the oracles mentionned above. At the end of this phase, she outputs her state and a set C composed of so-called clean tags. Clean tags are uncorrupted tags that are currently at thestatusofwaitingforthe rst-roundmessagefromthereadertostartanewsession. Atarget tag, denoted Tg, is then randomly chosen from the set C. In a second stage, the adversary can still interact with all the tags that are not in C and additionally has blind access to Tg, i.e., it cannot corrupt it.

Simulators are also composed of two phases. e rst phase of the attack for the simulator is identical to the attack of the adversary described above. However, when it gets the randomly chosen target tag, and a er interacting with the tags not in C, the simulator outputs a simulated view, denoted sview. Note that the simulator does not have access to Tg. ZK-privacy

.

requires sview to include all oracle answers to the queries made by the simulator. A protocol is said to be zk-private if for every adversary there exists a simulator such that the view of the former is computationally indistinguishable from the sview computed by the latter. Extensions to forward-zk-privacy and backward-zk-privacy were also de ned. Herea er, we give a de nition of zk-privacy but we refer the reader to the original papers for a more complete de nition, especially for the other properties of completeness and soundness.

De nition . (ZK-Privacy)

An RFID protocol satis es zk-privacy, if for any polynomial-time adversary A = (A1; A2) there exists a polynomial-time simulator S = (S1; S2) such that for all su ciently large k, the outputs om the following games are indistinguishable. (C is a set of clean RFID tags.)

Note that sview must contain all oracle answers to the queries made by S.

It is worth mentioning that zk-privacy’s notion of privacy is stronger than the one of the eJW model: Any zk-private protocol is private in the sense of [JW ].

In the next chapter, we study the relationship between zk-privacy and our privacy models. Loosely speaking, we exploit the fact that zk-privacy’s simulators only need to deal with the removal of one target tag and ensure that privacy is still preserved. However, cases may be that an adversary needs two tags to defeat privacy. We show that in these settings zk-privacy fails to detect any information leakage. At the same time, we show that our model successfully deals with those situations.

. -