A survey of RFID privacy approaches

A bewildering number of proposals have offered solutions to the privacy problems inherent in RFID communication. This article tries to give an overview of the currently discussed approaches and their attribute

Identification and Privacy: Zero-Knowledge is not Enough

At first glance, privacy and zero-knowledgeness seem to be similar properties. A scheme is private when no information is revealed on the prover and in a zero-knowledge scheme, communications should not leak provers\u27 secrets. Until recently, privacy threats were only partially formalized and some zero-knowledge (ZK) schemes have been proposed so far to ensure privacy. We here explain why the intended goal is not reached. Following the privacy model proposed by Vaudenay at Asiacrypt 2007, we then reconsider the analysis of these schemes and thereafter introduce a general framework to modify identification schemes leading to different levels of privacy. Our new protocols can be useful, for instance, for identity documents, where privacy is a great issue. Furthermore, we propose efficient implementations of zero-knowledge and private identification schemes based on modifications of the GPS scheme. The security and the privacy are based on a new problem: the Short Exponent Strong Diffie-Hellman (SESDH) problem. The hardness of this problem is related to the hardness of the Strong Diffie-Hellman (SDH) problem and to the hardness of the Discrete Logarithm with Short Exponent (DLSE) problem. The security and privacy of these new schemes are proved in the random oracle paradigm

Security and Performance Analysis for RFID Protocols

Radio Frequency Identification (RFID) is an advanced object identification technology that has already been applied in various industries. However, the insecure nature of the communication channel between readers and tags makes RFID systems vulnerable to various kinds of attacks. In recent years, many new methods have been proposed to improve the security of RFID systems, such as disabling tags, agent management and establishing cryptographic protocols. Among them, we focus on the last approach, which is more economic and convenient in certain cases. The first part of our work is to categorize typical existing RFID protocols according to their security levels. The result is vitally important to RFID system administrators who need to find different protocols to be implemented in their systems. The trade-off to be made in decision is that higher security level typically implies worse performance. We examine the performance in two aspects: the look-up cost in RFID reader’s back-end database and the tag-related cost. The tag-related cost includes the cryptographic operation cost (cryptographic computation cost along with access operatio

An architecture and protocol, an access control model, and a sighting blurring algorithm for improving users' security in the context of location based services operating over the internet

A new type of service, known as a Location Based Service (LBS), is emerging that incorporates users' location information, and many of these LBSs operate over the Internet. However, the potential misuse of this location information is a serious concern. Therefore, the main goal of this thesis is to develop techniques, which increase users' security and privacy, for use with these LBSs. The �rst technique that we propose is a three-party protocol that is used to mutually identify and authenticate users, LBSs, and a trusted middleware infrastructure that is responsible for managing the users' identity and location information. This protocol enables users to simultaneously identify and authenticate themselves to the infrastructure using real identities, and to the LBSs using pseudonyms. This protocol can be subsequently used to securely exchange messages containing location information. The second technique that we propose is an access control model that enables users to create permissions that specify which users and LBSs are entitled to obtain location information about which other users, under what circumstances the location information is released to the users and LBSs, and the accuracy of any location information that is released to the users and LBSs. The third technique that we propose is a blurring algorithm that performs spatial blurring on users' location information. It does not perform temporal blurring, because this reduces an LBS's ability to �offer a useful service. Instead, our blurring algorithm introduces a new parameter that speci�es the frequency with which location information is released for a particular user. This frequency parameter is a function of the size of the blurred location. These three techniques can be used as part of an overall solution for providing users with increased security while using LBSs that operate over the Internet

Record and replay based virtual-machine introspection for system security

Hardware security features need to strike a careful balance between design intrusiveness and completeness of methods. Securing against attacks like Return Oriented Programming (ROP) requires frequent and expensive checks. Complete security defenses have been proposed yet modern systems are still vulnerable to ROP attacks. We provide complete security by decomposing the solution into two stages. The first stage raises alarms based on an imprecise, low cost hardware detector. The second stage applies complete methods in order to accurately distinguish real attacks from false alarms. This decomposition is enabled with Record and Deterministic Replay. The original execution is recorded and subjected to replay analysis as alarms are raised. In this way the Replay infrastructure can compensate for the occasional hardware imprecision. We demonstrate this approach by applying it to thwart ROP attacks on the Linux kernel. We call the design RnR-ROPSafe. It reuses a simple Return Address Stack (RAS) as the hardware detector. The RAS is slightly modified to prevent corruption of the RAS due to multithreading and due to non-procedural returns—improving its performance as a ROP detector. Rare false positives due to underflows are eliminated via replay instead of hardware over-design. RnR-ROPSafe relies on two on-the-fly replayers: an always-on, fast Checkpointing replayer that periodically creates checkpoints, and a detailed-analysis Alarm replayer that is triggered when there is a threat alarm. We find that the first one has execution speed comparable to that of the recorder, and can be replaying all the time, while the latter has to handle only very few false positives

RFID Authentification Protocols using Symmetric Cryptography

Radio Frequency IDentification (RFID) is emerging in a variety of applications as an important technology for identifying and tracking goods and assets. The spread of RFID technology, however, also gives rise to significant user privacy and security issues. One possible solution to these challenges is the use of a privacy-enhancing cryptographic protocol to protect RFID communications. This thesis considers RFID authentication protocols that make use of symmetric cryptography. We first identify the privacy, security and performance requirements for RFID systems. We then review recent related work, and assess the capabilities of previously proposed protocols with respect to the identified privacy, security and performance properties. The thesis makes four main contributions. First, we introduce server impersonation attacks as a novel security threat to RFID protocols. RFID tag memory is generally not tamper-proof, since tag costs must be kept low, and thus it is vulnerable to compromise by physical attacks. We show that such attacks can give rise to desynchronisation between server and tag in a number of existing RFID authentication protocols. We also describe possible countermeasures to this novel class of attacks. Second, we propose a new authentication protocol for RFID systems that provides most of the identified privacy and security features. The new protocol resists tag information leakage, tag location tracking, replay attacks, denial of service attacks and backward traceability. It is also more resistant to forward traceability and server impersonation attacks than previously proposed schemes. The scheme requires less tag-side storage than existing protocols and requires only a moderate level of tag-side computation. Next, we survey the security requirements for RFID tag ownership transfer. In some applications, the bearer of an RFID tag might change, with corresponding changes required for the RFID system infrastructure. We propose novel authentication protocols for tag ownership and authorisation transfer. The proposed protocols satisfy the requirements presented, and have desirable performance characteristics. Finally, we address the issue of scalability in anonymous RFID authentication protocols. Many previously proposed protocols suffer from scalability issues because they require a linear search to identify or authenticate a tag. Some RFID protocols, however, only require constant time for tag identification; unfortunately, all previously proposed schemes of this type have serious shortcomings. We propose a novel RFID pseudonym protocol that takes constant time to authenticate a tag, and meets the identified privacy, security and performance requirements. The proposed scheme also supports tag delegation and ownership transfer in an efficient way

Emergency first response to a crisis event a multi-agent simulation approach

Homeland Security Presidential Directive #8 led to the establishment of the National Exercise Program and the Top Officials exercise series to test and evaluate first response agency integration and effectiveness. The last TOPOFF exercise cost $16M and involved over 10,000 people, but did not effectively leverage simulation techniques to make efficient use of resources. This research adapts an existing organizational learning process, integrating low- and high resolution simulation to provide decision support. This process led to the development of a multi-agent simulation methodology for emergency first response, specifically applied to analyze a notional vehicle bomb attack during a festival in the Baltimore Inner Harbor. This simulation demonstrates the potential benefits of low resolution simulation, using efficient experimental design and high-performance computing. Combined, these two ideas result in examining a 48-dimensional response surface and using over 156 CPU centuries of computer time. All experiments were completed in less than three weeks. The analysis of this data set provided insight into several areas, including the importance of standing operating procedures in the early moments of a crisis. Analysis showed that effective procedures may even be more important than the effectiveness of communications devices early in a first response operation.http://archive.org/details/emergencyfirstre109452800Outstanding ThesisUS Army (USA) author.Approved for public release; distribution is unlimited.Approved for public release; distribution is unlimited

Schutz der Privatsphäre in kontext- und ortsbezogenen Diensten

Mit der immensen Verbreitung von Smartphones als leistungsstarke, mobile Endgeräte nimmt auch die Nutzung kontext- und insbesondere ortsbezogener Dienste stetig zu. Derartige Anwendungen vereinfachen die Interaktion mit dem eigenen Endgerät oder externen Systemen, ermöglichen neuartige Nutzungserlebnisse und innovative Dienste, die auf den aktuellen Nutzungskontext zugeschnitten sind. Bei einem Großteil der hierfür an Dritte kommunizierten Informationen handelt es sich jedoch um persönliche Daten, deren unkontrollierte Herausgabe aus Sicht der Privatsphäre problematisch erscheint. In der vorliegenden Arbeit werden drei unterschiedliche Möglichkeiten zum Datenschutz von Kontextinformationen vorgestellt. Allen Verfahren ist gemein, dass sie im Gegensatz zu vielen bestehenden Systemen ohne die Existenz einer als vertrauenswürdig deklarierten dritten Partei auskommen. Stattdessen wird jeweils eine rein clientseitige Durchsetzung von Privatsphärepräferenzen angestrebt, wodurch eine personalisierte Dienstnutzung ermöglicht und die Gefahr eines zentralen Datenlecks vermieden wird. Der erste Ansatz beschäftigt sich damit, dem Benutzer ein effektives, allgemeingültiges Werkzeug zur feingranularen, situations- und rezipientenabhängigen Verwaltung von Kontextinformationen zur Verfügung zu stellen. Es wird ein Ontologie-basiertes Kontextmodell entwickelt, auf dessen Grundlage die Definition und konsistente Durchsetzung situationsabhängiger Freigaberegeln möglich ist. Zudem wird eine vollständige Systemarchitektur zur Kontextverwaltung sowie deren Integration in ein mobiles Betriebssystem beschrieben. Der zweite Ansatz ermöglicht die privatsphäreschonende Umsetzung der verkehrsadaptiven Online-Routenplanung. Unter Verwendung standardmäßig zur Verfügung stehender Dienstschnittstellen wird dafür gesorgt, dass keine externe Komponente den exakten Start- und Zielpunkt einer Routenanfrage in Erfahrung bringen kann. Anhand einer umfangreichen Evaluation werden der Trade-Off zwischen Privatsphäre, Kommunikationsaufwand und Dienstqualität untersucht und verschiedene Optimierungsmöglichkeiten aufgezeigt. Als drittes wird ein umfassendes Konzept zur Herstellung von Standortanonymität vorgestellt, das sich generisch für die privatsphärekonforme Positionsfreigabe in unterschiedlichen Ausprägungen ortsbezogener Dienste eignet. Hierfür werden die topologiebasierte Erstellung k-anonymer Verschleierungszonen sowie verschiedene Freigabestrategien entwickelt, die auch die zeitliche Korrelation aufeinanderfolgender Ortsangaben berücksichtigen. Dies ermöglicht den effektiven Schutz persönlicher Daten selbst bei kontinuierlichen Positionsupdates gegenüber einem Angreifer mit umfangreichem Kartenwissen.With the widespread prevalence of smartphones as powerful ultra-mobile devices, also the usage of context-aware applications and location-based services continually grows. Such applications improve the way a user interacts with his own device and external systems. Furthermore, they enable previously unknown user experiences and offer innovative services tailored to the user's current situation. The majority of context information that has to be communicated to external parties in order to use such services, however, is considered personal data. From a privacy oriented perspective, the release of this kind of information hence has to be controlled and leakage must be prevented. This work presents three different means for protecting a user's context information. In contrast to many existing approaches, each of the proposed systems has been designed to operate without the existence of an omniscient, trusted third party acting as an anonymizer. Instead, enforcement of a user's privacy preferences is executed locally on the user's device, which allows for personalized services and avoids the perils of a central privacy bottleneck. The first approach proposes an effective and generally applicable tool allowing the user to manage his context information in a fine-grained, context-aware and recipient-dependent way. To this end, a new ontology-based context model will be developed, which forms the foundation for the definition and assertion of situation-dependent access control rules set up by the user. Additionally, the overall system architecture as well as its integration into a modern mobile operating system will be described. The second approach presents a client-side implementation for using traffic-adaptive online route planning services in a privacy-preserving manner. Only using the unmodified standard query interfaces of existing services, the system assures that no external party is able to learn the exact endpoints of the user's route request. By means of empirical evaluation on the actual road network, the trade off between privacy, communication overhead, and quality of service will be analyzed. Also, different optimizations will be discusssed. Thirdly, a holistic concept for continuously protecting a user's location privacy will be presented, which is generally applicable to the release of location information and all different kinds of location-based services. A topology-aware creation of k-anonymous cloaking regions will be developed as well as different strategies for the release of location information, which also take into account the spatiotemporal correlation of successive location updates. These allow for an effective protection of a user's location privacy even for continuous location updates and in face of a strong attacker with extensive map knowledge

Colored model based testing for software product lines (CMBT-SWPL)

Over the last decade, the software product line domain has emerged as one of the mostpromising software development paradigms. The main benefits of a software product lineapproach are improvements in productivity, time to market, product quality, and customersatisfaction.Therefore, one topic that needs greater emphasis is testing of software product lines toachieve the required software quality assurance. Our concern is how to test a softwareproduct line as early as possible in order to detect errors, because the cost of error detectedIn early phases is much less compared to the cost of errors when detected later.The method suggested in this thesis is a model-based, reuse-oriented test technique calledColored Model Based Testing for Software Product Lines (CMBT-SWPL). CMBT-SWPLis a requirements-based approach for efficiently generating tests for products in a soft-ware product line. This testing approach is used for validation and verification of productlines. It is a novel approach to test product lines using a Colored State Chart (CSC), whichconsiders variability early in the product line development process. More precisely, the vari-ability will be introduced in the main components of the CSC. Accordingly, the variabilityis preserved in test cases, as they are generated from colored test models automatically.During domain engineering, the CSC is derived from the feature model. By coloring theState Chart, the behavior of several product line variants can be modeled simultaneouslyin a single diagram and thus address product line variability early. The CSC representsthe test model, from which test cases using statistical testing are derived.During application engineering, these colored test models are customized for a specificapplication of the product line. At the end of this test process, the test cases are generatedagain using statistical testing, executed and the test results are ready for evaluation. Inxaddition, the CSC will be transformed to a Colored Petri Net (CPN) for verification andsimulation purposes.The main gains of applying the CMBT-SWPL method are early detection of defects inrequirements, such as ambiguities incompleteness and redundancy which is then reflectedin saving the test effort, time, development and maintenance costs

Privacy in location-based services

Während der letzten Jahre erfuhren mobile Geräte durch grössere Speicher, der Entwicklung schnellerer Prozessoren und höherer Übertragungsraten, um nur einige der wichtigsten Performanceparameter zu nennen, einen enormen Entwicklungsschub. Gleichzeitig sind die unterschiedlichen Positionierungssysteme mittlerweile ausgereift und klein genug, um in mobile Geräte verbaut werden zu können. Erst durch die Möglichkeit der Zusammenführung von solchen ausgereiften Positionierungs- mit existierenden Telekommunikationstechnologien kann die Basis für eine neue Generation kontextsensitiver Anwendungen und entsprechender Geschaeftsmodelle geschaffen werden. Abgesehen von den technischen Massnahmen die zum Schutz gegen Attacken, Verfaelschungen und Missbrauch sensitiver Daten eingesetzt werden, müssen diese auch allen rechtlichen Aspekten und Rahmenbedingungen von Telekommunikationssystemen entsprechen. In diesem Sinne muss das Ziel von Forschungen im Bereich neuer kontext-sensitiver Systeme und Anwendungen die mit Positionsdaten operieren der Schutz der Privatheit jedes einzelnen Nutzers sein. Diese Dissertation beginnt mit einer Diskussion über verschiedene Aspekte von Location-Based Systemen. Es werden weiters unterschiedliche Anforderungen aufgezeigt deren Erfüllung notwendig sind, um flexible Systeme anbieten zu können und die zudem den Schutz der Privatheit der Nutzer garantieren können. Der wohl wichtigste Beitrag dazu ist ein Mechanismus der auf dem Begriff des Pseudonyms basiert.Dieses Verfahren garantiert maximale Sicherheit und Schutz der Privatheit der Benutzer während der Nutzung von Diensten. Der zweite Beitrag der Dissertation ist eine Telekom Service Architektur die den erwähnten Pseudonym-basierten Mechanismus integriert. Durch Einbeziehen dedizierter Dienste von Telekommunikationsanbietern bildet diese Architektur die Basis für die Realisierung neuer Geschäftsmodelle und ermöglicht die Implementierung des pay-as-you-go Konzeptes. Dieses ermöglicht Kunden anonym mobile Dienste von Drittanbietern zu konsumieren, ähnlich dem anonymen Kauf von Gütern mit realem Geld. Schliesslich wird mit der Implementierung einer Service Platform sowohl die Funktionsweise des Pseudonym Mechanismus sowie die Interaktionen der in der System Architektur vorgesehenen Dienste und Komponenten die zur Realisierung von Location-Based Anwendungen benötigt werden demonstriert.During the last years the development of mobile devices has gained significant progress with respect to memory capabilities, advanced processing power and higher transfer rates to name only a few performance parameters. At the same time eclectic positioning and localization technologies are meanwhile mature enough to be integrated into mobile devices. Not until positioning, localization and telecommunication technologies can be combined, seamlessly the basis for the proliferation of a new generation of context-aware applications and business models can be build. In this respect, location and position information foster novel future context-awareapplications. But, if this information is in the wrong hands such applications may by the same token pose severe threat. Therefore, apart from technical means against attacks, forgery and misuse of sensitive user information the interaction of all these systems must comply with legal requirements that precisely prescribe all aspects of telecommunication systems. In this spirit, the main research ob jective addressed for the design of new context- aware and location-based systems must be the protection of the user’s privacy. This dissertation discusses first various aspects of location-based systems and out of it the various needs that have to be addressed to be able to provide flexible location-based services to mobile users by preserving privacy. The main contribution of this work is a mechanism that is based on the notion of pseudonyms. The use of this kind of pseudonyms provides maximum security and privacy for users during communication. The second contribution is a telecommunication service architecture that is tightly coupled with the pseudonym mechanism. It allows new business models to be applied by leveraging the use of some services of the telcos’ infrastructure. This service application further allows the implementation of the so called pay-as-you-go concept. This allows customers to anonymously consume mobile services that are offered by third party application providers similarly to buying physical goods with cash. Finally, we demonstrate the implementation of a service platform that allows us to illustrate the operation of the pseudonym mechanism and the interworking of the system architecture’s components that are tailored for the realization of location-based applications