Radio Frequency Identification (RFID) Technology
The Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu Scheme
Conclusion
Cardis, August 23-26, 2004
Privacy Issues in RFID Banknote Protection Schemes
Gildas Avoine
EPFL
Lausanne, Switzerland
ÉCOLE POLYTECHNIQUE
FÉDÉRALE DE LAUSANNE
Outline
Radio Frequency Identification (RFID) Technology
The Juels–Pappu Banknote Protection Scheme
Privacy Issues in the Juels–Pappu Scheme
Conclusion
Radio Frequency Identification (RFID) Technology
RFID Systems
[Figure: tags, readers, and a database]
Identification:
-1- A reader broadcasts a request in its communication zone.
-2- Each tag sends back its answer.
-3- The answers are sent to the database.
Emergence of the RFID Technology
RFID technology is not new, e.g., contactless smartcards were
already RFID devices (public transport, tollways).
The Auto-ID Center was created in 1999 at MIT in order to promote and establish standards for small and cheap RFID
technology.
RFID Characteristics
Extremely limited storage and computation capabilities
Not tamper-resistant
No battery
Reader-to-Tag channel: up to 100 meters
Tag-to-Reader channel: up to a few meters
RFID Systems vs Bar-Code Systems
RFID tags could replace bar-codes in the near future. RFID
tags and bar-codes differ in several respects:
A tag can be remotely read without optical access.
Several tags can be read at the same time.
While a bar-code represents a lot of items, an RFID tag has
its own unique identifier.
Applications and Issues
These properties open the door to new applications:
Management of stocks and stocktakings
Speed up the checkouts in the shops
Libraries
Recycling
Anti-counterfeiting
Sensor networks
Pet identification
But they also open the door to new security issues, in particular the
problem of traceability.
The Juels–Pappu Banknote Protection Scheme
Why?
The European Central Bank said (rumor?) it wants to embed
RFID tags into Euro notes.
To avoid banknote counterfeiting and to let authorized parties
(e.g. airport controls) track illicit monetary flows, in such a way
that banknotes cannot be traced by unauthorized parties.
Who?
Central bank (B) creates the banknotes and... hates forgers
Law enforcement agency (L) aims at tracking illicit monetary
flows
Banknote bearers want to preserve their privacy and...
...to earn as much money as possible
Merchants want to keep their clients and therefore they
agree to collaborate to ensure their clients’ privacy
How?
Serial number of a banknote is signed by B (anti-counterfeiting)
When requested, the tag of a banknote sends the encrypted
value of the serial number and not the serial number itself
(anti-traceability).
Periodic probabilistic re-encryptions of the serial number are
performed (by the merchants).
Re-encryptions require an optical contact with the banknote:
a key, printed on the banknote, is needed to access the content
of the tag.
L can access the content of the tag without this key.
Tags’ requirements
Tags must have an EEPROM consisting of (at least) 780 bits.
Tags must supply the instructions read, write, keyed-read,
and keyed-write.
[Figure: RFID tag memory. γ-cell: read / keyed-write; δ-cell: keyed-read / keyed-write]
Banknote Creation by B
-1- Select a serial number S and compute Σ = Sign(SK_B, S||den)
-2- Compute an access-key D such that D = h(Σ)
-3- Encrypt C = Enc(PK_L, Σ||S, r) where r is a random number
-4- Put C into γ-cell and r into δ-cell
-5- Print S and Σ on the banknote
[Figure: banknote contents. Optical: S, Σ. RFID: γ-cell (read / keyed-write) holds C; δ-cell (keyed-read / keyed-write) holds r]
Re-Encryption by Merchants
-1- Read S and Σ and compute D = h(Σ)
-2- Read C and keyed-read r using D
-3- Check that Enc(PK_L, Σ||S, r) = C
-4- Choose randomly a new r and keyed-write it into δ
-5- Compute the new C := Enc(PK_L, Σ||S, r) and put it into γ
[Figure: banknote contents. Optical: S, Σ. RFID: γ-cell (read / keyed-write) holds C; δ-cell (keyed-read / keyed-write) holds r]
Banknote Tracing by L
-1- Obtain C freely from cell γ
-2- Decrypt C using SK_L and obtain Dec(SK_L, C) = Σ||S
-3- Check whether or not Σ is a valid signature
[Figure: banknote contents. Optical: S, Σ. RFID: γ-cell (read / keyed-write) holds C; δ-cell (keyed-read / keyed-write) holds r]
Encryption Scheme
Juels and Pappu suggest using an ElGamal-based encryption
scheme (over elliptic curves).
Let $G$ denote an elliptic-curve-based group with prime order
$q$ and let $P$ be a generator of $G$. Let $SK_L = x \in_R \mathbb{Z}_q$ be the law
enforcement private key and $PK_L = Y = xP$ the corresponding
public key. A message $m$ is encrypted with the ElGamal scheme
under the random number $r$ as follows:
$$\mathrm{Enc}(PK_L, m, r) = (m + rY,\ rP).$$
Fujisaki/Okamoto Integration Method
With the Fujisaki/Okamoto secure integration method, a message
$m$ is encrypted with the public key $pk$ as follows:
$$E^{*}(pk, m) = \left(E^{asym}(pk, r, h_1(r, m)),\ E^{sym}(h_2(r), m)\right)$$
Where
$E^{sym}(key, mes)$ is a symmetric encryption of $mes$ with $key$.
$E^{asym}(key, mes, rand)$ is an asymmetric encryption of $mes$
with $key$ and a random value.
$h_1$ and $h_2$ denote hash functions.
In our case, $E^{asym}$ is the ElGamal encryption scheme and $E^{sym}$ is
the $\oplus$ operation.
Privacy Issues in the Juels–Pappu Scheme
Attacks
Pickpocketing attack
Denial of service attack
Sleeping and dead banknotes
Cookies threat
Access-key tracing
Data recovery attack
Ciphertext tracing
Access Key Tracing
Goal: Tracing a banknote that the attacker saw once.
Sketch: If the attacker has optical contact with the
banknote once, then thanks to the access-key D (which is a static
key) he is able to trace the banknote just by trying to read
the δ-cell: the tag responds if and only if the key D is the correct
one, which tells him whether or not the banknote is the traced one.
Moral of the story: As soon as a tag owns a unique access-key and
responds if and only if the key sent by the reader is the correct one,
this key can be used to trace the tag.
Data Recovery Attack
Goal: Obtaining the serial number of the banknote without optical
access.
Sketch:
Step 1: Obtaining the access-key D and then the random
number r which is stored in the δ-cell;
Step 2: Exploiting a misapplication of the secure integration
method of Fujisaki and Okamoto used with a probabilistic encryption scheme, in order to recover S and Σ.
Data Recovery Attack (Step 1)
A merchant who is willing to re-encrypt the banknote sends the
access-key D = h(Σ) (obtained by optical reading): the attacker
can just eavesdrop on this (static) key (the reader-to-tag channel is
much easier to eavesdrop on than the tag-to-reader channel).
Data Recovery Attack (Step 2)
By (freely) reading the γ-cell, we obtain $C = \mathrm{Enc}^{*}(PK_L, m, r)$
where $m = \Sigma \| S$. We have:
$$\mathrm{Enc}^{*}(PK_L, m, r) = \left(E^{asym}(pk, r, h_1(r, m)),\ E^{sym}(h_2(r), m)\right) = \Big(\mathrm{Enc}(PK_L, r, h_1(r \| m)),\ \underbrace{h_2(r) \oplus m}_{\xi}\Big)$$
We have $\Sigma \| S = \xi \oplus h_2(r)$ where $\xi$, $r$, and $h_2$ are known ($r$ is
supplied by Step 1).
Moral of the story: We should never use the Fujisaki/Okamoto
integration method with a probabilistic encryption scheme when
the random value is public.
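The access-key oracle and Step 2 above, as an added Python example that is not from the slides: a toy model in which integers modulo a Mersenne prime stand in for the elliptic-curve group, SHAKE-256 plays h, h1 and h2, and HMAC stands in for Sign (all assumptions, as are the function and class names). It contrasts the law-enforcement decryption, which needs SK_L, with the XOR that suffices once r is known.

```python
import hashlib, hmac, secrets

# Toy stand-ins (assumptions): integers mod a Mersenne prime replace the
# elliptic-curve group G, SHAKE-256 plays h, h1, h2, and HMAC replaces Sign.
P_MOD, G = 2**127 - 1, 3

def H(label, *parts, n=32):
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.shake_256(data).digest(n)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def enc_star(Y, m, r):
    """Enc*(PK_L, m, r) = (Enc(PK_L, r, h1(r||m)), h2(r) XOR m)."""
    k = int.from_bytes(H(b"h1", r, m), "big") % (P_MOD - 1)
    c1 = int.from_bytes(r, "big") * pow(Y, k, P_MOD) % P_MOD
    return (c1, pow(G, k, P_MOD)), xor(H(b"h2", r, n=len(m)), m)

def dec_star(x, gamma):
    """Law enforcement path: SK_L = x is needed to get r back out of Enc."""
    (c1, c2), xi = gamma
    r = (c1 * pow(c2, -x, P_MOD) % P_MOD).to_bytes(15, "big")
    return xor(H(b"h2", r, n=len(xi)), xi)

class Tag:
    def __init__(self, D, gamma, delta):
        self._D, self.gamma, self._delta = D, gamma, delta
    def keyed_read_delta(self, key):   # answers only for the static key D
        return self._delta if hmac.compare_digest(key, self._D) else None

def create_banknote(Y, serial):
    sigma = hmac.new(b"constructed-bank-key", serial, "sha256").digest()
    r = secrets.token_bytes(15)          # 120-bit r fits below P_MOD
    return Tag(H(b"h", sigma), enc_star(Y, sigma + serial, r), r), sigma

def read_without_sk(gamma, r):
    """xi XOR h2(r): no private key involved once r is known."""
    return xor(H(b"h2", r, n=len(gamma[1])), gamma[1])

def demo():
    x = secrets.randbelow(P_MOD - 2) + 1
    Y = pow(G, x, P_MOD)
    serial = b"SN-CONSTRUCTED-0001"       # constructed sample value
    tag, sigma = create_banknote(Y, serial)
    D = H(b"h", sigma)                     # what a re-encrypting merchant sends
    r = tag.keyed_read_delta(D)
    m = sigma + serial
    return (dec_star(x, tag.gamma) == m, read_without_sk(tag.gamma, r) == m,
            tag.keyed_read_delta(b"\0" * 32) is None)
```

`demo()` returns three booleans: the SK_L decryption yields Σ||S, the XOR with h2(r) yields the same value without any private key, and a wrong access-key gets no answer from the tag, which is the yes/no signal the access-key tracing slide describes.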
Ciphertext Tracing (Example)
“Bar X wishes to sell information about its patrons to local Merchant Y. The bar requires patrons to have their drivers’ licenses
scanned before they are admitted [...]. At the same time, Bar X
scans the serial numbers of the RFID tags of banknotes carried by
its patrons, [...] Merchant Y similarly records banknote serial numbers of customers from RFID tags. Bar X sells to Merchant Y the
address and birth-date data it has collected [...]. In cases where Bar
X and Merchant Y hold common serial numbers, Merchant Y can
send mailings directly to customers [...].”
Ciphertext Tracing
We first consider a milder version of the attack: bar X cannot read
the optical data on the banknotes of his customers. But he stores
in a database all the γ-values (i.e., C = Enc(PK_L, Σ||S, r)) that
he is able to collect, matched with the name and address of their
handlers. Merchant Y also reads the γ-values of his clients and
stores them. Bar X and merchant Y can merge their databases: if
a γ-value appears in both databases, they can be almost sure that
it is the same client.
Ciphertext Tracing
We now consider a stronger attack: when bar X gives back change
to a client, he re-encrypts banknotes with a fixed random number,
denoted r_0, also known by merchant Y.
When a customer arrives in Merchant Y’s store, Y reads the
γ-values of the customer’s banknotes and computes Σ_0 using r_0
(thanks to the misapplication of the integration method). He then
computes D_0 = h(Σ_0) and tries to read δ with D_0; if the tag
agrees, this means that r_0 was the appropriate random number and
merchant Y can be almost sure that this client comes from Bar X.
Note that Merchant Y does not “touch” the banknotes here: he
just has to scan people when they pass through the store door,
for instance.
Ciphertext Tracing
Moral of the story: Since re-encryptions cannot be performed
with sufficient frequency, it is possible to trace the tags using the
universally readable (encrypted) RFID values (even if the attacker
cannot obtain the plain value).
Note that even with a higher frequency, the attack still remains if
the re-encryptions are performed by the merchants, and not by the
users themselves.
Conclusion
Several mistakes have been made in the design of this scheme.
In this state, the scheme is null and void and should not be used.
The fact that the re-encryption comes from an external entity
(and not the tag itself) allows the tag to be traced between two
correct re-encryptions (i.e., performed by honest parties)
and brings out potential weaknesses: [Henri, Müller], [Golle,
Jakobsson, Juels, Syverson], and [Saito, Ryou, Sakurai]
The fact that a predetermined access-key is used transforms the
tag into an oracle which says whether or not it is the traced
tag.
Conclusion (Cont.)
Only a few works have tried to prove the security of, or to exhibit
weaknesses in, the existing RFID protocols.
Formalization of the privacy and of the adversary model.