Covert Channels in Privacy-Preserving Identification Systems
Authors: D. Bailey, D. Boneh, E. Goh, and A. Juels
Abstract:
We examine covert channels in privacy-enhanced mobile identification devices where the devices uniquely identify themselves to an authorized verifier. Such devices (e.g., RFID tags) are increasingly commonplace in hospitals and many other environments. For privacy, the device outputs used for identification should "appear random" to any entity other than the verifier, and should not allow physical tracking of device bearers. Worryingly, there already exist privacy breaches for some devices that allow adversaries to physically track users.
Ideally, such devices should allow anyone to publicly determine that the device outputs are covert-channel free (CCF); we say that such devices are CCF-checkable.
Our main result shows that there is a fundamental tension between identifier privacy and CCF-checkability; we show that the two properties cannot co-exist in a single system.
We also develop a weaker privacy model where a continuous observer can correlate appearances of a given tag, but a sporadic observer cannot. We also construct a privacy-preserving tag identification scheme that is CCF-checkable and prove it secure under the weaker privacy model using a new complexity assumption.
Reference:
In proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 297-306, 2007