My research on RFID security and privacy led me to a much broader problem of securing medical treatments and keeping medical information private. Implantable medical devices increasingly use wireless communication for monitoring patients in hospitals and homes. Such medical devices include heart rate sensors, pacemakers, defibrillators, drug delivery systems, and neurostimulators. These devices can contain sensitive personal data and other health-related information. In addition to sensing events, pacemakers and implantable cardiac defibrillators (ICDs) treat chronic disease with electrical therapy that can be wirelessly modified. Thus, patients will desire strong security and privacy to gain confidence in these emerging therapies and infrastructure for collecting telemetry. Yet there is little understanding of how to model or mitigate malicious threats against such untrusted infrastructure.
My research investigates security and privacy for pervasive computation by analyzing the limits of computation on RFID-based systems and discovering methods to adapt cryptographic systems to this constrained environment. Radio-Frequency Identification (RFID) tags belong to a class of inexpensive wireless devices that identify and authenticate objects and people --- in short, devices that must label things securely. RFID tags, contactless smartcards, and low-resource sensors represent a class of computing devices that promises to be the most numerous in the world. A unifying characteristic of these devices is that they do not perform autonomous computation and often lack internal power sources. Nomadic tags respond automatically to reader interrogation, and thus they have highly sporadic network connectivity. Extending the network to new physical dimensions, pervasive devices promise to serve as the fingertips of the next-generation Internet.
My approach to RFID security and privacy begins with a security analysis of present-day, RFID-enabled credit cards in order to assess the resilience of critical infrastructure to traditional adversaries. To determine the feasibility of designing secure RFID systems, my next line of research investigates the previously unknown limits of computation and cryptography on an RF-powered, Ultra-High Frequency RFID tag. My third line of RFID research evaluates practical and inexpensive ways to harvest true random numbers and fingerprints that identify tags based on subtle manufacturing variations between tags.
Maximalist cryptography and computation on the WISP UHF RFID tag, by Hee-Jin Chae, Daniel J. Yeager, Joshua R. Smith, and Kevin Fu. In Proceedings of the Conference on RFID Security, July 2007.

Initial SRAM state as a fingerprint and source of true random numbers for RFID tags, by Daniel E. Holcomb, Wayne P. Burleson, and Kevin Fu. In Proceedings of the Conference on RFID Security, July 2007.

Cryptanalysis of two lightweight RFID authentication schemes, by Benessa Defend, Kevin Fu, and Ari Juels. In Fourth IEEE International Workshop on Pervasive Computing and Communication Security (PerSec), March 2007.

Vulnerabilities in First-Generation RFID-enabled Credit Cards, by Thomas S. Heydt-Benjamin, Dan V. Bailey, Kevin Fu, Ari Juels, and Tom O'Hare. In Proceedings of the Eleventh International Conference on Financial Cryptography and Data Security, Lowlands, Scarborough, Trinidad/Tobago, February 2007.

Privacy for public transportation, by Thomas S. Heydt-Benjamin, Hee-Jin Chae, Benessa Defend, and Kevin Fu. In Proceedings of the Privacy Enhancing Technologies workshop (PET 2006), June 2006.
In proxy re-encryption, a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. The proxy does not have access to any private key material, yet it can assist in atomically re-encrypting content. Our research demonstrates the usefulness of proxy re-encryption as a method of adding access control to the SFS read-only file system.
Our ongoing research analyzes constructions for proxy re-encryption that use an untrusted third party to grant access to a protected resource. However, future work must address the challenge of having an untrusted third party efficiently revoke access to encrypted storage. This problem is more challenging than granting access because revoking access involves re-encrypting the stored data itself rather than only the metadata. Asymmetric cryptography can efficiently protect metadata, but efficient methods for protecting bulk data involve symmetric cryptography, for which no proxy re-encryption schemes are known to exist. In the longer term, my goal is to investigate efficient methods for providing security and privacy in applications built on top of untrusted infrastructure.
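To make the proxy's role concrete, here is an added example (not code from this page or from the Ateniese, Fu, Green and Hohenberger paper): a toy implementation of the bidirectional, ElGamal-based proxy re-encryption scheme of Blaze, Bleumer and Strauss (BBS98), which is the starting point the improved schemes build on. The proxy holds only the re-encryption key rk = b/a mod q and never sees the plaintext or either private key. The group parameters, seed, message encoding and 64-bit sizes are assumptions for this example and are far too small for real use; the last function shows the caveat that motivates unidirectional schemes, namely that the proxy and Bob together can recover Alice's private key.

```python
# Added example: toy BBS98-style bidirectional proxy re-encryption over the
# order-q subgroup of Z_p^*, p = 2q + 1. Parameter sizes are illustrative only.
import random
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_params(bits=64, seed=2006):
    """Return (p, q, g): a safe prime p = 2q + 1 and g generating the order-q subgroup.
    The fixed seed only makes these toy parameters reproducible (assumption for the example)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4   # 4 = 2^2 is a quadratic residue, hence has order q

def keygen(params):
    p, q, g = params
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)

def encode(msg, params):
    """Map an integer 1 <= msg <= q into the subgroup of quadratic residues."""
    p, q, _ = params
    assert 1 <= msg <= q
    return pow(msg, 2, p)

def decode(elem, params):
    """Invert encode(): p = 3 mod 4, so elem^((p+1)/4) is a square root; take the root <= q."""
    p, q, _ = params
    r = pow(elem, (p + 1) // 4, p)
    return min(r, p - r)

def encrypt(pk, m, params):
    """ElGamal-style ciphertext (m * g^k, pk^k) for a subgroup element m."""
    p, q, g = params
    k = secrets.randbelow(q - 1) + 1
    return (m * pow(g, k, p)) % p, pow(pk, k, p)

def decrypt(sk, ct, params):
    p, q, _ = params
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, q), p)        # (g^(sk*k))^(1/sk) = g^k
    return (c1 * pow(gk, -1, p)) % p

def rekey(sk_from, sk_to, params):
    """Re-encryption key rk = sk_to / sk_from mod q; on its own it reveals neither key."""
    _, q, _ = params
    return (sk_to * pow(sk_from, -1, q)) % q

def reencrypt(rk, ct, params):
    """The proxy's only operation: raise c2 to rk. c1, which carries the message, is untouched."""
    p, _, _ = params
    c1, c2 = ct
    return c1, pow(c2, rk, p)

def collusion_recovers_key(sk_to, rk, params):
    """Caveat of bidirectional schemes: the delegatee and the proxy together learn sk_from."""
    _, q, _ = params
    return (sk_to * pow(rk, -1, q)) % q

if __name__ == "__main__":
    P = make_params()
    a, pk_a = keygen(P)
    b, pk_b = keygen(P)
    ct = encrypt(pk_a, encode(424242, P), P)
    ct_b = reencrypt(rekey(a, b, P), ct, P)
    print(decode(decrypt(b, ct_b, P), P))
```

Because rk is a ratio of the two private keys, its modular inverse re-encrypts in the other direction, so delegation from Alice to Bob silently also delegates from Bob to Alice; this is exactly the property the unidirectional schemes in the TISSEC paper remove.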
Improved proxy re-encryption schemes with applications to secure distributed storage, by Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger. ACM Transactions on Information and System Security (TISSEC), 9(1), February 2006. An early version appeared in Proceedings of the Network and Distributed Systems Security Symposium (2005).
Through replication and careful positioning, content distribution networks (CDNs) increase the availability of content to consumers of information. Already millions of people benefit from CDNs. However, these CDNs traditionally use centrally-managed, trusted replicas to distribute content. A secure CDN that works without trusting replicas would satisfy a stronger notion of security while also making new storage resources available for replication.
My dissertation investigates how to maintain security of content served by untrusted replicas. Two objectives guided our research in secure content distribution. First, clients must be able to verify that content from replicas is what the content owner intended. Our approach in the SFS read-only file system is to use a Merkle hash tree mapped over the directory structure of a file system. Second, content owners should not trust replicas to mediate access to restricted content. Our Chefs file system uses key regression to let content owners control access to private content served by untrusted replicas. Key regression relies on one-way functions and trapdoor permutations to enable decentralized access control.
Key regression coalesces many versions of a shared, symmetric key into one short key. A client can easily unwind one version of the key to derive past versions of the key. Only the group manager can wind a key forward to produce new versions of the key. Key regression is helpful when key distribution is not possible because a group manager is offline or has nearly zero throughput.
The SFS read-only file system and the Chefs file system provide respectively integrity and access control in single-writer, many-reader content distribution using untrusted servers.
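The following is an added example, not code from this page or from the Fu, Kamara and Kohno paper, of the one-way-function flavour of key regression: the owner keeps a seed and publishes the member state for version i as the (N - i)-fold hash of the seed, so a member unwinds to version i-1 with a single public hash, while winding forward to version i+1 would require a preimage that only the seed holder can produce. The state layout (version number plus chain value), the derivation label and SHA-256 as the one-way function are assumptions of this example; the scenario function shows lazy revocation, where content already stored stays under the old key and only new writes use the wound key.

```python
# Added example: hash-chain key regression. The owner (group manager) alone can wind
# forward; any member holding the latest state can unwind to every earlier key.
import hashlib
import os

def H(data):
    return hashlib.sha256(data).digest()

class KeyRegressionOwner:
    """Group manager: the only party holding the chain seed, hence the only one who can wind."""

    def __init__(self, max_versions, seed=None):
        self.max_versions = max_versions
        self.seed = seed if seed is not None else os.urandom(32)
        self.version = 0

    def wind(self):
        """Advance to the next key version (e.g. after evicting a member) and return
        the member state for it: (i, H^(max_versions - i)(seed))."""
        if self.version >= self.max_versions:
            raise RuntimeError("key chain exhausted; the owner must start a new chain")
        self.version += 1
        return self.member_state()

    def member_state(self):
        if self.version == 0:
            raise RuntimeError("no key has been wound yet")
        value = self.seed
        for _ in range(self.max_versions - self.version):
            value = H(value)
        return self.version, value

def unwind(state):
    """Member side: the previous version's state is one public hash away."""
    version, value = state
    if version <= 1:
        raise ValueError("version 1 has no predecessor")
    return version - 1, H(value)

def keyder(state):
    """Derive the symmetric content key for a state. The domain-separation label is an
    assumption; it keeps a leaked content key from revealing the chain value."""
    version, value = state
    return H(b"key-regression/content-key|" + version.to_bytes(4, "big") + value)

def all_keys(state):
    """A member holding one short state recovers the current and every past content key."""
    keys = {state[0]: keyder(state)}
    while state[0] > 1:
        state = unwind(state)
        keys[state[0]] = keyder(state)
    return keys

def lazy_revocation_scenario():
    """One revocation. The file written before it stays encrypted under key 1 (lazy
    revocation); only files written afterwards use key 2."""
    owner = KeyRegressionOwner(max_versions=1000)
    stm1 = owner.wind()
    key1 = keyder(stm1)              # key for the first file
    stm2 = owner.wind()              # owner revokes a member and winds forward
    key2 = keyder(stm2)              # key for files written from now on
    current_member = all_keys(stm2)  # received the new state from the owner
    revoked_member = all_keys(stm1)  # still holds only the old state
    return {
        "current_member_reads_old_file": current_member[1] == key1,
        "current_member_reads_new_file": current_member[2] == key2,
        "revoked_member_has_new_key": key2 in revoked_member.values(),
        "state_is_one_hash": len(stm2[1]) == 32,
    }
```

The owner's cost of winding is a chain walk of length N - i, so in practice the owner caches the chain or uses a trapdoor-permutation construction (RSA-style, as the paper also describes) where winding is one private-key operation; the member-side property, one cheap unwind per version, is the same in both.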
Key regression: Enabling efficient key distribution for secure distributed storage, by Kevin Fu, Seny Kamara, and Tadayoshi Kohno. In Proceedings of the Symposium on Network and Distributed Systems Security, February 2006.

Integrity and access control in untrusted content distribution networks, by Kevin Fu. PhD thesis, MIT, September 2005.
Plutus: Scalable secure file sharing on untrusted storage, by Mahesh Kallahalla, Erik Riedel, Ram Swaminathan, Qian Wang, and Kevin Fu. In Proc. USENIX Conference on File and Storage Technologies, San Francisco, CA, December 2003.

Fast and secure distributed read-only file system, by Kevin Fu, M. Frans Kaashoek, and David Mazieres. ACM Transactions on Computer Systems, 20(1):1--24, February 2002.

Group sharing and random access in cryptographic storage file systems, by Kevin Fu. Master's thesis, Massachusetts Institute of Technology, May 1999.
Lazy revocation reduces the performance cost of re-encryption in cryptographic storage.
Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as storefronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.
We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site.
We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.
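As an added example (not code from this page or from the Fu, Sit, Smith and Feamster paper), the block below places the kind of unkeyed-hash cookie authenticator the survey found in the wild beside a cookie of the shape exp=t&data=s&digest=MAC_k(exp=t&data=s) that the paper proposes. The interrogative adversary needs no secret to forge the weak cookie: it learns the format from a cookie for an account it controls and runs the same public computation the server runs. Field names, the server key, the constant-time comparison and the sample values are constructed for this example.

```python
# Added example: a forgeable cookie authenticator next to a keyed, expiring one.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; rotating it invalidates all cookies

# --- Weak: an unkeyed hash "protects" the cookie. Anyone who has seen one cookie
# knows the recipe and can mint a cookie for any other user.
def mint_weak(user):
    body = urlencode({"user": user})
    return body + "&digest=" + hashlib.sha256(body.encode()).hexdigest()

def verify_weak(cookie):
    fields = dict(parse_qsl(cookie, keep_blank_values=True))
    body = urlencode({"user": fields.get("user", "")})
    ok = hashlib.sha256(body.encode()).hexdigest() == fields.get("digest")
    return fields.get("user") if ok else None

def forge_weak(victim):
    """The interrogative adversary, having observed the format from its own cookie."""
    return mint_weak(victim)

# --- Hardened: keyed MAC over an expiration time and the payload, canonical field
# order, constant-time comparison, and rejection of expired or tampered cookies.
def _canonical(exp, data):
    return urlencode([("exp", str(exp)), ("data", data)])

def mint(exp, data, key=None):
    """exp is a Unix time; data is whatever the server needs to recover the session."""
    body = _canonical(exp, data)
    digest = hmac.new(key or SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "&digest=" + digest

def verify(cookie, now, key=None):
    """Return the authenticated data, or None if the cookie is forged, tampered or expired."""
    fields = dict(parse_qsl(cookie, keep_blank_values=True))
    try:
        exp = int(fields["exp"])
        data, digest = fields["data"], fields["digest"]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(key or SERVER_KEY, _canonical(exp, data).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):   # check the MAC before trusting any field
        return None
    if now >= exp:                                   # a stolen cookie has a bounded lifetime
        return None
    return data
```

The expiration field limits the damage of a replayed cookie, and because it is covered by the MAC the client cannot extend it; binding the cookie to TLS (the "in conjunction with SSL" case above) is what closes the remaining gap against an active adversary who can intercept the cookie in transit.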
Web cookies: Not just a privacy risk, by Emil Sit and Kevin Fu. Communications of the ACM, 44(9), September 2001.

Dos and don'ts of client authentication on the web, by Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster. In Proceedings of the 10th USENIX Security Symposium, Washington, D.C., August 2001. An extended version is available as MIT-LCS-TR-818. (Best Student Paper Award.)