Information Security


Assignment 4: Toll transponder design

Logistics

Your report should take the form of a Web page, or a set of linked pages. You should submit a zip-file which unzips into a single directory. The "home page" or "main page" of your report should be named "index.html".

You must work in a group on this assignment.

You may not collaborate with anybody outside your group.

Introduction

You have been hired by TollCorp to design a toll transponder system, like the EZ-Pass system that is used to collect highway tolls in New Jersey and neighboring states.

Your task in this assignment is to write a report describing your proposed design, and discussing how well your design meets the requirements set out below. You will be graded partly on your design, and partly on your analysis and critique of your own design.

How Toll Transponder Systems Work

These systems operate by giving each driver a small "tag" device, about the size of a deck of playing cards, to put on the dashboard of the driver's car. As the car approaches a highway tollbooth, a reader device in the tollbooth broadcasts a radio signal, and the tag responds with a radio signal that lets the reader uniquely identify the tag. This information is used by the toll agency to determine which cars have passed through which tollbooths, and this information is used to charge drivers' credit cards for the tolls due on their driving.

Sometimes a driver is charged a fixed fee to pass through a given tollbooth. Sometimes (as on the New Jersey Turnpike) the system notes where a driver entered a toll road (by reading the tag at an entrance tollbooth) and where the driver left the toll road (by reading the tag at an exit tollbooth), and computes the toll according to the distance driven.

Some transponder systems use a simple protocol in which the tollbooth emits a fixed "beacon" signal, and whenever the tag hears a beacon, it responds by broadcasting its unique tag-ID number. This design is simple and inexpensive to implement.

Unfortunately, this design poses privacy risks, because it allows anybody to read the tag-IDs of cars that pass them. Anybody can build a listening post that emits the beacon and reads the tag-IDs that are sent back in response, thereby gathering information about who drives past the listening post at which times. A would-be snooper would have to build a database matching tag-IDs to individual people or cars, but that information could be gathered once and re-used.

Some listening posts have been used for legitimate purposes. For example, engineers built a system that reads tags at various places in the freeway system in Houston, Texas. By observing when the same tag passes two points in the system, they can determine the average speed between those two points. This allows them to determine, in real time, the speed of traffic on various segments of freeway. Drivers can get this information on a website.
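As an added illustration (not part of the original assignment text), the simulation below models the beacon protocol just described: a reader emits a beacon, the tag answers with an identifier, and a Houston-style monitor pairs the same identifier at two points to compute speed. The `Tag` class can also answer with a per-time-window pseudonym keyed by an assumed TollCorp key; that variant is only there to show the tension between monitoring and linkability, not a proposed or expected design, and all tag IDs, keys, times and distances are constructed.

```python
# Added simulation of the fixed-ID beacon protocol and a Houston-style monitor.
# Everything here (tag ID, key, times, the 10-mile segment) is constructed.
import hmac
import hashlib

EPOCH_SECONDS = 900  # assumption: pseudonyms rotate every 15 minutes

class Tag:
    """A dashboard tag. With key=None it answers every beacon with its fixed ID,
    exactly the simple design described in the text."""
    def __init__(self, tag_id, key=None):
        self.tag_id, self.key = tag_id, key

    def respond(self, beacon_time):
        if self.key is None:
            return self.tag_id                       # fixed-ID design
        epoch = beacon_time // EPOCH_SECONDS         # illustrative pseudonym variant
        msg = f"{self.tag_id}:{epoch}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

def travel_times(sightings, point_a, point_b, distance_miles):
    """Houston-style monitor: pair an identifier heard at A with the same
    identifier heard later at B. sightings is a list of (point, time_s, ident).
    Returns {identifier: average speed in mph}."""
    seen_at_a, speeds = {}, {}
    for point, t, ident in sorted(sightings, key=lambda s: s[1]):
        if point == point_a:
            seen_at_a[ident] = t
        elif point == point_b and ident in seen_at_a:
            elapsed_hours = (t - seen_at_a.pop(ident)) / 3600
            speeds[ident] = distance_miles / elapsed_hours
    return speeds

def run_scenario(key=None):
    """One car drives A -> B (10 miles in 10 minutes), then passes a snooper's
    listening post six hours later. Returns (monitor speeds, whether the
    snooper can link its sighting to the monitored trip)."""
    tag = Tag("TAG-0001", key)
    t0 = 1_000_000                                    # constructed start time (s)
    sightings = [("A", t0, tag.respond(t0)),
                 ("B", t0 + 600, tag.respond(t0 + 600))]
    speeds = travel_times(sightings, "A", "B", 10.0)
    later = tag.respond(t0 + 6 * 3600)                # snooper's beacon, later
    return speeds, later in speeds
```

With a fixed ID the snooper's sighting matches the monitored trip; with the pseudonym variant the monitor still gets the same 60 mph figure, but the later sighting no longer links to it, and only a holder of the key can recompute which tag it was.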

Privacy Requirements

Your goal is to design a system that reduces the privacy risks of toll transponders, while allowing legitimate Houston-style traffic monitoring. You will design the protocol to be used between readers and tags, along with any required key management procedures.

Your system must allow TollCorp, which operates readers in tollbooths, to charge individual tag-owners tolls. The system must handle both styles of tolls: those that charge a fixed fee for passing through a single tollbooth, and those that use separate entrance and exit tollbooths and charge based on distance driven.

The system must also allow independent traffic monitors -- but only those approved by TollCorp -- to build readers that let them compute the travel time for individual cars between various points on a highway system. But, to the extent possible, it must not allow those monitors to tie the data they collect to any individual tag, car, or owner.

The system should also minimize the amount of information that other people (i.e., people other than TollCorp and the authorized traffic monitors) can learn, even if they build their own reader devices.

Of course, we would like the design to be simple and cheap to build.

Advice

We realize that the requirements given above lack mathematical clarity and are a bit ambiguous. This kind of ambiguity in requirements happens all the time in real life. Figuring out how to deal with it is part of the assignment. In your report, be sure to explain any decisions you made regarding how to interpret the requirements and put them into practice.

When the requirements say that you should do something "to the extent possible", be sure to say precisely what your design manages to achieve in that area.

Your report should be very precise about what the protocol is for communication between the reader and the tag, and about how any cryptographic keys are generated, stored, and used.

Don't forget to say something about the cost of implementing your proposal. Look at the complexity of computations, and the amount of storage required, in the reader and the tag. Remember that the goal is to reduce the cost of the entire system as operated by TollCorp. You don't need to give a dollar cost estimate for the system or its parts, but you should justify your design by explaining what you get in exchange for the resources your design uses.

Copyright 2004, Edward W. Felten.