1 / 59

On the Security of RFID

On the Security of RFID. Hung-Min Sun ( 孫宏民 ) Information Security Lab. Department of Computer Science National Tsing Hua University. What is RFID?. R adio- F requency Id entification Tag. Reference http://glossary.ippaper.com. Roles of RFID applications. Secure channel. Tags. Reader.

shannad
Télécharger la présentation

On the Security of RFID

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On the Security of RFID Hung-Min Sun (孫宏民) Information Security Lab. Department of Computer Science National Tsing Hua University

  2. What is RFID? • Radio-Frequency Identification Tag Reference http://glossary.ippaper.com

  3. Roles of RFID applications Secure channel Tags Reader Server(Database)

  4. Barcode v.s. RFID Barcode RFID • can be read at much greater distances • unique object id • more expensive • require a direct line of sight to the printed barcode • have no read/write capability • cheap Reference www.cs.utexas.edu/~shmat/

  5. Where Are RFID Used? • Physical-access cards • Inventory control • Gillette Mach3 razor blades, ear tags on cows, kid bracelets in waterparks, pet tracking • Logistics and supply-chain management • Track a product from manufacturing through shipping to the retail shelf • Gas station and highway toll payment • Mobile SpeedPass Reference www.cs.utexas.edu/~shmat/

  6. Commercial Applications of RFID • RFID cost is dropping dramatically, making it possible to tag even low-value objects • Around 5c per tag, $100 for a reader • Logistics and supply-chain management is the killer application for RFID • Shipping, inventory tracking, shelf stocking, anti-counterfeiting, anti-shoplifting • Massive deployment of RFID is in the works • Wal-Mart pushing suppliers to use RFID at pallet level, Gillette has ordered 500,000,000 RFID tags Reference www.cs.utexas.edu/~shmat/

  7. Future Applications of RFID • Location Awareness • Health Care • Apparel • Smart Shelf Reference http://www.rfidjournal.com/

  8. RFID Tag Power Sources • Passive (this is what mostly used now) • Tags are inactive until the reader’s interrogation signal “wakes” them up • Cheap, but short range only • Semi-passive • On-board battery, but cannot initiate communication • Can serve as sensors, collect information from environment: for example, “smart dust” for military applications • More expensive, longer range • Active • On-board battery, can initiate communication Reference www.cs.utexas.edu/~shmat/

  9. Security Problems of RFID • Eavesdropping • Hot-listing • Attacker has special interests in certain items • Replay attack • Cloning • Tracing • Data forging • Denial of Service Fundamental problem: Lack of mutual authentication

  10. Cryptography and Authentication

  11. Cryptographic System

  12. Four Basic Services of Cryptography: • Confidentiality (Secrecy): The intruder cannot read the encrypted message from the ciphertext. • Authentication: It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else. • Integrity: It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder cannot substitute a false message for a legitimate one. • Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.

  13. Cryptographic System • Symmetric Cryptosystem: The encryption & decryption keys are the same. (EK(M)= C & DK(C)= M). • Asymmetric Cryptosystem: Encryption & decryption keys are different. (EK1(M)=C & DK2(C)=M) The encryption key is public, while the decryption key can not be calculated from the public key.

  14. Symmetric Cryptosystem • DES (1977) • IDEA (1992) • RC5 (1994) • AES (2001)

  15. Asymmetric Cryptosystem • RSA (1978) • El-Gamal (1984) • McEliece (1978) • Knapsack (1978)

  16. RSA (Encryption & Decryption) • Public key: n = pq, p and q are large primes(512 bit), e ( gcd (e, (p-1)(q-1)) =1) • Private key: d, where ed = 1 mod (p-1)( q-1) • Encryption: C=M e mod n • Decryption: M= C d mod n p=47, q=71, => n=3337 e=79, => d = 1019 M=688 Encryption: C=M e mod n = 68879 mod 3337 = 1570 Decryption: M= C d mod n =15701019 mod 3337 = 688

  17. One-way hash function • A hash (also known as a message digest) is a one-way function. It is considered a one-way because it’s not practical to figure out what input corresponds to a given output. • We will use the term hash and message digest interchangeably. The NIST message digest function is called SHA-1, which stands for secure hash algorithm,whereas the MD in the MD2,MD4,MD5 algorithm stands for message digest.

  18. One-way hash function • Input: X (unlimited length) • Output: Y=H(X) (fixed length, e.g., 160 bit) • Given X, it is easy to compute Y. • Given Y, and H( ), it is computational infeasible to compute X. • Given X and Y, it is computational infeasible to find X’ such that Y=H(X’).

  19. One-way hash function • There certainly will be many message that yield the same message digest, because a message can be of arbitrary length and the message digest will be fixed length, for instance 128bits. • By trying lots of messages, one would eventually find two that mapped to the same message digest. • The problem is that “lots” is so many that it is essentially impossible.

  20. The significant difference between a secret key algorithm and a message digest algorithm is that a secret key algorithm is designed to be reversible and a message digest algorithm is designed to be impossible to reverse. • In this section we’ll use MD as a “generic” message digest algorithm.

  21. Computing a MAC with a Hash • The obvious thought is that MD(m) is a MAC for message m. But it isn’t. anyone can compute MD(m). • We concatenate a shared secret KAB with the message m, and use MD(KAB|m) as the MAC. • Some proposals with no known weaknesses are: • Put the secret at the end of the message instead of at the beginning. • Use only half the bits of the message digest as the MAC

  22. Concatenate the secret to both the front and the back of the message. • We call any hash combining the secret key and the data a keyed hash.

  23. HMAC • HMAC result from an effect to find a MAC algorithm that could be proven to be secure if the underlying message digest’s compression function was secure. • They defined secure as having two properties: • Collision resistance • An attacker doesn’t know the key K cannot compute the proper digest(K,x) for data x, even if the attacker can see the value of digest(K,y) , for arbitrary numbers of inputs y, with y no equal to x.

  24. How to achieve “Mutual Authentication” between two parties?

  25. Authentication functions • By … Message encryption • The ciphertext of the entire message serves as its authenticator • By … Message authentication code (MAC) • A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator • By … Hash function • A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator

  26. C = EK(M) Authentication (a) • Symmetric encryption Stores Key K Stores Key K RFID tag is authenticated If M == DK(C) • Confidentiality and authentication

  27. Epublic_key(M) Authentication (b) • Public-key encryption Uses Reader’s private key Uses Reader’s public key RFID tag is authenticated If M == Dprivate_key(C) • Only Confidentiality

  28. Eprivate_key(M) Authentication (c) • Public-key encryption Uses tag’s public key Uses tag’s private key RFID tag is authenticated If M == Dpublic_key(C) • Authentication and signature

  29. C=EK(M||Hash(M)) Authentication (d) • Hash function Stores key K Stores key K RFID tag is authenticated If DK(C)==Hash(M) • Confidentiality and authentication

  30. Authentication (e) Authentication (e) • 30

  31. However, RFID tag … • No or very limited power • Little memory • Static 64- or 128-bit identifier in current 5-cent tags • Little computational power • A few thousand gates at most • Static keys for read/write access control • Not enough resources to support public- or symmetric-key cryptography • Cannot support modular arithmetic (RSA, DSS), elliptic curves, DES, AES; hash functions are barely feasible • Is resettable • Passive tag resets when power off

  32. Physical Solutions for RFID

  33. Physical Solutions • Kill tag after purchase • Faraday cage • Active jamming • Disables all RFID, including legitimate applications • Guardian • Blocker Tag

  34. Killing approach • Special command permanently de-activates tag after the product is purchased • Disables many futuristic applications Reference www.rsa.com/rsalabs/staff/bios/ajuels/

  35. Faraday Cage • Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies • Shoplifters are already known to use foil-lined bags • Maybe works for a wallet, but huge hassle in general Reference www.rsa.com/rsalabs/staff/bios/ajuels/

  36. Active Jamming (Guardian) • A mobile battery-powered device that offers personal RFID security and privacy management. Reference http:// www.rfidguardian.org

  37. Blocker Tag (The RXA Pharmacy) Reference http:// www.rfidjournal.com

  38. Blocker Tag : How Does the Reader Read a Tag? • When the reader sends a signal, more than one RFID tag may respond: this is a collision • Reader cannot accurately read information from more than one tag at a time • Example: every tagged item in a supermarket cart responds to the cashier’s RFID reader • Reader must engage in a special singulation protocol to talk to each tag separately • Tree-walking is a common singulation method • Used by 915 Mhz tags, expected to be the most common type in the U.S. Reference www.cs.utexas.edu/~shmat/

  39. Reference www.cs.utexas.edu/~shmat/ Blocker Tag : Tree Walking prefix=0 prefix=1 Reader broadcasts current prefix Each tag with this prefix responds with its next bit prefix=00 prefix=01 prefix=10 prefix=11 If responses don’t collide, reader adds 1 bit to current prefix, otherwise tries both possibilities 000 001 010 011 100 101 110 111 Every tag has a k-bit identifier This takes O(k  number of tags)

  40. Collision! No collision No collision No collision Collision! 3. ID=001 3a. ID=110 Talk to tag 001 Talk to tag 110 3b. ID=111 Talk to tag 111 Next=1 Next=1 Next=1 Next=1 Next=0 Next=1 Next=1 Next=0 Next=0 Reference www.cs.utexas.edu/~shmat/ Blocker Tag : Example 1. Prefix=“empty” prefix=0 prefix=1 1a. Prefix=0 1b. Prefix=1 2. Prefix=00 2. Prefix=11 prefix=00 prefix=01 prefix=10 prefix=11 000 001 010 011 100 101 110 111

  41. Reference www.cs.utexas.edu/~shmat/ Blocker Tag [Rivest, Juels, Szydlo] • A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader • Guarantees collision no matter what tags are present • To talk to a tag, reader must traverse every tree path • With 128-bit IDs, reader must try 2128 values – infeasible! • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges) • E.g., blocker tag blocks all IDs with first bit=1 • Items on supermarket shelves have first bit=0 • Can’t block tags on unpurchased items (anti-shoplifting) • After purchase, flip first bit on the tag from 0 to 1

  42. Query RN16 (16-bit random number) Tag ID ACK (RN16) EPCglobal Class 1 Generation 2 • Most popular in long-range RFID applications • Frequency: 860-960 MHz • Reading range:10-20 Feet • ISO 18000-6C Reader RFID tag Memory Read/Write & Other commands • slide 42

  43. Query RN16 (16-bit random number) Tag ID ACK (RN16) Problems in EPCglobal C1G2 • Long reading range • A naïve protection: • Use of 16-bit random number • Tag ID is transmitted in plaintext • Lack of “reader-to-tag” authentication Malicious Reader RFID tag Memory Read/Write & Other commands • slide 43

  44. Secure Protocols for RFID

  45. Secure RFID Protocols Hash-based Approaches • [1] S. Weis, “Security and Privacy in Radio-Frequency Identification Devices,” master’s thesis, Massachusetts Inst. of Technology (MIT), Massachusetts, USA, May 2003. • [8] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Cryptographic Approach to “Privacy-Friendly” Tags,” RFID Privacy Workshop, MIT, Massachusetts, USA, Nov. 2003. • [9] T. Dimitriou, “A Lightweight RFID Protocol to protect against Traceability and Cloning Attacks,” Proc. 1st IEEE Conf. Security and Privacy for Emerging Areas in Comm. Networks (SecureComm ’05), Sep. 2005. • [12] G. Tsudik, “YA-TRAP: Yet Another Trivial RFID Authentication Protocol,” Proc. 4th IEEE Int’l Conf. Pervasive Computing and Comm. (PerCom’06), Mar. 2006. • [13] G. Avoine and P. Oechslin, “A Scalable and Provably Secure Hash Based RFID Protocol,” Proc. 3rd IEEE Int’l Workshop Pervasive Computing and Comm. Security (PERCOMW ’05), Mar. 2005. • [14] D. Henrici and P. M¨ uller, “Hash-Based Enhancement of Location Privacy for Radio-Frequency Identification Devices Using Varying Identifiers,” Proc. First IEEE Int’l Workshop Pervasive Computing • and Comm. Security (PerSec ’04), Mar. 2004. • [36] Ohkubo, M., Suzuki, K., and Kinoshita, "RFID privacy issues and technical challenges," Commun. ACM 48, 9 (Sep. 2005).

  46. Secure RFID Protocols Lightweight Approaches • [23] A. Juels, “Strengthening EPC Tags Against Cloning,” Manuscript, RSA Laboratories, Mar. 2005. • [24] Y.C. Chen, W.L. Wang, and M.S. Hwang, “RFID Authentication Protocol for Anti-Counterfeiting and Privacy Protection,” Proc. 9th IEEE Int’l Conf. Advanced Comm. Technology (ICACT ’07), Feb. 2007. • [25] A. Juels, “Minimalist Cryptography for Low-Cost RFID Tags,” Proc. 4th Int’l Conf. on Security in Comm. Networks (SCN ’04), Sep. 2004. • [26] Y.Z. Li et al., “Security and Privacy on Authentication Protocol for Low-cost RFID,” Proc. Int’l Conf. Computational Intelligence and Security (CIS ’06), Nov. 2006. • [27] P. Peris-Lopez et al., “M2AP: A Minimalist Mutual-Authentication Protocol for Low-Cost RFID Tags,” Proc. 3rd Int’l Conf. Ubiquitous Intelligence and Computing (UIC-06), Sep. 2006. • [29] H.Y. Chien, “SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity,” IEEE T. Dependable Secure Comput., vol. 4, no. 4, pp. 337–340, 2007. • [32] D.N. Duc et al., “Enhancing Security of EPCglobal Gen2 RFID Tag against Traceability and Cloning,” • Proc. 3rd Conf. Symp. Cryptography and Inf. Security (SCIS’06), Jan. 2006. • [35] A. Juels and S. Weis, “Authenticating Pervasive Devices with Human Protocols.” Crypto, Aug. 2005.

  47. Security Analysis of RFID Protocols

  48. So…How to design a secure protocol for low-end RFID Tag?

  49. Hung-Min Sun and Wei-Chih Ting , “A Gen2-based RFID Authentication Protocol for Security and Privacy,” accepted by IEEE Transactions on Mobile Computing, Dec. 2008.

  50. Gen2+ • Setup at manufacturer • After sold Write Tag keypool Write Tag keypool M M Tag keypool U End users or companies

More Related