1 / 66

RFID : The Problems of Cloning and Counterfeiting

RFID : The Problems of Cloning and Counterfeiting. Ari Juels RSA Laboratories 19 October 2005. RFID devices take many forms. Basic “smart label”. Toll payment plaque. Automobile ignition key. Mobile phone. “RFID” really denotes a spectrum of devices. “74AB8”. “Evian bottle

sabine
Télécharger la présentation

RFID : The Problems of Cloning and Counterfeiting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFID: The Problems ofCloning and Counterfeiting Ari Juels RSA Laboratories 19 October 2005

  2. RFID devices take many forms

  3. Basic “smart label” Toll payment plaque Automobile ignition key Mobile phone “RFID” really denotes a spectrum of devices

  4. “74AB8” “Evian bottle #949837428” “5F8KJ3” “Smart label” RFID tag • Passive device – receives power from reader • Range of up to several meters • Simply calls out (unique) name and static data

  5. Capabilities of “smart label” RFID tag • Little memory • Static 96-bit+ identifier in current ultra-cheap tags • Hundreds of bits soon • Little computational power • Several thousand gates (mostly for basic functionality) • No real cryptographic functions possible • Pricing pressure may keep it this way for a while, i.e., Moore’s Law will have delayed impact

  6. Fast, automated scanning Line-of-sight Radio contact Specifies object type Uniquely specifies object Provides pointer to database entry for every object, i.e., unique, detailed history The grand vision:EPC (Electronic Product Code) tags Barcode EPC tag

  7. Impending explosion in (EPC) RFID use • EPCglobal • Joint venture of UCC and EAN • Wal-Mart, Procter & Gamble, DoD, etc. • Recently ratified new EPC-tag standard (Class 1 Gen 2) • Pallet and case tagging first • Item-level retail tagging, automated tills, seem years away • Estimated costs • 2008: $0.05 per tag; hundreds of dollars per reader (?) • Beyond: $0.01 per tag; several dollars per reader (?)

  8. Automobile immobilizers Other forms of RFID • Payment devices • Currency?

  9. “Not Really Mad” • Passports Other forms of RFID • Tracking cattle

  10. RFID readers in mobile handsets • Medical compliance Showtimes: 16.00, 19.00 Other forms of RFID

  11. Wig model #4456 (cheap polyester) Replacement hip medical part #459382 Das Kapitaland Communist-party handbook 1500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The privacy problem Bad readers, good tags Mr. Jones in 2015

  12. Counterfeit! Mr. Jones’s car! Mad-cow hamburger lunch Counterfeit! The authentication problem Good readers, bad tags Mr. Jones in 2015 Replacement hip medical part #459382 1500 Euros in wallet Serial numbers: 597387,389473…

  13. RFID and sensors will underpin critical infrastructure Authentication therefore has many facets: • Physical security • Consumer goods and pharmaceuticals safety • Transaction security • Brand value …but it’s getting short shrift I’ll talk about three different projects on RFID authentication

  14. The Digital Signature Transponder (DST) Joint work with S. Bono, M. Green, A. Stubblefield, A. Rubin, and M. Szydlo USENIX Security ‘05

  15. “I’m tag #123” 40-bit challenge C 24-bit response R = fK(C) The Digital Signature Transponder (DST) f Car #123 (simplified) • Helps secure tens of millions of automobiles • Philips claims more than 90% reduction in car theft thanks to RFID! (TI did at one point.) • Also used in millions of payment transponders

  16. The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 24-bit response R = fK(C) (simplified) • The key K is only 40 bits in length!

  17. The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 24-bit response R = fK(C) (simplified) Our aim: Demonstrate security vulnerability by cloning real DSTs

  18. The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 f 24-bit response R = fK(C) (simplified) But what is the cryptographic function f ???

  19. key K C R = fK(C) Black-box cryptanalysis f? Programmable DST

  20. ??? ??? ??? Not implemented this way! Texas Instruments DST40 cipher (not original schematic) Challenge register Routing Network f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f21 f18 f19 f20 Routing Network Key register 400 clocks / 3 cycles

  21. Texas Instruments DST40 cipher (not original schematic) ??? Challenge register Routing Network f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 ??? f17 f21 f18 f19 f20 f17 ??? Routing Network f21 Key register f18 f19 400 clocks / 3 cycles f20 Not implemented this way!

  22. Black-box cryptanalysis

  23. One internal wire Case A

  24. Or two internal wires? Case B

  25. 0 1 1 0 0 0 0 0 0 1 0 0 0 1 1 1 0 0 1 0 0 0 0 0 1 Black-box cryptanalysis

  26. 2 possible values 4 possible values Case A Case B

  27. Same principle applies to more complex structures… f17 f21 f18 f19 f20

  28. Same principle applies to more complex structures…

  29. Consider two particular input wires…

  30. Or do two inputs go to same box? Case A

  31. Do two inputs go to different boxes? Case B

  32. Two internal wires One internal wire Case B Case A

  33. ??? ??? ??? Not implemented this way! f

  34. The full cloning process • Skimming • Key cracking • Simulation

  35. The full cloning process Step 1: Skimming Step 1: Skimming Obtain responses r1,r2 to two challenges, c1, c2 Takes only 1/4 second!

  36. The full cloning process Step 2: Key cracking C Find secret key k such that r1=fk(c1) and r2 = fk(c2) (30 mins. on 16-way parallel cracker; Faster with Hellman table)

  37. The full cloning process Simulate radio protocols with computation of fk Step 3: Simulation

  38. “Human” authentication for RFID tags Joint work with Steve Weis Crypto ‘05

  39. Very limited memory for numbers Very limited ability for arithmetic computation RFID tags are a little like people ≈

  40. Hopper-Blum (HB) Human Identification Protocol

  41. ChallengeA Response f(X,A) Secret X Secret X Hopper-Blum (HB) Human Identification Protocol

  42. ChallengeA R = (X•A) + Nη Secret X Secret X modular dot product noise w.p. η Hopper-Blum (HB) Human Identification Protocol

  43. (0, 4, 7) R = 5 7 X = (3,2,1) X = (3,2,1) HB Protocol Example, mod 10

  44. Learning Parity in the presence of Noise (LPN) • Given multiple rounds of protocol, find X (or other equally good secret) • Given q challenge-response pairs (A1,R1)…(Aq,Rq) ,, find X’ such that Ri = X’ • Ai on at most ηq instances, for constant η > 0 • Binary values • Note that noise is critical! • LPN is NP-hard – even within approx. of 2 • Theoretical and empirical evidence of average-case hardness • Poly. adversarial advantage in HB protocol → LPN

  45. C R HB Protocol X X Problem: Not secure against active adversaries!

  46. D C R = (C• X) (D• Y) + + Nη HB+ Protocol X,Y X,Y

  47. D (D• Y) + +Nη HB+ Protocol X,Y X,Y

  48. D C R = (C• X) (D• Y) + + Nη • Add extra HB protocol with prover-generated challenge • Adversary effectively cannot choose challenge here Intuition: HB+ Protocol X,Y X,Y

  49. In the paper • Most of paper elaborates security reduction from HB+to LPN • Implementation of algorithm seems very practical – just linear number of ANDs and XORs and a little noise! • Looks like EPC might be amenable, but…

More Related