On the Security of RFID - PowerPoint PPT Presentation

1
On the Security of RFID
  • Hung-Min Sun
  • Information Security Lab.
  • Department of Computer Science
  • National Tsing Hua University

2
What is RFID?
  • Radio-Frequency Identification Tag

Reference: http://glossary.ippaper.com
3
Roles of RFID applications
Secure channel
Tags
Reader
Server(Database)
4
Barcode vs. RFID
Barcode
  • require a direct line of sight to the printed barcode
  • have no read/write capability
  • cheap
RFID
  • can be read at much greater distances
  • unique object id
  • more expensive

Reference www.cs.utexas.edu/shmat/
5
Where Are RFID Used?
  • Physical-access cards
  • Inventory control
    • Gillette Mach3 razor blades, ear tags on cows, kid bracelets in waterparks, pet tracking
  • Logistics and supply-chain management
    • Track a product from manufacturing through shipping to the retail shelf
  • Gas station and highway toll payment
    • Mobile SpeedPass

Reference www.cs.utexas.edu/shmat/
6
Commercial Applications of RFID
  • RFID cost is dropping dramatically, making it
    possible to tag even low-value objects
  • Around 5c per tag, 100 for a reader
  • Logistics and supply-chain management is the
    killer application for RFID
  • Shipping, inventory tracking, shelf stocking,
    anti-counterfeiting, anti-shoplifting
  • Massive deployment of RFID is in the works
  • Wal-Mart pushing suppliers to use RFID at pallet
    level, Gillette has ordered 500,000,000 RFID tags

Reference www.cs.utexas.edu/shmat/
7
Future Applications of RFID
  • Location Awareness
  • Health Care
  • Apparel
  • Smart Shelf

Reference: http://www.rfidjournal.com/
8
RFID Tag Power Sources
  • Passive (this is what is mostly used now)
    • Tags are inactive until the reader's interrogation signal wakes them up
    • Cheap, but short range only
  • Semi-passive
    • On-board battery, but cannot initiate communication
    • Can serve as sensors, collect information from the environment: for example, "smart dust" for military applications
    • More expensive, longer range
  • Active
    • On-board battery, can initiate communication

Reference www.cs.utexas.edu/shmat/
9
Security Problems of RFID
  • Eavesdropping
  • Hot-listing
    • Attacker has special interests in certain items
  • Replay attack
  • Cloning
  • Tracing
  • Data forging
  • Denial of Service

Fundamental problem: lack of mutual authentication
10
Cryptography and Authentication
11
Cryptographic System
12
Four Basic Services of Cryptography
  • Confidentiality (Secrecy): The intruder cannot read the encrypted message from the ciphertext.
  • Authentication: It should be possible for the receiver of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.
  • Integrity: It should be possible for the receiver of a message to verify that it has not been modified in transit; an intruder cannot substitute a false message for a legitimate one.
  • Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.

13
Cryptographic System
  • Symmetric cryptosystem: the encryption and decryption keys are the same ($E_K(M) = C$, $D_K(C) = M$).
  • Asymmetric cryptosystem: the encryption and decryption keys are different ($E_{K_1}(M) = C$, $D_{K_2}(C) = M$).
  • The encryption key is public, while the decryption key cannot be calculated from the public key.

14
Symmetric Cryptosystem
  • DES (1977)
  • IDEA (1992)
  • RC5 (1994)
  • AES (2001)

15
Asymmetric Cryptosystem
  • RSA (1978)
  • El-Gamal (1984)
  • McEliece (1978)
  • Knapsack (1978)

16
RSA (Encryption & Decryption)
  • Public key: $n = pq$, where $p$ and $q$ are large primes (512 bit), and $e$ with $\gcd(e, (p-1)(q-1)) = 1$
  • Private key: $d$, where $ed \equiv 1 \pmod{(p-1)(q-1)}$
  • Encryption: $C = M^e \bmod n$
  • Decryption: $M = C^d \bmod n$
  • $p = 47$, $q = 71$ $\Rightarrow$ $n = 3337$
  • $e = 79$ $\Rightarrow$ $d = 1019$
  • $M = 688$
  • Encryption: $C = M^e \bmod n = 688^{79} \bmod 3337 = 1570$
  • Decryption: $M = C^d \bmod n = 1570^{1019} \bmod 3337 = 688$

17
One-way hash function
  • A hash (also known as a message digest) is a one-way function. It is considered one-way because it's not practical to figure out what input corresponds to a given output.
  • We will use the terms hash and message digest interchangeably. The NIST message digest function is called SHA-1, which stands for secure hash algorithm, whereas the MD in the MD2, MD4, MD5 algorithms stands for message digest.

18
One-way hash function
  • Input: $X$ (unlimited length)
  • Output: $Y = H(X)$ (fixed length, e.g., 160 bits)
  • Given $X$, it is easy to compute $Y$.
  • Given $Y$ and $H(\cdot)$, it is computationally infeasible to compute $X$.
  • Given $X$ and $Y$, it is computationally infeasible to find another input $X'$ such that $Y = H(X')$.

19
One-way hash function
  • There certainly will be many messages that yield the same message digest, because a message can be of arbitrary length and the message digest will be of fixed length, for instance 128 bits.
  • By trying lots of messages, one would eventually find two that mapped to the same message digest.
  • The problem is that "lots" is so many that it is essentially impossible.

20
  • The significant difference between a secret key
    algorithm and a message digest algorithm is that
    a secret key algorithm is designed to be
    reversible and a message digest algorithm is
    designed to be impossible to reverse.
  • In this section we'll use MD as a generic message digest algorithm.

21
Computing a MAC with a Hash
  • The obvious thought is that MD(m) is a MAC for message m. But it isn't: anyone can compute MD(m).
  • We concatenate a shared secret $K_{AB}$ with the message m, and use $\mathrm{MD}(K_{AB}|m)$ as the MAC.
  • Some proposals with no known weaknesses are:
  • Put the secret at the end of the message instead of at the beginning.
  • Use only half the bits of the message digest as the MAC.

22
  • Concatenate the secret to both the front and the
    back of the message.
  • We call any hash combining the secret key and the
    data a keyed hash.

23
HMAC
  • HMAC resulted from an effort to find a MAC algorithm that could be proven to be secure if the underlying message digest's compression function was secure.
  • They defined secure as having two properties:
  • Collision resistance
  • An attacker who doesn't know the key K cannot compute the proper digest(K,x) for data x, even if the attacker can see the value of digest(K,y), for arbitrary numbers of inputs y, with y not equal to x.

24
How to achieve Mutual Authentication between
two parties?
25
Authentication functions
  • By message encryption
    • The ciphertext of the entire message serves as its authenticator
  • By message authentication code (MAC)
    • A public function of the message and a secret key that produces a fixed-length value that serves as the authenticator
  • By hash function
    • A public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator
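
One way to get mutual authentication from a MAC while rejecting the replay attack listed earlier is a nonce-based challenge-response built on HMAC. The sketch below is an added illustration, not a protocol from the presentation; the `Party` class, the role labels and the message layout are assumptions.

```python
import hashlib
import hmac
import secrets

class Party:
    """One end of the link (reader or tag) holding the shared key K."""

    def __init__(self, role: bytes, key: bytes):
        self.role, self.key, self.nonce = role, key, b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # fresh random challenge per run
        return self.nonce

    def _mac(self, role: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.key, role + b"|" + nonce, hashlib.sha256).digest()

    def prove(self, peer_nonce: bytes) -> bytes:
        # Binding our role into the MAC stops a proof being reflected back.
        return self._mac(self.role, peer_nonce)

    def verify(self, peer_role: bytes, proof: bytes) -> bool:
        # Constant-time comparison against the MAC over our own last challenge.
        return hmac.compare_digest(self._mac(peer_role, self.nonce), proof)

def mutual_auth(reader: Party, tag: Party) -> bool:
    """Run both directions; True only if each side proves knowledge of K."""
    n_r, n_t = reader.challenge(), tag.challenge()
    if not reader.verify(tag.role, tag.prove(n_r)):    # tag -> reader
        return False
    return tag.verify(reader.role, reader.prove(n_t))  # reader -> tag

def replay_accepted(reader: Party, tag: Party) -> bool:
    """Record one valid tag proof, then present it against a new challenge."""
    recorded = tag.prove(reader.challenge())
    assert reader.verify(tag.role, recorded)           # valid in its own run
    reader.challenge()                                 # next run, new nonce
    return reader.verify(tag.role, recorded)

K = secrets.token_bytes(32)  # constructed shared key for the demo

if __name__ == "__main__":
    print(mutual_auth(Party(b"reader", K), Party(b"tag", K)))                        # True
    print(mutual_auth(Party(b"reader", K), Party(b"tag", secrets.token_bytes(32))))  # False
    print(replay_accepted(Party(b"reader", K), Party(b"tag", K)))                    # False
```

The recorded proof fails in the second run because it was computed over the previous nonce, and the role label keeps a reader from accepting its own MAC echoed back to it.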

26
Authentication (a)
  • Symmetric encryption

Stores Key K
Stores Key K
RFID tag is authenticated if $M = D_K(C)$
  • Confidentiality and authentication

27
Authentication (b)
  • Public-key encryption

Uses Reader's private key
Uses Reader's public key
RFID tag is authenticated if $M = D_{\text{private\_key}}(C)$
  • Only Confidentiality

28
Authentication (c)
  • Public-key encryption

Uses tag's public key
Uses tag's private key
RFID tag is authenticated if $M = D_{\text{public\_key}}(C)$
  • Authentication and signature

29
Authentication (d)
  • Hash function

Stores key K
Stores key K
RFID tag is authenticated if $D_K(C) = \mathrm{Hash}(M)$
  • Confidentiality and authentication

30
Authentication (e)

31
However, RFID tag
  • No or very limited power
  • Little memory
  • Static 64- or 128-bit identifier in current
    5-cent tags
  • Little computational power
  • A few thousand gates at most
  • Static keys for read/write access control
  • Not enough resources to support public- or
    symmetric-key cryptography
  • Cannot support modular arithmetic (RSA, DSS), elliptic curves, DES, AES; hash functions are barely feasible
  • Is resettable
  • Passive tag resets when power off

32
Physical Solutions for RFID
33
Physical Solutions
  • Kill tag after purchase
  • Faraday cage
  • Active jamming
  • Disables all RFID, including legitimate
    applications
  • Guardian
  • Blocker Tag

34
Killing approach
  • Special command permanently de-activates tag
    after the product is purchased
  • Disables many futuristic applications

Reference www.rsa.com/rsalabs/staff/bios/ajuels/
35
Faraday Cage
  • Container made of foil or metal mesh,
    impenetrable by radio signals of certain
    frequencies
  • Shoplifters are already known to use foil-lined
    bags
  • Maybe works for a wallet, but huge hassle in
    general

Reference www.rsa.com/rsalabs/staff/bios/ajuels/
36
Active Jamming (Guardian)
  • A mobile battery-powered device that offers
    personal RFID security and privacy management.

Reference: http://www.rfidguardian.org
37
Blocker Tag (The RXA Pharmacy)
Reference: http://www.rfidjournal.com
38
Blocker Tag: How Does the Reader Read a Tag?
  • When the reader sends a signal, more than one RFID tag may respond: this is a collision
  • Reader cannot accurately read information from more than one tag at a time
  • Example: every tagged item in a supermarket cart responds to the cashier's RFID reader
  • Reader must engage in a special singulation protocol to talk to each tag separately
  • Tree-walking is a common singulation method
  • Used by 915 MHz tags, expected to be the most common type in the U.S.

Reference www.cs.utexas.edu/shmat/
39
Blocker Tag: Tree Walking
Reference www.cs.utexas.edu/shmat/
[Figure: binary tree of ID prefixes, branching from prefix=0 and prefix=1 through prefix=00, 01, 10, 11 down to the leaves 000 to 111]
  • Reader broadcasts current prefix
  • Each tag with this prefix responds with its next bit
  • If responses don't collide, reader adds 1 bit to current prefix, otherwise tries both possibilities
  • Every tag has a k-bit identifier
  • This takes $O(k \times \text{number of tags})$
40
Blocker Tag Example
Reference www.cs.utexas.edu/shmat/
[Figure: the prefix tree (prefix=0, prefix=1; prefix=00 to prefix=11; leaves 000 to 111), annotated with the reader's steps]
  • 1. Prefix = "empty"
  • 1a. Prefix = 0
  • 1b. Prefix = 1
  • 2. Prefix = 00
  • 2. Prefix = 11
41
Blocker Tag
Reference www.cs.utexas.edu/shmat/
Rivest, Juels, Szydlo
  • A form of jamming: broadcast both 0 and 1 in response to any request from an RFID reader
    • Guarantees collision no matter what tags are present
    • To talk to a tag, reader must traverse every tree path
    • With 128-bit IDs, reader must try $2^{128}$ values: infeasible!
  • To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges)
    • E.g., blocker tag blocks all IDs with first bit = 1
    • Items on supermarket shelves have first bit = 0
    • Can't block tags on unpurchased items (anti-shoplifting)
    • After purchase, flip first bit on the tag from 0 to 1
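
A small simulation of tree-walking singulation with and without a selective blocker tag, added here as an illustration (not code from the presentation). The 16-bit IDs, the query budget and the function names are constructed for the example.

```python
from typing import Callable, List, Optional, Set, Tuple

K = 16  # constructed ID length; the slides discuss k-bit (e.g. 128-bit) IDs

def make_channel(tags: Set[str], zone: Optional[str] = None) -> Callable[[str], Set[str]]:
    """Build respond(prefix) -> set of next bits the reader hears.

    zone is the ID prefix a selective blocker tag protects (None = no blocker).
    """
    def respond(prefix: str) -> Set[str]:
        bits = {t[len(prefix)] for t in tags if t.startswith(prefix)}
        if zone is not None:
            if prefix.startswith(zone):      # inside the zone: answer 0 and 1
                bits |= {"0", "1"}
            elif zone.startswith(prefix):    # above the zone: act like a tag in it
                bits.add(zone[len(prefix)])
        return bits
    return respond

def tree_walk(respond: Callable[[str], Set[str]], k: int = K, start: str = "",
              budget: int = 5000) -> Tuple[List[str], int, bool]:
    """Depth-first singulation. Returns (ids_read, queries_sent, gave_up)."""
    found: List[str] = []
    queries, stack = 0, [start]
    while stack:
        prefix = stack.pop()
        if len(prefix) == k:                 # full ID singulated
            found.append(prefix)
            continue
        if queries >= budget:                # reader cannot afford more queries
            return found, queries, True
        queries += 1                         # broadcast the current prefix
        for bit in sorted(respond(prefix), reverse=True):
            stack.append(prefix + bit)       # one branch, or both on collision
    return found, queries, False

# Constructed sample IDs: first bit 0 = on the shelf, first bit 1 = purchased.
SHELF = {"0000000000000101", "0110000000000011"}
BOUGHT = {"1010101000001111"}

if __name__ == "__main__":
    print(tree_walk(make_channel(SHELF | BOUGHT)))              # all three IDs read
    ids, q, gave_up = tree_walk(make_channel(SHELF | BOUGHT, zone="1"))
    print(len(ids), q, gave_up)                                 # budget exhausted
    print(tree_walk(make_channel(SHELF | BOUGHT, zone="1"), start="0"))
```

With the blocker active the reader still inventories the shelf (first bit 0), but inside the protected zone every prefix collides, so the walk runs out of budget and the IDs it does "read" there are indistinguishable from phantom ones.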

42
EPCglobal Class 1 Generation 2
  • Most popular in long-range RFID applications
  • Frequency: 860-960 MHz
  • Reading range: 10-20 feet
  • ISO 18000-6C

Reader
RFID tag
Memory Read/Write Other commands

43
Problems in EPCglobal C1G2
  • Long reading range
  • A naïve protection
  • Use of 16-bit random number
  • Tag ID is transmitted in plaintext
  • Lack of reader-to-tag authentication

Malicious Reader
RFID tag
Memory Read/Write Other commands

44
Secure Protocols for RFID
45
Secure RFID Protocols
  • Hash-based Approaches
  • [1] S. Weis, "Security and Privacy in Radio-Frequency Identification Devices," master's thesis, Massachusetts Inst. of Technology (MIT), Massachusetts, USA, May 2003.
  • [8] M. Ohkubo, K. Suzuki, and S. Kinoshita, "Cryptographic Approach to Privacy-Friendly Tags," RFID Privacy Workshop, MIT, Massachusetts, USA, Nov. 2003.
  • [9] T. Dimitriou, "A Lightweight RFID Protocol to protect against Traceability and Cloning Attacks," Proc. 1st IEEE Conf. Security and Privacy for Emerging Areas in Comm. Networks (SecureComm '05), Sep. 2005.
  • [12] G. Tsudik, "YA-TRAP: Yet Another Trivial RFID Authentication Protocol," Proc. 4th IEEE Int'l Conf. Pervasive Computing and Comm. (PerCom '06), Mar. 2006.
  • [13] G. Avoine and P. Oechslin, "A Scalable and Provably Secure Hash Based RFID Protocol," Proc. 3rd IEEE Int'l Workshop Pervasive Computing and Comm. Security (PERCOMW '05), Mar. 2005.
  • [14] D. Henrici and P. Müller, "Hash-Based Enhancement of Location Privacy for Radio-Frequency Identification Devices Using Varying Identifiers," Proc. First IEEE Int'l Workshop Pervasive Computing and Comm. Security (PerSec '04), Mar. 2004.
  • [36] Ohkubo, M., Suzuki, K., and Kinoshita, "RFID privacy issues and technical challenges," Commun. ACM 48, 9 (Sep. 2005).

46
Secure RFID Protocols
  • Lightweight Approaches
  • [23] A. Juels, "Strengthening EPC Tags Against Cloning," Manuscript, RSA Laboratories, Mar. 2005.
  • [24] Y.C. Chen, W.L. Wang, and M.S. Hwang, "RFID Authentication Protocol for Anti-Counterfeiting and Privacy Protection," Proc. 9th IEEE Int'l Conf. Advanced Comm. Technology (ICACT '07), Feb. 2007.
  • [25] A. Juels, "Minimalist Cryptography for Low-Cost RFID Tags," Proc. 4th Int'l Conf. on Security in Comm. Networks (SCN '04), Sep. 2004.
  • [26] Y.Z. Li et al., "Security and Privacy on Authentication Protocol for Low-cost RFID," Proc. Int'l Conf. Computational Intelligence and Security (CIS '06), Nov. 2006.
  • [27] P. Peris-Lopez et al., "M2AP: A Minimalist Mutual-Authentication Protocol for Low-Cost RFID Tags," Proc. 3rd Int'l Conf. Ubiquitous Intelligence and Computing (UIC-06), Sep. 2006.
  • [29] H.Y. Chien, "SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity," IEEE T. Dependable Secure Comput., vol. 4, no. 4, pp. 337-340, 2007.
  • [32] D.N. Duc et al., "Enhancing Security of EPCglobal Gen2 RFID Tag against Traceability and Cloning," Proc. 3rd Conf. Symp. Cryptography and Inf. Security (SCIS '06), Jan. 2006.
  • [35] A. Juels and S. Weis, "Authenticating Pervasive Devices with Human Protocols," Crypto, Aug. 2005.

47
Security Analysis of RFID Protocols
48
So... How to design a secure protocol for low-end
RFID Tag?
49
Hung-Min Sun and Wei-Chih Ting, "A Gen2-based
RFID Authentication Protocol for Security and
Privacy," accepted by IEEE Transactions on
Mobile Computing, Dec. 2008.
50
Gen2
  • Setup at manufacturer
  • After sold

Write Tag keypool
M
Write Tag keypool
M
Tag keypool
U
End users or companies
51
Gen2
  • In use

Reader
RFID tag
U
End users or companies
52
Gen2
a
b
(a,b)
U
53
Gen2
  • Results before enhancement

54
Gen2
  • In use

Reader
RFID tag
U
End users or companies
55
  • Results after enhancement

< 10 rounds
56
Possible applications
  • Scenario A (Express gate)

ck
Verify ck
57
Possible applications
  • Scenario B (Indoor self management)

mobile RFID (reader embedded) e.g. ETRI WCDMA
phone
Payment, advertisement, tour, etc.
Documents, drugs, food, etc.
58
Possible applications
  • Scenario C (Outdoor passive blocking)

Query
59
Thank You
Q & A