Title: On the Security of RFID
1On the Security of RFID
- Hung-Min Sun (???)
- Information Security Lab.
- Department of Computer Science
- National Tsing Hua University
2What is RFID?
- Radio-Frequency Identification Tag
Reference http//glossary.ippaper.com
3Roles of RFID applications
Secure channel
Tags
Reader
Server(Database)
4Barcode v.s. RFID
Barcode
RFID
- can be read at much greater
- distances
- unique object id
- more expensive
- require a direct line of sight to the
- printed barcode
- have no read/write capability
- cheap
Reference www.cs.utexas.edu/shmat/
5Where Are RFID Used?
- Physical-access cards
- Inventory control
- Gillette Mach3 razor blades, ear tags
- on cows, kid bracelets in waterparks,
- pet tracking
- Logistics and supply-chain management
- Track a product from manufacturing through
shipping to the retail shelf - Gas station and highway toll payment
- Mobile SpeedPass
Reference www.cs.utexas.edu/shmat/
6Commercial Applications of RFID
- RFID cost is dropping dramatically, making it
possible to tag even low-value objects - Around 5c per tag, 100 for a reader
- Logistics and supply-chain management is the
killer application for RFID - Shipping, inventory tracking, shelf stocking,
anti-counterfeiting, anti-shoplifting - Massive deployment of RFID is in the works
- Wal-Mart pushing suppliers to use RFID at pallet
level, Gillette has ordered 500,000,000 RFID tags
Reference www.cs.utexas.edu/shmat/
7Future Applications of RFID
- Location Awareness
- Health Care
- Apparel
- Smart Shelf
Reference http//www.rfidjournal.com/
8RFID Tag Power Sources
- Passive (this is what mostly used now)
- Tags are inactive until the readers
interrogation signal wakes them up - Cheap, but short range only
- Semi-passive
- On-board battery, but cannot initiate
communication - Can serve as sensors, collect information from
environment for example, smart dust for
military applications - More expensive, longer range
- Active
- On-board battery, can initiate communication
Reference www.cs.utexas.edu/shmat/
9Security Problems of RFID
- Eavesdropping
- Hot-listing
- Attacker has special interests in certain items
- Replay attack
- Cloning
- Tracing
- Data forging
- Denial of Service
Fundamental problem Lack of mutual authentication
10Cryptography and Authentication
11Cryptographic System
12Four Basic Services of Cryptography
- Confidentiality (Secrecy) The intruder cannot
read the encrypted message from the ciphertext. - Authentication It should be possible for the
receiver of a message to ascertain its origin an
intruder should not be able to masquerade as
someone else. - Integrity It should be possible for the receiver
of a message to verify that it has not been
modified in transit an intruder cannot
substitute a false message for a legitimate one. - Nonrepudiation A sender should not be able to
falsely deny later that he sent a message.
13Cryptographic System
- Symmetric Cryptosystem The encryption
decryption keys are - the same. (EK(M) C DK(C) M).
- Asymmetric Cryptosystem Encryption
decryption keys are - different. (EK1(M)C DK2(C)M)
- The encryption key is public, while the
decryption key can not be - calculated from the public key.
14Symmetric Cryptosystem
- DES (1977)
- IDEA (1992)
- RC5 (1994)
- AES (2001)
15Asymmetric Cryptosystem
- RSA (1978)
- El-Gamal (1984)
- McEliece (1978)
- Knapsack (1978)
16RSA (Encryption Decryption)
- Public key n pq, p and q are large primes
(512 bit), - e ( gcd (e, (p-1)(q-1)) 1)
- Private key d, where ed 1 mod (p-1)( q-1)
- Encryption CM e mod n
- Decryption M C d mod n
- p47, q71, gt n3337
- e79, gt d 1019
- M688
- Encryption CM e mod n 68879 mod 3337 1570
- Decryption M C d mod n 15701019 mod 3337 688
17One-way hash function
- A hash (also known as a message digest) is a
one-way function. It is considered a one-way
because its not practical to figure out what
input corresponds to a given output. - We will use the term hash and message digest
interchangeably. The NIST message digest function
is called SHA-1, which stands for secure hash
algorithm, whereas the MD in the MD2,MD4,MD5
algorithm stands for message digest.
18One-way hash function
- Input X (unlimited length)
- Output YH(X) (fixed length, e.g., 160 bit)
- Given X, it is easy to compute Y.
- Given Y, and H( ), it is computational infeasible
to compute X. - Given X and Y, it is computational infeasible to
find X such that YH(X).
19One-way hash function
- There certainly will be many message that yield
the same message digest, because a message can be
of arbitrary length and the message digest will
be fixed length, for instance 128bits. - By trying lots of messages, one would eventually
find two that mapped to the same message digest. - The problem is that lots is so many that it is
essentially impossible.
20- The significant difference between a secret key
algorithm and a message digest algorithm is that
a secret key algorithm is designed to be
reversible and a message digest algorithm is
designed to be impossible to reverse. - In this section well use MD as a generic
message digest algorithm.
21Computing a MAC with a Hash
- The obvious thought is that MD(m) is a MAC for
message m. But it isnt. anyone can compute
MD(m). - We concatenate a shared secret KAB with the
message m, and use MD(KABm) as the MAC. - Some proposals with no known weaknesses are
- Put the secret at the end of the message instead
of at the beginning. - Use only half the bits of the message digest as
the MAC
22- Concatenate the secret to both the front and the
back of the message. - We call any hash combining the secret key and the
data a keyed hash.
23HMAC
- HMAC result from an effect to find a MAC
algorithm that could be proven to be secure if
the underlying message digests compression
function was secure. - They defined secure as having two properties
- Collision resistance
- An attacker doesnt know the key K cannot compute
the proper digest(K,x) for data x, even if the
attacker can see the value of digest(K,y) , for
arbitrary numbers of inputs y, with y no equal to
x.
24How to achieve Mutual Authentication between
two parties?
25Authentication functions
- By Message encryption
- The ciphertext of the entire message serves as
its authenticator - By Message authentication code (MAC)
- A public function of the message and a secret key
that produces a fixed-length value that serves as
the authenticator - By Hash function
- A public function that maps a message of any
length into a fixed-length hash value, which
serves as the authenticator
26Authentication (a)
Stores Key K
Stores Key K
RFID tag is authenticated If M DK(C)
- Confidentiality and authentication
27Authentication (b)
Uses Readers private key
Uses Readers public key
RFID tag is authenticated If M Dprivate_key(C)
28Authentication (c)
Uses tags public key
Uses tags private key
RFID tag is authenticated If M Dpublic_key(C)
- Authentication and signature
29Authentication (d)
Stores key K
Stores key K
RFID tag is authenticated If DK(C)Hash(M)
- Confidentiality and authentication
30Authentication (e)
Authentication (e)
31However, RFID tag
- No or very limited power
- Little memory
- Static 64- or 128-bit identifier in current
5-cent tags - Little computational power
- A few thousand gates at most
- Static keys for read/write access control
- Not enough resources to support public- or
symmetric-key cryptography - Cannot support modular arithmetic (RSA, DSS),
elliptic curves, DES, AES hash functions are
barely feasible - Is resettable
- Passive tag resets when power off
32Physical Solutions for RFID
33Physical Solutions
- Kill tag after purchase
- Faraday cage
- Active jamming
- Disables all RFID, including legitimate
applications - Guardian
- Blocker Tag
34Killing approach
- Special command permanently de-activates tag
after the product is purchased - Disables many futuristic applications
Reference www.rsa.com/rsalabs/staff/bios/ajuels/
35Faraday Cage
- Container made of foil or metal mesh,
impenetrable by radio signals of certain
frequencies - Shoplifters are already known to use foil-lined
bags - Maybe works for a wallet, but huge hassle in
general
Reference www.rsa.com/rsalabs/staff/bios/ajuels/
36Active Jamming (Guardian)
- A mobile battery-powered device that offers
personal RFID security and privacy management.
Reference http// www.rfidguardian.org
37Blocker Tag (The RXA Pharmacy)
Reference http// www.rfidjournal.com
38Blocker Tag How Does the Reader Read a Tag?
- When the reader sends a signal, more than one
RFID tag may respond this is a collision - Reader cannot accurately read information from
more than one tag at a time - Example every tagged item in a supermarket cart
responds to the cashiers RFID reader - Reader must engage in a special singulation
protocol to talk to each tag separately - Tree-walking is a common singulation method
- Used by 915 Mhz tags, expected to be the most
common type in the U.S.
Reference www.cs.utexas.edu/shmat/
39Blocker Tag Tree Walking
Reference www.cs.utexas.edu/shmat/
prefix0
prefix1
Reader broadcasts current prefix
Each tag with this prefix responds with its next
bit
prefix00
prefix01
prefix10
prefix11
If responses dont collide, reader adds 1 bit to
current prefix, otherwise tries both
possibilities
000
001
010
011
100
101
110
111
Every tag has a k-bit identifier
This takes O(k ? number of tags)
40Blocker Tag Example
Reference www.cs.utexas.edu/shmat/
1. Prefixempty
prefix0
prefix1
1a. Prefix0
1b. Prefix1
2. Prefix00
2. Prefix11
prefix00
prefix01
prefix10
prefix11
000
001
010
011
100
101
110
111
41Blocker Tag
Reference www.cs.utexas.edu/shmat/
Rivest, Juels, Szydlo
- A form of jamming broadcast both 0 and 1 in
response to any request from an RFID reader - Guarantees collision no matter what tags are
present - To talk to a tag, reader must traverse every tree
path - With 128-bit IDs, reader must try 2128 values
infeasible! - To prevent illegitimate blocking, make blocker
tag selective (block only certain ID ranges) - E.g., blocker tag blocks all IDs with first bit1
- Items on supermarket shelves have first bit0
- Cant block tags on unpurchased items
(anti-shoplifting) - After purchase, flip first bit on the tag from 0
to 1
42EPCglobal Class 1 Generation 2
- Most popular in long-range RFID applications
- Frequency 860-960 MHz
- Reading range10-20 Feet
- ISO 18000-6C
Reader
RFID tag
Memory Read/Write Other commands
43Problems in EPCglobal C1G2
- Long reading range
- A naïve protection
- Use of 16-bit random number
- Tag ID is transmitted in plaintext
- Lack of reader-to-tag authentication
Malicious Reader
RFID tag
Memory Read/Write Other commands
44Secure Protocols for RFID
45Secure RFID Protocols
- Hash-based Approaches
- 1 S. Weis, Security and Privacy in
Radio-Frequency Identification Devices, masters
thesis, Massachusetts Inst. of Technology (MIT),
Massachusetts, USA, May 2003. - 8 M. Ohkubo, K. Suzuki, and S. Kinoshita,
Cryptographic Approach to Privacy-Friendly
Tags, RFID Privacy Workshop, MIT, Massachusetts,
USA, Nov. 2003. - 9 T. Dimitriou, A Lightweight RFID Protocol to
protect against Traceability and Cloning
Attacks, Proc. 1st IEEE Conf. Security and
Privacy for Emerging Areas in Comm. Networks
(SecureComm 05), Sep. 2005. - 12 G. Tsudik, YA-TRAP Yet Another Trivial
RFID Authentication Protocol, Proc. 4th IEEE
Intl Conf. Pervasive Computing and Comm.
(PerCom06), Mar. 2006. - 13 G. Avoine and P. Oechslin, A Scalable and
Provably Secure Hash Based RFID Protocol, Proc.
3rd IEEE Intl Workshop Pervasive Computing and
Comm. Security (PERCOMW 05), Mar. 2005. - 14 D. Henrici and P. M uller, Hash-Based
Enhancement of Location Privacy for
Radio-Frequency Identification Devices Using
Varying Identifiers, Proc. First IEEE Intl
Workshop Pervasive Computing - and Comm. Security (PerSec 04), Mar. 2004.
- 36 Ohkubo, M., Suzuki, K., and Kinoshita, "RFID
privacy issues and technical challenges," Commun.
ACM 48, 9 (Sep. 2005).
46Secure RFID Protocols
- Lightweight Approaches
- 23 A. Juels, Strengthening EPC Tags Against
Cloning, Manuscript, RSA Laboratories, Mar.
2005. - 24 Y.C. Chen, W.L. Wang, and M.S. Hwang, RFID
Authentication Protocol for Anti-Counterfeiting
and Privacy Protection, Proc. 9th IEEE Intl
Conf. Advanced Comm. Technology (ICACT 07), Feb.
2007. - 25 A. Juels, Minimalist Cryptography for
Low-Cost RFID Tags, Proc. 4th Intl Conf. on
Security in Comm. Networks (SCN 04), Sep. 2004. - 26 Y.Z. Li et al., Security and Privacy on
Authentication Protocol for Low-cost RFID, Proc.
Intl Conf. Computational Intelligence and
Security (CIS 06), Nov. 2006. - 27 P. Peris-Lopez et al., M2AP A Minimalist
Mutual-Authentication Protocol for Low-Cost RFID
Tags, Proc. 3rd Intl Conf. Ubiquitous
Intelligence and Computing (UIC-06), Sep. 2006. - 29 H.Y. Chien, SASI A New Ultralightweight
RFID Authentication Protocol Providing Strong
Authentication and Strong Integrity, IEEE T.
Dependable Secure Comput., vol. 4, no. 4, pp.
337340, 2007. - 32 D.N. Duc et al., Enhancing Security of
EPCglobal Gen2 RFID Tag against Traceability and
Cloning, - Proc. 3rd Conf. Symp. Cryptography and Inf.
Security (SCIS06), Jan. 2006. - 35 A. Juels and S. Weis, Authenticating
Pervasive Devices with Human Protocols. Crypto,
Aug. 2005.
47Security Analysis of RFID Protocols
48SoHow to design a secure protocol for low-end
RFID Tag?
49Hung-Min Sun and Wei-Chih Ting , A Gen2-based
RFID Authentication Protocol for Security and
Privacy, accepted by IEEE Transactions on
Mobile Computing, Dec. 2008.
50Gen2
- Setup at manufacturer
- After sold
Write Tag keypool
M
Write Tag keypool
M
Tag keypool
U
End users or companies
51Gen2
Reader
RFID tag
U
End users or companies
52Gen2
a
b
(a,b)
U
53Gen2
- Results before enhancement
54Gen2
Reader
RFID tag
U
End users or companies
55- Results after enhancement
lt 10 rounds
56Possible applications
- Scenario A (Express gate)
ck
Verify ck
57Possible applications
- Scenario B (Indoor self management)
mobile RFID (reader embedded) e.g. ETRI WCDMA
phone
Payment, advertisement, touretc
Documents, drugs, foodetc
58Possible applications
- Scenario C (Outdoor passive blocking)
???
Query
59Thank YouQ A