Vamsikrishna Ambati

1
Security in RFID
Presented By NetSecurity-Spring07
Vamsikrishna Ambati Kokil Bhalerao Chandra
S.Cheruku HariPriya Chintalapati NagaKalyani
Padakanti Shveta Shahi
2
Presentation Objectives
What is RFID?? RFID System Components Architec
ture Applications Security Issues and
Challenges Conclusion
3
What is RFID ??
RFID (Radio Frequency Identification) uses a
micro-chip in a tag to transmit stored
data when the tag is exposed to radio waves of
the correct frequency.
System of tags, readers, antennas, and software.
Tag wirelessly sends bits of data when it is
triggered by a reader.

• Reader transmits radio frequency energy
• Provides power for the tag.
• Enables communications to and from the tag.
• Different operating frequencies are possible.

4
RFID System Architecture

• RFID systems are composed of three key
  components..
• The RFID tag, or transponder, carries object
  identifying data.
• The RFID tag reader, or transceiver, reads and
  writes tag data.
• The back-end database stores records
  associated with tag contents.

5
RFID Tags..
Tags can be active or passive.
Passive RFID Active RFID
Tag Battery No Yes
Availability of power Only in field of reader Continuous
Signal Strength Very High Very Low
Range Up to 3-5m Up to 100m
Antenna
Active
Passive
6
RFID Applications..
Personal Productivity

• Automatic toll collection
• Ticketing and event access
• Library checkout

Other Applications

• Automobile Keyless entry
• E-Passport

7
RFID Challenges..
Wig model 143 (cheap polyester)

• The Privacy Problem

Hacking BOA
1000 in wallet
30 Items of candies

• Security
• Reader Collision
• Tag Collision
• Signal Interference in noise
• Inconsistent data

8
RFID Security Issues

• User Privacy
• Replay Attack
• Virus Injection
• Denial of service
• Tag Cloning

9
User Privacy

• Few concerns related to user privacy
• Products labeled with insecure tags may reveal
  sensitive information.
• Location privacy violation which may lead to
  tracking of individual by the tags they carry.

Replay Attack

• RFID passport have signed biometric stored in
  RFID chip. When there read request it just
  return the stored value. This signal can be
  captured and a device can be made to replay the
  same signal which may seem to come from valid
  RFID passport.

Security Concern with replay attack
10
Virus Injection

• Virus can be injected while data is in transit
• Concerns with virus injection
• Tags scanned after the database is infected can
  also be infected with the virus.
• A malicious activity like dropping database
  tables is possible.

Denial Of Service
Concerns with denial of service

• Thieves could remove tags or put in
  foil-lined booster bag that will block RFID
• readers request and temporarily deactivate
  the tag.
• An attacker could attach RFID on other items
  causing RFID system to record
• useless data which will flood an RFID system
  with more data then it can handle.

11
Tag Cloning
Ability to spoof tags to overwrite the data in
tags, overwrite the tag ID. A data integrity
attack.

• Few security concerns
• Replace the tag for an expensive item with the
  tag of cheaper item.
• Switching two books RFID data or changing the
  security status of the tags.

12
Solutions to security issues

• Kill Tag
• Smart RFID Tag
• Blocker Tag
• DST Tag
• Authentication Protocol

• Simplified Authentication protocol
• Enhanced Authentication protocol

13
The Kill Tag Approach.

• Used to protect consumer privacy.
• The RFID tag of the object is killed by sending a
  special kill command to the tag.
• A killed tag can never be reactivated.
• Example
• An RFID tag is killed by check out clerk
  before the object is given to customer.
• Drawback

• It is undesirable in many environments.
• Many applications require the tag to be
  active even after purchase.

14
Smart RFID Tags

• Protect consumer privacy while RFID tag remains
  active.
• Types of smart RFID tag
• Hash Lock Approach.
• Simple access control mechanism based on
  one way hash function.
• Randomization Hash Lock Approach.
• Similar to hash lock but a random number
  generator is also
• embedded along with one way hash
  function.

Hash Lock Locking protocol

1. Reader R selects a random key and computes metaID
   hash(key).
2. R writes metaID to tag T.
3. T enters the locked state.
4. R stores the pair(metaID, key) locally.

15
Hash Lock Approach unlock
database
query
Reader
Tag
metaID
metaID
(key,metaID)
Key
ID

• Strength of Hash lock Approach
• Prevent unauthorized reader from reading the tag
  because of one-wayness of hash
• Weakness of Hash lock Approach
• The unauthorized reader can keep track of tag
  using metaID.

16
Randomized Hash lock unlock
database
query
Reader
Tag
Get all IDs
R,h(IDkR)
ID1, ID2.IDk
IDk
Strength of Randomized Hash lock Approach
Address the problem of tracking tags by their
metaID Weakness of Randomized Hash lock
Approach Impractical for reader with large
number of IDs
17
Blocker Tag..

• A blocker tag prevents RFID tags from being read
• RFID reader can read one tag at a time
• Reader will unable to read information if more
  than one tag responses
• A blocker tag takes advantage of this technique
  to block the reader
• When a reader try to read a tag belonging to a
  privacy zone, then the blocker tag confuses the
  reader by always responding
• This way, blocker tag blocks any tag from being
  read.
• Weakness of Blocker tag
• It can be used as malicious tool.

Digital Signature Transponder

• It uses cryptographic mechanism in wireless
  authentication applications
• It acts as a passive transponder and implements a
  challenge-response authentication using block
  cipher
• A DST tag contains non-volatile RAM to store
  40-bit encryption key.

18
DST algorithm
Reader (40-bit encrypt. Key)
Tag (40-bit encrypt. Key)
1.40-bit challenge
2. Encipher to 40-bit Cipher text
3. Truncates to 24-bit response
4. 24-bit response
5. Calculates expected challenge
6. Compares calculated challenge with tag
response
19
Simplified Authentication Protocol
ID h(ID)
XXX yyy
aaa bbb
Tag
Reader

• Strength of Simplified Authentication Protocol
• Provides protection against tracking, tag cloning
  and it also provides forward security.
• Weakness of Simplified Authentication Protocol
• Replay Attack
• Database De-synchronization

20
Enhanced Authentication Protocol
ID h(ID)
XXX yyy
aaa bbb
Tag
Strength of Enhanced Authentication Protocol
Reader

• Tag cannot be attacked because if attacker is
  masquerading as reader then he will not know the
  shared secret which is ID of the tag.
• Reader cannot be attacked because of the shared
  secret.
• Which protects against replay and database
  de-synchronization attack.
• The communication between tag and reader cannot
  be attacked because of one-way of hash.
• User privacy cannot be attacked because no
  identity is released by the tag.
• Location privacy cannot be attacked because ID
  value changes with every read.

21
Conclusion

• RFID definitely has some security issues that
  need to be addressed.
• According to latest report from Texas Instruments
  there is no fraud reported with DST approach in
  last eight years.
• In enhanced authentication protocol, both reader
  and tag are authenticated by each other.
• Enhanced authentication protocol is most secure
  solution and uptill now we didnt identify any
  weakness associated with this protocol.

22
References

• http//www.rfidjournal.com/article/articleview/549
  /1/1/
• http//en.wikipedia.org/wiki/Digital_Signature_Tra
  nsponder
• Stephens August Weis, " Security and Privacy in
  Radio-Frequency Identification Devices
• Ari Juels and Ronald L. Rivest and Michael
  Szydlo, "The Blocker Tag Selective Blocking of
  RFID Tags for Consumer Privacy

23
Any Questions
Thank U..