RFID Security without Extensive Cryptography Sindhu Karthikeyan Mikhail Nesterenko Kent State University SASN November 07, 2005.
Post on 28-Dec-2015
215 Views
Preview:
Transcript
RFID Security without Extensive Cryptography
Sindhu Karthikeyan
Mikhail Nesterenko
Kent State University
SASNNovember 07, 2005
211/7/2005 SASN
RFIDs: Current State
• RFIDs allow effective identification of a large number of tagged items without physical or visual contact.
• RFID systems reduce the time and cost of processing tagged items• adopters:
Wal-Mart stores use RFID tags for tracking and maintaining their inventory Boeing and Airbus plan to use RFID tags to simplify identifying and tracking
the airplane parts Kodak uses RFID to track reusable containers in its manufacturing facilities libraries use RFID tags to track books circulation toll booths can automatically collect toll by inspecting a tag attached to the
windshield of a car
currently: crate/palette tagging even more effective: individual item tagging
311/7/2005 SASN
Security Problems of Individual Item Tagging
• major obstacle to individual item tagging: personal privacy intruder can read tags without authorization or eavesdrop on reader-tag communication
• novel types of security threats [MW04]intruder may track: learn the itinerary of tag holder by periodically querying tag
or eavesdropping on communications between tag and reader hotlist: compile list of items of particular interest and then singles
out individuals in possession of these items profile: learn what items a particular individual has
411/7/2005 SASN
How to Deal with Privacy Threat?
• erase info from tag after scanning does not allow repeated use of tag and
thus limits the utility of the technology
• periodically use secure channels for trust establishment or key refresh limits use of technology
• blocker tag requires the user to carry and manipulate the blocker
which may not be practical
• use (classic) cryptography due to tag resource limits crypto primitives (such as encode/
decode, digital sigs, crypto hash, quality random numbers) are not available tag-side
511/7/2005 SASN
Our Proposal
secure tag authentication algorithm
• based on matrix multiplication, does not use extensive crypto modest tag-side storage and computation requirements
can be implemented using currently available RFID technology
• secure against known-ciphertext attacks RFID-specific attacks
multiple tag sequencing extends the algorithm so that the reader can concurrently
identify multiple tags
611/7/2005 SASN
Outline
• security identification algorithm RFID system outline algorithm description security discussion
• multiple tag sequencing
• resource requirements estimate
• extensions and future work
711/7/2005 SASN
taggeditem
RFID System Overview
• RFID tag – a miniature electronic circuit (500 to 5000 gates) capable of elementary information storage, processing and radio communication
• RFID reader – device designed to identify the tag connected to database containing information about tag and tagged item
• tag and reader communicate over radio channel• intruder - an entity who tries to compromise the RFID system
has complete access to radio channel
radio channel
database
intruder• has access to channel• cannot access memory of reader/tag/database
tag • stores a limited amount of data• performs elementary operations such as byte-size integer addition and multiplication• runs a timer
reader• has sizable communication and storage facilities
tag
reader
811/7/2005 SASN
Secure Tag Authentication
• tag stores square p×p matrices: M1 and M2-1,
• reader maintains another two matrices: M2 and M1-1 of same size
• tag and reader share a key K – a vector of size q = rp• X= KM1 uniquely identifies the tag
• when reader receives X, it can obtain the rest of information about tag and tagged item from its database
• if reader authentication fails or the reader fails to respond before the timeout expires, the tag stops further communication until reset
reader tag
identify tag by matching X
hello
start timerX
computeX ← KM1
K, M1, M2-1K, M1
-1, M2
phase I
Y, Z
verify YM2-1 = (K1K2 …Kr),
get fresh key K ← ZM2-1
stop timer
phase II
pick Knew, computeY← (K1K2 …Kr) M2
Z← KnewM2
911/7/2005 SASN
Security Discussion
• recovering the multiplicand or multiplier from the product of matrix multiplication is computationally difficult the intruder can not discover the key or the matrices
used by the tag and the reader assume no known plaintext can’t find tag id can’t mount hotlisting or profiling attacks
as the intruder cannot deduce either the key or the matrices, he cannot authenticate himself to the tag:
any identification session with the intruder is aborted can’t do effective tracking
1011/7/2005 SASN
Outline
• security identification algorithm RFID system outline algorithm description security discussion
• multiple tag sequencing
• resource requirements estimate
• extensions and future work
1111/7/2005 SASN
Problem Statement & Assumptions
• problem tags share channel don’t have channel arbitration
capabilities
• assume can detect collision can send key one bit at a time
1211/7/2005 SASN
Proposed Scheme
• augments our tag identification algorithm to enable the reader to communicate with multiple tags
• phase I run concurrently the reader learns the keys of all the tags present each tag learns its key's position in the order (e.g., ascending) of
the keys of the tags participating in the identification session
• phase II the reader broadcasts the messages for the tags
in the order of their keys each tag receives the message sent specifically to it and
ignores the rest
1311/7/2005 SASN
a0
b
d
0
0
1
0
f011
c
e
h
0
0
1
0
1
1 1 1
100 101
1
g
• path from root to leaf – tag’s key• growth point – part of path already learned• trial – discover next bit on path after growth point & determine if the paths split
collision
collision
Reader-Side Sequencing
1411/7/2005 SASN
Resource Requirements Estimate
• key size of 8 bytes provides sufficient key space for most RFID applications.
• the matrices of 4×4 bytes provide adequate security.
• a few byte-size integer counters are necessary to implement multiple tag sequencing.
• during the identification session, the reader and the tag exchange a hello-message and two messages of 8 and 9 bytes respectively
• the storage requirements of our algorithm are modestmost of the chip-space is occupied by the byte-multiplier
the requirements are within the current capabilities of RFID tags
1511/7/2005 SASN
Extensions and Future Work
• denial of service attack possible intruder can block the tags from further identification
by botching authentication sessions
need protection
• need secure channel to unblock tags and refresh tag-side info may be time/resource consuming,
especially if items are hard to access (airplane parts?)
need effective secure channel or way to avoid using it
• possible compromise if intruder can track tag over multiple sessions outside radio channel additional key to generate longer non-repeating keys
• brute-force guessing attack potentially possible may need to increase size of matrix/key
RFID Security without Extensive Cryptography
Sindhu KarthikeyanMikhail Nesterenko
thank you
top related