CHALLENGING Issues in RFID Security

CHALLENGING ISSUES IN RFID SECURITYKwangjo Kim

2

Contents Introduction

RFID and its Applications Korean Status and Auto ID Labs

Security Threats for RFID Traditional Threats : Tag Cloning, Privacy Invasion, Denial/Disruption of Service New Threats: Location-based Attacks (Mafia Fraud/Terrorist Attacks), Side Channel Attack

Current Countermeasures for Secure RFID Cryptographic primitives -based Protocol : Hash-based, LPN-based, CRC-based, Ultra-lightweight Protocols: XOR, ADD, Rotate, etc. Provable secure Protocol: Modeling of Adversary, Universal Composability (UC)-

Framawork, Multi Tag Scanning Protocols : Yorking proof or Grouping Radiation security and non-invasive analysis: Distance-bounding, SCA

Open Issues in RFID Security and Concluding Remarks Functional LW Cryptographic Primitives (Im)Possibility of Certain Cryptographic Tasks New Security Model Effective Methods against Location-based Attacks Protection against SCA

What is RFID?

I. Introduction

4

Introduction – RFID (1/3)

TagsAttached to objects, give out their (unique) EPC# via RF signal

Readers 1. Query & read EPC# from tags via

RF signal2. Get more info. about EPC# from

EPC-IS3. Update EPC-IS: e.g., EPC# arrived at

10:53pm at location X

RF signal (contactless)Range: around 10 meters

EPC-Information Services (EPC-IS)Detailed real-time info about EPC# is constantly updated and maintained in here

Share Info

2: Reply EPC# 1: Query3: Send EPC#

4: Receive EPC#: Info

5

Introduction – RFID Applications (2/3)

In future RFID would automate supply-chain management EPC-IS assists geographically distributed supply-chain partners

to share real-time info about RFID-tagged products they are handling

RFID-based Supply-Chain Management System

* Please view the above figure in full screen mode

6

Introduction – RFID Applications (3/3)

RFID-Tagged item

Consumer shopping RFID-tagged items

Smart Home

RFID-Reader Enabled Devices

Mobile RFID: Mobile Phone with RFID-reader chip

RFID

READER

RFID

READER

Home-server

RFID-based Applications for Consumers

RFID/USN : Infra for Knowledge-Based Era in Korea

Network in which wire/wireless linkage of multiple sensors collects, integrates, processes & utilizes information

RFID + USN

To be developed into an intelligent infra in the future

•RFID/USN developing process: Tag + Sensor Intelligent control

The technology enabling readers to recognize, process and utilize the information in tags without physical contact

RFID USN

Healthy monitoring anytime & anywhereSafe & healthy food

Enhancing industrial competitiveness Strengthening monitoring/awareness

Creating comfort environmentManaging facilities efficientlyImproving transparency/productivity

Convenient shopping

RFID/USN

Current Korean Status of RFID/USN Industry

Market size Industry structure

’Domestic market in 08’: About KW 550 billion(Annual growth rate: RFID - 39%, USN - 35%)

(Unit: 100Million won)Market trend

4,333

2,871

5,547

20072006 2008

8965691,402

3,4372,353

4,145

RFID

USN

Composed of about 360 companies

RFID tag · leader

Middleware · SI

USN(Sensor node)

176 companies including LS Industrial System& Samgsung Techwin

88 companies including Asiana IDT & Samsung SDS

99 companies including Green Sensor & Nuri Telecom

· Most of part & equipment companies are small/medium-sized except for LG Industrial System & Samsung Techwin · focuses on developing & providing services to create new businesses but does not excel in specialization.

Auto-ID Labs

Auto-ID Lab, Korea

Joined Auto-ID Labs on April 2005 ICU merged with KAIST as of March 1, 2009

Internet of Things RF, Chip design (air interface for active RFID tag, WSN)

ZigBee transceiver, IR-UWB transceiver, Wake-up circuit, etc. EPC Sensor Network : Integration of EPCglobal architecture framework

and

wireless sensor network (WSN) technology RFID / WSN Privacy & Security

Anti-counterfeiting, Lightweight cryptography, etc. RFID/WSN Business, Application

BM for food safety system, autonomous vehicles, ubiquitous city,

agriculture, healthcare, etc.

Daeyoung Kimkimd@kaist

Seongook [email protected]

Sanggug [email protected]

Hyuckjae [email protected]

Kwangjo Kimkkj@kaist

Myungryul [email protected]

JaeJeung Rhojjroh@kaist

Junghoon Moonjmoon@kaist

What are security threats in RFID?

II. Security Threats on RFID

12

RFID Security Threats (1/4)

Cloned Fake Tags

Malicious Readers

Man-in-the-Middle AttackDenial/Disruption of Service

ID#

Privacy Violation

RFID Security Threats: Location-based Attacks (2/4)

RFID Authentication Protocol does not address location of tags: Tags out of communication range of a reader

should not be authenticated. Location-based Attacks[Brands&Cham@EC93]

Mafia Fraud Attack (Distance Fraud Attack): Attacker simply relays messages between two honest parties.

Terrorist Attack: Extended mafia fraud attack in which attacker collaborates with one of dishonest party.

RFID Security Threats: Location-based Attacks (3/4)

Mafia Fraud Attack on RFID:Rouge Tag Reader Challen

ge

Response

Rouge ReaderChalleng

e

Response

Tag

ChallengeResponse

Communication range of the reader

RFID Security Threats: SCA (4/4)

SCA potentially is the most serious threat to RFID tags, which implement cryptographic functions.

Typical side channel information Timing information, computation fault, power consumption and EM radiation EM analysis on HF-RFID, UHF-RFID, UHF-EPC-C1G2Tag

EM radiation based non-invasive analysis becomes more viable than invasive analysis.

Crypto enabled RFID

ComputerOscilloscope

Control, Ciphertext

Control, Side channel information

What have been done to counter security threats?

III. Current Countermeasures

17

Hash-based ProtocolsHash-lock Scheme[3]

metaID = h(k)

Extended Hash-lock Scheme[2,8]

Major Drawback:

The server has to go through the whole tag database and compute the hash chains to identify a tag.

LPN-based Protocols (1/3) Binary inner-product of two k-bit values a and x:

z = a x = (a0 x0) (a1 x1) … (ak-1 xk-1) Binary-inner product can be implemented easily on

low-cost hardware. Question is: where is the hard problem?

Learning Parity with Noise (LPN) Problem: LPN problem: Given a set of (ai, zi) where z = (ai

x) vi and vi is generated at a fixed probability, compute x.a

(ai, zi) appears as a true (k+1)-bit string.

LPN-based Protocols (2/3) HB+ Authentication Protocol by Juels and

WeisTag (k-bit secret x and y; )

Reader (k-bit secret x and y)

a R {0, 1}k

a

z Check z = (a x) (b y)

b R {0, 1}k

b

Repeat above step q times.Accept only if about q responses of Tag are

incorrect

z = (a x) (b y)

{0, 1|Prob[ =1] = }

LPN-based Protocols (3/3) HB+ is not secure against man-in-the-middle

attacks:

Several attempts (HB-MP, HB++, HB#, HB-trusted) to secure HB+ against MIMA have failed.

Tag (k-bit secret x and y; )

Reader (k-bit secret x and y)

a R {0, 1}ka

z’ = (a’ x) (b y) z’

{0, 1|Prob[ =1] = }

b R {0, 1}k

b

……..

a’ = a

If authentication succeeds, it is likely that (a’ x) (b y) = (a x) (b y) , but (a’ x) = (a ) x = (a x) ( x),

therefore x = 0. Otherwise, x = 1

21

Ultra-lightweight Protocols (1/2)

EPCglobal C-1 Gen-2 Tag: 4 Memory Banks

One-Way Reader to Tag Authentication Proposed by EPCglobal Standard[1]

Not Secure Un-encrypted openly sent random numbers Tag’s Access Password easily exposed

22

Ultra-lightweight Protocols (2/2) Utilize lightweight primitives

RNG, CRC, and bit-wise operators such as XOR, AND, OR, rotate, etc.

Drawbacks De-synchronization of session keys Replay (impersonation) attacks full-disclosure of tag’s secret information

O-FRAP & O-FRAKE (1/2) Optimistic Forward-Secure Authentication Protocol

Mutual Authentication Privacy Protection using Pseudonym Secure key exchange (O-FRAKE) Tag database indexed by tag pseudonym for fast look

up Forward security by updating shared secret after

each successful session Resistant against de-synchronization of secret by

storing two versions of secret in tag database Secure from in Universal Composable(UC) Framework

O-FRAP & O-FRAKE (2/2)

DoS attack: server searches the whole database if receiving an invalid pseudonym (\bar{r}tag).

De-synchronization of secret: modify v3’ to cause tag not to update its secret

F: pseudorandom

function

Multiple Tag Scanning Protocols (1/3)

Reader produces a co-existence proof of multiple tags Scan tags supposed to be near together,

e.g., tags on different parts of a car. Yoking-Proof by Juels: scanning a group

of two tags

Multiple Tag Scanning Protocols (2/3)

Grouping-Proof: scanning a group of n tags

Multiple Tag Scanning Protocols (3/3)

Many multiple tag scanning protocols are subject to replay attack.

All of multiple tag scanning protocols are subject to mafia fraud attack:

Distance-bounding Protocols (1/2) Distance-bounding Protocol:

Prevent mafia fraud attack by verifying location of tags using round-trip time.

Approach: Repeat a simple (and fast) authentication

step multiple times. Measure time taken by each authentication

step Accept only if every authentication step is

successful and the time taken is less than a pre-defined value.

Distance-bounding Protocols (2/2) Hancke-Kuhn distance-bounding Protocol

[6]

Side Channel Analysis and protection on RFID

High frequency (HF) RFID tag (13.56 MHz)

Smart Card regard as RFID•D. Carluccio, K. Lemke, and C. Paar. “Electromag-netic side channel analysis of a contactless smart card: First results”, In the Proceedings of Workshop on RFID and Lightweight Crypto (RFIDSec05), 2005.

•S. Chaumette, D., and Sauveron. “An efficient and simple way to test the security of Java Cards”, In WOSIS 2005, 3rd International Workshop on Secu-rity in Information Systems, April 2005. Miami, Fl., USA, April 2005.

Artificially generated passive HF RFID set-tings•M. Hutter, S. Mangard, and M. Feldhofer, “Power and EM Attacks on Passive 13.56 MHz RFID De-vices”, In the Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2007), LNCS 4727, pp. 320-333, Springer-Verlag, 2007.•Power analysis and EM analysis on their own RFID prototype with AES

Ultra-high frequency (UHF)

RFID tag (900 MHz)Experimental Result without countermea-sures•T. Plos, “Susceptibility of UHF RFID Tags to Elec-tromagnetic Analysis”, CT-RSA 2008, LNCS 4964, pp.288-300, 2008.

Experimental Result with common coun-termeasures•Y. Oren and A. Shamir, “Remote Password Extrac-tion from RFID Tags”, IEEE Transactions on Com-puters, 56(9):1292-1296, 2007. •Show a successful analysis result which can be used to extract kill password remotely from a UHF EPC tag.

•Suggest common countermeasures to prevent the analysis with examples•Add Noise to power consumption•Consume the same amount of power every clock cycle

31

Map of Current Countermeasures

Security for RFID SystemPhysical Security

Kill tag

Blocker tag

Active Jamming

PUF

SCA

Cryptographic Protocol

Authentication Proto-col

Password-based

Kill PW

Access PW

Hash-based

Static ID

Dynamic ID

(Pseudonym)

LPN-based

HB+

HB#

Ultra lightweight-based

RNG

XOR AND

CRC

ROT

Encryption-based

Symmet-ric

Key

Stream (LFSR)

Block (TEA, AES)

Asymmet-ricKey

ECCHECC

Universal Reencryp-

tion

Multi-tag scanning

Yorking

Secure (EPCglobal) Architecture Frame-

workSecure Reader Proto-

col

Middleware Security

Server Security

Database Security

ONS(DNS) Security

Network Security

Key Management

Certificate Profile* All 7 Auto ID labs work together now.

What are the remaining issues in RFID Security?

Open Issues in RFID Security

Open Issues: Functional LW Crypto- Primitives

Many conventional crypto-primitives are not suitable for low-cost RFID Tags Find efficient implementation of

conventional primitives for low-cost tags Design new lightweight primitives

Both of above works require large attention Rigorous analysis and implementation of

cryptographic primitives (Hashing, MAC, PRNG, AIA) for RFID

Open Issues: (Im)Possibility of Certain Cryptographic Tasks

Before designing a cryptographic task Possible to realize the task at all? If yes, what is the minimal assumption/primitive required

to realize the task ? Vaudenay showed that strong forward security is im-

possible and Gilbert [eprint95] no security on MIMA Impossibility of robust interactive key-evolving ?

In RFID, forward security requires interactive key-evolving between reader and tag.

Possible to realize a robust interactive key-evolving against de-synchronization of secret ?

Identify controversial requirements

Open Issues: Security Models

Known security models of “reader” and “server”. Security of protocols heavily depend on

level of trust on RFID reader and server. If not considered, we would significantly

separate “theoretical security” and “real-world security”.

No security model for multiple-tag scanning One has to consider mafia fraud attack in a

security model. Otherwise, security cannot be proved.

Open Issues: Countermeasures against Location-based Attacks

Mafia fraud attack is simple yet serious Attacker steals a tagged item then executes the

attack to make the reader believes that the item is actually nearby.

Few researches on countermeasures against location-based attacks. We have surveyed only Hancke-Kuhn protocol

and a few of its variations. We also need theoretical analysis of

(im)possibility of countermeasure against location-based attacks.

Open Issues: Protection against SCA

Few published works on SCA on RFID tag Need to find more approaches of differential

electromagnetic analysis (DEMA) and its countermeasures.

Hiding and Masking methods for RFID Invent countermeasures at the logic cell-level Consider Trade-off between tag cost and security

Establish the common criteria(CC) for secure RFID tag.

Build up the standard for cryptographic primitives, protocols for RFID tags.

Concluding Remarks• We didn’t survey all publications, but

suggested pros and cons of previous main researches.

• “No panacea”, but require tradeoff between level of security and performance.

• SCA will be one of emerging attacks.• New primitives: time-released crypto,

etc.