CHALLENGING ISSUES IN RFID SECURITY Kwangjo Kim
Feb 23, 2016
CHALLENGING ISSUES IN RFID SECURITYKwangjo Kim
2
Contents Introduction
RFID and its Applications Korean Status and Auto ID Labs
Security Threats for RFID Traditional Threats : Tag Cloning, Privacy Invasion, Denial/Disruption of Service New Threats: Location-based Attacks (Mafia Fraud/Terrorist Attacks), Side Channel Attack
Current Countermeasures for Secure RFID Cryptographic primitives -based Protocol : Hash-based, LPN-based, CRC-based, Ultra-lightweight Protocols: XOR, ADD, Rotate, etc. Provable secure Protocol: Modeling of Adversary, Universal Composability (UC)-
Framawork, Multi Tag Scanning Protocols : Yorking proof or Grouping Radiation security and non-invasive analysis: Distance-bounding, SCA
Open Issues in RFID Security and Concluding Remarks Functional LW Cryptographic Primitives (Im)Possibility of Certain Cryptographic Tasks New Security Model Effective Methods against Location-based Attacks Protection against SCA
What is RFID?
I. Introduction
4
Introduction – RFID (1/3)
TagsAttached to objects, give out their (unique) EPC# via RF signal
Readers 1. Query & read EPC# from tags via
RF signal2. Get more info. about EPC# from
EPC-IS3. Update EPC-IS: e.g., EPC# arrived at
10:53pm at location X
RF signal (contactless)Range: around 10 meters
EPC-Information Services (EPC-IS)Detailed real-time info about EPC# is constantly updated and maintained in here
Share Info
2: Reply EPC# 1: Query3: Send EPC#
4: Receive EPC#: Info
5
Introduction – RFID Applications (2/3)
In future RFID would automate supply-chain management EPC-IS assists geographically distributed supply-chain partners
to share real-time info about RFID-tagged products they are handling
RFID-based Supply-Chain Management System
* Please view the above figure in full screen mode
6
Introduction – RFID Applications (3/3)
RFID-Tagged item
Consumer shopping RFID-tagged items
Smart Home
RFID-Reader Enabled Devices
Mobile RFID: Mobile Phone with RFID-reader chip
RFID
READER
RFID
READER
Home-server
RFID-based Applications for Consumers
RFID/USN : Infra for Knowledge-Based Era in Korea
Network in which wire/wireless linkage of multiple sensors collects, integrates, processes & utilizes information
RFID + USN
To be developed into an intelligent infra in the future
•RFID/USN developing process: Tag + Sensor Intelligent control
The technology enabling readers to recognize, process and utilize the information in tags without physical contact
RFID USN
Healthy monitoring anytime & anywhereSafe & healthy food
Enhancing industrial competitiveness Strengthening monitoring/awareness
Creating comfort environmentManaging facilities efficientlyImproving transparency/productivity
Convenient shopping
RFID/USN
Current Korean Status of RFID/USN Industry
Market size Industry structure
’Domestic market in 08’: About KW 550 billion(Annual growth rate: RFID - 39%, USN - 35%)
(Unit: 100Million won)Market trend
4,333
2,871
5,547
20072006 2008
8965691,402
3,4372,353
4,145
RFID
USN
Composed of about 360 companies
RFID tag · leader
Middleware · SI
USN(Sensor node)
176 companies including LS Industrial System& Samgsung Techwin
88 companies including Asiana IDT & Samsung SDS
99 companies including Green Sensor & Nuri Telecom
· Most of part & equipment companies are small/medium-sized except for LG Industrial System & Samsung Techwin · focuses on developing & providing services to create new businesses but does not excel in specialization.
Auto-ID Labs
Auto-ID Lab, Korea
Joined Auto-ID Labs on April 2005 ICU merged with KAIST as of March 1, 2009
Internet of Things RF, Chip design (air interface for active RFID tag, WSN)
ZigBee transceiver, IR-UWB transceiver, Wake-up circuit, etc. EPC Sensor Network : Integration of EPCglobal architecture framework
and
wireless sensor network (WSN) technology RFID / WSN Privacy & Security
Anti-counterfeiting, Lightweight cryptography, etc. RFID/WSN Business, Application
BM for food safety system, autonomous vehicles, ubiquitous city,
agriculture, healthcare, etc.
Daeyoung Kimkimd@kaist
Seongook [email protected]
Sanggug [email protected]
Hyuckjae [email protected]
Kwangjo Kimkkj@kaist
Myungryul [email protected]
JaeJeung Rhojjroh@kaist
Junghoon Moonjmoon@kaist
What are security threats in RFID?
II. Security Threats on RFID
12
RFID Security Threats (1/4)
Cloned Fake Tags
Malicious Readers
Man-in-the-Middle AttackDenial/Disruption of Service
ID#
Privacy Violation
RFID Security Threats: Location-based Attacks (2/4)
RFID Authentication Protocol does not address location of tags: Tags out of communication range of a reader
should not be authenticated. Location-based Attacks[Brands&Cham@EC93]
Mafia Fraud Attack (Distance Fraud Attack): Attacker simply relays messages between two honest parties.
Terrorist Attack: Extended mafia fraud attack in which attacker collaborates with one of dishonest party.
RFID Security Threats: Location-based Attacks (3/4)
Mafia Fraud Attack on RFID:Rouge Tag Reader Challen
ge
Response
Rouge ReaderChalleng
e
Response
Tag
ChallengeResponse
Communication range of the reader
RFID Security Threats: SCA (4/4)
SCA potentially is the most serious threat to RFID tags, which implement cryptographic functions.
Typical side channel information Timing information, computation fault, power consumption and EM radiation EM analysis on HF-RFID, UHF-RFID, UHF-EPC-C1G2Tag
EM radiation based non-invasive analysis becomes more viable than invasive analysis.
Crypto enabled RFID
ComputerOscilloscope
Control, Ciphertext
Control, Side channel information
What have been done to counter security threats?
III. Current Countermeasures
17
Hash-based ProtocolsHash-lock Scheme[3]
metaID = h(k)
Extended Hash-lock Scheme[2,8]
Major Drawback:
The server has to go through the whole tag database and compute the hash chains to identify a tag.
LPN-based Protocols (1/3) Binary inner-product of two k-bit values a and x:
z = a x = (a0 x0) (a1 x1) … (ak-1 xk-1) Binary-inner product can be implemented easily on
low-cost hardware. Question is: where is the hard problem?
Learning Parity with Noise (LPN) Problem: LPN problem: Given a set of (ai, zi) where z = (ai
x) vi and vi is generated at a fixed probability, compute x.a
(ai, zi) appears as a true (k+1)-bit string.
LPN-based Protocols (2/3) HB+ Authentication Protocol by Juels and
WeisTag (k-bit secret x and y; )
Reader (k-bit secret x and y)
a R {0, 1}k
a
z Check z = (a x) (b y)
b R {0, 1}k
b
Repeat above step q times.Accept only if about q responses of Tag are
incorrect
z = (a x) (b y)
{0, 1|Prob[ =1] = }
LPN-based Protocols (3/3) HB+ is not secure against man-in-the-middle
attacks:
Several attempts (HB-MP, HB++, HB#, HB-trusted) to secure HB+ against MIMA have failed.
Tag (k-bit secret x and y; )
Reader (k-bit secret x and y)
a R {0, 1}ka
z’ = (a’ x) (b y) z’
{0, 1|Prob[ =1] = }
b R {0, 1}k
b
……..
a’ = a
If authentication succeeds, it is likely that (a’ x) (b y) = (a x) (b y) , but (a’ x) = (a ) x = (a x) ( x),
therefore x = 0. Otherwise, x = 1
21
Ultra-lightweight Protocols (1/2)
EPCglobal C-1 Gen-2 Tag: 4 Memory Banks
One-Way Reader to Tag Authentication Proposed by EPCglobal Standard[1]
Not Secure Un-encrypted openly sent random numbers Tag’s Access Password easily exposed
22
Ultra-lightweight Protocols (2/2) Utilize lightweight primitives
RNG, CRC, and bit-wise operators such as XOR, AND, OR, rotate, etc.
Drawbacks De-synchronization of session keys Replay (impersonation) attacks full-disclosure of tag’s secret information
O-FRAP & O-FRAKE (1/2) Optimistic Forward-Secure Authentication Protocol
Mutual Authentication Privacy Protection using Pseudonym Secure key exchange (O-FRAKE) Tag database indexed by tag pseudonym for fast look
up Forward security by updating shared secret after
each successful session Resistant against de-synchronization of secret by
storing two versions of secret in tag database Secure from in Universal Composable(UC) Framework
O-FRAP & O-FRAKE (2/2)
DoS attack: server searches the whole database if receiving an invalid pseudonym (\bar{r}tag).
De-synchronization of secret: modify v3’ to cause tag not to update its secret
F: pseudorandom
function
Multiple Tag Scanning Protocols (1/3)
Reader produces a co-existence proof of multiple tags Scan tags supposed to be near together,
e.g., tags on different parts of a car. Yoking-Proof by Juels: scanning a group
of two tags
Multiple Tag Scanning Protocols (2/3)
Grouping-Proof: scanning a group of n tags
Multiple Tag Scanning Protocols (3/3)
Many multiple tag scanning protocols are subject to replay attack.
All of multiple tag scanning protocols are subject to mafia fraud attack:
Distance-bounding Protocols (1/2) Distance-bounding Protocol:
Prevent mafia fraud attack by verifying location of tags using round-trip time.
Approach: Repeat a simple (and fast) authentication
step multiple times. Measure time taken by each authentication
step Accept only if every authentication step is
successful and the time taken is less than a pre-defined value.
Distance-bounding Protocols (2/2) Hancke-Kuhn distance-bounding Protocol
[6]
Side Channel Analysis and protection on RFID
High frequency (HF) RFID tag (13.56 MHz)
Smart Card regard as RFID•D. Carluccio, K. Lemke, and C. Paar. “Electromag-netic side channel analysis of a contactless smart card: First results”, In the Proceedings of Workshop on RFID and Lightweight Crypto (RFIDSec05), 2005.
•S. Chaumette, D., and Sauveron. “An efficient and simple way to test the security of Java Cards”, In WOSIS 2005, 3rd International Workshop on Secu-rity in Information Systems, April 2005. Miami, Fl., USA, April 2005.
Artificially generated passive HF RFID set-tings•M. Hutter, S. Mangard, and M. Feldhofer, “Power and EM Attacks on Passive 13.56 MHz RFID De-vices”, In the Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2007), LNCS 4727, pp. 320-333, Springer-Verlag, 2007.•Power analysis and EM analysis on their own RFID prototype with AES
Ultra-high frequency (UHF)
RFID tag (900 MHz)Experimental Result without countermea-sures•T. Plos, “Susceptibility of UHF RFID Tags to Elec-tromagnetic Analysis”, CT-RSA 2008, LNCS 4964, pp.288-300, 2008.
Experimental Result with common coun-termeasures•Y. Oren and A. Shamir, “Remote Password Extrac-tion from RFID Tags”, IEEE Transactions on Com-puters, 56(9):1292-1296, 2007. •Show a successful analysis result which can be used to extract kill password remotely from a UHF EPC tag.
•Suggest common countermeasures to prevent the analysis with examples•Add Noise to power consumption•Consume the same amount of power every clock cycle
31
Map of Current Countermeasures
Security for RFID SystemPhysical Security
Kill tag
Blocker tag
Active Jamming
PUF
SCA
Cryptographic Protocol
Authentication Proto-col
Password-based
Kill PW
Access PW
Hash-based
Static ID
Dynamic ID
(Pseudonym)
LPN-based
HB+
HB#
Ultra lightweight-based
RNG
XOR AND
CRC
ROT
Encryption-based
Symmet-ric
Key
Stream (LFSR)
Block (TEA, AES)
Asymmet-ricKey
ECCHECC
Universal Reencryp-
tion
Multi-tag scanning
Yorking
Secure (EPCglobal) Architecture Frame-
workSecure Reader Proto-
col
Middleware Security
Server Security
Database Security
ONS(DNS) Security
Network Security
Key Management
Certificate Profile* All 7 Auto ID labs work together now.
What are the remaining issues in RFID Security?
Open Issues in RFID Security
Open Issues: Functional LW Crypto- Primitives
Many conventional crypto-primitives are not suitable for low-cost RFID Tags Find efficient implementation of
conventional primitives for low-cost tags Design new lightweight primitives
Both of above works require large attention Rigorous analysis and implementation of
cryptographic primitives (Hashing, MAC, PRNG, AIA) for RFID
Open Issues: (Im)Possibility of Certain Cryptographic Tasks
Before designing a cryptographic task Possible to realize the task at all? If yes, what is the minimal assumption/primitive required
to realize the task ? Vaudenay showed that strong forward security is im-
possible and Gilbert [eprint95] no security on MIMA Impossibility of robust interactive key-evolving ?
In RFID, forward security requires interactive key-evolving between reader and tag.
Possible to realize a robust interactive key-evolving against de-synchronization of secret ?
Identify controversial requirements
Open Issues: Security Models
Known security models of “reader” and “server”. Security of protocols heavily depend on
level of trust on RFID reader and server. If not considered, we would significantly
separate “theoretical security” and “real-world security”.
No security model for multiple-tag scanning One has to consider mafia fraud attack in a
security model. Otherwise, security cannot be proved.
Open Issues: Countermeasures against Location-based Attacks
Mafia fraud attack is simple yet serious Attacker steals a tagged item then executes the
attack to make the reader believes that the item is actually nearby.
Few researches on countermeasures against location-based attacks. We have surveyed only Hancke-Kuhn protocol
and a few of its variations. We also need theoretical analysis of
(im)possibility of countermeasure against location-based attacks.
Open Issues: Protection against SCA
Few published works on SCA on RFID tag Need to find more approaches of differential
electromagnetic analysis (DEMA) and its countermeasures.
Hiding and Masking methods for RFID Invent countermeasures at the logic cell-level Consider Trade-off between tag cost and security
Establish the common criteria(CC) for secure RFID tag.
Build up the standard for cryptographic primitives, protocols for RFID tags.
Concluding Remarks• We didn’t survey all publications, but
suggested pros and cons of previous main researches.
• “No panacea”, but require tradeoff between level of security and performance.
• SCA will be one of emerging attacks.• New primitives: time-released crypto,
etc.