PEARL Project Hot Topics
Hot Topics in RFID Security
Pedro Peris-Lopez - TU Delft
Security Lab, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology
June 24, 2010, Leuven, Belgium
Agenda
1 PEARL Project
2 Hot Topics
PEARL Project
Title: Privacy Enhanced security Architecture for RFID Labels.
Objectives:
1 Design of security and privacy controls (lightweight cryptography)
  Cryptographic primitives
  Security protocols
2 Assessment of the security and privacy properties
  Modeling properties
  Modeling systems
  Policies
  Verification
PEARL Project
Funding: SENTINELS research programme
Research institutes:
Computer Science Department, University of Eindhoven
SoS group, Radboud University Nijmegen
Faculty of Electrical Engineering, Delft University of Technology
Industrial partners:
Philips
TNO ICT
PEARL Project
More Information:
Research Topics
TU Delft is focused on the research areas listed below:
Lightweight and ultralightweight protocols [1, 2, 3, 4]
Distance-bounding protocols [5, 6, 7]
Yoking-proofs [8, 9]
Lightweight PRNG [10]
Lightweight and Ultralightweight Protocols (I)
Weaknesses in Two Recent Lightweight RFID Authentication Protocols [1]
Privacy for RFID systems to prevent tracking and cloning [11]
  Cloning Attack
  Traceability Attack
  Full Disclosure Attack
A minimalist mutual authentication protocol for RFID system & BAN logic analysis [12]
  Tag/Reader Impersonation
  Traceability Attack
Lightweight and Ultralightweight Protocols (II)
Security Flaws in a Recent Ultralightweight RFID Protocol [13]
Traceability Attack
Full Disclosure Attack
Cloning Attack
Desynchronization Attack
Lightweight and Ultralightweight Protocols (III)
Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol [14]
  Traceability
  Leakage of Stored Secrets
  Tango Attack
Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec'10 Asia [15]
  Traceability
  Norwegian Attack
  Tango Attack
Lightweight and Ultralightweight Protocols (IV)
Norwegian and Tango Attack: some details ...
Yeh-Lo-Winata Protocol (I)
Step 1 Reader → Tag: Hello
Step 2 Tag → Reader: IDS_t
Step 3 Reader → Tag: A ‖ B ‖ C ‖ flag
  If (IDS_t = IDS_tr^new): flag = 0 and K = K_t. Else: flag = 1 and K = ID.
  A = (IDS ⊕ K) ⊕ n1
  B = (IDS ∨ K) ⊕ n2
  C = (K̂ ⊕ n1) + n2, where K̂ = Rot(K ⊕ n2, n1)
Step 4 Tag extracts {n1, n2}, computes K̂ and verifies C. Then Tag → Reader: D
  D = (K̂' ⊕ n2) + n1, where K̂' = Rot(K ⊕ n1, n2)
Yeh-Lo-Winata Protocol (II)
Step 5 Reader computes K̂' and verifies D. If OK, it updates the secrets:
  IDS_tr^old = IDS
  IDS_tr^new = (IDS + (ID ⊕ K̂')) ⊕ n1 ⊕ n2
  K_tr = K̂
  Reader → Tag: Update command
Step 6 Tag updates IDS and K
Full Disclosure Norwegian Attack (I)
1. For i = 0 to L − 1:
2.   Observations[i] = 0
3. Repeat a sufficiently high number of times N the following steps:
4.   Observe an authentication session and get IDS, A, B, C and D
5.   Check whether for these values it holds that C mod L = D mod L
6.   If this is not the case, go to step 4
7.   Otherwise perform the following tasks:
8.     Wait for the authentication session to finish
9.     Send a "Hello" message to the tag to obtain IDS_tr^new
10.    Compute ID_estimated mod L = ((IDS_tr^new − IDS) ⊕ D) mod L
11.    Increment Observations[ID_estimated]
12. Filter: find ID_conjecture, the index of the maximum value in Observations[i]
13. Guess that ID_conjecture = ID mod L
Full Disclosure Norwegian Attack (II)
[Figure: Histogram of ID candidates (L = 128, N = 2^18). x-axis: ID candidates (0 to 127); y-axis: number of times the candidate is observed (0 to 500). A single peak at ID mod 128 = ID_conjecture mod 128.]
Full Disclosure Tango Attack
Can we do it better? Here's the idea:
How much information about the secrets is leaked out by the public messages exchanged during one session?
Let's consider only very simple combinations of the public messages after session k:
  L_k = a_0·IDS_k ⊕ a_1·A_k ⊕ a_2·B_k ⊕ a_3·C_k ⊕ a_4·D_k ⊕ a_5·IDS_{k+1}, with a_i ∈ {0, 1}
and then see whether there is any correlation between L_k and ID.
One simple measure: the bias with respect to the optimal Hamming distance,
  ε = | d_H(L_k, ID) − m/2 |
A Scaled-down Example
ID (base 10) = 85, ID = [0, 1, 0, 1, 0, 1, 0, 1]
Session k: eavesdrop the vectors {IDS_k, A_k, B_k, C_k, D_k, IDS_{k+1}} and compute an approximation, e.g. ID_approx(1) = [0 1 0 1 1 1 1 1]
Session k + 1: eavesdrop {IDS_{k+1}, A_{k+1}, B_{k+1}, C_{k+1}, D_{k+1}, IDS_{k+2}} and compute ID_approx(2) = [0 1 0 1 0 1 0 0]
Session k + 2: eavesdrop {IDS_{k+2}, A_{k+2}, B_{k+2}, C_{k+2}, D_{k+2}, IDS_{k+3}} and compute ID_approx(3) = [0 1 1 0 0 1 0 1]
Conjecture ID: sum of the vectors
    [0 1 0 1 1 1 1 1]
  + [0 1 0 1 0 1 0 0]
  + [0 1 1 0 0 1 0 1]
  = ID_approx = [0 3 1 2 1 3 1 2]
Threshold on the average value γ:
  if ID_approx_i ≥ γ then ID_conjecture_i = 1
  if ID_approx_i < γ then ID_conjecture_i = 0
e.g. with γ = 1.5, ID_conjecture = [0, 1, 0, 1, 0, 1, 0, 1]
Conjecture: ID_conjecture (base 10) = 85
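The three procedures above (the Yeh-Lo-Winata exchange of Steps 1-6, the Norwegian voting attack, and the Tango bias measure with its sum-and-threshold step) as one runnable simulation. This is an added example written for this page, not code from the cited papers or from the PEARL project. It assumes 96-bit words, rotation by Hamming weight (the SASI convention), and that the eavesdropper learns IDS_tr^new by sending the next Hello; the helper new_pair only builds constructed random secrets. One thing the slides do not spell out: bit 0 of the Norwegian estimate ((IDS_tr^new − IDS) ⊕ D) mod L is always correct, because modular addition and XOR agree in the least significant bit, so only the higher bits need the statistical vote.

```python
import random

M = 96                     # word length in bits (assumption: EPC-style 96-bit IDS, ID and K)
MASK = (1 << M) - 1

def rot(x, y):
    """Rot(x, y): left-rotate x by the Hamming weight of y (SASI convention; an assumption)."""
    r = bin(y).count("1") % M
    return ((x << r) | (x >> (M - r))) & MASK

class Tag:
    """Yeh-Lo-Winata tag: holds (IDS, K, ID); commits the new state only on the Update command."""
    def __init__(self, ids, key, tag_id):
        self.ids, self.key, self.id = ids, key, tag_id

    def reply(self, A, B, C, flag):                      # Step 4
        K = self.key if flag == 0 else self.id           # flag = 1: resynchronisation with K = ID
        n1 = A ^ self.ids ^ K                              # from A = (IDS ⊕ K) ⊕ n1
        n2 = B ^ (self.ids | K)                            # from B = (IDS ∨ K) ⊕ n2
        k_hat = rot(K ^ n2, n1)                            # K̂ = Rot(K ⊕ n2, n1)
        if ((k_hat ^ n1) + n2) & MASK != C:               # verify C = (K̂ ⊕ n1) + n2
            return None
        k_hat2 = rot(K ^ n1, n2)                           # K̂' = Rot(K ⊕ n1, n2)
        self._next = (((self.ids + (self.id ^ k_hat2)) & MASK) ^ n1 ^ n2, k_hat)
        return ((k_hat2 ^ n2) + n1) & MASK                 # D = (K̂' ⊕ n2) + n1

    def update(self):                                      # Step 6
        self.ids, self.key = self._next

class Reader:
    def __init__(self, ids, key, tag_id, rng):
        self.ids_old = self.ids_new = ids                  # both kept to survive a lost Update
        self.key, self.id, self.rng = key, tag_id, rng

    def challenge(self, ids):                              # Step 3
        flag, K = (0, self.key) if ids == self.ids_new else (1, self.id)
        assert flag == 0 or ids == self.ids_old, "unknown IDS"
        n1, n2 = self.rng.getrandbits(M), self.rng.getrandbits(M)
        self._sess = (ids, K, n1, n2)
        k_hat = rot(K ^ n2, n1)
        return (ids ^ K) ^ n1, (ids | K) ^ n2, ((k_hat ^ n1) + n2) & MASK, flag

    def verify(self, D):                                   # Step 5
        ids, K, n1, n2 = self._sess
        k_hat2 = rot(K ^ n1, n2)
        if ((k_hat2 ^ n2) + n1) & MASK != D:
            return False
        self.ids_old = ids
        self.ids_new = ((ids + (self.id ^ k_hat2)) & MASK) ^ n1 ^ n2
        self.key = rot(K ^ n2, n1)                         # K_tr = K̂
        return True

def new_pair(seed):
    """Synchronised (reader, tag, ID) with constructed random 96-bit secrets."""
    rng = random.Random(seed)
    ids, key, tid = (rng.getrandbits(M) for _ in range(3))
    return Reader(ids, key, tid, rng), Tag(ids, key, tid), tid

def run_session(reader, tag, deliver_update=True):
    """One session as the eavesdropper sees it; IDS_next is what the next Hello returns."""
    ids = tag.ids                                          # Steps 1-2: Hello / IDS
    A, B, C, flag = reader.challenge(ids)
    D = tag.reply(A, B, C, flag)
    if D is None or not reader.verify(D):
        raise RuntimeError("authentication failed")
    if deliver_update:                                     # the Update command may be lost
        tag.update()
    return {"IDS": ids, "A": A, "B": B, "C": C, "D": D, "flag": flag, "IDS_next": tag.ids}

def norwegian_attack(reader, tag, n_sessions, L=128):
    """Keep sessions with C ≡ D (mod L) and vote on ((IDS_next - IDS) ⊕ D) mod L.  Bit 0 of each
    estimate equals bit 0 of ID exactly (XOR and addition agree there); higher bits are only biased."""
    observations = [0] * L
    for _ in range(n_sessions):
        t = run_session(reader, tag)
        if t["C"] % L != t["D"] % L:
            continue
        estimate = (((t["IDS_next"] - t["IDS"]) & MASK) ^ t["D"]) % L
        observations[estimate] += 1
    return observations, max(range(L), key=observations.__getitem__)

PUBLIC = ("IDS", "A", "B", "C", "D", "IDS_next")

def tango_bias(transcripts, tag_id):
    """Average ε = |d_H(L_k, ID) - m/2| of every L_k = ⊕ a_i·msg_i, keyed by (a_0, ..., a_5)."""
    bias = {}
    for mask in range(1, 1 << len(PUBLIC)):
        coeffs = tuple((mask >> i) & 1 for i in range(len(PUBLIC)))
        total = 0.0
        for t in transcripts:
            lk = 0
            for a, name in zip(coeffs, PUBLIC):
                if a:
                    lk ^= t[name]
            total += abs(bin(lk ^ tag_id).count("1") - M / 2)
        bias[coeffs] = total / len(transcripts)
    return bias

def tango_vote(approximations, gamma):
    """The slide's last step: add the approximation bit-vectors column-wise and threshold at γ."""
    return [1 if s >= gamma else 0 for s in map(sum, zip(*approximations))]
```

Usage: reader, tag, tid = new_pair(7); then norwegian_attack(reader, tag, 2**18) reproduces the histogram experiment of the slide (the returned conjecture is ID mod 128 when the peak is clear), and tango_bias over a list of run_session transcripts ranks the 63 non-trivial combinations L_k; the combinations with the largest ε are the ones fed, as bit-vectors, to tango_vote.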
Lightweight and Ultralightweight Protocols: Conclusions
Conclusions
The use of random numbers is a necessary but not sufficient condition to assure untraceability
CRC should be confined to detecting transmission errors
Combine simple linear operations (i.e. bitwise operations) with non-triangular operations (i.e. rotations) ⇒ e.g. the SASI protocol [17] and the Gossamer protocol [16]
Rigorous security analyses are necessary
Future work: New Protocols
  Security Analysis
  Design + Formal proof
Relay Attacks
[Figure © Avoine et al.]
Distance Bounding Protocols
[Figure: three fraud scenarios; R = reader, T = tag, "Range" = the reader's distance bound]
(a) Distance fraud attack: a dishonest tag T outside the range makes R believe it is within range
(b) Mafia fraud attack: an adversary placed between R and an honest, distant T relays the exchange
(c) Terrorist fraud attack: a distant dishonest T collaborates with an adversary located within range of R
Hancke and Kuhn's Protocol
Mafia Fraud Attack: (3/4)^n
Terrorist Fraud Attack: 1
Distance Fraud: (3/4)^n
Swiss-Knife RFID Distance Bounding Protocol [18] (the basic distance bounding protocol of Kim et al.)
An authentication protocol combined with a rapid bit exchange is displayed below.
Reader (knows x and ID through the back-end DB) | Tag (x, ID)
Step 1 Reader picks a random N_A. Reader → Tag: N_A
Step 2 Tag picks a random N_B and computes a := f_x(C_B, N_B), Z^0 := a, Z^1 := a ⊕ x. Tag → Reader: N_B
Step 3 Rapid bit exchange, for i = 1 to n:
  Reader picks c_i ∈ {0, 1}, starts its clock and sends c_i (the tag receives it as c'_i)
  Tag answers r_i := Z^0_i if c'_i = 0, Z^1_i if c'_i = 1
  Reader stops its clock and stores r_i, Δt_i
Step 4 Tag computes t_B := f_x(c'_1, ..., c'_n, ID, N_A, N_B). Tag → Reader: t_B, c'_1, ..., c'_n
Step 5 Reader checks ID via the DB, computes Z^0, Z^1 and
  errc := #{i : c_i ≠ c'_i}
  errr := #{i : c_i = c'_i ∧ r_i ≠ Z^{c_i}_i}
  errt := #{i : c_i = c'_i ∧ Δt_i > t_max}
  If errc + errr + errt ≥ T, then REJECT
Step 6 Reader computes t_A := f_x(N_B). Reader → Tag: t_A. Tag computes and compares t_A
Fig. 7. Swiss-Knife RFID Distance Bounding Protocol
The Hitomi RFID Distance Bounding Protocol [6]
Reader (knows x and ID through the back-end DB) | Tag (x, ID)
Step 1 Reader picks a random N_R. Reader → Tag: N_R
Step 2 Tag picks random N_T1, N_T2 and N_T3 and computes a := f_x(N_R, N_T1, W), b := f_a(N_T2, N_T3, W'), Z^0 := a, Z^1 := b ⊕ x. Tag → Reader: N_T1, N_T2, N_T3
Step 3 Rapid bit exchange, for i = 1 to n:
  Reader picks c_i ∈ {0, 1}, starts its clock and sends c_i (the tag receives it as c'_i)
  Tag answers r'_i := Z^0_i if c'_i = 0, Z^1_i if c'_i = 1
  Reader stops its clock and stores r_i, Δt_i
Step 4 Tag sets m = {c'_1 ‖ c'_2 ‖ ... ‖ c'_n ‖ r'_1 ‖ r'_2 ‖ ... ‖ r'_n} and computes t_B := f_x(m, ID, N_R, N_T1, N_T2, N_T3). Tag → Reader: t_B, m
Step 5 Reader checks ID via the DB, computes Z^0, Z^1, R^0, R^1 and
  errc := #{i : c_i ≠ c'_i}
  errr := #{i : c_i = c'_i ∧ r_i ≠ Z^{c_i}_i}
  errt := #{i : c_i = c'_i ∧ Δt_i > t_max}
  If errc + errr + errt ≥ τ, then REJECT
Step 6 Reader computes t_A := f_x(N_R, b). Reader → Tag: t_A. Tag computes and compares t_A
Distance Bounding Protocols: a new idea ...
Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security [7]
  Reader → Tag: Request
  Tag → Reader: Puzzle(ID)   (1)
Drawback:
  Rogue readers and honest readers have to spend the same effort!
Solution:
  Key delegation
  Puzzles + Distance Bounding
Step 1: WSBC Authentication Scheme
[Figure: Reader ↔ Tag message flow; the Reader talks to the Back-end Database over a secure channel]
1. R → T: m1 = request, n1
2. T → R: m2 = n2, ⟨ς_j, ω_{π_j}(k)⟩, υ_j, ν*_j
3. R → T: m3 = n*_4, τ*_j (* Optional)
where {n_i}, i = 0, ..., 4, are different nonces,
  ς_j = enc_k(n1 ‖ ID ‖ n1 ‖ j),
  ω_{π_j}(k) = {k_{π(0)}, k_{π(1)}, ..., k_{π(l−1)}} is an l-bit WSBC function and π() is a given permutation,
  υ_j = h(j ‖ n1 ‖ ID ‖ n2),
  ν*_j = enc_k(j ‖ n3 ‖ ID ‖ n1) (Optional),
  and τ*_j = enc_k(j ‖ n4 ‖ ID + 1 ‖ n3 ‖ n1) (Optional)
Step 2: WSBC + Distance-Bounding Authentication Scheme
[Figure: Reader ↔ Tag message flow; the Reader talks to the Back-end Database over a secure channel]
1. R → T: m1 = request, n1
2. T → R: m2 = n2, ς_j
3. Rapid bit exchange, for i = 1, ..., t: R → T: α_j(i); T → R: β_j(i) = α_j(i) ⊕ s_j(i)
4. T → R: m3 = ω_{π_j}(k), υ_j, ν_j
5. R → T: m4 = n*_4, τ*_j
Noent: WSBC + Distance-Bounding Authentication Scheme
[Figure: Reader ↔ Tag message flow; the Reader talks to the Back-end Database over a secure channel. Recoverable messages: m1 = request, n1, γ_j; a rapid bit exchange for i = 1, ..., t with challenges α_j(i) and responses β_j(i) = α_j(i) ⊕ s_j(i), annotated with c(i) and n2, s_j; a message carrying n2, ς_j, ω_{π_j}(k), υ_j, ν_j; and a final message carrying a nonce and τ_j.]
Main idea: the WSBC ⟨ς_j, ω_{π_j}(k)⟩ depends on the distance (d_rt) that separates the tag and the reader.
Yoking Proofs (I)
"A pharmacy might want to be able to prove, for instance, that it dispensed an RFID-tagged prescription bottle along with a required RFID-tagged booklet containing indications."
© Juels [19]
Yoking Proofs (II)
Yoking / Clumping / Grouping Proofs
A proof that a pair of RFID tags has been scanned simultaneously
Analysis of existing proposals
Design guidelines
Next step: design a new yoking proof
Yoking Proofs: Analysis of Existing Proposals [8]
Proposal | Traceability | Impersonation | Forge proof | Subset Replay | Anonymity | Replay (Peris-Lopez et al. 2007) | Multi-proof (DoS) | Useless proofs (Burmester et al. 2008)
Juels (2004) | x | x | - | - | x | x | - | x
Saito and Sakurai (2005) | - | x | - | x | - | x | - | x
Bolotnyy and Robins (2006) | - | - | - | x | - | - | x | x
Piramuthu (2006) | x | - | - | - | x | - | x | x
Lin et al. (2007)* | x | x | - | - | x | - | - | x
Peris-Lopez et al. (2007) | - | - | - | - | - | - | - | x
Cho et al. (2008) | x | - | - | - | x | - | x | x
Lien et al. (2008) | x | - | - | - | x | - | - | x
Burmester et al. (2008) | - | x | - | - | - | - | - | -
Chien and Liu (2009) | x | - | - | - | - | - | - | -
Huang and Ku (2009) | x | - | x | - | x | - | - | x
Chien et al. (2010) | x | - | x | - | x | - | - | x
Chien et al. (2010)* | x | - | - | x | x | - | - | x
x = the proposal is vulnerable to the attack; - = not vulnerable
* Offline version
Yoking Proofs: Protocol Design [8]
Design Guidelines
Computing capabilities
Dependence
Identification (privacy)
Matching
Verification
Performance (computations + messages)
Forward security (open problem)
Real Applications: Health care (I)
Errors involving medication administration can be costly, both in financial and in human terms
Patient safety can be improved by means of proper Information Technology (IT) systems
"Five-right" method: treating the right patient, with the right drug, in the right dose, in the correct way and at the right time
Existing solutions:
  RFID + barcodes
  Security and implementation problems
Real Applications: Health care (II)
[Figure 4: Phases of IS-RFID. 1. Drug Package Procedure (unit-dose medications); 2. Nurse Station Procedure; 3. Safe Drug Administration Procedure at the inpatient's bedside from the nurse cart, with 3.1 Real-time Verification and 3.2 Evidence Generation; 4. Monitoring Procedure. All phases are connected to the HIS.]
Real Applications: Health care (III)
[Figure 5: IS-RFID Protocol. Message flow between the Nurse, the Nurse station, the HIS, the Inpatient (wristband tag) and the Unit-dose Medication (UD tag). Recoverable elements: the nurse station and the HIS perform mutual authentication and exchange the list of (Inpatient_i, UD_i, t_i) triples, i = 1, ..., N; when visiting an inpatient, the reader sends {request, r_P} to the wristband and unit-dose tags, which answer with PRNG-based messages (m_T, m_UD, m_TUD) built from their identifiers, the nonces r_W and r_M, the time t_i and their keys K_Inpatient and K_UD; the reader forms the evidence e_i = {Inpatient_i, UD_i, t_i, r_W, r_M, m_TUD}, and the pairs {e_i, sign(e_i)} are sent to the HIS, which performs matching verification and evidence generation.]
Pseudo-random Number Generator
Design a new lightweight PRNG
Security Analysis
Hardware requirements (*)
(*) Department of Electrical Engineering, Carlos III University of Madrid (Spain)
Lightweight PRNG
Security requirements:
  Cryptanalysis
  Statistical tests (e.g. ENT, DIEHARD, NIST)
Hardware requirements:
  Gate Equivalents < 4K
  Clock cycles < 500-600
  Operation frequency: 100 KHz
  Power consumption: in the µW range
AKARI-1 and AKARI-2
AKARI-1:
  Initialize x0 and x1 of m bits
  x0 = x0 + ((x0 * x0) ∨ 5)
  x1 = x1 + ((x1 * x1) ∨ 13)
  z = x0
  for r from 0 to 63:
      z = (z >> 1) + (z << 1) + z + x1
  % Output m/2 bits: lower half of z
AKARI-2:
  Initialize x0 and x1 of m bits
  x0 = x0 + ((x0 * x0) ∨ 5)
  x1 = x1 + ((x1 * x1) ∨ 13)
  z = x0 ^ x1
  for r from 0 to 24:
      z = (z << 1) + ((z + 0x56AB0A) >> 1)
  y = x1 ^ z
  for r from 0 to 24:
      y = (y >> 1) + (y << 1) + y + 0x72A4FB
  % Output m/2 bits: lower half of y
(all operations on m-bit words, modulo 2^m)
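AKARI-1 and AKARI-2 as the slide writes them, followed by the NIST frequency (monobit) test as the first of the statistical checks listed under the security requirements. This is an added example written for this page, not the authors' reference implementation, and it makes no claim about the generators' quality; it reads the pseudocode as: all arithmetic modulo 2^m, a logical right shift, both state words refreshed on every output word, and "for r from 0 to N" meaning N + 1 rounds. The seeds used in assess are constructed.

```python
import math

class Akari:
    """AKARI-1 (variant=1) and AKARI-2 (variant=2) as written on the slide.  Reading of the
    pseudocode (assumption): all arithmetic modulo 2^m, '>>' is a logical shift, both state words
    are refreshed on every output, and 'for r from 0 to N' runs N + 1 rounds."""

    def __init__(self, variant, m, x0, x1):
        if variant not in (1, 2) or m % 2:
            raise ValueError("variant must be 1 or 2 and m even")
        self.variant, self.m, self.mask = variant, m, (1 << m) - 1
        self.x0, self.x1 = x0 & self.mask, x1 & self.mask

    def next_output(self):
        """Advance the state and return the next m/2-bit output word."""
        mask = self.mask
        self.x0 = (self.x0 + ((self.x0 * self.x0) | 5)) & mask      # x0 = x0 + ((x0 * x0) ∨ 5)
        self.x1 = (self.x1 + ((self.x1 * self.x1) | 13)) & mask     # x1 = x1 + ((x1 * x1) ∨ 13)
        if self.variant == 1:
            z = self.x0
            for _ in range(64):                                      # for r from 0 to 63
                z = ((z >> 1) + (z << 1) + z + self.x1) & mask
            return z & (mask >> (self.m // 2))                       # lower half of z
        z = self.x0 ^ self.x1
        for _ in range(25):                                          # for r from 0 to 24
            z = ((z << 1) + (((z + 0x56AB0A) & mask) >> 1)) & mask
        y = self.x1 ^ z
        for _ in range(25):
            y = ((y >> 1) + (y << 1) + y + 0x72A4FB) & mask
        return y & (mask >> (self.m // 2))                           # lower half of y

    def bitstream(self, nbits):
        """Concatenate output words (MSB first) into a list of nbits bits for statistical testing."""
        out, half = [], self.m // 2
        while len(out) < nbits:
            w = self.next_output()
            out.extend((w >> (half - 1 - j)) & 1 for j in range(half))
        return out[:nbits]

def monobit_pvalue(bitlist):
    """NIST SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(2 n)) with S_n = Σ (2 b_i - 1).
    p below 0.01 means the stream fails; passing is a necessary, not a sufficient, quality check."""
    n = len(bitlist)
    s = sum(2 * b - 1 for b in bitlist)
    return math.erfc(abs(s) / math.sqrt(2 * n))

def assess(variant, m, x0, x1, nbits=20000):
    """Run one generator from a constructed seed and return its monobit p-value."""
    return monobit_pvalue(Akari(variant, m, x0, x1).bitstream(nbits))
```

Usage: assess(1, 32, 7, 11) and assess(2, 32, 7, 11) give the monobit p-value of a 20,000-bit stream from each generator with m = 32, the EPC-tag parameter of the tables that follow; the remaining NIST, DIEHARD and ENT batteries are run on the same bitstream output.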
AKARI-1 and AKARI-2: EPC tags (m = 32 bits)
Generator | Gate Equivalents | Power (µW) | Clock cycles
AKARI-1 | 880 | 16.86 | 66
AKARI-2 | 1629 | 29.91 | 51
AKARI-1 and AKARI-2: Low-cost RFID tags
m_max = 128 bits:
Generator | Gate Equivalents | Power (µW) | Clock cycles
AKARI-1A | 3358 | 62.4 | 66
AKARI-1B | 3822 | 73.48 | 450
m_max = 64 bits:
Generator | Gate Equivalents | Power (µW) | Clock cycles
AKARI-2A | 3259 | 58.26 | 51
AKARI-2B | 3135 | 57.42 | 290
AKARI-2C | 2993 | 55.87 | 530
Questions?
Thank you
More information:
http://www.lightweightcryptography.com/
http://www.cs.ru.nl/pearl/
References
[1] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, T. Li and J. C. A. van der Lubbe. "Weaknesses in Two Recent Lightweight RFID Authentication Protocols". In INSCRYPT'09 (in cooperation with IACR), Beijing, December 2009.
[2] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador and J. C. A. van der Lubbe. "Security Flaws in a Recent Ultralightweight RFID Protocol". In Workshop on RFID Security (RFIDSec Asia'10), volume 4 of Cryptology and Information Security Series, pages 83-93. IOS Press, 2010.
[3] J. C. Hernandez-Castro, P. Peris-Lopez, R. C.-W. Phan, J. M. E. Tapiador. "Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol". In Workshop on RFID Security (RFIDSec'10), Istanbul, June 2010.
[4] P. Peris-Lopez, J. C. Hernandez-Castro, R. C.-W. Phan, J. M. E. Tapiador, T. Li. "Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec'10 Asia (Poster)". In Workshop on RFID Security (RFIDSec'10), Istanbul, June 2010.
[5] A. Mitrokotsa, C. Dimitrakakis, P. Peris-Lopez, J. C. Hernandez-Castro. "Reid et al.'s Distance Bounding Protocol and Mafia Fraud Attacks over Noisy Channels". IEEE Communications Letters, volume 14, issue 2, pp. 121-123, 2010.
[6] P. Peris-Lopez, J. C. Hernandez-Castro, C. Dimitrakakis, A. Mitrokotsa, J. M. E. Tapiador. "Shedding Some Light on RFID Distance Bounding Protocols and Terrorist Attacks". CoRR, volume abs/0906.4618, 2009. http://arxiv.org/abs/0906.4618
[7] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, E. Palomar and J. C. A. van der Lubbe. "Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security". In IEEE International Conference on RFID, Orlando, 2010.
[8] P. Peris-Lopez, A. Orfila, J. C. Hernandez-Castro, J. C. A. van der Lubbe. "Flaws on RFID Grouping-Proofs. Guidelines for Future Sound Protocols". Journal of Network and Computer Applications (in press), available online 1 May 2010. http://dx.doi.org/10.1016/j.jnca.2010.04.008
[9] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "Solving the Simultaneous Scanning Problem Anonymously: Clumping Proofs for RFID Tags". In 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'07), pages 55-60. IEEE Computer Society Press, Istanbul, Turkey, July 2007.
[10] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "LAMED: A PRNG for EPC Class-1 Generation-2 RFID Specification". Computer Standards & Interfaces, volume 31, issue 1, pp. 88-97, January 2009.
[11] M. Mitra. "Privacy for RFID systems to prevent tracking and cloning". International Journal of Computer Science and Network Security 8(1), pp. 1-5, January 2008.
[12] C. Qingling, Z. Yiju, W. Yonghua. "A minimalist mutual authentication protocol for RFID system & BAN logic analysis". In Proc. of CCCM'08, pages 449-453. IEEE Computer Society, 2008.
[13] Y.-C. Lee, Y.-C. Hsieh, P.-S. You, T.-C. Chen. "A New Ultralightweight RFID Protocol with Mutual Authentication". In Proc. of WASE'09, volume 2 of ICIE, pages 58-61, 2009.
[14] M. David and N. R. Prasad. "Providing Strong Security and High Privacy in Low-Cost RFID Networks". In Proc. of Security and Privacy in Mobile Information and Communication Systems (MobiSec'09), pages 172-179. Springer Berlin Heidelberg, September 2009.
[15] K.-H. Yeh, N. W. Lo, E. Winata. "An Efficient Ultralightweight Authentication Protocol for RFID Systems". In Proc. of RFIDSec Asia'10, volume 4 of Cryptology and Information Security Series, pages 49-60. IOS Press, 2010.
[16] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "Advances in Ultralightweight Cryptography for Low-cost RFID Tags: Gossamer Protocol". In Proc. of Workshop on Information Security Applications, volume 5379 of LNCS, pages 56-68. Springer-Verlag, Jeju Island, Korea, September 23-25, 2008.
[17] H.-Y. Chien. "SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity". IEEE Transactions on Dependable and Secure Computing 4(4):337-340, Oct.-Dec. 2007.
[18] C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira. "The Swiss-Knife RFID Distance Bounding Protocol". In International Conference on Information Security and Cryptology (ICISC), Lecture Notes in Computer Science. Springer-Verlag, December 2008.
[19] A. Juels. "'Yoking-Proofs' for RFID Tags". In First International Workshop on Pervasive Computing and Communication Security, pp. 138-143. IEEE Press, 2004.