Tamper Detection & Discrimination in Passive RFID Systems using Steganography

Tamper Detection & Discrimination in Passive RFID Systems using

SteganographyBy,

Giridhar RMahadevan SMManishgant A P

Under the guidance of

Dr.E.Janardhanan

Objective

• To develop an algorithm to detect and discriminate tampered RFID data.

• To scale the algorithm in such a way as to require fewer arithmetic operations and memory overhead

• To implement the same on a low cost hardware interfaced to the RFID reader.

Motivation• Unlike other types of IT systems where the data is stored in a physically

secure location such as a data server in a server room, RFID systems store some of its sensitive data on the RFID tag itself, which is in turn affixed to physical objects that travel along the supply chain.

• This means that’s its relatively easy for potential attackers to gain physical access to the RFID tags and mount an attack.

• As physical access to the tags grant direct access to the memory area of the RFID tag, attackers who successfully gain physical access can then alter data easily on the tag

• These attackers can also carry out those attacks a lot more easily as they can easily circumvent any security measures put in place by security protocols to protect against remote access attacks.

General Passive RFID Memory banks

• The Header, is fully used for identifying the EAN.UCC key and the partitioning scheme

• The EPC Manager, is used to identify the manufacturer uniquely.

• The Object Class, is used to identify the product manufactured by the manufacturer

• The Serial Number, which is the last partition, is used to uniquely identify an item, which belongs to a particular Object Class

Literature SurveyPaper Title Content

Recovering and Restoring Tampered RFID Datausing Steganographic Principles

A theoretical approach to embed secret pattern inside RFID Serial Number Partition to recover tampered data in Object Class.

A Watermarking Based Tamper Detection Solution for RFID Tags

Embedding a watermark in RFID to detect tampering on any of the data fields of the tag.

Tamper Discrimination in RFID tags using Chaotic Watermarking

Original Chaotic Watermarking is applied to RFID tags. This provides for Tamper detection as well as discrimination.

Disadvantages of Existing Methods

METHOD DISADVANTAGE

Tamper Detection in RFID Tags using Fragile Watermarking

• Provides only for detection of tamper overall and does not specify where the tamper has occurred.

A Watermarking Based Tamper Detection Solution for RFID Tags

• This method provides for identifying the area of attack, but does not delve upon recovery.

• Uses reserved Kill Bit field for storage.

Tamper detection in ubiquitous RFID Supply Chains

• Only a Generic function described to generate pattern.

Our Approach

• The “Object Class” (24 bits) is used to uniquely identify one product. if product A (Orange) has cheaper transportation cost compared to product

• B (Mango), the attacker might attempt to change OC of product B, to gain an economic benefit.

• However if the attacker changes the serial number (SN), which is used to identify one item of a specific product, he/she cannot gain any economic benefit,

EPC C1G2 Data Structure

• Electronic Product Code (EPC) was first developed by Auto-ID Center in MIT in 1999.

• This centre developed the initial RFID standard and later transferred to EPCGlobal for commercialization in late 2003.

• Two data structures were designed by EPC, – 64 bit EPC was designed primarily for testing and – 96 bit EPC were designed for commercialization.

EPC C1G2 Data Structure

Principles of Chaotic Systems• Chaotic theory has been established since 1970s from many different

research areas, such as physics, mathematics, biology and chemistry, etc.

• The most well-known characteristics of chaos are the so-called “butterfly-effect” (the sensitivity to the initial condition), and the pseudo-randomness generated by deterministic equations.

• A chaotic dynamical system is an unpredictable, deterministic and uncorrelated system that exhibits noise-like behavior through its sensitive dependence on its initial conditions which generates sequences similar to PN sequence.

• The chaotic dynamics have been successfully employed to various engineering applications such as automatic control, signals processing and watermarking.

Principles of Chaotic Systems

• Chaotic systems can be applied to any of the number systems.

• Chaotic sequences can range from few bits to few thousand bits, based on the equation and the number of iterations.

• This dynamic range of the sequences is beneficial in RFID systems, where the memory on the tag is a huge constraint.

• Watermark generated using chaotic sequences can be used in such cases.

Block Diagram

Generate Secret Pattern

Embed pattern in [SN] using Chaotic

watermarking

Also Chaotically embed OC data across several

tags.

Chaotically arrange select bits in [SN]

in reservedTampering occurs

Extracted pattern is compared at

receiver side for a match

The variation in watermark will

indicate the field of attack

Basic approach

• The embedding algorithm begins by selecting a set of one way functions F {f1, f2, f3}.

• Each one way function is applied to the values within the RFID tags partition to generate a secret value as shown

Basic approach

• This secret value is then embedded at predefined location within the Serial Number partition by appending it to the original Serial Number Value (SNorg) to generate the appended Serial Number (SNapp).

Generating the Watermark• STEP 1 – Two different chaotic sequences (as given below) are taken as the keys for encryption

- (1)

– (2)

Where,n = 1,2,3… map iteration index= system parameter (3.57< <4) and are chaotic sequences with initial values and (-

1.5< , <1.5)

Generation(Contd..)

• STEP 2 – Map 8 bits of Header, anterior 14 bits of EM, latter 14 bits of EM, anterior 12 bits of OC, latter

12 bits of OC as decimal fractions, d1,d2,d3,d4,

d5 respectively. If b7b6b5b4b3b2b1b0 is the header

• STEP 3 – For the length of Header is 8 bits, when Header is tampered, d1 is variational.

Generation (Contd..)

STEP 4 - Use d1 as the initial value of (1) will generate various chaotic sequences.

STEP 5 - The sequence is converted to binary and any 2 bits from it is designated as W1

STEP 6 - The EM is divided into two parts and each part is mapped into two decimal fractions d2 and d3.

STEP 7 - Since the length of each part is 14 bits, when each part is tampered, d2 and d3 will be variational.

Generation (Contd…)

STEP 8 – d2 and d3 are used as initial condition for (1) and (2) respectively and any 5 bits from the obtained binary

sequence is taken as W2

STEP 9 – Similar method described above is used to generate watermark W3 for OC

STEP 10 – Connect W1,W2 and W3 to form final watermark Wf

Embedding and Detection

STEP 1 – Chaotic scheme is again used to determine 12 positions inside the 36 bit SN field and the 12 bits are embedded in the respective positions.

STEP 2 – Chaotic watermark algorithm discussed previously is used to generate the watermark Wg at the reader side. The

watermark Wf is compared.

• If they are same, then no data tamper is observed;• If anterior 2 bits are different, then Header in RFID tags is tampered• If middle 5 bits are different, then EM in RFID tags is tampered• If latter 5 bits are different, then OC in RFID tags is tampered.

Watermark Generation

Header EPC Manager Object ClassSerial

Number

CCS CCS CCS

+

Watermark

Header EPC Manager Object ClassSerial

Number

Embedding Process

Header EPC Manager Object ClassSerial

Number

Attack

Header EPC Manager Object ClassSerial

Number

CCS CCS CCS

+

Watermark

Extracted Watermark

Match?

Tamper!

Results

Tamper detection after OC data is changed

Results

Tamper detection after EM data is changed

Implementation

RFID TAG

RFID READER/WRITER MCU

RFID TAG

Hardware Description of Components

• The choice of the microcontroller is the Atmel ATMega89S52 8 bit controller.

• The AT89S52 is a low-power, high-performance CMOS 8-bit microcontroller with 8K bytes of in-system programmable Flash memory.

• The device is compatible with the industry-standard 80C51 instruction set and pinout. The on-chip Flash allows the program memory to be reprogrammed in-system or by a conventional nonvolatile memory programmer.

AT89S52 Properties

• 8K bytes of Flash, • 256 bytes of RAM, • 32 I/O lines, • Watchdog timer, • 2 data pointers, • Three 16-bit timer/counters, • A six-vector two-level interrupt architecture, • A full duplex serial port, • On-chip oscillator and clock circuitry.

AT89S52 Pinout Diagram

RFID Reader/Writer

• HY502 series of RFID reader/writer modules are based on non-contact card reader ASCI chip compatible with ISO14443 standard.

• It uses 600nm CMOS EEPROM technology, supports ISO14443 typeA protocol, and also supports the MIFARE standard encryption algorithm.

• HY502 series supports Mifare One S50, S70, Ultra Light & Mifare Pro, FM11RF08 and other compatible cards.

HY502 Reader/Writer

RFID Tags

• The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors.

• It has namely 3 major blocks, the RF section for transmitting and receiving data. The EEPROM memory is for storage and a DCU is present for authentication and control.

• They can be programmed for operations like reading, writing, increasing value blocks, etc.

• The cards are contactless and operate at 13.56 MHz

Ehouyan RFID card

Interfacing

• Interfacing of the RFID Reader/Writer with the Microcontroller is done using the MAX232 IC.

• The MAX232 is an integrated circuit that converts signals from an RS-232 serial port to signals suitable for use in TTL compatible digital logic circuits.

• The MAX232 is a dual driver/receiver and typically converts the RX, TX, CTS and RTS signals.

MAX232 Interfacing

Circuit Diagram of the Motherboard

Keil IDE

• Keil C51 development environment is used for developing applications on the 8051 microcontroller architecture.

• Keil has tools to directly compile the source code (both in C and in assembly) into the standard Intel .hex format.

• The tools also have the facility to directly burn the code onto the controller using a non-volatile programmer.

Keil IDE

ProgISP

• ProgISP is a Flash/EEPROM burner software designed specifically for writing the Intel Hex files into the 8051 family of Microcontrollers designed by Atmel

• There are various functions available to erase and program the chip as desired

• There are also the standard debug utilities to verify the chip I/O and also verify and lock the program inside the IC

ProgISP

Results

• The hardware is tested real time by using two RFID read/write cards which can be written and read many times over.

• The system is initialized and made to run the algorithm and write the watermark onto the card.

• After the writing part, the algorithm checks for the authenticity of the watermark and displays the output accordingly on the LCD display.

Results

RFID INITIALIZATION

Results

Watermark Validation success

Results

Watermark Validation failed

Conclusions

• The proposed algorithm aims to address the security fault in RFID in 2 ways.

• The algorithm gives a fool proof way to detect tamper in the passive

RFID cards.

• The algorithm effectively runs on a low cost hardware so that it can be employed along with the reader/writer for portable security.

References[1] M. I. Youssef, M. Zahara, A. E. Emam, and M. Abd ElGhany; Chaotic Sequences Implementations on Residue Number Spread Spectrum System; International Journal Of Communications, Issue 2, Volume 2, 2008

[2] Noman, Curran, Lunney; Watermarking Based Tamper Detection for RFID tags; IIH-MSP Sixth International Conference 2011.

[3] Mohan, M.; Potdar, V.; Chang, E.; Recovering and Restoring Tampered RFID Data Using Steganographic Principles;IEEE International Conference On Industrial Technology (ICIT) 2006

References

[4] Bogdan Cristea ; Statistical Properties of Chaotic Binary Sequences ; IEEE Transactions on Information Theory ; 2008

[5] Harinda Fernando and Jemal Abawajy ; A Taxonomy of Security in Very Large Scale Networked RFID Systems; Deakin’s University; 2009

[6] Government of Honkong Special Administrative Region ; RFID Security; 2008

[7] Kirk Wong, Patrick Hui, Allan Chan, “Cryptography and authentication on RFID passive tags for apparel products,” Computers in Industry, 2006.

References[8] Stephen Weis, Sanjay Sarma, Ronald Rivest, et al, “Security and privacy

aspects of low-cost radio frequency identification systems”

[9]D.Molnar and D. Wagner, “Privacy and security in library RFID: Issues, practices, and architectures” In Conference on Computer and Communications Security – CCS, ACM Press, 2004 pp. 210-219

[10]S. A. Weis, S. E. Sarma, R. L. Rivest, D. W. Engels, “Security and Privacy Aspects of Low-cost Radio Frequency Identification Systems”, in D. Hutter et al. Edn. Security in Pervasive Computing 2003, LNCS 2802, pp. 201-212, 2004

THANK YOU