1 / 18

RFID Devices and Cryptography Analysis of the DST40

Bono, S.C., et al, Security Analysis of a Cryptographically-Enabled RFID Device. In P. McDaniel, ed., USENIX Security '05, pp. 1-16. 2005. RFID Devices and Cryptography Analysis of the DST40. A review of the article:. Dennis Galvin Practical Aspects of Modern Cryptography 07-Mar-2006.

aldis
Download Presentation

RFID Devices and Cryptography Analysis of the DST40

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bono, S.C., et al, Security Analysis of a Cryptographically-Enabled RFID Device. In P. McDaniel, ed., USENIX Security '05, pp. 1-16. 2005 RFID Devices and CryptographyAnalysis of the DST40 A review of the article: Dennis Galvin Practical Aspects of Modern Cryptography 07-Mar-2006

  2. DST40 • Texas Instruments • Cryptographically Secured RFID system • DST :: Digital Signature Transponder • 40-bit key • Used in a number of applications • Exxon Mobil SpeedPass(TM) • Automotive Immobilizers • 2005 Ford • Some European Mfgrs. 2000 – 2005 TI spec sheet photo

  3. Sample TI DST40 Based Immobilizer Systemfrom: http://rfid.bluestarinc.com/resources/Immobilizer_Systems.pdf

  4. Sample TI DST40 Based Immobilizer Systemfrom: http://rfid.bluestarinc.com/resources/Immobilizer_Systems.pdf

  5. Breaking the DST40 • Reverse engineer the cipher • Build a key cracker • Build the whole system – proof is in the pudding • What's the big deal? • Black box • Use DST as oracle

  6. Reverse engineering the cipher Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf

  7. Reverse engineering the cipher What's missing? Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf

  8. Reverse engineering the cipher What's missing? Routing Networks Key Scheduling Alg f-box internals g-box internals h-box internals Theory vs practice Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf

  9. Build the key cracker • High end Intel based PC (3.4 GHz)

  10. Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space

  11. Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space • Parallelize again • put 16 FPGA's to the task • 512 cores • Cracked 5 DSTs from TI in less than 2 hrs.

  12. Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space • Parallelize again • put 16 FPGA's to the task • 512 cores • Cracked 5 DSTs from TI in less than 2 hrs. • Hellman Time-Memory Tradeoff (future work)

  13. Putting it all together: RF Protocol • Easiest Piece of the puzzle • Build the device to actively interrogate DST • Antenna from TI's development kit • 12-bit DAC/ADC board capable of 1 Mhz • From this can actively interrogate responses to known challenges, feed back into the key cracker

  14. Putting it all together: RF Protocol • Easiest Piece of the puzzle • Build the device to actively interrogate DST • Antenna from TI's development kit • 12-bit DAC/ADC board capable of 1 Mhz • From this can actively interrogate responses to known challenges, feed back into the key cracker • Build the device to simulate a DST • Use the same physical setup as above • Now can take information from the active attack plus the cracked keys and use it • Start the car • Buy gas

  15. What happenned • What went wrong? • 40 bits too weak • Security by Obscurity • LFSR, only 80-bits state

  16. What happenned • What went wrong? • 40 bits too weak • Security by Obscurity • LFSR, only 80-bits state • How to fix • Use bigger key • Don't use LFSR • SHA1, maybe even SHA256

  17. Implications • Other Crypto enabled applications of RFID • RFID Scheduled for Passports • Possible use in Identity cards • Medical Insurance Cards • Hospital Bracelets?

  18. Web sites: • http://rfid-analysis.org/ (authors' web site) • http://www.ti.com/rfid/default.htm (Texas Instr.)

More Related