380 likes | 395 Views
This book explores the various security threats in RFID technology, including tag cloning, privacy invasion, denial of service, location-based attacks, and side-channel attacks. It also discusses current countermeasures and open issues in RFID security.
E N D
CHALLENGING Issues in RFID Security Kwangjo Kim
Contents • Introduction • RFID and its Applications • Korean Status and Auto ID Labs • Security Threats for RFID • Traditional Threats : Tag Cloning, Privacy Invasion, Denial/Disruption of Service • New Threats: Location-based Attacks (Mafia Fraud/Terrorist Attacks), Side Channel Attack • Current Countermeasures for Secure RFID • Cryptographic primitives -based Protocol : Hash-based, LPN-based, CRC-based, • Ultra-lightweight Protocols: XOR, ADD, Rotate, etc. • Provable secure Protocol: Modeling of Adversary, Universal Composability (UC)-Framawork, • Multi Tag Scanning Protocols : Yorking proof or Grouping • Radiation security and non-invasive analysis: Distance-bounding, SCA • Open Issues in RFID Security and Concluding Remarks • Functional LW Cryptographic Primitives • (Im)Possibility of Certain Cryptographic Tasks • New Security Model • Effective Methods against Location-based Attacks • Protection against SCA
I. Introduction What is RFID?
Introduction – RFID (1/3) 3: Send EPC# 2: Reply EPC# 1: Query RF signal (contactless) Range: around 10 meters 4: Receive EPC#: Info EPC-Information Services (EPC-IS) Detailed real-time info about EPC# is constantly updated and maintained in here Share Info Tags Attached to objects, give out their (unique) EPC# via RF signal Readers Query & read EPC# from tags via RF signal Get more info. about EPC# from EPC-IS Update EPC-IS: e.g., EPC# arrived at 10:53pm at location X
Introduction – RFID Applications (2/3) • In future RFID would automate supply-chain management • EPC-IS assists geographically distributed supply-chain partners to share real-time info about RFID-tagged products they are handling RFID-based Supply-Chain Management System * Please view the above figure in full screen mode
Introduction – RFID Applications (3/3) RFID-based Applications for Consumers Smart Home Home-server Mobile RFID: Mobile Phone with RFID-reader chip Consumer shopping RFID-tagged items RFID-Tagged item RFID-Reader Enabled Devices
RFID/USN : Infra for Knowledge-Based Era inKorea RFID + USN RFID USN The technology enabling readers to recognize, process and utilize the information in tags without physical contact Network in which wire/wireless linkage of multiple sensors collects, integrates, processes & utilizes information To be developed into an intelligent infra in the future • RFID/USN developing process: • Tag+ Sensor Intelligent control Creating comfort environment Improving transparency/ productivity Managing facilities efficiently Strengthening monitoring/awareness Enhancing industrial competitiveness RFID/USN Healthy monitoring anytime & anywhere Safe & healthy food Convenient shopping
Current Korean Status of RFID/USN Industry Market size Industry structure Composed of about 360 companies ’Domestic market in 08’: About KW 550 billion(Annual growth rate: RFID -39%, USN -35%) Market trend (Unit: 100Million won) 5,547 176 companies including LS Industrial System& Samgsung Techwin RFID tag · leader RFID 4,333 USN 88 companies including Asiana IDT & SamsungSDS Middleware · SI 2,871 4,145 99 companies including Green Sensor & Nuri Telecom USN(Sensor node) 3,437 2,353 1,402 896 569 ·Most of part & equipment companies are small/medium-sized except for LG Industrial System & Samsung Techwin· focuses on developing & providing services to create new businesses but does not excel in specialization. 2006 2007 2008
Auto-ID Lab, Korea • Joined Auto-ID Labs on April 2005 • ICU merged with KAIST as of March 1, 2009 • Internet of Things • RF, Chip design (air interface for active RFID tag, WSN) • ZigBee transceiver, IR-UWB transceiver, Wake-up circuit, etc. • EPC Sensor Network : Integration of EPCglobal architecture framework and wireless sensor network (WSN) technology • RFID / WSN Privacy & Security • Anti-counterfeiting, Lightweight cryptography, etc. • RFID/WSN Business, Application • BM for food safety system, autonomous vehicles, ubiquitous city, agriculture, healthcare, etc. Daeyoung Kim kimd@kaist Kwangjo Kim kkj@kaist SanggugLee sglee@ee.kaist Seongook Park sopark@ee.kaist Hyuckjae Lee hjlee@ee.kaist JaeJeung Rho jjroh@kaist Junghoon Moon jmoon@kaist MyungryulChoi choimy@asic.hanyang
II. Security Threats on RFID What are security threats in RFID?
RFID Security Threats (1/4) Cloned Fake Tags Man-in-the-Middle Attack Denial/Disruption of Service ID# Malicious Readers Privacy Violation
RFID Security Threats: Location-based Attacks (2/4) • RFID Authentication Protocol does not address location of tags: • Tags out of communication range of a reader should not be authenticated. • Location-based Attacks[Brands&Cham@EC93] • Mafia Fraud Attack (Distance Fraud Attack): Attacker simply relays messages between two honest parties. • Terrorist Attack: Extended mafia fraud attack in which attacker collaborates with one of dishonest party.
RFID Security Threats: Location-based Attacks (3/4) • Mafia Fraud Attack on RFID: Reader Rouge Tag Rouge Reader Tag Challenge Challenge Challenge Response Response Response Communication range of the reader
RFID Security Threats: SCA (4/4) • SCA potentially is the most serious threat to RFID tags, which implement cryptographic functions. • Typical side channel information • Timing information, computation fault, power consumption and EM radiation • EM analysis on HF-RFID, UHF-RFID, UHF-EPC-C1G2Tag • EM radiation based non-invasive analysis becomes more viable than invasive analysis. Control, Ciphertext Crypto enabled RFID Control, Side channel information Oscilloscope Computer
III. Current Countermeasures What have been done to counter security threats?
Hash-based Protocols Hash-lock Scheme[3] metaID = h(k) • Major Drawback: • The server has to go through the whole tag database and compute the hash chains to identify a tag. Extended Hash-lock Scheme[2,8]
LPN-based Protocols (1/3) • Binary inner-product of two k-bit values a and x: z = a x = (a0 x0) (a1 x1) … (ak-1 xk-1) • Binary-inner product can be implemented easily on low-cost hardware. Question is: where is the hard problem? • Learning Parity with Noise (LPN) Problem: • LPN problem: Given a set of (ai, zi) where z = (aix) viand vi is generated at a fixed probability, compute x.a • (ai, zi) appears as a true (k+1)-bit string.
LPN-based Protocols (2/3) • HB+ Authentication Protocol by Juels and Weis Tag (k-bit secret x and y; ) Reader (k-bit secret x and y) b R {0, 1}k b a R {0, 1}k {0, 1|Prob[ =1] = } a z = (a x) (b y) z Check z= (a x) (b y) Repeat above step q times. Accept only if about qresponses of Tag are incorrect
LPN-based Protocols (3/3) • HB+ is not secure against man-in-the-middle attacks: • Several attempts (HB-MP, HB++, HB#, HB-trusted) to secure HB+ against MIMA have failed. Tag (k-bit secret x and y; ) Reader (k-bit secret x and y) b R {0, 1}k b a R {0, 1}k {0, 1|Prob[ =1] = } a a’ = a …….. z’ = (a’ x) (b y) z’ If authentication succeeds, it is likely that (a’ x) (b y) = (a x) (b y) , but (a’ x) = (a ) x = (a x) ( x), therefore x = 0. Otherwise, x = 1
Ultra-lightweight Protocols (1/2) EPCglobal C-1 Gen-2 Tag: 4 Memory Banks One-Way Reader to Tag Authentication Proposed by EPCglobal Standard[1] • Not Secure • Un-encrypted openly sent random numbers • Tag’s Access Password easily exposed
Ultra-lightweight Protocols (2/2) • Utilize lightweight primitives • RNG, CRC, and bit-wise operators such as XOR, AND, OR, rotate, etc. • Drawbacks • De-synchronization of session keys • Replay (impersonation) attacks • full-disclosure of tag’s secret information
O-FRAP & O-FRAKE (1/2) • Optimistic Forward-Secure Authentication Protocol • Mutual Authentication • Privacy Protection using Pseudonym • Secure key exchange (O-FRAKE) • Tag database indexed by tag pseudonym for fast look up • Forward security by updating shared secret after each successful session • Resistant against de-synchronization of secret by storing two versions of secret in tag database • Secure from in Universal Composable(UC) Framework
O-FRAP & O-FRAKE (2/2) • DoS attack: server searches the whole database if receiving an invalid pseudonym (\bar{r}tag). • De-synchronization of secret: modify v3’ to cause tag not to update its secret F: pseudorandom function
Multiple Tag Scanning Protocols (1/3) • Reader produces a co-existence proof of multiple tags • Scan tags supposed to be near together, e.g., tags on different parts of a car. • Yoking-Proof by Juels: scanning a group of two tags
Multiple Tag Scanning Protocols (2/3) • Grouping-Proof: scanning a group of n tags
Multiple Tag Scanning Protocols (3/3) • Many multiple tag scanning protocols are subject to replay attack. • All of multiple tag scanning protocols are subject to mafia fraud attack:
Distance-bounding Protocols (1/2) • Distance-bounding Protocol: • Prevent mafia fraud attack by verifying location of tags using round-trip time. • Approach: • Repeat a simple (and fast) authentication step multiple times. • Measure time taken by each authentication step • Accept only if every authentication step is successful and the time taken is less than a pre-defined value.
Distance-bounding Protocols (2/2) • Hancke-Kuhn distance-bounding Protocol [6]
Map of Current Countermeasures * All 7 Auto ID labs work together now.
Open Issues in RFID Security What are the remaining issues in RFID Security?
Open Issues: Functional LW Crypto- Primitives • Many conventional crypto-primitives are not suitable for low-cost RFID Tags • Find efficient implementation of conventional primitives for low-cost tags • Design new lightweight primitives • Both of above works require large attention • Rigorous analysis and implementation of cryptographic primitives (Hashing, MAC, PRNG, AIA) for RFID
Open Issues: (Im)Possibility of Certain Cryptographic Tasks • Before designing a cryptographic task • Possible to realize the task at all? • If yes, what is the minimal assumption/primitive required to realize the task ? • Vaudenay showed that strong forward security is im- possible and Gilbert [eprint95] no security on MIMA • Impossibility of robust interactive key-evolving ? • In RFID, forward security requires interactive key-evolving between reader and tag. • Possible to realize a robust interactive key-evolving against de-synchronization of secret ? • Identify controversial requirements
Open Issues: Security Models • Known security models of “reader” and “server”. • Security of protocols heavily depend on level of trust on RFID reader and server. • If not considered, we would significantly separate “theoretical security” and “real-world security”. • No security model for multiple-tag scanning • One has to consider mafia fraud attack in a security model. Otherwise, security cannot be proved.
Open Issues: Countermeasures against Location-based Attacks • Mafia fraud attack is simple yet serious • Attacker steals a tagged item then executes the attack to make the reader believes that the item is actually nearby. • Few researches on countermeasures against location-based attacks. • We have surveyed only Hancke-Kuhn protocol and a few of its variations. • We also need theoretical analysis of (im)possibility of countermeasure against location-based attacks.
Open Issues: Protection against SCA • Few published works on SCA on RFID tag • Need to find more approaches of differential electromagnetic analysis (DEMA) and its countermeasures. • Hiding and Masking methods for RFID • Invent countermeasures at the logic cell-level • Consider Trade-off between tag cost and security • Establish the common criteria(CC) for secure RFID tag. • Build up the standard for cryptographic primitives, protocols for RFID tags.
Concluding Remarks • We didn’t survey all publications, but suggested pros and cons of previous main researches. • “No panacea”, but require tradeoff between level of security and performance. • SCA will be one of emerging attacks. • New primitives: time-released crypto, etc.