660 likes | 841 Views
RFID : The Problems of Cloning and Counterfeiting. Ari Juels RSA Laboratories 19 October 2005. RFID devices take many forms. Basic “smart label”. Toll payment plaque. Automobile ignition key. Mobile phone. “RFID” really denotes a spectrum of devices. “74AB8”. “Evian bottle
E N D
RFID: The Problems ofCloning and Counterfeiting Ari Juels RSA Laboratories 19 October 2005
Basic “smart label” Toll payment plaque Automobile ignition key Mobile phone “RFID” really denotes a spectrum of devices
“74AB8” “Evian bottle #949837428” “5F8KJ3” “Smart label” RFID tag • Passive device – receives power from reader • Range of up to several meters • Simply calls out (unique) name and static data
Capabilities of “smart label” RFID tag • Little memory • Static 96-bit+ identifier in current ultra-cheap tags • Hundreds of bits soon • Little computational power • Several thousand gates (mostly for basic functionality) • No real cryptographic functions possible • Pricing pressure may keep it this way for a while, i.e., Moore’s Law will have delayed impact
Fast, automated scanning Line-of-sight Radio contact Specifies object type Uniquely specifies object Provides pointer to database entry for every object, i.e., unique, detailed history The grand vision:EPC (Electronic Product Code) tags Barcode EPC tag
Impending explosion in (EPC) RFID use • EPCglobal • Joint venture of UCC and EAN • Wal-Mart, Procter & Gamble, DoD, etc. • Recently ratified new EPC-tag standard (Class 1 Gen 2) • Pallet and case tagging first • Item-level retail tagging, automated tills, seem years away • Estimated costs • 2008: $0.05 per tag; hundreds of dollars per reader (?) • Beyond: $0.01 per tag; several dollars per reader (?)
Automobile immobilizers Other forms of RFID • Payment devices • Currency?
“Not Really Mad” • Passports Other forms of RFID • Tracking cattle
RFID readers in mobile handsets • Medical compliance Showtimes: 16.00, 19.00 Other forms of RFID
Wig model #4456 (cheap polyester) Replacement hip medical part #459382 Das Kapitaland Communist-party handbook 1500 Euros in wallet Serial numbers: 597387,389473… 30 items of lingerie The privacy problem Bad readers, good tags Mr. Jones in 2015
Counterfeit! Mr. Jones’s car! Mad-cow hamburger lunch Counterfeit! The authentication problem Good readers, bad tags Mr. Jones in 2015 Replacement hip medical part #459382 1500 Euros in wallet Serial numbers: 597387,389473…
RFID and sensors will underpin critical infrastructure Authentication therefore has many facets: • Physical security • Consumer goods and pharmaceuticals safety • Transaction security • Brand value …but it’s getting short shrift I’ll talk about three different projects on RFID authentication
The Digital Signature Transponder (DST) Joint work with S. Bono, M. Green, A. Stubblefield, A. Rubin, and M. Szydlo USENIX Security ‘05
“I’m tag #123” 40-bit challenge C 24-bit response R = fK(C) The Digital Signature Transponder (DST) f Car #123 (simplified) • Helps secure tens of millions of automobiles • Philips claims more than 90% reduction in car theft thanks to RFID! (TI did at one point.) • Also used in millions of payment transponders
The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 24-bit response R = fK(C) (simplified) • The key K is only 40 bits in length!
The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 24-bit response R = fK(C) (simplified) Our aim: Demonstrate security vulnerability by cloning real DSTs
The Digital Signature Transponder (DST) “I’m tag #123” f 40-bit challenge C Car #123 f 24-bit response R = fK(C) (simplified) But what is the cryptographic function f ???
key K C R = fK(C) Black-box cryptanalysis f? Programmable DST
??? ??? ??? Not implemented this way! Texas Instruments DST40 cipher (not original schematic) Challenge register Routing Network f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 f21 f18 f19 f20 Routing Network Key register 400 clocks / 3 cycles
Texas Instruments DST40 cipher (not original schematic) ??? Challenge register Routing Network f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 ??? f17 f21 f18 f19 f20 f17 ??? Routing Network f21 Key register f18 f19 400 clocks / 3 cycles f20 Not implemented this way!
One internal wire Case A
Or two internal wires? Case B
0 1 1 0 0 0 0 0 0 1 0 0 0 1 1 1 0 0 1 0 0 0 0 0 1 Black-box cryptanalysis
2 possible values 4 possible values Case A Case B
Same principle applies to more complex structures… f17 f21 f18 f19 f20
Two internal wires One internal wire Case B Case A
??? ??? ??? Not implemented this way! f
The full cloning process • Skimming • Key cracking • Simulation
The full cloning process Step 1: Skimming Step 1: Skimming Obtain responses r1,r2 to two challenges, c1, c2 Takes only 1/4 second!
The full cloning process Step 2: Key cracking C Find secret key k such that r1=fk(c1) and r2 = fk(c2) (30 mins. on 16-way parallel cracker; Faster with Hellman table)
The full cloning process Simulate radio protocols with computation of fk Step 3: Simulation
“Human” authentication for RFID tags Joint work with Steve Weis Crypto ‘05
Very limited memory for numbers Very limited ability for arithmetic computation RFID tags are a little like people ≈
Hopper-Blum (HB) Human Identification Protocol
ChallengeA Response f(X,A) Secret X Secret X Hopper-Blum (HB) Human Identification Protocol
ChallengeA R = (X•A) + Nη Secret X Secret X modular dot product noise w.p. η Hopper-Blum (HB) Human Identification Protocol
(0, 4, 7) R = 5 7 X = (3,2,1) X = (3,2,1) HB Protocol Example, mod 10
Learning Parity in the presence of Noise (LPN) • Given multiple rounds of protocol, find X (or other equally good secret) • Given q challenge-response pairs (A1,R1)…(Aq,Rq) ,, find X’ such that Ri = X’ • Ai on at most ηq instances, for constant η > 0 • Binary values • Note that noise is critical! • LPN is NP-hard – even within approx. of 2 • Theoretical and empirical evidence of average-case hardness • Poly. adversarial advantage in HB protocol → LPN
C R HB Protocol X X Problem: Not secure against active adversaries!
D C R = (C• X) (D• Y) + + Nη HB+ Protocol X,Y X,Y
D (D• Y) + +Nη HB+ Protocol X,Y X,Y
D C R = (C• X) (D• Y) + + Nη • Add extra HB protocol with prover-generated challenge • Adversary effectively cannot choose challenge here Intuition: HB+ Protocol X,Y X,Y
In the paper • Most of paper elaborates security reduction from HB+to LPN • Implementation of algorithm seems very practical – just linear number of ANDs and XORs and a little noise! • Looks like EPC might be amenable, but…