Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes
Thomas Plos, Michael Hutter, Martin Feldhofer
Workshop on RFID Security 2008, 09. - 11.07.2008, Budapest, Hungary
Outline
• Motivation
• Prevalent countermeasures
• Hiding in time dimension
• Attacking techniques on hiding
• Arguments for using FFT
• Conducted attacks
• Tag prototypes
• Measurement setup
• Results
• Conclusion
Motivation (1)
• > 1 billion RFID tags sold in 2006
• Movement towards “internet of things”
• Current low-cost tags cannot prevent fake products
• Enhanced functionality opens field for new applications
  • Sensors
  • Actuators
• Weakest link of the system determines security: crypto on tags
Motivation (2)
• It was long believed that strong crypto is unfeasible on passive RFID tags
• Meanwhile great effort to bring standardized crypto on low-cost tags
• Secure algorithm secure implementation
• Side-channel analysis (SCA) exploits implementation weaknesses
• Protection via countermeasures necessary
Prevalent Countermeasures
• Make power consumption independent of intermediate values
• Principally two ‘types’ of countermeasures:
  • Hiding
    • In time dimension: random insertion of dummy cycles, shuffling
    • In amplitude dimension: increase noise, reduce signal
  • Masking
    • Boolean masking (e.g. )
    • Arithmetic masking (e.g. +, *)
Hiding in Time Dimension
• Highly suitable for low-resource devices like RFID tags
• Mainly affects control logic
• Cost efficient in terms of hardware
• Time is not a critical parameter in RFID due to rather low data rates in protocols
• Using the example of AES:
  • Dummy operations
  • Byte shuffling
Attacking Techniques on Hiding
• Filtering (amplitude dimension)
  • Attenuation of disturbing signals
  • Requires knowledge of wanted signal/disturbing signal
• Integration techniques (time dimension)
  • Summing up “specific points” defined by a comb or a window
  • Requires knowledge of “specific points”
• Identification of parameters for filtering/integration techniques could be challenging
• Can FFT help us?
Arguments for Using FFT
• FFT is time-shift invariant
  • Efficiency of randomization is diminished
  • Influence of misaligned traces during measurements is reduced
• Filtering of disturbing signals not necessary (e.g. carrier signal of RFID reader)
• Differential Frequency Analysis (DFA) first mentioned by C. Gebotys (CHES 2005)
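To make the time-shift-invariance argument concrete, the following is an added Python simulation, not code from the paper or from the IAIK authors. It constructs traces in which a Hamming-weight leakage pulse is delayed by a random number of samples per execution, as dummy-cycle insertion would do, and runs the same correlation attack once on the raw, unaligned time samples (DEMA-style) and once on DFT magnitude spectra (DFA). The leakage model, pulse shape, noise level, sample counts and key value are constructed assumptions, and the hypothesis is the Hamming weight of pt ^ key rather than an S-box output.

```python
import math, random, cmath

N_SAMPLES = 32        # samples per constructed trace
MAX_SHIFT = 8         # dummy-cycle insertion delays the leakage by 0..7 samples
PULSE = [1.0, 2.0, 1.0]   # constructed leakage pulse shape, scaled by the Hamming weight

def hw(x):
    return bin(x).count("1")

def make_traces(key, n_traces, seed=1):
    """Constructed leakage: HW(pt ^ key) * PULSE at a random offset, plus Gaussian noise."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        t0 = rng.randrange(MAX_SHIFT)   # hiding in time: fresh random shift per execution
        tr = [rng.gauss(0, 0.3) for _ in range(N_SAMPLES)]
        for i, p in enumerate(PULSE):
            tr[t0 + i] += hw(pt ^ key) * p
        pts.append(pt)
        traces.append(tr)
    return pts, traces

def spectrum(tr):
    """DFT magnitudes (naive O(N^2)); a time shift only changes phase, so |X[f]| is unchanged."""
    n = len(tr)
    return [abs(sum(tr[t] * cmath.exp(-2j * math.pi * f * t / n) for t in range(n)))
            for f in range(n // 2)]

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0

def best_guess(pts, rows):
    """Correlation attack: for each key-byte guess, take the max |r| over all columns."""
    cols = list(zip(*rows))
    scores = []
    for k in range(256):
        hyp = [hw(p ^ k) for p in pts]   # hypothesis: HW of the AddRoundKey output
        scores.append(max(abs(pearson(hyp, c)) for c in cols))
    k = max(range(256), key=scores.__getitem__)
    return k, scores[k]

def attack(key=0x3C, n_traces=200):
    """Return (guess, score) for DEMA on unaligned time samples and for DFA on spectra."""
    pts, traces = make_traces(key, n_traces)
    return best_guess(pts, traces), best_guess(pts, [spectrum(t) for t in traces])
```

With these constructed parameters the DFA score for the correct key byte is close to 1, while the unaligned time-domain score stays far lower because the random shift smears the pulse across sample points.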
Conducted Attacks
• Analysis of RFID devices (HF and UHF)
  • Current low-cost RFID tags do not contain strong crypto + randomization
  • Using self-made tag prototypes
  • Integration of 128-bit AES with randomization
• Comparing DEMA with DFA
  • Disturbing carrier signal: DEMA + filtering vs. DFA
  • Disturbing carrier signal + randomization of AES: DEMA + filtering + windowing vs. DFA
Tag Prototypes
• HF tag prototype
  • 13.56 MHz
  • ISO 14443-A
  • Semi passive
• UHF tag prototype
  • 868 MHz
  • ISO 18000-6C
  • Semi passive
Results (1): HF tag prototype, disturbing 13.56 MHz carrier signal [plots: DEMA + filtering; DFA]
Results (2): UHF tag prototype, disturbing 868 MHz carrier signal [plots: DEMA + filtering; DFA]
Results (3): HF tag prototype, disturbing 13.56 MHz carrier signal + randomization of AES enabled [plots: DEMA + filtering + windowing; DFA]
Results (4): UHF tag prototype, disturbing 868 MHz carrier signal + randomization of AES enabled [plots: DEMA + filtering + windowing; DFA]
Conclusion
• Evaluation of SCA pre-processing techniques on RFID devices using hiding in time domain
  • HF and UHF RFID-tag prototypes implementing 128-bit AES with randomization
  • DEMA + filtering (+ windowing) vs. DFA
• All attacks successful
• DFA offers good results without further knowledge about the implementation
• Hiding alone as countermeasure for RFID tags not sufficient
Thomas.Plos@iaik.tugraz.at
Michael.Hutter@iaik.tugraz.at
Martin.Feldhofer@iaik.tugraz.at
http://www.iaik.tugraz.at/research/sca-lab