180 likes | 413 Views
Bono, S.C., et al, Security Analysis of a Cryptographically-Enabled RFID Device. In P. McDaniel, ed., USENIX Security '05, pp. 1-16. 2005. RFID Devices and Cryptography Analysis of the DST40. A review of the article:. Dennis Galvin Practical Aspects of Modern Cryptography 07-Mar-2006.
E N D
Bono, S.C., et al, Security Analysis of a Cryptographically-Enabled RFID Device. In P. McDaniel, ed., USENIX Security '05, pp. 1-16. 2005 RFID Devices and CryptographyAnalysis of the DST40 A review of the article: Dennis Galvin Practical Aspects of Modern Cryptography 07-Mar-2006
DST40 • Texas Instruments • Cryptographically Secured RFID system • DST :: Digital Signature Transponder • 40-bit key • Used in a number of applications • Exxon Mobil SpeedPass(TM) • Automotive Immobilizers • 2005 Ford • Some European Mfgrs. 2000 – 2005 TI spec sheet photo
Sample TI DST40 Based Immobilizer Systemfrom: http://rfid.bluestarinc.com/resources/Immobilizer_Systems.pdf
Sample TI DST40 Based Immobilizer Systemfrom: http://rfid.bluestarinc.com/resources/Immobilizer_Systems.pdf
Breaking the DST40 • Reverse engineer the cipher • Build a key cracker • Build the whole system – proof is in the pudding • What's the big deal? • Black box • Use DST as oracle
Reverse engineering the cipher Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf
Reverse engineering the cipher What's missing? Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf
Reverse engineering the cipher What's missing? Routing Networks Key Scheduling Alg f-box internals g-box internals h-box internals Theory vs practice Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.: http://www.aes4.org/english/events/aes4/downloads/AES4_UICE_slides.pdf
Build the key cracker • High end Intel based PC (3.4 GHz)
Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space
Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space • Parallelize again • put 16 FPGA's to the task • 512 cores • Cracked 5 DSTs from TI in less than 2 hrs.
Build the key cracker • High end Intel based PC (3.4 GHz) • Hardware based • Xilinx FPGA • parallelize operations • put 32 cores down on an FPGA • each core does full encryption in 200 clock cycles • 100 Mhz clock • now can search whole 40-bit keyspace in 21 hrs • on average only need to search half of the space • Parallelize again • put 16 FPGA's to the task • 512 cores • Cracked 5 DSTs from TI in less than 2 hrs. • Hellman Time-Memory Tradeoff (future work)
Putting it all together: RF Protocol • Easiest Piece of the puzzle • Build the device to actively interrogate DST • Antenna from TI's development kit • 12-bit DAC/ADC board capable of 1 Mhz • From this can actively interrogate responses to known challenges, feed back into the key cracker
Putting it all together: RF Protocol • Easiest Piece of the puzzle • Build the device to actively interrogate DST • Antenna from TI's development kit • 12-bit DAC/ADC board capable of 1 Mhz • From this can actively interrogate responses to known challenges, feed back into the key cracker • Build the device to simulate a DST • Use the same physical setup as above • Now can take information from the active attack plus the cracked keys and use it • Start the car • Buy gas
What happenned • What went wrong? • 40 bits too weak • Security by Obscurity • LFSR, only 80-bits state
What happenned • What went wrong? • 40 bits too weak • Security by Obscurity • LFSR, only 80-bits state • How to fix • Use bigger key • Don't use LFSR • SHA1, maybe even SHA256
Implications • Other Crypto enabled applications of RFID • RFID Scheduled for Passports • Possible use in Identity cards • Medical Insurance Cards • Hospital Bracelets?
Web sites: • http://rfid-analysis.org/ (authors' web site) • http://www.ti.com/rfid/default.htm (Texas Instr.)