420 likes | 630 Views
I nscrypt 2008. A Security and Performance Evaluation of Hash-based RFID Protocols. Tong Lee Lim, Tieyan Li & Yingjiu Li Cryptography and Security Department Institute for Infocomm Research (I 2 R) 17 Dec. 2008. Project Summary - what will be done. Outline.
E N D
Inscrypt 2008 A Security and Performance Evaluation of Hash-based RFID Protocols Tong Lee Lim, Tieyan Li & Yingjiu Li Cryptography and Security Department Institute for Infocomm Research (I2R) 17 Dec. 2008
Project Summary - what will be done Outline • Introduction on RFID, and its security & privacy issues • Introduction on hash-based RFID authentication protocols • The Hash chain family of protocols and weaknesses • Okhubo – Hash chain • Henrici – Triggered hash chain • Lim – CRTH, FRTH • The TRAP family of protocols and weaknesses • Dimitriou – CR • Tsudik – YA-TRAP • Burmester – YA-TRAP+, O-TRAP • Conti – RIPP-FS • The Tree family of protocols and weaknesses • Molnar – TBPA • Lu – SPA • Remarks…
Project Summary - why should it be done? RFID Debate • Promoters • Wal-Mart, Gillette, METRO… • Vendors • Microsoft, IBM, SAP… • Players • TAGSYS, ALIEN, SAVI… • New: Mojix, RF controls… • Governments, industries, researchers … An age of RFID is coming … But security and privacy?
Passive RFID The reader has a powerful antenna and a power supply The reader surrounds itself with an electromagnetic field The tag is illuminated by the field, providing it with power Reader Tag 4
ReaderóTag Data Exchange The reader sends commands to the tag via pulse amplitude modulation The tag sends responses to the reader via backscatter modulation Reader Tag 5
Project Summary - why should it be done? RFID Security & Privacy Issues • RFID tags have many technical limitations: • Limited power consumption (vs. energy consumption of battery powered devices) ~ 10µA average • Limited area consumption (less problem with evolving Smart Card technologies) < 1mm² • Limited execution time (set by batch tag reading protocol) • Limited backward channel (initiated by reader only) • Limited memory access (hundreds bits to few kBytes and slow) • No physical protection possible • Cryptography is not applicable immediately. • Worst case assumption is not always true for RFID • Weakened adversarial model is typically assumed for RFID • In RFID, there are many security solutions. • E.g., shielding, killing, tearing, blocking, proxy, policies, obfuscation, etc. for different scenarios.
Project Summary - why should it be done? RFID Security & Privacy Issues • Typically, RFID security means Authentication and Privacy. • Authentication: • Tag/reader authentication: • Both tag and reader need to prove their claimed identities. • Product authentication: • The secure binding of the tag and product need to be guaranteed. • Privacy: • Anonymity: • The identity information of a person of event is not disclosed by reading a tag. • Untraceability: • The itinerary of a person or a series of events can not be tracked by reading a tag.
Project Summary - why should it be done? Countermeasures • Physical Protection • Private tag-to-reader channel; e.g., Clipped tag (IBM), Faraday Cage, Shielding… • Physical tag removal or destruction. • WORM; e.g., ISO/IEC 15963 defines a unique Tag ID. • Access Control • EPC Gen2 Access and Kill passwords. • ID obfuscation or pseudonym • Cryptographic Measures • Lightweight primitives (e.g., Present-80, Grain, Trivium, etc.) • Lightweight authentication schemes (e.g., HB family) • Active Device • Blocker tag • REP, RFIDguardian
Project Summary - what will be done Outline • Introduction on RFID, and its security & privacy issues • Introduction on hash-based RFID authentication protocols • The Hash chain family of protocols and weaknesses • Okhubo – Hash chain • Henrici – Triggered hash chain • Lim-Li – CRTH, FRTH • The TRAP family of protocols and weaknesses • Dimitriou – CR • Tsudik – YA-TRAP • Burmester – YA-TRAP+, O-TRAP • Conti – RIPP-FS • The Tree family of protocols and weaknesses • Molnar – TBPA • Lu – SPA • Remarks…
Project Summary - what will be done Research literature • Solutions that used classic cryptographic primitives • PRNGs alone, (Juels; Piramuthu; Tsudik; Chatmon; Duc; Molnar) • Hashs alone, (Engberg; Avoine; Dimitriou; Yang; Weis; Henrici; Choi) • PRNGs and hashs, (Gao; Rhee; Lee;) • PRNGs and Symmetric crypto, (Molnar; Dimitriou; Bailey; Dominikus) • In 2002, Sarma et al. first proposed to use hash functions • Hash lock, by Rivest et al. (03) • Randomized hash lock, by Weis et al. (03) • Hash chain, by Okhubo et al. (RFIDsec’03) • Hash-based ID variation, by Henrici et al. (Percom’04) • Triggered hash chain, by Henrici et al. (Percom’08) • CRTH, FRTH, By Lim and Li (ICPADS’08) • YA-TRAP, by Tsudik et al. (PercomW’06) • YA-TRAP+, O-TRAP (O-FRAP, O-FRAKE), by Burmester et al. (06) • RIPP-FS, by Conti et al. (PercomW’07) • Hash tree, by Molnar et al. (SAC’05) • Dynamic hash tree, by Lu et al. (Percom’07)
Project Summary - what will be done RFID Authentication Characteristics • There are some fundamental characteristics that distinguish RFID authentication from general purpose authentication: • Lightweightness,Many RFID platforms can only implement symmetric key crypto techniques. • Anonymity,General purpose authentication protocols may not support anonymity. For RFID applications, anonymityis essential,because rogue readers can easily track them. • Availability, RFID devices are subject to attacks by rogue readers in which they may assume a state from which they may no longer be able to authenticate themselves. • Forward security, RFID devices may be discarded, are easily captured, and may be highly vulnerable to side channel attacks on the stored keys. It is important to guarantee the privacy of past sessions if key is compromised.
Project Summary - what will be done RFID Authentication Properties • Besides the characteristics, in RFID authentications, we ensure some major security properties: • Session Unlinkability: Any two protocol sessions involving the same tag can not be linked. • Tag Authenticity: The authenticity of a tag is verified to prevent an adversary from impersonating the tag. • Reader Authenticity: A reader needs to be authenticated before it can be allowed to access confidential data on tags. • Desynchronization Resilience: An adversary is not able to bring an inconsistent state to the tag and its backend database.
Project Summary - what will be done Security model Byzantine threat model • All entities (tags, readers, back-end server) including the adversary (the attackers) have polynomial bounded resources. • The adversary controls the delivery schedule of all communication channels, and may eavesdrop into, or modify their contents. • The adversary may also instantiate new communication channels and directly interact with honest parties. • However, the reader-server channels are assumed to be secure. In this paper, we classify 4 levels of adversaries: • Level 1 (Passive attack): Ability to perform passive eavesdropping overlegitimate protocol sessions. • Level 2 (Active attack with protocol participation): Ability to communicatewith a legitimate tag or reader by following the steps specifiedunder the protocol and to replay messages. • Level 3 (Active attack with protocol disruption): Ability to activelycorrupt, block or inject (replace) messages exchanged during a protocol sessionbetween a legitimate tag and an authorized reader. • Level 4 (Active attack with secret compromise): Ability to capturea legitimate tag and extract its secrets through physical and side channelattacks.
Project Summary - what will be done Outline • Introduction on RFID, and its security & privacy issues • Introduction on hash-based RFID authentication protocols • The Hash chain family of protocols and weaknesses • Okhubo – Hash chain • Henrici – Triggered hash chain • Lim – CRTH, FRTH • The TRAP family of protocols and weaknesses • Dimitriou – CR • Tsudik – YA-TRAP • Burmester – YA-TRAP+, O-TRAP • Conti – RIPP-FS • The Tree family of protocols and weaknesses • Molnar – TBPA • Lu – SPA • Remarks…
Project Summary - what will be done OSK: Hash Chain
Project Summary - what will be done OSK: Hash Chain • Process • Elegant approach (simple, forward secure, etc.), but: • Problems: • no synchronization between tag and “backend” • does not provide authentication (mimicking possible) • Protocol cannot be used in practice
Project Summary - what will be done Henrici: Hash-based ID Variation • Process
Project Summary - what will be done Henrici: Hash-based ID Variation • Based on a message exchange • Keep two database records for each tag to cope with message loss • Hash values are used for mutual authentication and ensuringmessage integrity • Transaction counter “t” prevents replay attacks and helps insynchronization between tag and backend • Transmitting differences between transaction counters prevents thelatter to be abused for recognition and tracking • New identifier is not transmitted in clear;instead, calculate new identifier using old internal identifier andtransmitted random number
Project Summary - what will be done Henrici: Triggered hash chain
Project Summary - what will be done Henrici: Triggered hash chain • Process
Project Summary - what will be done Henrici: Triggered hash chain • Relation to Hash Chains • Self-refreshment of internal tag identifier • Simple and elegant • Relation to Hash-based ID Variation • Message exchange • Two database records for each tag in backend • Authentication by running protocol twice • But improvements: • No transaction counter “hacks” (like in Hash-based ID Variation) • No need to stay online (like in Hash-based ID Variation) • No synchronization problems (like in Hash Chains)
Project Summary - what will be done CRTH (Lim et al.) • Challenge-Response Triggered Hash
Project Summary - what will be done FRTH (Lim et al.) • Forward-Rolling Triggered Hash
Project Summary - what will be done Comparison (security) All 5 protocols support: • Tag anonymity • Forward security
Project Summary - what will be done Outline • Introduction on RFID, and its security & privacy issues • Introduction on hash-based RFID authentication protocols • The Hash chain family of protocols and weaknesses • Okhubo – Hash chain • Henrici – Triggered hash chain • Lim – CRTH, FRTH • The TRAP family of protocols and weaknesses • Dimitriou – CR • Tsudik – YA-TRAP • Burmester – YA-TRAP+, O-TRAP • Conti – RIPP-FS • The Tree family of protocols and weaknesses • Molnar – TBPA • Lu – SPA • Remarks…
c f(k, c, …) Project Summary - what will be done CR protocols • Typical Challenge-Response RFID protocol • Pass 1: the Reader sends a challenge that may include a timestamp, a random nonce, or other information. • Pass 2: the Tag responds by evaluating a function f (k; c; ) on the challenge. • Its input may include a value r that may embed a nonce, and an identifier or a (mutable) pseudonym for tag recognition. Reader RFID tag Stores secret Stores secret for each tag
Project Summary - what will be done CR (Dimitriou)
Project Summary - what will be done YA-TRAP • YA-TRAP [Tsudik] Assumptions: • Reader shares a secret with each tag • Reader has database with entry <hash(secret, time), secret> for each tag Server (K, Table(K,r)) Tag (HK , ttag) S activates the tag with tsys tsys Iftsys < ttag or tsys > tmax, send r. Else send HK(tsys) h = HK(tsys) ttag tsys
Project Summary - what will be done YA-TRAP • YA-TRAP [Tsudik] • Reader looks up hash in database to get secret • Issue: time must only increase • Drawback: • DoS attack; bogus reader sends t’sys = tmax • Future time attack; bogus reader sends t’sys, i < tsys
Project Summary - what will be done YA-TRAP+ • YA-TRAP+[Chatmon]
Project Summary - what will be done O-TRAP • Optimistic Trivial RFID Authentication Protocol Server (K, Table(K,r)) Tag (HK , rtag) S updates rsys at regular periods rsys rtag , h = HK(rsys,rtag) rtag HK(rtag) If (K,rtag)Table(K,r) & h=HK(rsys,rtag), Or KK : h=HK(rsys,rtag) accept update Table(K,r): rtag HK(rtag) Else reject
Project Summary - what will be done O-TRAP Table(K,r) • When the adversary is not active, the server gets the key of the tag from the look-up Table(K,r). • Otherwise the value of rK stored in the table may be out-of-sync with the value of the tag. • In this case the server must search exhaustively by hashing the pairs (rsys, rtag) for each key value.
Project Summary - what will be done RIPP-FS RIPP-FS[Conti] • Lamport hash value to authenticate the reader. Drawback: • Replay attack • Infinite hash chain
Project Summary - what will be done Comparison (security) All 5 protocols support: • Tag anonymity • Session unlinkability (except Dimitriou’s CR protocol)
Project Summary - what will be done Outline • Introduction on RFID, and its security & privacy issues • Introduction on hash-based RFID authentication protocols • The Hash chain family of protocols and weaknesses • Okhubo – Hash chain • Henrici – Triggered hash chain • Lim – CRTH, FRTH • The TRAP family of protocols and weaknesses • Dimitriou – CR • Tsudik – YA-TRAP • Burmester – YA-TRAP+, O-TRAP • Conti – RIPP-FS • The Tree family of protocols and weaknesses • Molnar – TBPA • Lu – SPA • Remarks…
Project Summary - what will be done TBPA (Molnar et al.)
Project Summary - what will be done SPA (Lu et al.)
Project Summary - what will be done Comparison (security) All 2 protocols support: • Tag anonymity • Tag authenticity • Reader authenticity
Project Summary - what will be done Comparison (computation)
Project Summary - what will be done Comparison (storage)
Project Summary - what will be done Comparison (communication)
Project Summary - why should it be done? Remarks… • We have reviewed a class of hash based authentication protocols. • Note that hash functions can be implemented using lightweight block ciphers, which can be implemented more efficiently. • Can we design an elegant protocol fulfilling all properties in RFID context? • RFID will be deployed “unawarely” anywhere in our daily life, new threats are to be addressed and defended with “balanced” security & privacy solutions. • We have no backyard but to prevent the unforeseen threats beforehand. Thank you!