260 likes | 394 Views
A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes. March 16-18, 2009, Zurich, Switzerland. Martin Feldhofer IAIK – Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at. Yossef Oren School of Electrical Engineering Tel-Aviv University.
E N D
A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes March 16-18, 2009, Zurich, Switzerland Martin Feldhofer IAIK – Graz University of TechnologyMartin.Feldhofer@iaik.tugraz.atwww.iaik.tugraz.at Yossef Oren School of Electrical Engineering Tel-Aviv University
Outline Motivation Introduction of WIPR Requirements for RFID tag hardware Implementation of WIPR scheme in hardware Comparison of crypto implementations Conclusions
Why Security for RFID Systems? – Threats Counterfeiting • 5 - 7% of world trade • ~$600 billion USD a year (ICC 2009) Privacy violation • Monitoring communication is easy (contactless, broadcast)
How Can Cryptography Help Us? Encrypted communication • Prevents from reading data by unauthorized parties • Prevents tracking by unique identifier Authentication of reader/tag • Proves identity of party • Prevents from cloning tagged goods • Identification • Claim to be somebody / something • Authentication • Prove the claim (by characteristic, shared knowledge, possession)
Tag-Authentication Protocol Challenge-response (strong authentication) • Proves knowledge of shared secret key (or private key) • Requires random “challenge” • “Response” depends on challenge and key (encryption result) • Compatibilitytoexistingstandards rA A B fK( rA ) Key K Key K
State-of-the-Art in Secure RFID Symmetric crypto on tags is feasible • Results of AES-128 hardware module have been shown Disadvantage of symmetric solutions • Key distribution is difficult In open systems public-key cryptography is much better • Many untrusted parties (goods and tag manufacturer, tag integrators, warehouses, retailers, customer etc.) But what about the feasibility on passive RFID tags?
Overview of WIPR Identification Scheme WIPR stands for Weizmann-IAIK Public-Key for RFID 1024-bit RSA-like public key • 80 bits security level Full probabilistic encryption • Anonymity (encryption of ID) • Authentication (prove knowledge of secret) Main features • 4700 gate equivalents (including memory, full functionality) • 600ms / 14µA at 100KHz • Works great with the EPC C1G2 standard • High payload capacity can be used for example in sensor nodes
WIPR in Theory Rabin’s encryption scheme: • Private key: primes p, q. Public key: n = p·q • Encryption: C = P2 (mod n) • Decryption has four possible results (probabilistic) Low-resource version by Naccache and Shamir • Encryption: C = P2 + r·n, random r • Indistinguishable from Rabin’s scheme (if r is appropriately chosen) Ultra-low-resource version (this work): • Specially-formed n stored within 200 GEs • Long random strings created on-the-fly using “Feistel structure“
Security Features Secrecy and privacy • ID is kept secret (by encryption) • Tracking is prevented No private key on tag • Only secret ID • “Crack one – run one” situation Encryption of arbitrary data • Data of sensor nodes No tag rewrites or coupons • No fixed number of uses Reader authentication possible • Secure backward channel is possible
The WIPR Protocol for Authentication But what about the implementation costs?
Hardware Requirements for Passive RFID Tags Power consumption • Determines operating range (~1m required) • Maximum 25 µW • Below 15µA (1.5 V) mean current consumption • 0.35 µm CMOS: ~15 D-FF @ 1MHz Chip area • Die size equals silicon costs (5-20 Cent) • Less than 5000 gate equivalents for security BUT • Very low data rates (10-200 kbps) low clock frequency • High number of available clock cycles
Low-Power Design Power dissipation • PTotal = PStatic + PSC + PDynamic • PDynamic = CL · VDD2 · f Design for power reduction • Lowering VDD • Use lowest possible clock frequency (<100 kHz) • Clock gating • Avoiding glitching activity (sleep-mode logic) Optimization goal • Minimize triple (Imean [µA], Chip area [GE], #Clock cycles) • PDynamic = CL · VDD2 · f · psw
WIPR Hardware Implementation • Tag calculates (rR | rT1 | ID) (rR | rT1 | ID) + rT2 n • Result is calculated and sent byte by byte beginning at least significant byte (no need for storing it)
Implementation of Const n (rR | rT1 | ID) (rR | rT1 | ID) + rT2n • n has special format • Upper half is 0xAAA….AAA • Only 200 GEs to store a 1024-bitconstant
Implementation of Challenge rR (rR | rT1 | ID) (rR | rT1 | ID) + rT2 n • Register-based 8-bit RAM • 1000 GEs to store the 128-bit random challenge
Impl. of Random Strings rT1a, rT1b and rT2 (rR | rT1a| ID) (rR | rT1b| ID) + rT2 n • Random bit strings • Only sequential access • Use reversible stream cipher • Store only short seed values • Use “roll left” and “roll right” function • 2700 GEs to store a 2048-bit random of tag
Comparison of Different Algorithms Hardware implementations • Implemented on same platform WIPR
Conclusions Strong cryptography required for protection of RFID systems Design for low power consumption necessary Symmetric-key crypto is feasible on tags • AES-128 module has been shown WIPR allows public-key crypto on RFID tags • Uses Rabin encryption scheme • Optimized for low gate count and low power consumption Contact information • Martin Feldhofer IAIK – TU Graz Martin.Feldhofer@iaik.tugraz.at