160 likes | 294 Views
RFID Security and Privacy Part 2: security example. Zoom in: Authentication. Should be mutual reader should recognise tags tag should recognise readers EMAP: E fficient M utual A uthentication P rotocol for Low-cost RFID Tags.
E N D
RFID Security and Privacy Part 2: security example
Zoom in: Authentication • Should be mutual • reader should recognise tags • tag should recognise readers • EMAP: Efficient Mutual Authentication Protocolfor Low-cost RFID Tags. • proposed by P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.
EMAP model DB Identification ID (m bits) Key (4m bits) = K1||K2||K3||K4 Pseudonym IDS (m bits) Updated after each session || concatenation
EMAP protocol Reader Tag Database hello IDS IDS K1||K2||K3||K4 Check AB.Infer n1,n2 Random n1,n2 A||B||C A = IDS K1 n1 B = (IDS K2) n1 C = IDS K3 n2 D = IDS K4 n2 E = (IDS n1 n2) ID K1 K2 K3 K4 D||E Check D.Update IDS and K1...K4 Update IDS and K1...K4
Update … • IDS’ = IDS n2 K1. • K1’ = K1 n2 (ID1/2 || F(K4) || F(K3)) • ID1/2 – first m/2 bits of ID • F(X)–parity function • Divide X in m/4 4-bit blocks • Compute a parity bit for each block • K2’ = K2 n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3 n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4 n1 (F(K3) || F(K1) || ID2/2)
EMAP is efficient • Tag memory: • Rewritable memory: 4m bits (keys) + m (IDS) • ROM: m bits (ID) • Very reasonable for m = 96… • Operations: • tag does cheap processing: ,,, || • random number generation – reader only! • no expensive operations(e.g hash function, multiplication)
Further advantages of EMAP • tag anonymity • the same ID but different messages! • forward security • knowledge of K1...K4 does not reveal updated key
Li and Deng: EMAP is vulnerable "Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol " April 2007
Attack 1: Desynchronisation Intruder Tag Reader hello hello IDS j s.t. IDS(j) = 0 IDS random n1,n2 Toggle j in C n2' = n2 ej A||B||C A||B||C' infer n2' instead of n2 Toggle j in D' and E' wrong D'||E' D||E Update IDS and the key Update IDS and the key
Attack 1: Reader accepts D • expected: D = (IDS K4) n2 • received: ( (IDS K4) n2’ ) ej • i.e. (IDS K4) n2 ej ej = D
Attack 1: received E is correct • expected: E = (IDS n1 n2) ID K1 K2 K3 K4 • received: (IDS n1 n2’) ID K1 K2 K3 K4 ej • compare: IDS n1 n2 vs. (IDS n1 n2’) ej • look at jth bit: IDS(j) = 0 (IDS n1 n2)(j)=n2(j)
Attack 1: Tag update • IDS’ = IDS n2 K1. • K1’ = K1 n2 (ID1/2 || F(K4) || F(K3)) • K2’ = K2 n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3 n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4 n1 (F(K3) || F(K1) || ID2/2) • Desynchronisation on IDS, K1and K2 • You can also attackn1 rather thann2 or both (see the paper)
Quick Quiz • What kind of problem has been demonstrated? • Ethical issues • Illicit tracking of the tags • Skimming • Tag cloning • Cross-contamination • Tag killing • Invasive attack / side channel attack • Jamming
Countermeasure: Error-correcting codes? • Can report/correct a number of 1-0 errors • can detect the attack as presented above • BUT • the attack can be generalised to replace (n1,n2) by (n1’,n2’) toggling multiple bits simultaneously… • … and fooling the error-correcting codes!
Murphy’s Law Just when you think things cannot get any worse, they will.
Attack 2 Full disclosure attack Run EMAP (a number of times) and discover ID and all the keys! Want to know more? Read the paper