PEARL Project Hot Topics
Hot Topics in RFID Security
Pedro Peris-Lopez - TU Delft
Security Lab, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology
June 24, 2010 Leuven, Belgium
Agenda
1 PEARL Project
2 Hot Topics
PEARL Project
Title: Privacy Enhanced security Architecture for RFID Labels.
Objectives:
1. Design of security and privacy controls (lightweight cryptography)
   - Cryptographic primitives
   - Security protocols
2. Assessment of the security and privacy properties
   - Modeling properties
   - Modeling systems
   - Policies
   - Verification
PEARL Project
Funding: SENTINELS research programme
Research institutes:
Computer Science Department, University of Eindhoven
SoS group, Radboud University Nijmegen
Faculty of Electrical Engineering, Delft University of Technology
Industrial partners:
Philips
TNO ICT
PEARL Project
More Information:
Research Topics
TU Delft is focused on the research areas listed below:
Lightweight and ultralightweight protocols [1, 2, 3, 4]
Distance-bounding protocols [5, 6, 7]
Yoking-proofs [8, 9]
Lightweight PRNG [10]
Lightweight and Ultralightweight Protocols (I)
Weaknesses in Two Recent Lightweight RFID Authentication Protocols
Privacy for RFID systems to prevent tracking and cloning [11]
  Cloning attack, traceability attack, full disclosure attack
A minimalist mutual authentication protocol for RFID system & BAN logic analysis [12]
  Tag/reader impersonation, traceability attack
Lightweight and Ultralightweight Protocols (II)
Security Flaws in a Recent Ultralightweight RFID Protocol [13]
Traceability Attack
Full Disclosure Attack
Cloning Attack
Desynchronization Attack
Lightweight and Ultralightweight Protocols (III)
Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol [14]
Traceability
Leakage of Stored Secrets
Tango Attack
Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec'10 Asia [15]
Traceability
Norwegian Attack
Tango Attack
Lightweight and Ultralightweight Protocols (IV)
Norwegian and Tango Attack: some details ...
Yeh-Lo-Winata Protocol (I)
Step 1  Reader → Tag: Hello
Step 2  Tag → Reader: IDS_t
Step 3  Reader → Tag: A ‖ B ‖ C ‖ flag
        If IDS_t = IDS_tr_new: flag = 0 and K = K_t. Else: flag = 1 and K = ID.
        A = (IDS ⊕ K) ⊕ n1
        B = (IDS ∨ K) ⊕ n2
        C = (K̂ ⊕ n1) + n2,   where K̂ = Rot(K ⊕ n2, n1)
Step 4  Tag extracts {n1, n2}, computes K̂ and verifies C. Then Tag → Reader: D
        D = (K̂′ ⊕ n2) + n1,  where K̂′ = Rot(K ⊕ n1, n2)
Yeh-Lo-Winata Protocol (II)
Step 5  Reader computes K̂′ and verifies D. If OK, it updates the secrets:
        IDS_tr_old = IDS
        IDS_tr_new = (IDS + (ID ⊕ K̂′)) ⊕ n1 ⊕ n2
        K_tr = K̂
        Reader → Tag: Update command
Step 6  Tag updates IDS and K
Full Disclosure Norwegian Attack (I)
1.  For i = 0 to L − 1:
2.      Observations[i] = 0
3.  Repeat the following steps a sufficiently high number of times N:
4.      Observe an authentication session and get IDS, A, B, C and D
5.      Check whether C mod L = D mod L holds for these values
6.      If not, go to step 4
7.      Otherwise:
8.          Wait for the authentication session to finish
9.          Send a "Hello" message to the tag to obtain IDS_tr_new
10.         Compute ID_estimated mod L = ((IDS_tr_new − IDS) ⊕ D) mod L
11.         Increment Observations[ID_estimated]
12. Filter: find ID_conjecture, the index of the maximum value in Observations[i]
13. Guess that ID_conjecture = ID mod L
Full Disclosure Norwegian Attack (II)
[Figure: histogram of ID candidates (L = 128, N = 2^18). x-axis: ID candidates (0 to 127); y-axis: number of times each candidate ID is observed (0 to 500). The single dominant bin satisfies ID mod 128 = ID_conjecture mod 128.]
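The Yeh-Lo-Winata session of the two protocol slides and the Norwegian attack of steps 1-13, as an added, runnable example written for this page (not code from the slides or from the PEARL project). It assumes 96-bit words, that Rot(x, y) rotates x left by the Hamming weight of y (the SASI/Gossamer convention; the slide does not define Rot), and that the eavesdropper only sees synchronised sessions (flag = 0). Whether the N = 2^18 peak of the histogram reproduces depends on the exact Rot of the real protocol, so the check below is limited to what the update and D formulas guarantee for any Rot: bit 0 of every estimate equals bit 0 of ID, because +, − and ⊕ agree on the lowest bit and the n1, n2 terms cancel.

```python
import random

W = 96                    # bit length of ID, IDS, K, n1, n2 (EPC-style value; an assumption)
MASK = (1 << W) - 1


def rot(x, y):
    """Rot(x, y): left-rotate x by the Hamming weight of y (assumed convention)."""
    r = bin(y).count("1") % W
    return ((x << r) | (x >> (W - r))) & MASK


class Tag:
    def __init__(self, ID, IDS, K):
        self.ID, self.IDS, self.K = ID, IDS, K


def session(tag, rng):
    """One synchronised (flag = 0) Yeh-Lo-Winata run. Returns what a passive
    eavesdropper collects: IDS, A, B, C, D and, after the update, IDS_new."""
    ID, IDS, K = tag.ID, tag.IDS, tag.K
    n1, n2 = rng.getrandbits(W), rng.getrandbits(W)
    # Step 3: reader -> tag
    A = (IDS ^ K) ^ n1
    B = (IDS | K) ^ n2
    K_hat = rot(K ^ n2, n1)
    C = ((K_hat ^ n1) + n2) & MASK
    # Step 4: the tag recovers n1, n2 from A and B and checks C before answering
    n1_t, n2_t = A ^ IDS ^ K, B ^ (IDS | K)
    if ((rot(K ^ n2_t, n1_t) ^ n1_t) + n2_t) & MASK != C:
        raise ValueError("tag rejects C")
    K_hat2 = rot(K ^ n1, n2)
    D = ((K_hat2 ^ n2) + n1) & MASK
    # Steps 5-6: after D verifies, both sides update IDS and K
    IDS_new = ((IDS + (ID ^ K_hat2)) ^ n1 ^ n2) & MASK
    tag.IDS, tag.K = IDS_new, K_hat
    return IDS, A, B, C, D, IDS_new


def estimate(IDS, D, IDS_new, L):
    """Step 10: ID_estimated mod L = ((IDS_new - IDS) xor D) mod L."""
    return (((IDS_new - IDS) & MASK) ^ D) % L


def norwegian_attack(tag, N, L, rng):
    """Steps 1-13 of the slide over N eavesdropped sessions. Also reports whether
    bit 0 of every estimate matched bit 0 of ID (a consequence of the formulas,
    not something the slide states)."""
    observations = [0] * L
    lsb_ok = True
    for _ in range(N):
        IDS, A, B, C, D, IDS_new = session(tag, rng)
        est = estimate(IDS, D, IDS_new, L)
        lsb_ok &= (est & 1) == (tag.ID & 1)
        if C % L != D % L:            # steps 5-6: keep only sessions whose low bits agree
            continue
        observations[est] += 1        # step 11
    conjecture = max(range(L), key=observations.__getitem__)   # step 12
    return conjecture, observations, lsb_ok


def demo(N, L, seed):
    """Fresh random tag, N eavesdropped sessions, modulus L (a power of two)."""
    rng = random.Random(seed)
    tag = Tag(rng.getrandbits(W), rng.getrandbits(W), rng.getrandbits(W))
    conjecture, obs, lsb_ok = norwegian_attack(tag, N, L, rng)
    return {"id_mod_L": tag.ID % L, "conjecture": conjecture,
            "votes": obs[conjecture], "accepted": sum(obs), "lsb_ok": lsb_ok}


if __name__ == "__main__":
    print(demo(1 << 18, 128, 2010))   # same L and N as the histogram on the slide
```

Running `demo(1 << 18, 128, seed)` and plotting `obs` reproduces the shape of the histogram experiment; with the assumed Rot the sessions that pass the C mod L = D mod L filter are about N/L, so the vote count per bin is small and the peak height depends on how strongly the higher bits correlate.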
Full Disclosure Tango Attack
Can we do it better? Here's the idea:
How much information about the secrets is leaked by the public messages exchanged during one session?
Let's consider only very simple combinations of the public messages of session k:
  L_k = a0·IDS_k ⊕ a1·A_k ⊕ a2·B_k ⊕ a3·C_k ⊕ a4·D_k ⊕ a5·IDS_{k+1},   a_i ∈ {0, 1}
and then see whether there is any correlation between L_k and ID.
One simple measure: the bias with respect to the optimal Hamming distance (m = bit length of ID),
  ε = | d_H(L_k, ID) − m/2 |
A Scaled-down Example
ID (base 10) = 85,  ID = [0, 1, 0, 1, 0, 1, 0, 1]
Session k:   eavesdrop the vectors {IDS_k, A_k, B_k, C_k, D_k, IDS_{k+1}} and compute an approximation, e.g. ID_approx(1) = [0 1 0 1 1 1 1 1]
Session k+1: eavesdrop {IDS_{k+1}, A_{k+1}, B_{k+1}, C_{k+1}, D_{k+1}, IDS_{k+2}} and compute ID_approx(2) = [0 1 0 1 0 1 0 0]
Session k+2: eavesdrop {IDS_{k+2}, A_{k+2}, B_{k+2}, C_{k+2}, D_{k+2}, IDS_{k+3}} and compute ID_approx(3) = [0 1 1 0 0 1 0 1]
Conjecture ID: sum the vectors position by position
    [0 1 0 1 1 1 1 1]
  + [0 1 0 1 0 1 0 0]
  + [0 1 1 0 0 1 0 1]
  -------------------
    ID_approx = [0 3 1 2 1 3 1 2]
Threshold at the average value γ:
  if ID_approx[i] ≥ γ then ID_conjecture[i] = 1
  if ID_approx[i] < γ then ID_conjecture[i] = 0
e.g. with γ = 1.5:  ID_conjecture = [0, 1, 0, 1, 0, 1, 0, 1]
Conjecture: ID_conjecture (base 10) = 85
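The Tango attack machinery of the last two slides, as an added example written for this page (not code from the slides or the PEARL project): the linear combinations L_k, the bias measure ε, the selection of good combinations against a tag with known ID, and the vote-and-threshold step that turns the three 8-bit approximations of the scaled-down example back into 85. The eavesdropped sessions are constructed data, not output of a real protocol: only the combination IDS_k ⊕ A_k carries information about ID (with one random bit flipped per session), so the training phase should single out the coefficient vector (1, 1, 0, 0, 0, 0). Selection uses the mean Hamming distance over the training sessions rather than the per-session ε, and a combination that lands far above m/2 is used complemented; both are this example's choices.

```python
import random
from itertools import product

M = 8                        # ID length in bits (the scaled-down size used on the slide)
MASK = (1 << M) - 1


def hamming(a, b):
    return bin((a ^ b) & MASK).count("1")


def bias(l_k, ident):
    """The slide's measure: eps = |d_H(L_k, ID) - m/2|."""
    return abs(hamming(l_k, ident) - M / 2)


def combination(coeffs, session):
    """L_k = a0*IDS_k xor a1*A_k xor ... xor a5*IDS_{k+1}, a_i in {0, 1},
    with session = (IDS_k, A_k, B_k, C_k, D_k, IDS_{k+1})."""
    l_k = 0
    for a_i, msg in zip(coeffs, session):
        if a_i:
            l_k ^= msg
    return l_k


def good_approximations(sessions, ident, threshold):
    """Training phase against a tag whose ID is known: keep every coefficient
    vector whose mean Hamming distance to ID deviates from m/2 by at least
    threshold. A vector far *above* m/2 is useful once complemented."""
    good = []
    for coeffs in product((0, 1), repeat=6):
        if not any(coeffs):
            continue
        mean_d = sum(hamming(combination(coeffs, s), ident) for s in sessions) / len(sessions)
        if abs(mean_d - M / 2) >= threshold:
            good.append((coeffs, mean_d > M / 2))     # (a_0..a_5, complement?)
    return good


def vote(approximations):
    """Sum the approximation vectors position by position (MSB first)."""
    counts = [0] * M
    for v in approximations:
        for i in range(M):
            counts[i] += (v >> (M - 1 - i)) & 1
    return counts


def conjecture(counts, gamma):
    """Threshold every position against gamma and read the bits as an integer."""
    return int("".join("1" if c >= gamma else "0" for c in counts), 2)


def tango_attack(sessions, good):
    """Attack phase against a tag with unknown ID: one approximation per session
    and per good combination, then a vote with gamma = half the number of votes."""
    approximations = []
    for s in sessions:
        for coeffs, complement in good:
            v = combination(coeffs, s)
            approximations.append((~v) & MASK if complement else v)
    return conjecture(vote(approximations), len(approximations) / 2)


def make_sessions(ident, n, seed):
    """Constructed eavesdropping data (not a real protocol run): IDS_k, B, C, D and
    IDS_{k+1} are random, and A = IDS_k xor ID with one random bit flipped, so the
    combination IDS_k xor A is a one-bit-noisy approximation of ID."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        ids, b, c, d, ids_next = (rng.getrandbits(M) for _ in range(5))
        a = ids ^ ident ^ (1 << rng.randrange(M))
        out.append((ids, a, b, c, d, ids_next))
    return out


if __name__ == "__main__":
    slide_vectors = [0b01011111, 0b01010100, 0b01100101]   # the three ID_approx of the slide
    print(vote(slide_vectors), conjecture(vote(slide_vectors), 1.5))
    good = good_approximations(make_sessions(0xA3, 40,  1), 0xA3, 2.5)  # train on a known tag
    print(good, tango_attack(make_sessions(85, 40, 7), good))           # attack a tag with ID 85
```

Against a real ultralightweight protocol the training phase runs on a tag whose secrets the attacker controls, and the resulting list of good coefficient vectors is reused against every other tag; the number of sessions needed is set by how far the selected combinations sit from m/2.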
Lightweight and Ultralightweight Protocols: Conclusions
Conclusions
The use of random numbers is a necessary but not sufficient condition to assure untraceability
CRCs should be confined to detecting transmission errors
Combine simple linear (i.e. bitwise) operations with non-triangular operations (e.g. rotations), as in the SASI protocol [17] and the Gossamer protocol [16]
Rigorous security analyses are necessary
Future work: New Protocols
Security Analysis
Design + Formal proof
Relay Attacks
[Figure: relay attack setup, © Avoine et al.]
Distance Bounding Protocols
[Figure: three fraud scenarios, R = reader, T = tag, with the reader's range marked]
(a) Distance fraud attack: a dishonest tag T outside the range of R makes R believe it is within range.
(b) Mafia fraud attack: an adversary relays the messages between an honest R and an honest T that is out of range.
(c) Terrorist fraud attack: a dishonest T out of range collaborates with an adversary near R, without handing over its long-term secret.
Hancke and Kuhn's Protocol
Mafia fraud attack: (3/4)^n
Terrorist fraud attack: 1
Distance fraud: (3/4)^n
Swiss-Knife RFID Distance Bounding Protocol [18]
An authentication protocol combined with a rapid bit exchange (Fig. 7 of Kim et al. [18]). Reader and Tag share the secret x; the Tag also holds its identifier ID.

Reader                                          Tag (x, ID)
Pick a random N_A              --- N_A --->
                               <--- N_B ---     Pick a random N_B
                                                a := f_x(C_B, N_B);  Z^0 := a;  Z^1 := a ⊕ x
Start of rapid bit exchange, for i = 1 to n:
  Pick c_i ∈ {0, 1}, start clock   --- c_i --->      (received as c′_i)
                                   <--- r_i ---      r_i := Z^0_i if c′_i = 0, Z^1_i if c′_i = 1
  Stop clock, store r_i and Δt_i
End of rapid bit exchange
                               <--- t_B, c′_1, ..., c′_n ---   t_B := f_x(c′_1, ..., c′_n, ID, N_A, N_B)
Check ID via DB; compute Z^0, Z^1
err_c := #{i : c_i ≠ c′_i}
err_r := #{i : c_i = c′_i ∧ r_i ≠ Z^{c_i}_i}
err_t := #{i : c_i = c′_i ∧ Δt_i > t_max}
If err_c + err_r + err_t ≥ T, then REJECT
t_A := f_x(N_B)                --- t_A --->     Compute and compare t_A
The Hitomi RFID Distance Bounding Protocol [6]
Reader and Tag share the secret x; the Tag also holds its identifier ID.

Reader                                          Tag (x, ID)
Pick a random N_R              --- N_R --->
                                                Pick random N_T1, N_T2 and N_T3
                                                a := f_x(N_R, N_T1, W);  b := f_a(N_T2, N_T3, W′)
                               <--- N_T1, N_T2, N_T3 ---   Z^0 := a;  Z^1 := b ⊕ x
Start of rapid bit exchange, for i = 1 to n:
  Pick c_i ∈ {0, 1}, start clock   --- c_i --->      (received as c′_i)
                                   <--- r_i ---      r′_i := Z^0_i if c′_i = 0, Z^1_i if c′_i = 1
  Stop clock, store r_i and Δt_i
End of rapid bit exchange
                                                m = {c′_1 ‖ c′_2 ‖ ... ‖ c′_n ‖ r′_1 ‖ r′_2 ‖ ... ‖ r′_n}
                               <--- t_B, m ---  t_B := f_x(m, ID, N_R, N_T1, N_T2, N_T3)
Check ID via DB; compute Z^0, Z^1, R^0, R^1
err_c := #{i : c_i ≠ c′_i}
err_r := #{i : c_i = c′_i ∧ r_i ≠ Z^{c_i}_i}
err_t := #{i : c_i = c′_i ∧ Δt_i > t_max}
If err_c + err_r + err_t ≥ τ, then REJECT
t_A := f_x(N_R, b)             --- t_A --->     Compute and compare t_A
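The verifier logic shared by the Swiss-Knife and Hitomi figures above (the Z^0/Z^1 registers, the timed rounds, err_c, err_r, err_t and the threshold), as an added example written for this page; it is not code from Kim et al., from the Hitomi paper or from the PEARL project. Assumptions of the example: f_x is HMAC-SHA256 under x, n = 64 rounds, a 32-byte x, a fixed constant C_B, threshold T = 4, and abstract timing in which a direct reply costs 1 tick and a relayed one 2 ticks with t_max = 1. Three channels are simulated between reader and tag: an honest tag, a naive relay (mafia fraud, caught by err_t), and the pre-ask mafia-fraud strategy that answers in time by querying the far tag with a guessed challenge first. Against a Hancke-Kuhn verifier, which only checks the responses, pre-asking wins each round with probability 3/4 (the (3/4)^n of the Hancke and Kuhn slide); here the tag signs the challenges it actually received inside t_B, so every wrong guess surfaces as err_c and the per-round success drops to 1/2.

```python
import hashlib
import hmac
import random
import secrets

N_ROUNDS = 64      # n rapid-bit rounds (value assumed)
T_MAX = 1          # time budget per round in abstract ticks: direct reply 1, relayed 2
T_REJECT = 4       # threshold T: reject when err_c + err_r + err_t >= T (value assumed)
C_B = b"C_B"       # the constant C_B of the figure (value assumed)


def f(x, *parts):
    """f_x(.) instantiated as HMAC-SHA256 under key x (assumption)."""
    return hmac.new(x, b"".join(parts), hashlib.sha256).digest()


def bits(data, n):
    return [(data[i >> 3] >> (7 - (i & 7))) & 1 for i in range(n)]


def registers(x, NB):
    """Z^0 = a = f_x(C_B, N_B) and Z^1 = a xor x, as n-bit lists (x is 32 bytes)."""
    a = f(x, C_B, NB)
    return bits(a, N_ROUNDS), bits(bytes(p ^ q for p, q in zip(a, x)), N_ROUNDS)


class Tag:
    def __init__(self, x, ident):
        self.x, self.ident = x, ident
    def start(self, NA):
        self.NA, self.NB = NA, secrets.token_bytes(16)
        self.Z, self.seen = registers(self.x, self.NB), []   # seen = the c'_i received
        return self.NB
    def respond(self, c_prime):                 # r_i := Z^{c'_i}_i
        self.seen.append(c_prime)
        return self.Z[c_prime][len(self.seen) - 1]
    def finish(self):                           # t_B := f_x(c'_1..c'_n, ID, N_A, N_B)
        return f(self.x, bytes(self.seen), self.ident, self.NA, self.NB), list(self.seen)
    def check_reader(self, tA):                 # compare t_A = f_x(N_B)
        return hmac.compare_digest(tA, f(self.x, self.NB))


def reader_run(db, channel, rng):
    """Reader side. db maps ID -> x; channel is whatever sits between reader and
    tag; rng is the (seeded, demo-only) source of the challenge bits c_i."""
    NA = secrets.token_bytes(16)
    NB = channel.start(NA)
    c, r, dt = [], [], []
    for _ in range(N_ROUNDS):                   # rapid bit exchange, clock per round
        ci = rng.getrandbits(1)
        ri, dti = channel.exchange(ci)
        c.append(ci); r.append(ri); dt.append(dti)
    tB, c_prime = channel.finish()
    for ident, x in db.items():                 # "check ID via DB": the x whose t_B matches
        if hmac.compare_digest(tB, f(x, bytes(c_prime), ident, NA, NB)):
            break
    else:
        return {"accepted": False, "err_c": None, "err_r": None, "err_t": None}
    Z = registers(x, NB)
    agree = [i for i in range(N_ROUNDS) if c[i] == c_prime[i]]
    err_c = N_ROUNDS - len(agree)
    err_r = sum(1 for i in agree if r[i] != Z[c[i]][i])
    err_t = sum(1 for i in agree if dt[i] > T_MAX)
    ok = err_c + err_r + err_t < T_REJECT and channel.deliver(f(x, NB))   # t_A
    # per-round bookkeeping: Hancke-Kuhn style (responses only) vs Swiss-Knife (c'_i too)
    hk_ok = sum(1 for i in range(N_ROUNDS) if r[i] == Z[c[i]][i])
    sk_ok = sum(1 for i in agree if r[i] == Z[c[i]][i])
    return {"accepted": ok, "err_c": err_c, "err_r": err_r, "err_t": err_t,
            "rounds_ok_hk": hk_ok, "rounds_ok_sk": sk_ok}


class Honest:
    def __init__(self, tag): self.tag = tag
    def start(self, NA): return self.tag.start(NA)
    def exchange(self, ci): return self.tag.respond(ci), 1
    def finish(self): return self.tag.finish()
    def deliver(self, tA): return self.tag.check_reader(tA)


class Relay(Honest):
    """Mafia fraud, naive: forward each challenge to the far tag; the hop costs a tick."""
    def exchange(self, ci): return self.tag.respond(ci), 2


class PreAsk(Honest):
    """Mafia fraud, pre-ask: query the far tag with a guessed challenge before the
    reader's c_i arrives, then answer on time (a fresh guess when the guess was wrong)."""
    def __init__(self, tag, rng): super().__init__(tag); self.rng = rng
    def exchange(self, ci):
        guess = self.rng.getrandbits(1)
        r = self.tag.respond(guess)
        return (r if guess == ci else self.rng.getrandbits(1)), 1


def round_success_rates(runs, seed):
    """Empirical per-round success of the pre-ask adversary under the two checks."""
    rng, x, ident = random.Random(seed), secrets.token_bytes(32), b"tag-0001"
    hk = sk = 0
    for _ in range(runs):
        res = reader_run({ident: x}, PreAsk(Tag(x, ident), rng), rng)
        hk, sk = hk + res["rounds_ok_hk"], sk + res["rounds_ok_sk"]
    return hk / (runs * N_ROUNDS), sk / (runs * N_ROUNDS)


def demo(kind, seed):
    rng, x, ident = random.Random(seed), secrets.token_bytes(32), b"tag-0001"
    tag = Tag(x, ident)
    channel = {"honest": Honest(tag), "relay": Relay(tag), "preask": PreAsk(tag, rng)}[kind]
    return reader_run({ident: x}, channel, rng)
```

`demo("honest", s)` accepts with all three counters at zero, `demo("relay", s)` is rejected with err_t = n, and `demo("preask", s)` is rejected with err_c close to n/2; `round_success_rates(100, s)` returns roughly (0.75, 0.5). The threshold T exists to absorb channel noise, so in a deployment it is tuned against the measured bit error rate rather than fixed at 4.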
Distance Bounding Protocols: a new idea ...
Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security [7]
  Reader → Tag: Request
  Tag → Reader: Puzzle(ID)          (1)
Drawback:
  Rogue readers and honest readers: same effort!
Solution:
  Key delegation
  Puzzles + Distance Bounding
Step 1: WSBC Authentication Scheme
[Figure: Reader and Tag exchange m1, m2, m3 over the air; Reader and Back-end Database communicate over a secure channel.]
1. R → T: m1 = request, n1
2. T → R: m2 = n2, 〈ς_j, ω_{π_j}(k)〉, υ_j, ν*_j
3. R → T: m3 = n*_4, τ*_j   (* optional)
where {n_i}, i = 0..4, are different nonces,
  ς_j = enc_k(n1 ‖ ID ‖ n1 ‖ j)
  ω_{π_j}(k) = {k_{π(0)}, k_{π(1)}, ..., k_{π(l−1)}} is an l-bit WSBC function and π() is a given permutation
  υ_j = h(j ‖ n1 ‖ ID ‖ n2)
  ν*_j = enc_k(j ‖ n3 ‖ ID ‖ n1)   (optional)
  τ*_j = enc_k(j ‖ n4 ‖ ID + 1 ‖ n3 ‖ n1)   (optional)
Step 2: WSBC + Distance-Bounding Authentication Scheme
[Figure: the Step 1 exchange (m1 = request, n1; m2 = n2, 〈ς_j, ω_{π_j}(k)〉, υ_j, ν*_j; m3 = n*_4, τ*_j) shown next to the distance-bounding variant: m1 = request, n1; m2 = n2, ς_j; then a rapid bit exchange for i = 1, ..., t in which the reader sends α_j(i) and the tag answers β_j(i) = α_j(i) ⊕ s_j(i); m3 = ω_{π_j}(k), υ_j, ν*_j; m4 = n*_4, τ*_j. In both, the Back-end Database is reached over a secure channel.]

WSBC + Distance-Bounding Authentication Scheme (continued)
[Figure, as far as recoverable: m1 = request, n1, γ_j; rapid bit exchange for i = 1, ..., t with challenges α_j(i) (bits c(i)) and responses β_j(i) = α_j(i) ⊕ s_j(i), where s_j is derived from n2; m2 = n3, ς_j, ω_{π_j}(k), υ_j, ν_j; m3 = n5, τ_j.]
Main idea: the WSBC 〈ς_j, ω_{π_j}(k)〉 depends on the distance (d_rt) that separates the tag and the reader.
Yoking Proofs (I)
"A pharmacy might want to be able to prove, for instance, that it dispensed an RFID-tagged prescription bottle along with a required RFID-tagged booklet containing indications."
© Juels [19]
Yoking Proofs (II)
Yoking/Clumping/Grouping Proofs
A proof that a pair of RFID tags has been scanned simultaneously
Analysis of existing proposals
Design guidelines
Next step: design a new yoking proof
Yoking Proofs: Analysis of Existing Proposals [8]
Attacks (x = the attack applies, - = it does not):
  T = Traceability            I = Impersonation
  F = Forge proof             S = Subset replay
  A = Anonymity               R = Replay (Peris-Lopez et al. (2007))
  M = Multi-proof (DoS)       U = Useless proofs (Burmester et al. 2008)

Proposal                      T  I  F  S  A  R  M  U
Juels (2004)                  x  x  -  -  x  x  -  x
Saito and Sakurai (2005)      -  x  -  x  -  x  -  x
Bolotnyy and Robins (2006)    -  -  -  x  -  -  x  x
Piramuthu (2006)              x  -  -  -  x  -  x  x
Lin et al. (2007)*            x  x  -  -  x  -  -  x
Peris-Lopez et al. (2007)     -  -  -  -  -  -  -  x
Cho et al. (2008)             x  -  -  -  x  -  x  x
Lien et al. (2008)            x  -  -  -  x  -  -  x
Burmester et al. (2008)       -  x  -  -  -  -  -  -
Chien and Liu (2009)          x  -  -  -  -  -  -  -
Huang and Ku (2009)           x  -  x  -  x  -  -  x
Chien et al. (2010)           x  -  x  -  x  -  -  x
Chien et al. (2010)*          x  -  -  x  x  -  -  x
* Offline version
Yoking Proofs: Protocol Design [8]
Design Guidelines
Computing capabilities
Dependence
Identification (privacy)
Matching
Verification
Performance (computations + messages)
Forward security (open problem)
Real Applications: Health care (I)
Errors involving medication administration can be costly, both in financial and in human terms
Patient safety can be improved by means of proper Information Technology (IT) systems
"Five-right" method: treating the right patient, with the right drug, in the right dose, in the correct way and at the right time
Existing solutions:
  RFID + barcodes
  Security and implementation problems
Real Applications: Health care (II)
[Figure 4: Phases of IS-RFID. 1. Drug Package Procedure (unit-dose medications); 2. Nurse Station Procedure (nurse cart); 3. Safe Drug Administration Procedure at the inpatient: 3.1 real-time verification, 3.2 evidence generation; 4. Monitoring Procedure. All phases connect to the HIS (hospital information system).]
Real Applications: Health care (III)
[Figure 5: IS-RFID Protocol. Message flow as far as recoverable from the figure (⊕ = XOR; primed values are those read during the visit; K_Inpatient and K_UD are the keys of the inpatient tag and the unit-dose (UD) tag):
Nurse station ↔ Nurse: request, mutual authentication, then the visit list (Inpatient_1, UD_1, t_1), ..., (Inpatient_N, UD_N, t_N)
Nurse → Inpatient tag and UD tag: {request, r_P}
Inpatient tag → Nurse: {r_W, PRNG(Inpatient_i, r_P, r_W)}
UD tag → Nurse: {r_M, PRNG(UD_i, r_P, r_M)}
Nurse → Inpatient tag: {t′_i}
Inpatient tag → Nurse: {m_T = PRNG(Inpatient_i ⊕ r_W ⊕ PRNG(t′_i) ⊕ PRNG(K_Inpatient))}
Nurse → UD tag: {m_T}
UD tag → Nurse: {m_UD = PRNG(UD_i ⊕ r_M ⊕ PRNG(m_T) ⊕ K_UD)}
Nurse → Inpatient tag: {m_UD}
Inpatient tag → Nurse: {m_TUD = PRNG(Inpatient_i ⊕ PRNG(m_T) ⊕ m_UD ⊕ K_Inpatient)}
Evidence: e_i = {Inpatient_i, UD_i, t′_i, r_W, r_M, m_TUD}
Nurse → HIS: {e_1, sign(e_1)}, ..., {e_N, sign(e_N)} together with (Inpatient_i, UD_i, t_i)
HIS: matching verification, evidence generation]
Pseudo-random Number Generator
Design a new lightweight PRNG
Security Analysis
Hardware requirements¹
¹ Department of Electrical Engineering, Carlos III University of Madrid (Spain)
Lightweight PRNG
Security requirements:
Cryptanalysis
Statistical tests (e.g. ENT, DIEHARD, NIST)
Hardware requirements:
Gate Equivalents < 4K
Clock cycles < 500-600
Operation frequency: 100 KHz
Power consumption: µW
AKARI-1 and AKARI-2
AKARI-1:
  Initialize x0 and x1 of m bits
  x0 = x0 + ((x0 * x0) ∨ 5)
  x1 = x1 + ((x1 * x1) ∨ 13)
  z = x0
  for r from 0 to 63:
      z = (z >> 1) + (z << 1) + z + x1
  % Output m/2 bits
  Output the lower half of z

AKARI-2:
  Initialize x0 and x1 of m bits
  x0 = x0 + ((x0 * x0) ∨ 5)
  x1 = x1 + ((x1 * x1) ∨ 13)
  z = x0 ^ x1
  for r from 0 to 24:
      z = (z << 1) + ((z + 0x56AB0A) >> 1)
  y = x1 ^ z
  for r from 0 to 24:
      y = (y >> 1) + (y << 1) + y + 0x72A4FB
  % Output m/2 bits
  Output the lower half of y
(All values are m-bit words, so + and << are taken modulo 2^m; ∨ is bitwise OR and ^ is bitwise XOR.)
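AKARI-1 and AKARI-2 implemented from the pseudocode above with m = 32, as an added example written for this page; it is not the authors' reference implementation. Reading choices that the pseudocode leaves open and that this example assumes: all arithmetic modulo 2^m with shifts truncated to m bits, the loops taken as inclusive (64 and 25 iterations), and m/2 output bits per call. The state update x ← x + (x² ∨ C) is the Klimov-Shamir single-cycle T-function; both constants satisfy C ≡ 5 (mod 8), so each state register walks a single cycle of length 2^m, and the same holds for its low k bits with period 2^k, which the helper below checks. A monobit count stands in for the ENT/DIEHARD/NIST batteries of the previous slide and is no substitute for them.

```python
M = 32                      # word size m in bits (the EPC configuration on the slide)
MASK = (1 << M) - 1
HALF = (1 << (M // 2)) - 1  # mask selecting the m/2 output bits


def t_step(x, c):
    """x <- x + (x*x | c) mod 2^m. For c = 5 or 7 (mod 8) this is a single-cycle
    T-function (Klimov-Shamir); 5 and 13 both qualify."""
    return (x + ((x * x) | c)) & MASK


class Akari1:
    def __init__(self, x0, x1):
        self.x0, self.x1 = x0 & MASK, x1 & MASK

    def next(self):
        self.x0 = t_step(self.x0, 5)
        self.x1 = t_step(self.x1, 13)
        z = self.x0
        for _ in range(64):                     # "for r from 0 to 63"
            z = ((z >> 1) + ((z << 1) & MASK) + z + self.x1) & MASK
        return z & HALF                         # lower half of z


class Akari2:
    def __init__(self, x0, x1):
        self.x0, self.x1 = x0 & MASK, x1 & MASK

    def next(self):
        self.x0 = t_step(self.x0, 5)
        self.x1 = t_step(self.x1, 13)
        z = self.x0 ^ self.x1
        for _ in range(25):                     # "for r from 0 to 24"
            z = (((z << 1) & MASK) + (((z + 0x56AB0A) & MASK) >> 1)) & MASK
        y = self.x1 ^ z
        for _ in range(25):
            y = ((y >> 1) + ((y << 1) & MASK) + y + 0x72A4FB) & MASK
        return y & HALF                         # lower half of y


def low_bits_period(c, k, start=0):
    """Steps until the low k bits of the T-function state return to `start`.
    A single-cycle T-function gives exactly 2^k, whatever the word size."""
    mask = (1 << k) - 1
    x, steps = start & mask, 0
    while True:
        x = (x + ((x * x) | c)) & mask
        steps += 1
        if x == start & mask:
            return steps


def monobit(gen, n):
    """Fraction of one bits over n outputs: the crudest statistical check."""
    ones = sum(bin(gen.next()).count("1") for _ in range(n))
    return ones / (n * (M // 2))


if __name__ == "__main__":
    g1, g2 = Akari1(0x12345678, 0x9ABCDEF0), Akari2(0x12345678, 0x9ABCDEF0)
    print([hex(g1.next()) for _ in range(4)], [hex(g2.next()) for _ in range(4)])
    print(low_bits_period(5, 10), low_bits_period(13, 10))   # 1024 1024
    print(monobit(Akari1(1, 2), 4096), monobit(Akari2(1, 2), 4096))
```

The period check is the one property a designer can verify by reasoning rather than by a test battery; the output mixing loops (64 rounds in AKARI-1, 2 × 25 in AKARI-2) are what the gate-equivalent and clock-cycle figures on the next slides pay for.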
AKARI-1 and AKARI-2: EPC tags (m = 32 bits)
Generator   Gate equivalents   Power (µW)   Clock cycles
AKARI-1     880                16.86        66
AKARI-2     1629               29.91        51
AKARI-1 and AKARI-2: Low-cost RFID tags
m_max = 128 bits
Generator   Gate equivalents   Power (µW)   Clock cycles
AKARI-1A    3358               62.4         66
AKARI-1B    3822               73.48        450
m_max = 64 bits
Generator   Gate equivalents   Power (µW)   Clock cycles
AKARI-2A    3259               58.26        51
AKARI-2B    3135               57.42        290
AKARI-2C    2993               55.87        530
Questions?
Thank you
More information: http://www.lightweightcryptography.com/
http://www.cs.ru.nl/pearl/
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, T. Li and J. C. A. van der Lubbe. "Weaknesses in Two Recent Lightweight RFID Authentication Protocols". In INSCRYPT'09 (in cooperation with IACR), Beijing, December 2009.
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador and J. C. A. van der Lubbe. "Security Flaws in a Recent Ultralightweight RFID Protocol". In Workshop on RFID Security (RFIDSec Asia'10), Volume 4 of Cryptology and Information Security Series, pages 83-93. IOS Press, 2010.
J. C. Hernandez-Castro, P. Peris-Lopez, R. C.-W. Phan, J. M. E. Tapiador. "Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol". In Workshop on RFID Security (RFIDSec'10), Istanbul, June 2010.
P. Peris-Lopez, J. C. Hernandez-Castro, R. C.-W. Phan, J. M. E. Tapiador, T. Li. "Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec'10 Asia (Poster)". In Workshop on RFID Security (RFIDSec'10), Istanbul, June 2010.
A. Mitrokotsa, C. Dimitrakakis, P. Peris-Lopez, J. C. Hernandez-Castro. "Reid et al.'s Distance Bounding Protocol and Mafia Fraud Attacks over Noisy Channels". In IEEE Communications Letters, Volume 14, Issue 2, pp. 121-123, 2010.
P. Peris-Lopez, J. C. Hernandez-Castro, C. Dimitrakakis, A. Mitrokotsa, J. M. E. Tapiador. "Shedding Some Light on RFID Distance Bounding Protocols and Terrorist Attacks". In CoRR, volume abs/0906.4618, 2009. (http://arxiv.org/abs/0906.4618)
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, E. Palomar and J. C. A. van der Lubbe. "Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security". In IEEE International Conference on RFID, Orlando, 2010.
P. Peris-Lopez, A. Orfila, J. C. Hernandez-Castro, J. C. A. van der Lubbe. "Flaws on RFID Grouping-Proofs. Guidelines for Future Sound Protocols". In Journal of Network and Computer Applications (in press). Available online 1 May 2010. (http://dx.doi.org/10.1016/j.jnca.2010.04.008)
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "Solving the Simultaneous Scanning Problem Anonymously: Clumping Proofs for RFID Tags". In the 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'07), pages 55-60. IEEE Computer Society Press, Istanbul (Turkey), July 2007.
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "LAMED: A PRNG for EPC Class-1 Generation-2 RFID Specification". In Computer Standards & Interfaces, Volume 31, Issue 1, pp. 88-97, January 2009.
M. Mitra. "Privacy for RFID systems to prevent tracking and cloning". International Journal of Computer Science and Network Security 8(1), pages 1-5, January 2008.
C. Qingling, Z. Yiju, W. Yonghua. "A minimalist mutual authentication protocol for RFID system & BAN logic analysis". In Proc. of CCCM '08, IEEE Computer Society, pages 449-453, 2008.
Y.-C. Lee, Y.-C. Hsieh, P.-S. You, T.-C. Chen. "A New Ultralightweight RFID Protocol with Mutual Authentication". In Proc. of WASE'09, Volume 2 of ICIE, pages 58-61, 2009.
M. David and N. R. Prasad. "Providing Strong Security and High Privacy in Low-Cost RFID Networks". In Proc. of Security and Privacy in Mobile Information and Communication Systems (MobiSec'09), pages 172-179. Springer Berlin Heidelberg, September 2009.
K.-H. Yeh, N. W. Lo, E. Winata. "An Efficient Ultralightweight Authentication Protocol for RFID Systems". Proc. of RFIDSec Asia'10, Volume 4 of Cryptology and Information Security Series, pages 49-60, IOS Press, 2010.
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "Advances in Ultralightweight Cryptography for Low-cost RFID Tags: Gossamer Protocol". In Proc. of Workshop on Information Security Applications (WISA 2008), Volume 5379 of LNCS, pages 56-68. Springer-Verlag, Jeju Island (Korea), September 23-25, 2008.
H.-Y. Chien. "SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity". IEEE Transactions on Dependable and Secure Computing 4(4):337-340, Oct.-Dec. 2007.
C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira. "The Swiss-Knife RFID Distance Bounding Protocol". In International Conference on Information Security and Cryptology (ICISC), Lecture Notes in Computer Science. Springer-Verlag, December 2008.
A. Juels. "'Yoking-Proofs' for RFID Tags". In First International Workshop on Pervasive Computing and Communication Security. IEEE Press, pp. 138-143, 2004.