A Security and Performance Evaluation of Hash-based RFID Protocols

Tong Lee Lim, Tieyan Li & Yingjiu Li

Cryptography and Security Department, Institute for Infocomm Research (I2R)

17 Dec. 2008, Inscrypt 2008


Inscrypt’08 – RFID Authentication

Outline

• Introduction on RFID, and its security & privacy issues
• Introduction on hash-based RFID authentication protocols
• The Hash chain family of protocols and weaknesses
  – Ohkubo – Hash chain
  – Henrici – Triggered hash chain
  – Lim – CRTH, FRTH
• The TRAP family of protocols and weaknesses
  – Dimitriou – CR
  – Tsudik – YA-TRAP
  – Burmester – YA-TRAP+, O-TRAP
  – Conti – RIPP-FS
• The Tree family of protocols and weaknesses
  – Molnar – TBPA
  – Lu – SPA
• Remarks…

RFID Debate

• Promoters
  – Wal-Mart, Gillette, METRO…
• Vendors
  – Microsoft, IBM, SAP…
• Players
  – TAGSYS, ALIEN, SAVI…
  – New: Mojix, RF controls…
• Governments, industries, researchers …

An age of RFID is coming … But security and privacy?

Passive RFID

• The reader has a powerful antenna and a power supply
• The reader surrounds itself with an electromagnetic field
• The tag is illuminated by the field, providing it with power

[Figure: Tag, Reader]

Reader–Tag Data Exchange

• The reader sends commands to the tag via pulse amplitude modulation
• The tag sends responses to the reader via backscatter modulation

[Figure: Tag, Reader]

RFID Security & Privacy Issues

• RFID tags have many technical limitations:
  – Limited power consumption (vs. energy consumption of battery powered devices) ~ 10µA average
  – Limited area consumption (less problem with evolving Smart Card technologies) < 1mm²
  – Limited execution time (set by batch tag reading protocol)
  – Limited backward channel (initiated by reader only)
  – Limited memory access (hundreds of bits to a few kBytes, and slow)
  – No physical protection possible
• Cryptography is not applicable immediately.
  – Worst case assumption is not always true for RFID
  – Weakened adversarial model is typically assumed for RFID
• In RFID, there are many security solutions.
  – E.g., shielding, killing, tearing, blocking, proxy, policies, obfuscation, etc. for different scenarios.

RFID Security & Privacy Issues

• Typically, RFID security means Authentication and Privacy.
  – Authentication:
    • Tag/reader authentication:
      – Both tag and reader need to prove their claimed identities.
    • Product authentication:
      – The secure binding of the tag and product needs to be guaranteed.
  – Privacy:
    • Anonymity:
      – The identity information of a person or event is not disclosed by reading a tag.
    • Untraceability:
      – The itinerary of a person or a series of events cannot be tracked by reading a tag.

Countermeasures

• Physical Protection
  – Private tag-to-reader channel; e.g., Clipped tag (IBM), Faraday Cage, Shielding…
  – Physical tag removal or destruction.
  – WORM; e.g., ISO/IEC 15963 defines a unique Tag ID.
• Access Control
  – EPC Gen2 Access and Kill passwords.
  – ID obfuscation or pseudonym
• Cryptographic Measures
  – Lightweight primitives (e.g., Present-80, Grain, Trivium, etc.)
  – Lightweight authentication schemes (e.g., HB family)
• Active Device
  – Blocker tag
  – REP, RFIDguardian


Research literature

• Solutions that used classic cryptographic primitives
  – PRNGs alone (Juels; Piramuthu; Tsudik; Chatmon; Duc; Molnar)
  – Hashes alone (Engberg; Avoine; Dimitriou; Yang; Weis; Henrici; Choi)
  – PRNGs and hashes (Gao; Rhee; Lee)
  – PRNGs and symmetric crypto (Molnar; Dimitriou; Bailey; Dominikus)
• In 2002, Sarma et al. first proposed to use hash functions
  – Hash lock, by Rivest et al. (03)
  – Randomized hash lock, by Weis et al. (03)

  – Hash chain, by Ohkubo et al. (RFIDsec’03)
  – Hash-based ID variation, by Henrici et al. (Percom’04)
  – Triggered hash chain, by Henrici et al. (Percom’08)
  – CRTH, FRTH, by Lim and Li (ICPADS’08)

  – YA-TRAP, by Tsudik et al. (PercomW’06)
  – YA-TRAP+, O-TRAP (O-FRAP, O-FRAKE), by Burmester et al. (06)
  – RIPP-FS, by Conti et al. (PercomW’07)

  – Hash tree, by Molnar et al. (SAC’05)
  – Dynamic hash tree, by Lu et al. (Percom’07)

RFID Authentication Characteristics

• There are some fundamental characteristics that distinguish RFID authentication from general purpose authentication:
  – Lightweightness: Many RFID platforms can only implement symmetric key crypto techniques.
  – Anonymity: General purpose authentication protocols may not support anonymity. For RFID applications, anonymity is essential, because rogue readers can easily track them.
  – Availability: RFID devices are subject to attacks by rogue readers in which they may assume a state from which they may no longer be able to authenticate themselves.
  – Forward security: RFID devices may be discarded, are easily captured, and may be highly vulnerable to side channel attacks on the stored keys. It is important to guarantee the privacy of past sessions if a key is compromised.

RFID Authentication Properties

• Besides the characteristics, in RFID authentication we ensure some major security properties:
  – Session Unlinkability: Any two protocol sessions involving the same tag cannot be linked.
  – Tag Authenticity: The authenticity of a tag is verified to prevent an adversary from impersonating the tag.
  – Reader Authenticity: A reader needs to be authenticated before it can be allowed to access confidential data on tags.
  – Desynchronization Resilience: An adversary is not able to bring the tag and its backend database into an inconsistent state.

Security model

Byzantine threat model

  – All entities (tags, readers, back-end server) including the adversary (the attackers) have polynomially bounded resources.
  – The adversary controls the delivery schedule of all communication channels, and may eavesdrop on, or modify, their contents.
  – The adversary may also instantiate new communication channels and directly interact with honest parties.
  – However, the reader-server channels are assumed to be secure.

In this paper, we classify 4 levels of adversaries:

  – Level 1 (Passive attack): Ability to perform passive eavesdropping over legitimate protocol sessions.
  – Level 2 (Active attack with protocol participation): Ability to communicate with a legitimate tag or reader by following the steps specified under the protocol and to replay messages.
  – Level 3 (Active attack with protocol disruption): Ability to actively corrupt, block or inject (replace) messages exchanged during a protocol session between a legitimate tag and an authorized reader.
  – Level 4 (Active attack with secret compromise): Ability to capture a legitimate tag and extract its secrets through physical and side channel attacks.


OSK: Hash Chain

• Process
• Elegant approach (simple, forward secure, etc.), but:
• Problems:
  – no synchronization between tag and “backend”
  – does not provide authentication (mimicking possible)
• Protocol cannot be used in practice

Henrici: Hash-based ID Variation

• Process

• Based on a message exchange
• Keep two database records for each tag to cope with message loss
• Hash values are used for mutual authentication and ensuring message integrity
• Transaction counter “t” prevents replay attacks and helps in synchronization between tag and backend
• Transmitting differences between transaction counters prevents the latter from being abused for recognition and tracking
• New identifier is not transmitted in clear; instead, calculate new identifier using old internal identifier and transmitted random number

Henrici: Triggered hash chain

• Process
• Relation to Hash Chains
  – Self-refreshment of internal tag identifier
  – Simple and elegant
• Relation to Hash-based ID Variation
  – Message exchange
  – Two database records for each tag in backend
  – Authentication by running protocol twice
• But improvements:
  – No transaction counter “hacks” (like in Hash-based ID Variation)
  – No need to stay online (like in Hash-based ID Variation)
  – No synchronization problems (like in Hash Chains)

CRTH (Lim et al.)

• Challenge-Response Triggered Hash

FRTH (Lim et al.)

• Forward-Rolling Triggered Hash

Comparison (security)

All 5 protocols support:
  – Tag anonymity
  – Forward security

Level 3 attacker. Columns: Tag authenticity, Reader authenticity, Session unlinkability, Desynchronization Resilience

Hash chain x x x
Hash ID x x
Triggered Hash x x
CRTH x
FRTH


CR protocols

• Typical Challenge-Response RFID protocol

Pass 1: the Reader sends a challenge that may include a timestamp, a random nonce, or other information.

Pass 2: the Tag responds by evaluating a function f(k, c, …) on the challenge. Its input may include a value r that may embed a nonce, and an identifier or a (mutable) pseudonym for tag recognition.

Reader (stores secret for each tag) and RFID tag (stores secret):
  Reader → Tag: c
  Tag → Reader: f(k, c, …)

CR (Dimitriou)

YA-TRAP

• YA-TRAP [Tsudik] Assumptions:
  – Reader shares a secret with each tag
  – Reader has database with entry <hash(secret, time), secret> for each tag

Server (K, Table(K,r)) and Tag (HK, ttag):
  Server → Tag: tsys (S activates the tag with tsys)
  Tag: if tsys < ttag or tsys > tmax, send r; else send HK(tsys)
  Tag → Server: h = HK(tsys)
  Tag: ttag ← tsys

• YA-TRAP [Tsudik]
  – Reader looks up hash in database to get secret
  – Issue: time must only increase
• Drawback:
  – DoS attack; bogus reader sends t’sys = tmax
  – Future time attack; bogus reader sends t’sys, i < tsys
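The YA-TRAP exchange and the desynchronization drawback listed above, simulated as an added example that is not code from the slides or the YA-TRAP authors. HMAC-SHA256 stands in for HK, and the class names, tag names, keys and time values are constructed for illustration.

```python
import hashlib
import hmac
import os

def H(key: bytes, t: int) -> bytes:
    # H_K(t): HMAC-SHA256 is an assumption; the slides only say "hash".
    return hmac.new(key, t.to_bytes(8, "big"), hashlib.sha256).digest()

class Tag:
    def __init__(self, key: bytes, t_tag: int, t_max: int):
        self.key, self.t_tag, self.t_max = key, t_tag, t_max

    def respond(self, t_sys: int) -> bytes:
        # Slide rule: if tsys < ttag or tsys > tmax, send random r.
        if t_sys < self.t_tag or t_sys > self.t_max:
            return os.urandom(32)
        self.t_tag = t_sys  # ttag <- tsys: stored time only increases
        return H(self.key, t_sys)

class Server:
    def __init__(self, keys: dict):
        self.keys = keys  # tag name -> K

    def identify(self, t_sys: int, h: bytes):
        # Database entries <hash(secret, time), secret> for the current tsys.
        table = {H(k, t_sys): name for name, k in self.keys.items()}
        return table.get(h)

def demo():
    keys = {"tag-A": b"A" * 16, "tag-B": b"B" * 16}  # constructed secrets
    server = Server(keys)
    tag = Tag(keys["tag-A"], t_tag=0, t_max=1000)
    before = server.identify(10, tag.respond(10))  # honest session
    tag.respond(1000)  # unauthenticated query carrying tsys = tmax
    after = server.identify(11, tag.respond(11))  # honest session now fails
    return before, after, tag.t_tag

if __name__ == "__main__":
    print(demo())
```

Because the tag accepts tsys from any reader without authenticating it, a single query moves ttag to tmax and every later legitimate session receives only random values, which is why the comparison marks YA-TRAP as lacking reader authenticity and desynchronization resilience.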

YA-TRAP+

• YA-TRAP+ [Chatmon]

O-TRAP

• Optimistic Trivial RFID Authentication Protocol

Server (K, Table(K,r)) and Tag (HK, rtag):
  Server → Tag: rsys (S updates rsys at regular periods)
  Tag → Server: rtag, h = HK(rsys, rtag)
  Tag: rtag ← HK(rtag)
  Server: if (K, rtag) ∈ Table(K,r) and h = HK(rsys, rtag), or ∃ K ∈ K : h = HK(rsys, rtag), accept and update Table(K,r): rtag ← HK(rtag); else reject

• When the adversary is not active, the server gets the key of the tag from the look-up Table(K,r).
• Otherwise the value of rK stored in the table may be out-of-sync with the value of the tag.
• In this case the server must search exhaustively by hashing the pairs (rsys, rtag) for each key value.

Table(K,r):
  keys:    K1  K2  ...  Kn
  strings: r1  r2  ...  rn
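The optimistic lookup and the exhaustive fallback described above, simulated as an added example that is not code from the slides or the O-TRAP authors. HMAC-SHA256 stands in for HK, and the class names, keys and 32-byte random strings are constructed for illustration.

```python
import hashlib
import hmac
import os

def H(key: bytes, *parts: bytes) -> bytes:
    # H_K(...): HMAC-SHA256 over fixed-length parts (an assumption).
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Tag:
    def __init__(self, key: bytes, r_tag: bytes):
        self.key, self.r_tag = key, r_tag

    def respond(self, r_sys: bytes):
        r, h = self.r_tag, H(self.key, r_sys, self.r_tag)
        self.r_tag = H(self.key, self.r_tag)  # rtag <- HK(rtag) on every query
        return r, h

class Server:
    def __init__(self, tags):
        self.keys = [k for k, _ in tags]
        self.table = {r: k for k, r in tags}  # Table(K, r), indexed by r
        self.r_sys = os.urandom(32)

    def authenticate(self, r_tag: bytes, h: bytes):
        key, path = self.table.get(r_tag), "lookup"
        if key is None or not hmac.compare_digest(h, H(key, self.r_sys, r_tag)):
            # Out of sync: hash the pair (rsys, rtag) under every key.
            path = "search"
            key = next((k for k in self.keys
                        if hmac.compare_digest(h, H(k, self.r_sys, r_tag))), None)
        if key is None:
            return None, "reject"
        self.table = {r: k for r, k in self.table.items() if k != key}
        self.table[H(key, r_tag)] = key  # update Table(K, r): rtag <- HK(rtag)
        return key, path

def demo():
    tags = [(bytes([i]) * 16, os.urandom(32)) for i in range(1, 4)]  # constructed
    server = Server(tags)
    tag = Tag(*tags[0])
    paths = [server.authenticate(*tag.respond(server.r_sys))[1]]
    tag.respond(os.urandom(32))  # query from a reader the server never sees
    paths.append(server.authenticate(*tag.respond(server.r_sys))[1])
    paths.append(server.authenticate(*tag.respond(server.r_sys))[1])
    forged = server.authenticate(os.urandom(32), os.urandom(32))
    return paths, forged
```

The second session costs one hash per stored key instead of one table lookup, so the rate of "search" outcomes is a useful server-side signal that tags are being queried by readers outside the system.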

RIPP-FS

RIPP-FS [Conti]
• Lamport hash value to authenticate the reader.

Drawback:
• Replay attack
• Infinite hash chain

Comparison (security)

All 5 protocols support:
  – Tag anonymity
  – Session unlinkability (except Dimitriou’s CR protocol)

Level 3/4 attacker. Columns: Tag authenticity, Reader authenticity, Forward security, Desynchronization Resilience

CR x
YA-TRAP x x x x
YA-TRAP+ x x *
O-TRAP x x *
RIPP-FS x


TBPA (Molnar et al.)

SPA (Lu et al.)

Comparison (security)

Both protocols support:
  – Tag anonymity
  – Tag authenticity
  – Reader authenticity

Level 3 attacker. Columns: Forward security, Session unlinkability, Desynchronization Resilience

TBPA x
SPA x x

Comparison (computation)

Comparison (storage)

Comparison (communication)

Remarks…

• We have reviewed a class of hash-based authentication protocols.
• Note that hash functions can be implemented using lightweight block ciphers, which can be implemented more efficiently.
• Can we design an elegant protocol fulfilling all properties in the RFID context?
• RFID will be deployed “unawarely” anywhere in our daily life; new threats are to be addressed and defended against with “balanced” security & privacy solutions.
• We have no backyard but to prevent the unforeseen threats beforehand.

Thank you!