1

Ch. 17:Ch. 17:Security of RFIDSecurity of RFID

•slide 1

2

Roles of RFID applicationsRoles of RFID applications

•slide 2

Tags Reader Server(Database)

Secure

channel

Slides modified from presentation by Prof. HM

Sun

3

Security Problems of RFIDSecurity Problems of RFID

EavesdroppingHot-listing

◦Attacker has special interests in certain items

Replay attackCloningTracingData forgingDenial of Service

•slide 3

Fundamental problem:

Lack of mutual authentication

4

Physical Solutions for RFIDPhysical Solutions for RFID

•slide 4

5

Physical SolutionsPhysical Solutions

Kill tag after purchaseFaraday cageActive jamming

◦Disables all RFID, including legitimate applications

◦GuardianBlocker Tag

•slide 5

6

Special command permanently de-activates tag after the product is purchased

Disables many futuristic applications

Killing approachKilling approach

•slide 6

Referencewww.rsa.com/rsalabs/staff/bios/ajuels/

7

Container made of foil or metal mesh, impenetrable by radio signals of certain frequencies◦ Shoplifters are already known to use foil-lined bags

Maybe works for a wallet, but huge hassle in general

Faraday CageFaraday Cage

•slide 7

Referencewww.rsa.com/rsalabs/staff/bios/ajuels/

8

Blocker Tag Blocker Tag (The R(The RXXA Pharmacy)A Pharmacy)

•slide 8

Referencehttp:// www.rfidjournal.com

9

Active Jamming Active Jamming (Guardian)(Guardian)A mobile battery-powered device

that offers personal RFID security and privacy management.

•slide 9

Referencehttp:// www.rfidguardian.org

10

How Does the Reader Read a Tag?How Does the Reader Read a Tag?

When the reader sends a signal, more than one RFID tag may respond: this is a collision◦ Reader cannot accurately read information from more

than one tag at a timeReader must engage in a special singulation

protocol to talk to each tag separatelyTree-walking is a common singulation method

◦ Used by 915 Mhz tags, expected to be the most common type in the U.S.

•slide 10

Referencewww.cs.utexas.edu/~shmat/

11

Blocker Tag : Tree WalkingBlocker Tag : Tree Walking

•slide 11

000 001 010 011 100 101 110 111

Every tag has a k-bit identifier

prefix=0

prefix=00 prefix=01

prefix=10 prefix=11

prefix=1Reader broadcastscurrent prefix

Each tag with this prefixresponds with its next bit

If responses don’t collide,reader adds 1 bit to currentprefix, otherwise tries both possibilities

This takes O(k number of tags)

Referencewww.cs.utexas.edu/

~shmat/

12

Blocker Tag : ExampleBlocker Tag : Example

•slide 12

000 001 010 011 100 101 110 111

prefix=0

prefix=00 prefix=01

prefix=10 prefix=11

prefix=1

1. Prefix=“empty”

Next=0Next=1

Next=1

Collision!

1a. Prefix=0

Next=0

No collision

2. Prefix=00

1b. Prefix=1

2. Prefix=11

No collision

Next=1

3. ID=001

Talk to tag 001

No collision

Next=1

Next=1

Collision!

Next=1

Next=0

3a. ID=110

Talk to tag 110

3b. ID=111

Talk to tag 111

Referencewww.cs.utexas.edu/

~shmat/

13

Blocker TagBlocker Tag

A form of jamming: broadcast both “0” and “1” in response to any request from an RFID reader◦Guarantees collision no matter what tags are

presentTo prevent illegitimate blocking, make

blocker tag selective (block only certain ID ranges)◦E.g., blocker tag blocks all IDs with first bit=1◦ Items on supermarket shelves have first bit=0

Can’t block tags on unpurchased items (anti-shoplifting)◦After purchase, flip first bit on the tag from 0 to

1•slide 13

[Rivest, Juels, Szydlo]

Referencewww.cs.utexas.edu/

~shmat/

1414

行動票券之安全議題

* slides modified from presentation by 何煒華

高鐵車票

1515

安全議題

竄改偽造盜用複製、重複使用移轉 (vs. 複製 )

16

Summary

Security Concerns of RFIDSecurity Concerns of 行動票券