challenging issues in rfid security
DESCRIPTION
CHALLENGING Issues in RFID Security. Kwangjo Kim. Contents. Introduction RFID and its Applications Korean Status and Auto ID Labs Security Threats for RFID Traditional Threats : Tag Cloning, Privacy Invasion, Denial/Disruption of Service - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/1.jpg)
CHALLENGING ISSUES IN RFID SECURITYKwangjo Kim
![Page 2: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/2.jpg)
2
Contents Introduction
RFID and its Applications Korean Status and Auto ID Labs
Security Threats for RFID Traditional Threats : Tag Cloning, Privacy Invasion, Denial/Disruption of Service New Threats: Location-based Attacks (Mafia Fraud/Terrorist Attacks), Side Channel Attack
Current Countermeasures for Secure RFID Cryptographic primitives -based Protocol : Hash-based, LPN-based, CRC-based, Ultra-lightweight Protocols: XOR, ADD, Rotate, etc. Provable secure Protocol: Modeling of Adversary, Universal Composability (UC)-
Framawork, Multi Tag Scanning Protocols : Yorking proof or Grouping Radiation security and non-invasive analysis: Distance-bounding, SCA
Open Issues in RFID Security and Concluding Remarks Functional LW Cryptographic Primitives (Im)Possibility of Certain Cryptographic Tasks New Security Model Effective Methods against Location-based Attacks Protection against SCA
![Page 3: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/3.jpg)
What is RFID?
I. Introduction
![Page 4: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/4.jpg)
4
Introduction – RFID (1/3)
TagsAttached to objects, give out their (unique) EPC# via RF signal
Readers 1. Query & read EPC# from tags via
RF signal2. Get more info. about EPC# from
EPC-IS3. Update EPC-IS: e.g., EPC# arrived at
10:53pm at location X
RF signal (contactless)Range: around 10 meters
EPC-Information Services (EPC-IS)Detailed real-time info about EPC# is constantly updated and maintained in here
Share Info
2: Reply EPC# 1: Query3: Send EPC#
4: Receive EPC#: Info
![Page 5: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/5.jpg)
5
Introduction – RFID Applications (2/3)
In future RFID would automate supply-chain management EPC-IS assists geographically distributed supply-chain partners
to share real-time info about RFID-tagged products they are handling
RFID-based Supply-Chain Management System
* Please view the above figure in full screen mode
![Page 6: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/6.jpg)
6
Introduction – RFID Applications (3/3)
RFID-Tagged item
Consumer shopping RFID-tagged items
Smart Home
RFID-Reader Enabled Devices
Mobile RFID: Mobile Phone with RFID-reader chip
RFID
READER
RFID
READER
Home-server
RFID-based Applications for Consumers
![Page 7: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/7.jpg)
RFID/USN : Infra for Knowledge-Based Era in Korea
Network in which wire/wireless linkage of multiple sensors collects, integrates, processes & utilizes information
RFID + USN
To be developed into an intelligent infra in the future
•RFID/USN developing process: Tag + Sensor Intelligent control
The technology enabling readers to recognize, process and utilize the information in tags without physical contact
RFID USN
Healthy monitoring anytime & anywhereSafe & healthy food
Enhancing industrial competitiveness Strengthening monitoring/awareness
Creating comfort environmentManaging facilities efficientlyImproving transparency/productivity
Convenient shopping
RFID/USN
![Page 8: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/8.jpg)
Current Korean Status of RFID/USN Industry
Market size Industry structure
’Domestic market in 08’: About KW 550 billion(Annual growth rate: RFID - 39%, USN - 35%)
(Unit: 100Million won)Market trend
4,333
2,871
5,547
20072006 2008
8965691,402
3,4372,353
4,145
RFID
USN
Composed of about 360 companies
RFID tag · leader
Middleware · SI
USN(Sensor node)
176 companies including LS Industrial System& Samgsung Techwin
88 companies including Asiana IDT & Samsung SDS
99 companies including Green Sensor & Nuri Telecom
· Most of part & equipment companies are small/medium-sized except for LG Industrial System & Samsung Techwin · focuses on developing & providing services to create new businesses but does not excel in specialization.
![Page 9: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/9.jpg)
Auto-ID Labs
![Page 10: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/10.jpg)
Auto-ID Lab, Korea
Joined Auto-ID Labs on April 2005 ICU merged with KAIST as of March 1, 2009
Internet of Things RF, Chip design (air interface for active RFID tag, WSN)
ZigBee transceiver, IR-UWB transceiver, Wake-up circuit, etc. EPC Sensor Network : Integration of EPCglobal architecture framework
and
wireless sensor network (WSN) technology RFID / WSN Privacy & Security
Anti-counterfeiting, Lightweight cryptography, etc. RFID/WSN Business, Application
BM for food safety system, autonomous vehicles, ubiquitous city,
agriculture, healthcare, etc.
Daeyoung Kimkimd@kaist
Seongook [email protected]
Sanggug [email protected]
Hyuckjae [email protected]
Kwangjo Kimkkj@kaist
Myungryul [email protected]
JaeJeung Rhojjroh@kaist
Junghoon Moonjmoon@kaist
![Page 11: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/11.jpg)
What are security threats in RFID?
II. Security Threats on RFID
![Page 12: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/12.jpg)
12
RFID Security Threats (1/4)
Cloned Fake Tags
Malicious Readers
Man-in-the-Middle AttackDenial/Disruption of Service
ID#
Privacy Violation
![Page 13: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/13.jpg)
RFID Security Threats: Location-based Attacks (2/4)
RFID Authentication Protocol does not address location of tags: Tags out of communication range of a reader
should not be authenticated. Location-based Attacks[Brands&Cham@EC93]
Mafia Fraud Attack (Distance Fraud Attack): Attacker simply relays messages between two honest parties.
Terrorist Attack: Extended mafia fraud attack in which attacker collaborates with one of dishonest party.
![Page 14: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/14.jpg)
RFID Security Threats: Location-based Attacks (3/4)
Mafia Fraud Attack on RFID:Rouge Tag Reader Challen
ge
Response
Rouge ReaderChalleng
e
Response
Tag
ChallengeResponse
Communication range of the reader
![Page 15: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/15.jpg)
RFID Security Threats: SCA (4/4)
SCA potentially is the most serious threat to RFID tags, which implement cryptographic functions.
Typical side channel information Timing information, computation fault, power consumption and EM radiation EM analysis on HF-RFID, UHF-RFID, UHF-EPC-C1G2Tag
EM radiation based non-invasive analysis becomes more viable than invasive analysis.
Crypto enabled RFID
ComputerOscilloscope
Control, Ciphertext
Control, Side channel information
![Page 16: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/16.jpg)
What have been done to counter security threats?
III. Current Countermeasures
![Page 17: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/17.jpg)
17
Hash-based ProtocolsHash-lock Scheme[3]
metaID = h(k)
Extended Hash-lock Scheme[2,8]
Major Drawback:
The server has to go through the whole tag database and compute the hash chains to identify a tag.
![Page 18: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/18.jpg)
LPN-based Protocols (1/3) Binary inner-product of two k-bit values a and x:
z = a x = (a0 x0) (a1 x1) … (ak-1 xk-1) Binary-inner product can be implemented easily on
low-cost hardware. Question is: where is the hard problem?
Learning Parity with Noise (LPN) Problem: LPN problem: Given a set of (ai, zi) where z = (ai
x) vi and vi is generated at a fixed probability, compute x.a
(ai, zi) appears as a true (k+1)-bit string.
![Page 19: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/19.jpg)
LPN-based Protocols (2/3) HB+ Authentication Protocol by Juels and
WeisTag (k-bit secret x and y; )
Reader (k-bit secret x and y)
a R {0, 1}k
a
z Check z = (a x) (b y)
b R {0, 1}k
b
Repeat above step q times.Accept only if about q responses of Tag are
incorrect
z = (a x) (b y)
{0, 1|Prob[ =1] = }
![Page 20: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/20.jpg)
LPN-based Protocols (3/3) HB+ is not secure against man-in-the-middle
attacks:
Several attempts (HB-MP, HB++, HB#, HB-trusted) to secure HB+ against MIMA have failed.
Tag (k-bit secret x and y; )
Reader (k-bit secret x and y)
a R {0, 1}ka
z’ = (a’ x) (b y) z’
{0, 1|Prob[ =1] = }
b R {0, 1}k
b
……..
a’ = a
If authentication succeeds, it is likely that (a’ x) (b y) = (a x) (b y) , but (a’ x) = (a ) x = (a x) ( x),
therefore x = 0. Otherwise, x = 1
![Page 21: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/21.jpg)
21
Ultra-lightweight Protocols (1/2)
EPCglobal C-1 Gen-2 Tag: 4 Memory Banks
One-Way Reader to Tag Authentication Proposed by EPCglobal Standard[1]
Not Secure Un-encrypted openly sent random numbers Tag’s Access Password easily exposed
![Page 22: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/22.jpg)
22
Ultra-lightweight Protocols (2/2) Utilize lightweight primitives
RNG, CRC, and bit-wise operators such as XOR, AND, OR, rotate, etc.
Drawbacks De-synchronization of session keys Replay (impersonation) attacks full-disclosure of tag’s secret information
![Page 23: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/23.jpg)
O-FRAP & O-FRAKE (1/2) Optimistic Forward-Secure Authentication Protocol
Mutual Authentication Privacy Protection using Pseudonym Secure key exchange (O-FRAKE) Tag database indexed by tag pseudonym for fast look
up Forward security by updating shared secret after
each successful session Resistant against de-synchronization of secret by
storing two versions of secret in tag database Secure from in Universal Composable(UC) Framework
![Page 24: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/24.jpg)
O-FRAP & O-FRAKE (2/2)
DoS attack: server searches the whole database if receiving an invalid pseudonym (\bar{r}tag).
De-synchronization of secret: modify v3’ to cause tag not to update its secret
F: pseudorandom
function
![Page 25: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/25.jpg)
Multiple Tag Scanning Protocols (1/3)
Reader produces a co-existence proof of multiple tags Scan tags supposed to be near together,
e.g., tags on different parts of a car. Yoking-Proof by Juels: scanning a group
of two tags
![Page 26: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/26.jpg)
Multiple Tag Scanning Protocols (2/3)
Grouping-Proof: scanning a group of n tags
![Page 27: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/27.jpg)
Multiple Tag Scanning Protocols (3/3)
Many multiple tag scanning protocols are subject to replay attack.
All of multiple tag scanning protocols are subject to mafia fraud attack:
![Page 28: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/28.jpg)
Distance-bounding Protocols (1/2) Distance-bounding Protocol:
Prevent mafia fraud attack by verifying location of tags using round-trip time.
Approach: Repeat a simple (and fast) authentication
step multiple times. Measure time taken by each authentication
step Accept only if every authentication step is
successful and the time taken is less than a pre-defined value.
![Page 29: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/29.jpg)
Distance-bounding Protocols (2/2) Hancke-Kuhn distance-bounding Protocol
[6]
![Page 30: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/30.jpg)
Side Channel Analysis and protection on RFID
High frequency (HF) RFID tag (13.56 MHz)
Smart Card regard as RFID•D. Carluccio, K. Lemke, and C. Paar. “Electromag-netic side channel analysis of a contactless smart card: First results”, In the Proceedings of Workshop on RFID and Lightweight Crypto (RFIDSec05), 2005.
•S. Chaumette, D., and Sauveron. “An efficient and simple way to test the security of Java Cards”, In WOSIS 2005, 3rd International Workshop on Secu-rity in Information Systems, April 2005. Miami, Fl., USA, April 2005.
Artificially generated passive HF RFID set-tings•M. Hutter, S. Mangard, and M. Feldhofer, “Power and EM Attacks on Passive 13.56 MHz RFID De-vices”, In the Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2007), LNCS 4727, pp. 320-333, Springer-Verlag, 2007.•Power analysis and EM analysis on their own RFID prototype with AES
Ultra-high frequency (UHF)
RFID tag (900 MHz)Experimental Result without countermea-sures•T. Plos, “Susceptibility of UHF RFID Tags to Elec-tromagnetic Analysis”, CT-RSA 2008, LNCS 4964, pp.288-300, 2008.
Experimental Result with common coun-termeasures•Y. Oren and A. Shamir, “Remote Password Extrac-tion from RFID Tags”, IEEE Transactions on Com-puters, 56(9):1292-1296, 2007. •Show a successful analysis result which can be used to extract kill password remotely from a UHF EPC tag.
•Suggest common countermeasures to prevent the analysis with examples•Add Noise to power consumption•Consume the same amount of power every clock cycle
![Page 31: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/31.jpg)
31
Map of Current Countermeasures
Security for RFID SystemPhysical Security
Kill tag
Blocker tag
Active Jamming
PUF
SCA
Cryptographic Protocol
Authentication Proto-col
Password-based
Kill PW
Access PW
Hash-based
Static ID
Dynamic ID
(Pseudonym)
LPN-based
HB+
HB#
Ultra lightweight-based
RNG
XOR AND
CRC
ROT
Encryption-based
Symmet-ric
Key
Stream (LFSR)
Block (TEA, AES)
Asymmet-ricKey
ECCHECC
Universal Reencryp-
tion
Multi-tag scanning
Yorking
Secure (EPCglobal) Architecture Frame-
workSecure Reader Proto-
col
Middleware Security
Server Security
Database Security
ONS(DNS) Security
Network Security
Key Management
Certificate Profile* All 7 Auto ID labs work together now.
![Page 32: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/32.jpg)
What are the remaining issues in RFID Security?
Open Issues in RFID Security
![Page 33: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/33.jpg)
Open Issues: Functional LW Crypto- Primitives
Many conventional crypto-primitives are not suitable for low-cost RFID Tags Find efficient implementation of
conventional primitives for low-cost tags Design new lightweight primitives
Both of above works require large attention Rigorous analysis and implementation of
cryptographic primitives (Hashing, MAC, PRNG, AIA) for RFID
![Page 34: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/34.jpg)
Open Issues: (Im)Possibility of Certain Cryptographic Tasks
Before designing a cryptographic task Possible to realize the task at all? If yes, what is the minimal assumption/primitive required
to realize the task ? Vaudenay showed that strong forward security is im-
possible and Gilbert [eprint95] no security on MIMA Impossibility of robust interactive key-evolving ?
In RFID, forward security requires interactive key-evolving between reader and tag.
Possible to realize a robust interactive key-evolving against de-synchronization of secret ?
Identify controversial requirements
![Page 35: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/35.jpg)
Open Issues: Security Models
Known security models of “reader” and “server”. Security of protocols heavily depend on
level of trust on RFID reader and server. If not considered, we would significantly
separate “theoretical security” and “real-world security”.
No security model for multiple-tag scanning One has to consider mafia fraud attack in a
security model. Otherwise, security cannot be proved.
![Page 36: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/36.jpg)
Open Issues: Countermeasures against Location-based Attacks
Mafia fraud attack is simple yet serious Attacker steals a tagged item then executes the
attack to make the reader believes that the item is actually nearby.
Few researches on countermeasures against location-based attacks. We have surveyed only Hancke-Kuhn protocol
and a few of its variations. We also need theoretical analysis of
(im)possibility of countermeasure against location-based attacks.
![Page 37: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/37.jpg)
Open Issues: Protection against SCA
Few published works on SCA on RFID tag Need to find more approaches of differential
electromagnetic analysis (DEMA) and its countermeasures.
Hiding and Masking methods for RFID Invent countermeasures at the logic cell-level Consider Trade-off between tag cost and security
Establish the common criteria(CC) for secure RFID tag.
Build up the standard for cryptographic primitives, protocols for RFID tags.
![Page 38: CHALLENGING Issues in RFID Security](https://reader036.vdocuments.net/reader036/viewer/2022062520/5681639e550346895dd49b57/html5/thumbnails/38.jpg)
Concluding Remarks• We didn’t survey all publications, but
suggested pros and cons of previous main researches.
• “No panacea”, but require tradeoff between level of security and performance.
• SCA will be one of emerging attacks.• New primitives: time-released crypto,
etc.