a case against currently used hash functions in rfid
play

A Case Against Currently Used Hash Functions in RFID Protocols - PowerPoint PPT Presentation

Sep 03, 2022 •22 likes •232 views

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006 RFIDSec06 July 13-14, 2006, Graz, Austria

  1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security A Case Against Currently Used Hash Functions in RFID Protocols Workshop on RFID Security 2006 – RFIDSec06 July 13-14, 2006, Graz, Austria Martin Feldhofer and Christian Rechberger IAIK – Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 1

  2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Presentation outline Cryptographic primitives in RFID systems Hardware implementation of low-power SHA-256 Synthesis and power simulation results Conclusions http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 2

  3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Motivation High-end security in RFID systems � standardized algorithms Hash functions are conceptionally easy � mainly used by RFID protocol designers Implementation costs? Comparison of popular hash functions with AES block cipher in context of RFID tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 3

  4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Building blocks for RFID security Authentication and/or anonymity is required Commonly used cryptographic primitives � Hash functions � Block ciphers � Universal hash functions � PRNGs � Public key algorithms � Some “leightweight” solutions (HB, …) We focus on standardized cryptographic primitives � MD4-family (SHA-256, SHA-1, MD5, MD4) � AES-128 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 4

  5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Survey on existing RFID security protocols Proposal Primitive Authentication Privacy Molnar PRF No Yes Avoine Hash No Yes Choi Hash Yes Yes Henrici Hash Yes Yes Ohkubo Hash No Yes Dimitriou Hash + PRNG Yes Yes Lee Hash + PRNG Yes Yes Rhee Hash + PRNG Yes Yes Weis Hash + PRNG Yes Yes Feldhofer AES + PRNG Yes Yes http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 5

  6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Design issues for RFID hardware Not relevant for RFID tags RF field � Energy consumption per operation I Supply � Power consumption per operation Relevant for RFID tags � Power consumption per cycle � Mean current consumption must not exceed available energy in V dd capacitor V ddMIN I IC http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 6

  7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation targets Target Class of tags Passive class 2 (HF 13.56 MHz) Mean power consumption < 15 µA @ 1.5V Hardware resources < 1,000 - 10,000 GEs Data rate of protocol 26 kbps Clock frequency of crypto module ~100 kHz ~50 for immediate answer (0.5ms) � Number of clock cycles (latency) use interleaved protocol instead Available modules No microcontroller or external memory available Technology Standard cells (no dedicated RAM) Costs ~5-50 Cent per tag http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 7

  8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline of SHA-256 IVs Expanded message w Message m State update (64 words) Message (16 words) expansion 64 steps Output o http://www.iaik.tugraz.at (8 words) TU Graz/Computer Science/IAIK/VLSI/Feldhofer 8

  9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline of SHA-256 – Message expansion ⎧ ≤ ≤ ⎪ M ( 0 15 ) for t t = ⎨ W t ⎪ ⎩ σ + + σ + ≤ ≤ ( ) ( ) ( 16 63 ) W W W W for t − − − − 1 t 2 t 7 0 t 15 t 16 σ = ⊕ ⊕ 7 18 3 ( x ) ROTR ( x ) ROTR ( x ) SHR ( x ) 0 σ = ⊕ ⊕ 17 19 10 ( ) ( ) ( ) ( ) x ROTR x ROTR x SHR x 1 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 9

  10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline of SHA-256 – State update H(i) or IV (64 bits) A 0 B 0 C 0 D 0 E 0 F 0 G 0 H 0 Step transformation A 1 B 1 C 1 D 1 E 1 F 1 G 1 H 1 Message m Step transformation (16x32-bit) (61 identical steps) A 62 B 62 C 62 D 62 E 62 F 62 G 62 H 62 Step transformation A 63 B 63 C 63 D 63 E 63 F 63 G 63 H 63 H(i+1) (64 bits) http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 10

  11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline of SHA-256 – Step transformation http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 11

  12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Secure RFID tag architecture Controller http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 12

  13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Architecture of low-power SHA-256 Controller http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 13

  14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Chip area [in gate equivalents] Total chip area: 10,868 GEs RAM; 8292; 76% others; 407; 4% Controller; 364; 3% Adder; 156; 1% Sigma; 643; 6% Register T1/T2; 394; 4% 1024 bits memory � 8292 GEs !!! Constants; 612; 6% http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 14

  15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power consumption [in µA @ 100kHz; 3.3V] Mean current consumption: 15.87 µA RAM; 7,73; 49% others; 1,54; 10% Controller; 1,1; 7% Constants;0,18; 1% Adder; 2,74; 17% Register T1/T2; 1,6; 10% Sigma; 0,98; 6% http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 15

  16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of chip area and power consumption Area distribution Power consumption distribution RAM; 8292; 76% RAM; 7,73; 49% others; 1,54; 10% others; 407; 4% Controller; 364; 3% Controller; 1,1; 7% Adder; 156; 1% Sigma; 643; 6% Constants;0,18; 1% Register T1/T2; Adder; 2,74; 17% Register T1/T2; 1,6; Constants; 612; 6% 394; 4% 10% Sigma; 0,98; 6% http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 16

  17. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of SHA-256, SHA1, MD5, MD4 and AES – Chip area 12000 SHA-256 10000 MD5 Gate equivalents [GEs] SHA-1 MD4 8000 6000 AES 4000 2000 0 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 17

  18. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of SHA-256, SHA1, MD4, MD5 and AES – Mean current consumption 18 SHA-256 16 Current consumption [µA@100kHZ] 14 12 3.3V !!! 10 AES 8 6 4 2 SHA-1 MD5 MD4 0 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 18

  19. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implications of this work Two dominating factors decide on the suitability of a symmetric primitive for RFID tags � The required number of registers (state variables, chaining variables and message words) � SHA-256 (1024 bits) vs. AES (256 bits) � The underlying word size of the used primitive � How many flip flops have to be clocked at the same time � SHA-256 (32 bits) vs. AES (8 bits) Input for future design of cryptographic primitives http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 19

  20. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison with parallel work Kaps et al. state that SHA-1 is more energy- efficient than AES � Stated chip area: 4276 GEs � This seems to contradict our conclusions But: 1. Low energy consumption is not a main concern in RFID tag design 2. Necessary external memory for message expansion is not available on RFID tags (requires additional 3722 GEs) http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 20

  21. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Conclusions We analyzed implementations of commonly used cryptographic primitives for RFID tags Comparison of SHA-256 with AES-128 because of same level of security � AES-128 requires less chip area � AES-128 has less mean power consumption Even older MD4-family hash functions (SHA-1, MD5, MD4) do not change conclusion http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
(username, password) ? x ? ? ? ? but (username,hash(password))

(username, password) ? x ? ? ? ? but (username,hash(password))

Hash Functions - Bart Preneel June 2016 Hash functions X.509 Annex D RIPEMD-160 SHA-3 MDC-2 SHA-256 MD2, MD4, MD5 Introduction to the SHA-512 SHA-1 Design and Cryptanalysis of Cryptographic Hash Functions This is an input to a crypto-

517 views • 10 slides
Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David

Hash Pile Ups: Using Collisions to Identify Unknown Hash Functions R. Joshua Tobin and David Malone 11 October 2012 Hash Functions We are talking about hash functions for consistent assignment. For example, Hash tables, Network

448 views • 18 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.37k views • 120 slides
Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

1.68k views • 129 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

787 views • 23 slides
Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message

Cryptography Hash Functions and MACs Introduction to Hash Functions Hash Functions and MACs Properties of Cryptographic Hash Functions Introduction to Message Cryptography Authentication Codes School of Engineering and Technology

338 views • 23 slides
Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography

Outline Hash Functions 1 Iterated Hash Functions CPSC 418/MATH 318 Introduction to Cryptography SHA-1 SHA-3 (Keccak) Hash Functions, SHA-3, Message Authentication Codes 2 Sponge Construction Keccak Overview Renate Scheidler Keccak

888 views • 14 slides
Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and

CSS441 Hash Functions Hash Functions Authentication Cryptographic Hash Functions Signatures Requirements MD5 and SHA CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

1.04k views • 24 slides
References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding

References Cryptographic Hash Functions Hash Functions, Chapter 11 of Understanding Cryptography by Paar &amp; Pelzl. &amp; Mathematical Cryptography , by Keijo Ruohonen, http://math.tut.fi/~ruohonen/MC.pdf , pages 9899. Signature

255 views • 10 slides
CSE 373: Hash functions and hash tables Michael Lee Monday, Jan 22, 2018 1 Warmup Warmup:

CSE 373: Hash functions and hash tables Michael Lee Monday, Jan 22, 2018 1 Warmup Warmup:

CSE 373: Hash functions and hash tables Michael Lee Monday, Jan 22, 2018 1 Warmup Warmup: Consider the following method. output of this method. worst-case runtime of this method. With your neighbor, answer the following. 2 private int mystery(

706 views • 49 slides
Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations

Overview Hash Functions On Building Hash Functions From Multivariate Quadratic Equations Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw Hash functions and multivariate quadratic equations Orange Labs

299 views • 3 slides
Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 11 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.76k views • 147 slides
Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions

Hash Functions in Action Hash Functions in Action Lecture 12 Hash Functions Hash Functions Main syntactic feature: Variable input length to fixed length output Hash Functions Main syntactic feature: Variable input length to fixed length

1.85k views • 147 slides
HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D

HASH FUNCTIONS 1 / 62 What is a hash function? By a hash function we usually mean a map h : D { 0 , 1 } n that is compressing, meaning | D | &gt; 2 n . E.g. D = { 0 , 1 } 2 64 is the set of all strings of length at most 2 64 . h n MD4

1.13k views • 78 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical

Recent Results on Stream Ciphers Subhamoy Maitra Applied Statistics Unit Indian Statistical Institute, Kolkata subho@isical.ac.in 26 August, 2020 Subhamoy Maitra Recent Results on Stream Ciphers Slide 1 of 71 Stream Cipher Subhamoy Maitra

993 views • 71 slides
Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias

Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias

saarland university computer science Hardware Acceleration for Programs in SSA Form Manuel Mohr, Artjom Grudnitsky, Tobias Modschiedler, Lars Bauer, Sebastian Hack, Jrg Henkel Institute for Program Structures and Data Organization, Karlsruhe

879 views • 66 slides
Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic,

Discourse BSc Artificial Intelligence, Spring 2011 Raquel Fernndez Institute for Logic, Language &amp; Computation University of Amsterdam Raquel Fernndez Discourse BSc AI 2011 1 / 35 Summary from Last Week Overview of the main

615 views • 35 slides
Neural Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Neural Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University of

SRP Neural Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Neural Science Artificial Neural Networks Goals Other Applications Goals of the meeting: Give an overview of applications

896 views • 76 slides
Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin

Departm ent Physics &amp; Astronom y The University of Texas at Brow nsville Spin- -orbit interactions in black hole orbit interactions in black hole binaries binaries Spin Carlos Lousto with Manuela Campanelli &amp; Yosef Zlochower

365 views • 20 slides
Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu

Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu

CS440/ECE448: Intro to Artificial Intelligence Lecture 9: More on predicate logic Prof. Julia Hockenmaier juliahmr@illinois.edu http://cs.illinois.edu/fa11/cs440 Quick upgrade on quizzes Review:

864 views • 59 slides
Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

Intro Universals and pair-lists Incremental quantification Deriving the readings Conclusion Incremental Quantification and the Dynamics of Pair-List Phenomena Dylan Bumford New York

670 views • 30 slides
Slides thanks to Martin Henz Aquinas Hobor CS 3234: Logic and Formal Systems Review: Syntax and

Slides thanks to Martin Henz Aquinas Hobor CS 3234: Logic and Formal Systems Review: Syntax and

Slides thanks to Martin Henz Aquinas Hobor CS 3234: Logic and Formal Systems Review: Syntax and Semantics Predicates, Functions, Terms, Formulas Proof Theory Models Equivalences and Properties Satisfaction and Entailment Predicates Example

1.15k views • 103 slides

More recommend