contact based fault injections and power analysis on rfid
play

Contact-based Fault Injections and Power Analysis on RFID Tags - PowerPoint PPT Presentation

Dec 01, 2023 •341 likes •514 views

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied

  1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jörn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 1

  2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Presentation Outline  Introduction  Implementation attacks on RFID  Related work  Contact-based measurement setup  Fault injection setup and results  Power analysis setup and results  Conclusions and future work http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 2

  3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Introduction  RFID … R adio F requency Id entification  Small microchip attached to an antenna  Reader field is used for  Communication  Power supply  (Clock signal) Reader http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 3

  4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation Attacks on RFID  Active attacks  Fault attacks  Passive attacks  Physical probing  Side-channel attacks  Power consumption  Electromagnetic radiation  Timing analysis http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 4

  5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Recent Work  Oren and Shamir 2006  Simple power analysis attacks on UHF tags  Hutter et al. 2007  Differential electromagnetic analysis on HF tags  Plos 2008  Differential electromagnetic analysis on UHF tags  Hutter et al. 2008  Fault attacks on HF and UHF tags  This work  Differential power analysis and fault attacks on UHF and HF tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 5

  6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Our Analysis  Performed fault attacks and power-analysis attacks on different RFID tags  We induced over-voltage spikes into the chip-antenna connections  Analyzed HF and UHF tags  ISO 15693 and ISO 18000-6C (EPC Gen2)  Focus on write operation  Critical in terms of power consumption and execution time  Used a contact-based measurement setup http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 6

  7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Contact-based Measurement Setup  The chip of the tag is separated from its antenna  Chip and reader are directly connected by 2 wires  No air interface (no inductive/electromagnetic coupling)  The setup allows… PC  … contact-based fault injections  … power-consumption measurements of the chip Reader control RFID Tag R series R term reader chip http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 7

  8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Basic Communication Process Reader request Response time Tag response http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 8

  9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Fault-Injection Setup  Two high-speed multiplexers connect the chip to a DC voltage (over-voltage injection)  Trigger device PC FPGA board Trigger µC Switch control Reader control RFID Tag R Term reader chip DC supply http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 9

  10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Trigger Signal  Trigger device  SASEBO board used to control the trigger delay and duration  A microcontroller is used to listen to the reader communication and to provide a trigger signal after a write command  Fault injections during the response time of the chip (a few milliseconds)  Trigger device was programmed to sweep across the response time (automatic sweep)  Injected spikes in steps of 9ns  Over-voltage was induced for at least 80ns http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 10

  11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Results  Faults cause the chip to write faulty values into the memory  Tags perform a reset during the writing of data  The faulty value depends on the trigger delay  Different tags have a different writing time  Allows fingerprinting of RFID tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 11

  12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power-Analysis Setup  For HF tags  Power is measured over a 100 Ohm resistor  For UHF tags  Power is measured over the internal capacity (0.1pF) of the differential probe (no resistor used) PC Oscilloscope control Digital-storage oscilloscope Trigger Reader Differential µC control probe RFID Tag R Meas R Term reader chip http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 12

  13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power-Analysis Attacks  Trace acquisition  1000 traces for UHF tags and 10000 traces for HF tags were measured  Sampling rate: 100 MS/s  Post-processing techniques  Calculated the envelope signal (absolute values + 2 MHz low- pass filter  Horizontal and vertical trace alignment  Target of the attack  8-bit value that was written into memory  Different Power models applied http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 13

  14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Results  All attacks have been successful ISO 15693 HF tag ISO 18006C UHF tag http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 14

  15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Summary  Performed fault and power-analysis attacks on RFID  Analyzed HF and UHF RFID tags  Contact-based measurement setup used  All attacks have been performed successfully  Security-enabled RFID devices have to include countermeasures to thwart these attacks http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 15

  16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Thank you for your attention. Questions? Michael.Hutter@iaik.tugraz.at Jörn-Marc.Schmidt@iaik.tugraz.at Thomas.Plos@iaik.tugraz.at http://www.iaik.tugraz.at/content/research/implementation_attacks/ http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO Interferometers Interferometers performed on the LIGO Myungkee Sung for the LIGO Science Collaboration 11th Gravitational Wave Data Analysis Workshop

331 views • 18 slides
MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID

MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID

MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID RFID (Radio Frequency IDentification) Inventory control Access Control Security Sensitive Applications Tracking & Localization Long-Range

546 views • 35 slides
Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based

Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based

Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based ed Hybri rid d Asset set Trac acking ing syst stem em Smart Sensing RFID Technology and Management Consultancy Every day, our work helps

579 views • 27 slides
AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension

AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension

AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension K. Michail, K. Deliparaschos, A. Zolotas, S. G. Tzafestas 21 st Mediterranean Conference on Control and Automation Crete, Greece, 25-28 June 2013

945 views • 23 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet

Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet

Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet Anti-inflammatory Viscosupplementation C. Benjamin Ma, MD Diagnostic Lidocaine injection Professor in Residence Differential

425 views • 4 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC

LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC

LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC Inspiral Working Group GWDAW December 19, 2003. LIGO-G030688-00-Z Introduction Hardware injections provide a good test of the entire analysis

315 views • 13 slides
CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL Injections Next month: XSS / CSRF Meetup Group for times/dates Plan of Attack History of SQL Basic Injections Protections

890 views • 58 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron Velasco 1 , Solymar Ayala Cortez 1 Olga Kosheleva 2 , and Vladik Kreinovich 3 1 Department of Geological Sciences 2 Department of Teacher Education 3

562 views • 23 slides
Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations

Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations

Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations Outcomes Brian Feeley, MD How to do a knee injection easily Sports Medicine and Shoulder Surgery Shoulder UC San Francisco Indications

326 views • 13 slides
A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID

A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID

A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID Applications Francesco Amato, Christopher W. Peterson, Brian D. Degnan, Gregory D. Durgin School of Electrical and Computer Engineering Georgia

635 views • 28 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown & Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006

MTAT.07.006 Research Seminar in Cryptography Seminar 6: Side-Channel Attacks Aleksei Ivanov Tartu University aivanov@math.ut.ee MTAT.07.006 Research Seminar in Cryptography, 24.10.2005 Seminar 6: Side-Channel Attacks, Aleksei Ivanov 1

382 views • 16 slides
Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security

Side-Channel & Fault Attacks Ruggero Susella System Research & Applications Security Rodmap STMicroelectronics 2018/12/06 2 ST Who are we ? STMicroelectronics 3 A global semiconductor leader 2017 revenues of $8.35B

1.32k views • 107 slides
Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research

Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research

Partial Key Exposure: Generalized Framework to Attack RSA Santanu Sarkar Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Santanu Sarkar Partial Key Exposure: Generalized Framework to Attack RSA Outline of the

478 views • 24 slides
Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G.

Concurrent Fault Detection for Secure QDI Asynchronous Circuits Konrad J. Kulikowski, Mark G. Karpovsky, Alexander Taubin, Zhen Wang, Adrian Kulikowski Boston University Reliable Computing Laboratory 6/27/2008 Outline Side Channel

293 views • 18 slides
Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft

Differentially-Private Network Trace Analysis Frank McSherry and Ratul Mahajan Microsoft Research Overview . 1 Overview Question : Is it possible to conduct network trace analyses in a way that provides strict formal differential

496 views • 20 slides
SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 ,

Motivations Design of SPAE Security of the scheme Performances SPAE A Single Pass Authenticated Encryption scheme Philippe Elbaz-Vincent 1 , Cyril Hugounenq 1 , Sbastien Riou 2 1 Univ. Grenoble Alpes / Institut Fourier,

519 views • 27 slides
Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System Microprocessor used as a component in a device and is designed for a specific control function within a device Used In: Cell Phones

560 views • 31 slides
Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer

Design Automation for Cryptography Anupam Chattopadhyay Assistant Professor, School of Computer Science and Engineering School of Physical and Mathematical Sciences, Nanyang Technological University June 7, 2017 Motivation Security not a

669 views • 27 slides

More recommend