Cryptography in Radio Frequency Identification and Fair Exchange - PowerPoint PPT Presentation

Soutenance Publique de Th` ese de Doctorat Cryptography in Radio Frequency Identification and Fair Exchange Protocols Gildas Avoine EPFL, Lausanne, Switzerland ÉCOLE POLYTECHNIQUE December 12, 2005 – www.avoine.net FÉDÉRALE DE LAUSANNE

Summary of my Work ⊲ Fair Exchange AV03a, AV03b, AV04, AGGV05, Avo03. ⊲ Radio Frequency Identification Avo04, ADO05, AO05a, AO05b, CA06, AB06. ⊲ Odds and Ends Avo05, AMP04, AJO05, AJ03, VAJ03, AJO05. 2 / 34

Outline of the Presentation RFID PRIMER IMPERSONATION OF TAGS INFORMATION LEAKAGE MALICIOUS TRACEABILITY TRACEABILITY THROUGHT THE COMMUNICATION LAYERS 3 / 34

RFID PRIMER

RFID Definition and Architecture Definition RFID Radio Frequency IDentification (RFID) is a method of remotely identifying objects or subjects using transponders (tags) queried through a radio frequency channel. tag tag reader tag tag tag database 4 / 34

RFID Tags 5 / 34

RFID Readers 6 / 34

Tag Characteristics tamper−resistance communication distance yes r s e memory e t m . m t i n c e 1024 no 128 computation c r c o i r i x t r e t e m m m m y y s e s v a i s s a p e v i s s a p − i m power source e e v s i t c a 7 / 34

Tag Specificities ⊲ Tags cannot be switched-off ⊲ Tags answer without the agreement of their bearers ⊲ Increasing of the communication range ⊲ Tags can be almost invisible 8 / 34

Daily Life Examples ⊲ Management of stocks ⊲ Libraries ⊲ Anti-counterfeiting ⊲ Access control ⊲ Localization of people ⊲ Electronic documents ⊲ Counting cattle 9 / 34

Security Threat Classification ⊲ Denial of service ⊲ Impersonation ⊲ Information Leakage ⊲ Malicious traceability 10 / 34

IMPERSONATION OF TAGS

Problem and Adversary Means Problem An adversary should not be able to impersonate a tag. Adversary Means The adversary can query the targetted tag or eavesdrop (RFID) communications between the tag and readers. Then the adversary tries to simulate the tag in front of a legitimate reader. 11 / 34

Tag Simulator 12 / 34

Identification vs Authentication Primal goal of RFID is to provide security. Definition Authentication The authentication consists for the reader in obtaining the identity of the tag and a proof that the claimed identity is correct. Primal goal of RFID is to provide functionality. Definition Identification The identification consists for the reader in obtaining the identity of the tag, but no proof is required. 13 / 34

Identification Protocol System Tag request − − − − − − − − − − − − − − − − − → ID ← − − − − − − − − − − − − − − − − − Examples: Counting cattle, localization, stock management. 14 / 34

Authentication Protocol System ( K ) Tag ( K ) r − − − − − − − − − − − − − − − − − → E K ( r ) ← − − − − − − − − − − − − − − − − − Examples: Access control, e-documents, anti-counterfeiting. 15 / 34

Impersonation (Example: Texas Instrument DST Module) ⊲ Attack of Bono et al. on the Digital Signature Transponder manufactured by TI, used in automobile ignition key. Car Key (RFID) r E K ( r ) ⊲ Recovering the 40-bit key requires less than 1 minute using a time-memory trade-off. Recovering the cryptographic key / Impersonating the ignition key / Impersonating the SpeedPass card 16 / 34

Impersonation (Example: Relay Attack) ⊲ The reader believes the tag is within its electromagnetic field. ⊲ The attacker behaves as an extension cord. tag reader adversary database ⊲ The solution consists in using a distance bounding protocol. 17 / 34

INFORMATION LEAKAGE

Problem and Adversary Means Problem An adversary should not be able to obtain useful information about the tagged object. Adversary Means The adversary can query the targetted tag or eavesdrop (RFID) communications between the tag and readers. 18 / 34

Information Leakage Problem ⊲ Tagged books in libraries ⊲ Tagged pharmaceutical products ⊲ Electronic documents like passports, ID cards, etc. 19 / 34

MALICIOUS TRACEABILITY

Problem and Adversary means Problem An adversary should not be able to track people thanks to the RFID tags they carry. Adversary Means The adversary can query the targetted tag and eavesdrop (RFID) communications between his target and readers. 20 / 34

Avoiding Malicious Traceability ⊲ The information sent back by the tag must be indistinguishable (by an adversary) from a random value. ⊲ The information must be refreshed at each new identification. 21 / 34

Protocols Protocol Weaknesses pointed out by [JuelsP03] [Avoine04], [ZhangK05] [VadjaB03] [VadjaB03] [GolleJJS04] [Avoine05], [SaitoRS04] [Juels04] [Juels04] [HenriciM04] [AvoineO05] [SaitoRS04] [Avoine05] [JuelsW05] [GilbertRS05] [WeisSRE02] [OhkuboSK03] [FeldhoferDW04] [MolnarW04] [RheeKKW05] 22 / 34

Feldhofer, Dominikus, and Wolkerstorfer’s Protocol System ( K ) Tag ( K ) a pick a − − − − − − − − − − − − − − − − − → pick b and compute σ find K in its σ = AES K ( a , b ) ← − − − − − − − − − − − − − − − − − database s.t. AES − 1 K ( σ ) is valid 23 / 34

Computation Complexity of Challenge-Response Protocols ⊲ An exhaustive search in the system’s database is required to identify one tag. ⊲ Complexity too high in particular in case of inventory. ⊲ Is it possible to design an RFID protocol with a complexity better than linear? ⊲ Molnar and Wagner proposed a solution that reduces the complexity of any challenge-response from O ( n ) to O (log n ). 24 / 34

Molnar and Wagner’s Tree-Based Technique ⊲ Each tag stores log δ ( n ) keys. K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 K 11 K 12 K 13 K 14 K 15 K 16 K 17 K 18 K 19 K 20 T 1 T 2 T 3 T 4 T 5 T 6 T 7 T 8 T 9 T 10 T 11 T 12 T 13 T 14 T 15 T 16 ⊲ A challenge-response is applied at each level of the tree. ⊲ Instead of carrying out 1 exhaustive search in a set of size n , log δ ( n ) exhaustive searches are performed in sets of size δ . 25 / 34

Drawbacks ⊲ Tags share some keys. ⊲ Tampering with tags gives information about the other tags. known keys unknown keys K 1 K 2 K 3 K 4 K 5 K 6 K 7 K 8 K 9 K 10 K 11 K 12 K 13 K 14 K 15 K 16 K 17 K 18 K 19 K 20 T 1 T 2 T 3 T 4 T 5 T 6 T 7 T 8 T 9 T 10 T 11 T 12 T 13 T 14 T 15 T 16 26 / 34

How to Trace a Tag (1) Tamper with k tags. (2) Choose any target T and query it at will. (3) Query T 1 and T 2 to determine which of the two is T . (3) ? T 1 T 2 (2) RFID RFID T RFID A tamper with (1) 27 / 34

Five Cases to Analyze ⊲ T 1 on known branch and T 2 on unknown branch: success. ⊲ T 2 on known branch and T 1 on unknown branch: success. ⊲ T 1 and T 2 both on known but different branches: success. ⊲ T 1 and T 2 both on unknown: failure. ⊲ T 1 and T 2 both the same known branch: failure at level i but the attack moves on to level i + 1. 28 / 34

Probability of Success 1 0.9 0.8 Probability of tracing tag T 0.7 0.6 k = 200 0.5 0.4 k = 100 0.3 k = 50 0.2 k = 20 0.1 k = 1 0 100 200 300 400 500 600 700 800 900 1000 Branching factor δ 29 / 34

Using a Time-Memory Trade-Off ⊲ Time complexity can be reduced against a memory cost. ⊲ [AO05] as efficient as [MW04]. ⊲ [AO05] does not degrade security. 30 / 34

TRACEABILITY THROUGHT THE COMMUNICATION LAYERS

Problem and Adversary Means Problem An adversary should not be able to track people thanks to the RFID tags they carry. Adversary Means The adversary takes benefit of a side channel instead of using the RFID protocol. This side channel can be in any layer of the communication model. 31 / 34

Malicious Traceability in the Communication Layer request Noise 32 / 34

Collision-Avoidance Protocols (Example: Slotted Aloha) ⊲ The access to the communication channel is split into time slots. ⊲ The number of slots is chosen by the reader which informs the tags they will have n slots to answer. ⊲ Each tag randomly chooses one slot among the n and replies to the reader when its slot arrives. ⊲ If n is not sufficiently large, then some collisions occur. ⊲ Example: Philips ICode1 Label. 33 / 34

CONCLUSION

Conclusion ⊲ Will low cost RFID become an ubiquitous technology? ⊲ Is malicious traceability a problem? ⊲ Is it too late to deal with this problem? ⊲ Are there existing solutions? ⊲ Shall we have a drink after the presentation? 34 / 34