RFID Security and Privacy
Gildas Avoine, Information Security Group, UCL, Belgium
April 2011, Rennes, France
Gildas Avoine http://sites.uclouvain.be/security/ 2
Summary
RFID Primer.
Examples. Capabilities. Particularities.
Authentication in RFID.
Theory. Practical Attacks.
Relay Attacks.
Feasibility. Countermeasures: Distance Bounding Protocols.
RFID Primer
Definition
“‘Radio frequency identification’ (RFID) means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it.”
[European Commission Recommendation, 12.5.2009]
RFID Primer
Examples: Basic RFID Applications
Supply chain.
- Track boxes, pallets, etc. E.g., EPC Global Inc.
Libraries.
- Improve book borrowing procedure and inventory.
Pet identification.
- Replace common identification tattoo by electronic one.
- Will become mandatory in the EU.
RFID Primer
Examples: Evolved RFID Applications
Building access control.
Automobile ignition keys.
Passports.
- Electronic passports since 2004.
Public transportation.
- E.g., Brussels, Boston, Paris, London.
RFID Primer
Capabilities
Power: passive, active.
Frequency: low frequency, high frequency, ultra-high frequency.
Communication distance: cm, dm, m.
Memory capabilities: UID, 1 KB, 40 KB.
Computation capabilities: no, pwd, sym crypto, asym crypto.
Cost: 10 cents, 50 cents, euros.
Application profiles overlaid on the figure: Supply chain, Access control.
RFID Security Specificities
Low capabilities.
- Calculation, Memory, Bandwidth. Asymmetry.
Wireless.
- Easy to skim and eavesdrop.
Answer without holder’s agreement / awareness.
- Easier to skim, attack not detected.
Imperfect security is better than nothing.
Security Threat Classification
- Information Leakage
- Authentication
- Denial of Service
- Malicious Traceability
RFID Security and Privacy
Keyword Occurrence (since 2002, about 500 scientific papers)
authentication: 384
privacy: 356
EPC: 106
hash function: 106
authentication protocol: 104
mutual authentication: 72
smart card: 69
HB: 58
eavesdropping: 53
IDS: 53
cloning: 51
AES: 50
supply chain: 50
Authentication in RFID
Authentication and Impersonation
Definition (Authentication). Authentication is any process by which a system verifies the identity of a user who wishes to access it.
Definition (Impersonation). Impersonation is an attack where a fake tag is authenticated as a genuine one.
Examples:
- Clone an access control card.
- Modify your mass transportation pass.
- Create a fake passport.
Impersonation
Authentication Protocol
Authentication can be done using:
- A symmetric cipher, a keyed-hash function, a public-key cipher, a signature scheme, or a dedicated authentication protocol.
- Example: Challenge-Response Protocol.
  Reader -> Tag: nR
  Tag -> Reader: IDT, Ek(nR, nT)
ISO 9798-4 defines authentication protocols based on a MAC.
We know how to design a secure authentication scheme.
Impersonation
Weaknesses
Cost of the solution.
- Require lightweight algorithms (wired logic).
Implementation issues.
- Both sides: readers and tags.
- Misunderstanding of the standards.
Architecture of the solution.
- Building blocks are not enough: the whole solution must be secure.
RFID Primer
Looking Inside
Many available solutions are weak.
Examples of Weak Solutions
Navigo Pass.
- Security sounds fine, personal data not protected.
Texas Instruments DST.
- Broken. 2005.
NXP Mifare Classic.
- Broken. 2008.
Example: Leakage from the MOBIB Card
MOBIB Extractor by G. Avoine, T. Martin, and J.-P. Szikora, 2009
Impersonation
TI: Texas Instruments.
DST: Digital Signature Transponder.
More than 100 million DST modules sold around the world.
Car ignition key (e.g., Ford) and payment cards.
Impersonation
Video: Texas Instruments DST
Reader (k) -> Tag (k): r
Tag (k) -> Reader (k): Ek(r)
Adversary goal: retrieve the secret k in order to make a clone.
- 1. Query once the car’s key (tag inside).
- 2. Try all the possible keys k until finding the one that correctly deciphers Ek(r).
- 3. Steal the car by simulating the car’s key.
Impersonation
Attack on NXP Mifare Classic
Philips Semiconductors (NXP) introduced the Mifare commercial denomination (1994) that includes the Mifare Classic product.
Applications: public transportation, access control, ticketing…
Memory read & write access are protected by some keys.
Several hundred million Mifare Classic tags sold up to now.
Several attacks in 2008: Hoepman, Garcia, de Koning Gans, et al. reverse-engineered the cipher Crypto1: every Mifare Classic tag broken in a few minutes.
Relay Attacks
Impersonation
Relay Attacks
[Figure: relay between two adversaries (Adv), 10’000 km.]
Impersonation
Relay Attacks: Timing
Reader starts a timer when sending a message.
- To avoid half-opened connections.
ISO 14443 “Proximity Cards”.
- Used in most secure applications.
- Default timer is around 4 ms.
- Tag can require more time, up to…
Impersonation
Relay Attacks: Feasibility
- Radio link over 50 meters (G. Hancke 05).
- With some locally-connected ACR122 (A. Laurie 09).
- With Nokia cell phones (A. Laurie 10).
- Over Internet (libNFC 10).
COUNTERMEASURES
Protocol Aims in General Framework
Definition (Authentication) An authentication is a process whereby one party is assured of the identity of a second party involved in a protocol, and that the second has actually participated (i.e. is active at, or immediately prior to, the time evidence is acquired). [Handbook of Crypto]
Definition (Distance Checking) A distance checking is a process whereby one party is assured that a given property on its distance to a second party involved in a protocol is satisfied at some point in the protocol. The area where the property is satisfied is called the neighborhood of the verifying party.
Protocol Aims in RFID Framework
Definition (Distance Bounding) A distance bounding is a process that consists of an authentication combined with a distance-checking, where the considered property is an upper-bound on the distance between the two parties.
Distance bounding does not avoid relay attacks.
Distance bounding checks that the distance property between the verifier and the claimed prover is verified (proximity check).
No Fraud
[Figure: configurations of Reader, Tag and Adversary without fraud.]
Fraud
[Figure: configurations of Reader, Tag and Adversary with fraud.]
Measuring the Distance
How can one measure the distance between reader and tag?
- Global Positioning System (GPS).
- Received Signal Strength (RSS).
- Round Trip Time (RTT).
Distance Bounding Based on the Speed of Light
Measure the round-trip-time (RTT) of a given message.
- Provide a bound on the distance.
- Idea introduced by Beth and Desmedt [Crypto90].
[Figure: Reader, Tag, Neighborhood, Computation; the second build adds the label Accelerated.]
Distance Bounding
The verifier calculates the round trip time of a message.
- Message needs to be authenticated.
- Authentication is time-consuming.
- Round trip time is noisy.
Simplified Hancke and Kuhn’s Protocol
Description
Reader (secret K)                              Tag (secret K)
Pick a random Na
                      ------- Na ------->
                   h(K, Na) = (v0, v1)
Start of fast bit exchange
for i = 1 to n
  Pick Ci ∈R {0, 1}
  Start Clock
                      ------- Ci ------->
                                               Ri = v0_i, if Ci = 0
                                                    v1_i, if Ci = 1
                      <------ Ri --------
  Stop Clock
  Check: Δti ≤ tmax
  Check: correctness of Ri
End of fast bit exchange
What is the adversary’s success probability (relay attack)?
ATTACK SCENARIOS
Attack Scenarios
Mafia Fraud
Definition (Mafia Fraud) A mafia fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.
Mafia fraud: Desmedt, Goutier, Bengio [Crypto87].
Shamir about Fiat-Shamir protocol [Crypto86]: “I can go to a Mafia-owned store a million successive times and they still will not be able to misrepresent themselves as me.” (The NY Times, February 17, 1987, James Gleick).
A.k.a., relay attack, chess grandmaster, wormhole problem, passive man-in-the-middle, middleman attack...
Attack Scenarios
Distance Fraud
Definition (Terrorist Fraud) Given a two party protocol executed between Alice and Bob, a terrorist fraud is a MITM, where Alice actively helps Eve to maximize her attack success probability, without giving any advantage to Eve for future attacks.
Definition (Distance Fraud) A distance fraud is a deception whereby one entity purports to be in the neighborhood of a second one.
HANCKE AND KUHN’S PROTOCOL
Simplified Hancke and Kuhn’s Protocol
What is the adversary’s success probability (mafia fraud)?
Hancke and Kuhn Protocol
Common Adversary Strategies
Pre-ask strategy. The adversary queries the prover before he starts the fast phase with the legitimate verifier.
Simplified Hancke and Kuhn’s Protocol
Analysis
Question: Compute the success probability in the following cases:
1. Mafia fraud, pre-ask strategy.
2. Terrorist fraud, pre-ask strategy.
3. Distance fraud.
Answer: 1, (3/4)^n, 1.
Hancke and Kuhn’s Protocol
Description
Reader (secret K)                              Tag (secret K)
Pick a random Na                               Pick a random Nb
                      ------- Na ------->
                      <------ Nb --------
                 h(K, Na, Nb) = (v0, v1)
Start of fast bit exchange
for i = 1 to n
  Pick Ci ∈R {0, 1}
  Start Clock
                      ------- Ci ------->
                                               Ri = v0_i, if Ci = 0
                                                    v1_i, if Ci = 1
                      <------ Ri --------
  Stop Clock
  Check: Δti ≤ tmax
  Check: correctness of Ri
End of fast bit exchange
Hancke and Kuhn’s Protocol
Analysis
Question: Compute the success probability in the following cases:
1. Mafia fraud, pre-ask strategy.
2. Terrorist fraud, pre-ask strategy.
3. Distance fraud.
Answer: (3/4)^n, 1, (3/4)^n.
Hancke and Kuhn’s Protocol
Drawbacks
Security of the protocol depends on n.
- On-the-fly authentication should take less than 200 ms.
- Turn-around time does not allow a large n.
- Security is degraded.
Security of the protocol is (3/4)^n instead of (1/2)^n.
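Added example (not part of the original slides): a Python simulation of the pre-ask mafia fraud against both variants analysed above, showing why the tag nonce Nb matters. Without Nb a replayed Na yields both registers, with Nb only one bit per round is learned. HMAC-SHA256 as h, the Tag class, the function names and the sample key are assumptions made for this illustration.

```python
import hashlib, hmac, math, random

def registers(key, na, nb, n):
    """Split h(K, Na, Nb) into v0, v1 (n <= 128 bits each); HMAC-SHA256 stands in for h."""
    d = hmac.new(key, na + nb, hashlib.sha256).digest()
    bits = [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]

class Tag:
    """Honest tag; with_nb=False models the simplified protocol (no tag nonce)."""
    def __init__(self, key, n, with_nb, rng):
        self.key, self.n, self.with_nb, self.rng = key, n, with_nb, rng
    def start(self, na):
        """Slow phase: derive the registers, return Nb (empty when simplified)."""
        self.nb = self.rng.getrandbits(64).to_bytes(8, "big") if self.with_nb else b""
        self.v = registers(self.key, na, self.nb, self.n)
        self.used = set()
        return self.nb
    def respond(self, i, c):
        assert i not in self.used      # a single response bit per round in each session
        self.used.add(i)
        return self.v[c][i]

def preask_run(key, n, with_nb, rng):
    """Mafia fraud with pre-ask against a tag outside the neighborhood, so no
    challenge can reach it inside tmax. Returns True if the reader accepts."""
    tag = Tag(key, n, with_nb, rng)
    na = rng.getrandbits(64).to_bytes(8, "big")   # reader's nonce, relayed to the tag
    nb = tag.start(na)                            # tag's nonce, relayed to the reader
    v = registers(key, na, nb, n)                 # what the reader will check against
    guess = [rng.getrandbits(1) for _ in range(n)]
    known = [{g: tag.respond(i, g)} for i, g in enumerate(guess)]
    if tag.start(na) == nb:                       # replayed Na: same registers only without Nb
        for i, g in enumerate(guess):
            known[i][1 - g] = tag.respond(i, 1 - g)
    for i in range(n):                            # timed phase: answer from what was learned
        c = rng.getrandbits(1)
        if known[i].get(c, rng.getrandbits(1)) != v[c][i]:
            return False
    return True

def success_rate(n, with_nb, trials=20000, seed=1):
    rng = random.Random(seed)
    key = b"constructed-demo-key"                 # constructed sample key
    return sum(preask_run(key, n, with_nb, rng) for _ in range(trials)) / trials

def rounds_needed(security_bits, per_round=0.75):
    """Smallest n such that per_round**n <= 2**-security_bits."""
    return math.ceil(security_bits / -math.log2(per_round))
```

success_rate(8, with_nb=False) returns 1.0 and success_rate(8, with_nb=True) is close to (3/4)^8; rounds_needed(32) is 78, against 32 rounds if each round leaked only 1/2.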
FUTURE OF DISTANCE BOUNDING
Existing Protocols
- Brands and Chaum (Eurocrypt 1993)
- Hancke and Kuhn (SecureComm 2005)
- Munilla, Ortiz, and Peinado (RFIDsec 2006)
- Reid, Nieto, Tang, and Senadji (ASIACCS 2007)
- Singelée and Preneel (ESAS 2007)
- Tu and Piramuthu (EURASIP RFID Technologie 2007)
- Munilla and Peinado (Wireless Com. and Mobile Comp. 2008)
- Kim, Avoine, Koeune, Standaert, and Pereira (ICISC 2008)
- Nikov and Vauclair (eprint 2008)
- Avoine and Tchamkerten (ISC 2009)
- Kim and Avoine (CANS 2009)
- Peris-Lopez, Hernandez-Castro, et al. (arXiv.org 2009)
- Avoine, Floerkemeier, and Martin (Indocrypt 2009)
- ...
Conclusion
Limits of Distance Bounding
Using a tight timeout.
- Timeout depends on the communication layer (standardized).
- In a closed system, readers could refuse to increase their timeout.
- This approach is only a short-term patch.
Which parameters can be modified?
- What is the practical radius of the neighborhood?
- Why send only one bit?
- Is it more expensive to send 1 × n bits than n × 1 bit?
No practical distance bounding available yet.
Relay attacks are practicable.
Conclusion
Privacy and Security from the Outset
Because of its potential to be both ubiquitous and practically invisible, particular attention to privacy and data protection issues is required in the deployment of RFID. Consequently, privacy and information security features should be built into RFID applications before their widespread use (principle of security and privacy by design).
[Viviane Reding, EC Recommendation, 12.5.2009]
RFID Security and Privacy
Future
- Formalization, formalization, and formalization.
- Pseudo-random generators.
- Public-key cryptography without microprocessor.
- Side channel attacks.
- Distance bounding.
- Path checking.
- Group authentication.
- Compromised readers.
- Privacy certification.
- Practical attacks.
RFID Security and Privacy
A Large Body of Literature
Publications in RFID Security and Privacy
[Figure: number of publications per year, 2002 to 2010.]