Ecole Internationale de Printemps Systèmes Répartis : METIS2008
RFID Security
Gildas Avoine
UCL, Louvain-la-Neuve, Belgium Department of Computing Science and Engineering
gildas.avoine@uclouvain.be RFID Security
Introduction: Outline of this Talk
- Part 1: RFID primer
- Part 2: Security threats in RFID systems
- Part 3: Ensuring Privacy
Part 1: RFID Primer
Outline
1. First Step
2. Daily Life Examples
3. Tags Characteristics
4. Identification and Authentication Protocols
First Step
Definition
Radio Frequency IDentification (RFID) is a method of storing and remotely retrieving data (typically an identifier) using devices called RFID tags or transponders.
An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person.
RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver.
Architecture and Definitions
Infrastructure
Identifier Request      ----------------->
Unique Identifier       <-----------------
Data Request (+ Auth)   ----------------->
Data (Encrypted)        <-----------------
History
- RFID has existed since the forties (IFF, Russian spy).
- Commercial RFID applications appeared in the early eighties.
- The boom that RFID technology is enjoying today relies on the willingness to develop small and cheap RFID tags.
- Auto-ID Center created in 1999 at MIT (EPC code).
Daily Life Examples
Daily Life Examples: Applications
- Management of stocks (Wal-Mart, US DoD, etc.)
- Libraries (Santa Clara Library, etc.)
- Pets identification
- Anti-counterfeiting (luxury articles, etc.)
- Sensor networks (Michelin’s tyres, etc.)
- Access control (Building, Famous Baja Beach Club, etc.)
- Automobile ignition keys (TI DST Module, etc.)
- Localization of people (Amusement parks, etc.)
- Electronic documents (IDs, Passports, etc.)
- Public transportation (Paris, Boston, etc.)
Some Tag Formats
Daily Life Examples Readers
Tags Characteristics
Tag Characteristics
[Figure: tag characteristics. Axes: communication distance (centim., meters), computation (symmetric, asymmetric), tamper-resistance (no, yes), power source (passive, semi-passive, active), cost ($.2, $.8, $3), memory, standard (ISO 14443, ISO 15693, EPC Gen2), frequency (124−135 KHz, 13.56 MHz, 2.4 GHz).]
Tags Characteristics: Communication Model
OSI:    application, presentation, session, transport, network, data link, physical
TCP/IP: application, transport, internet, physical
RFID:   application, communication, physical
Tags Characteristics: Standards
- ISO: International Organization for Standardization (www.iso.org)
- EPC: Electronic Product Code (http://www.epcglobalinc.org/)
Tags Characteristics: ISO Standards Generalities
There exist numerous ISO standards on contactless identification
11785 24721 10536 117363 18185 15434 15459 17365 17367 15961 15693 17358 10374 17364 24710 15418 11784 11785 19789 19762 15963 18046 18000 17366 14443 15962 18047
Tags Characteristics: About EPCglobal
“The EPCglobal Network™ was developed by the Auto-ID Centre, a global research team directed through the Massachusetts Institute
“Our mission is to make organizations more effective by enabling true visibility of information about items in the supply chain. To that end, EPCglobal develops and oversees standards (...)”
“EPCglobal is a neutral, consensus-based, not-for-profit standards
Tags Characteristics: EPCglobal Specifications
- 900 MHz Class-0
- 13.56 MHz ISM Band Class-1
- 860MHz – 930 MHz Class-1
- Class-1 Generation-2 UHF (RFID Conformance Requirements)
- EPCglobal Architecture Framework Version 1.0
- EPC Tag Data Standard Version 1.1 rev 1.27
- Class-1 Generation 2 UHF Standard Version 1.0.9
Class-1 Gen 2 EPC Standard is now part of ISO 18000-6 Standard
Identification and Authentication Protocols
RFID Goal
What should be the primary GOAL of the protocol?
Protocols: Identification vs Authentication 2/
- Management of stocks (Wal-Mart, US DoD, etc.)
- Libraries (Santa Clara Library, etc.)
- Pets identification
- Anti-counterfeiting (luxury articles, etc.)
- Sensor networks (Michelin’s tyres, etc.)
- Access control (Famous Baja Beach Club, etc.)
- Automobile ignition keys (Texas Instruments, etc.)
- Localization of people (Amusement parks, etc.)
- Electronic documents (Passports, etc.)
- Transport Ticketing (Metro in Paris, etc.)
- Counting cattle
- Facilitating sorting of recyclable material
Authentication vs Identification
- Identification: Get Identity of remote party.
- Authentication: Get Identity + Proof of remote party
Classification of the Applications
Part 2: Security Threats in RFID Systems
Outline
- Classification of the threats
- Analysis of the threats
- Relationship between threats and communication model
Classification
Classification
- Impersonation
- Information Leakage
- Malicious Traceability
- Denial of Service
Impersonation
Impersonation: Definition
Definition (resistance to impersonation)
The probability is negligible that any adversary distinct from the tag, carrying out the protocol playing the role of the tag, can cause the reader to complete and accept the tag’s identity.
Speaking about impersonation when dealing with identification does not make sense.
Impersonation is related to authentication.
Impersonation
Reader                                   Tag
              r
   ---------------------------------->
              ID, E_K(r)
   <----------------------------------
Danger: lightweight protocols and algorithms (wired logic instead of microprocessor), problem of key management, tags are not fully tamper-resistant, etc.
Do not cut the prices by using weak algorithms or weak keys.
Read the standards, hire good engineers and programmers.
Impersonation: MIT Authentication System (MIT)
Theory vs Real Life: authentication is sometimes done using an identification protocol!
Example: The RFID-based MIT ID Card.
Impersonation: KeeLoq Attack (KUL, Technion, Hebrew Inst.)
- KeeLoq: car locks and alarms, sold by Microchip® Inc., used by Chrysler, Daewoo, Honda, BMW, Jaguar, Fiat, GM, Volvo, ...
- Attack with 2^44.5 crypt. op. (secure: at least 2^80, recom. 2^128).
- Two days on 50 dual-core machines.
- The poor design allows recovery of the master key.
Impersonation: Texas Instruments (RSA Labs & Johns Hopkins)
Attack against the Digital Signature Transponder manufactured by Texas Instruments, used in automobile ignition keys (there exist more than 130 million such keys).
Key (RFID) / Car:   r,   E_k(r)
Cipher (proprietary) uses 40-bit keys: recovering a key takes less than 1 minute using a time-memory trade-off.
Mifare Classic 1/ Cards Readers Controllers Back-end
Mifare Classic 2/
- Each card shares a key with the reader.
- The encryption algorithm, Crypto1, is not public.
- The authentication protocol is not public either.
- Crypto1 uses 48-bit keys.
Mifare Classic 3/
Tag                                      Reader
              ID, r1
   ---------------------------------->
              E_k(r1)
   <----------------------------------
              E_k(data)
   ---------------------------------->
Mifare Classic 4/
- Crypto1 is weak: each key can be recovered in less than 1 minute.
- The communication can be decrypted.
- The tag can be cloned using a blank Mifare Classic tag. E.g. one can copy an electronic wallet.
- The same key is sometimes used for all the tags.
Impersonation: Relay Attack
The reader believes that the tag is in its field while it is not the case: the adversary acts as an extension cord.
[Figure: database, reader, adv, adv, tag]
The countermeasure consists in measuring the round trip time between the reader and the tag (do-able in practice?).
Information Leakage
Information Leakage: Examples
The information leakage problem emerges when the data sent by the tag reveals information intrinsic to the marked object.
- Tagged books in libraries
- Tagged pharmaceutical products, as advocated by the US Food and Drug Administration
- E-documents (passports, ID cards, etc.)
- Directory of identifiers (e.g. EPC Code)
Information Leakage: Californian Senate Bill
In California, the Senate Bill 682 plans to limit use of RFID in ID
See Senate Bill 682, version February 22, 2005:
“The act would prohibit identity documents created, mandated, or issued by various public entities from containing a contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely.”
Information Leakage
- Tag holder is threatened.
- RFID system is threatened.
Information Leakage
- More and more data collected = valuable target (e.g. during the manufacturing).
- Unaware information leakage (backup, HD thrown out, housekeeping).
- Abusive use (e.g. French police’s confidential files, Charlie Card in Boston).
- Failing to notice that some privacy is disclosed.
Information Leakage ABIEC
Malicious Traceability
Traceability: Definition
Definition (untraceability)
Given a set of readings between tags and readers, an adversary must not be able to find any relation between any readings of a same tag or set of tags.
E.g., tracking of employees by the boss, tracking of children in an amusement park, tracking of military troops, etc.
Malicious Traceability 1/
An adversary should not be able to track a tag holder, i.e., he should not be able to link two tag–reader interactions.
Identifier Request      ----------------->
Unique Identifier       <-----------------
Data Request (+ Auth)   ----------------->
Data (Encrypted)        <-----------------
Example: tracking military troops, tracking of employees by the boss, tracking of children in an amusement park.
Traceability: Characteristics
Differences between RFID and the other technologies, e.g. video, credit cards, GSM, Bluetooth:
- Tags cannot be switched off
- Tags answer without the agreement of their bearers
- Easy to analyze the logs of the readers
- Increasing communication range
- Tags can be almost invisible
Traceability: Hidden Tags
Videos and heavy pictures have been removed from this version.
Traceability: Your Tags
How many tags do you carry?
Traceability My Own Tags
Traceability: Liberty Rights Organizations
Even if you do not think that privacy is important, some people think so and they are rather influential (CASPIAN, FoeBud, etc.)
Traceability in Lower Layers
Traceability in Lower Layers: Communication Model
OSI:    application, presentation, session, transport, network, data link, physical
TCP/IP: application, transport, internet, physical
RFID:   application, communication, physical
Traceability in Lower Layers: Privacy vs Classical Properties
The main concepts of cryptography, i.e., confidentiality, integrity, and authentication, are treated without any practical considerations.
If one of these properties is theoretically ensured, it remains ensured in practice whatever the layer we choose to implement the protocol.
Privacy needs to be ensured at each layer.
All efforts to prevent traceability in the application layer may be useless if no care is taken at the lower layers.
Traceability in Lower Layers: RFID Model
Communication layer: Medium access (Collision avoidance).
[Figure: Andrew, Moti, Ari, Jacques, David; “Are there any questions?”; noise]
Collision Avoidance
- The computational power of the tags is very limited and they are unable to communicate with each other.
- The reader must deal with the collision avoidance itself.
- Collision avoidance protocols are often (non-open source) proprietary algorithms. Standards appear: ISO and EPC.
- Two large families: deterministic protocols and probabilistic protocols.
Lack of Randomness
With deterministic protocols, the attacker can track the tag because the identifier is static.
The straightforward solution is... to renew the identifier (of the communication layer) each time the tag is identified by a reader.
Lack of Randomness
With probabilistic protocols, the attacker can track the tag if... it always answers during the same time slot, or if the choice is biased.
Practical Example: EPC draft
The EPC draft “specification for a 900 mhz class 0 radio frequency identification tag” proposes to use short identifiers (used during the deterministic collision avoidance process) which are refreshed using a PRNG.
The identifiers used are short for efficiency reasons, since there are usually only a few tags in a given field.
If the number of tags in the field is large, the reader can impose the use of additional static identifiers, available in the tag, set by the manufacturer!
The benefit of using a PRNG is therefore totally null and void.
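The fallback described on this slide, as an added simulation that is not part of the talk or of the EPC draft: tags are singulated by binary tree walking on short random identifiers, and the reader switches to static identifiers when the short ones collide. The class and function names, the 64-bit static identifier and the fallback trigger are assumptions made for illustration.

```python
import secrets

def tree_walk(ids, bits):
    """Deterministic binary tree walking over fixed-length bit-string IDs.

    Returns (singulated, unresolved): the IDs the reader isolated (each one
    is sent in clear) and the full-length IDs shared by several tags.
    """
    singulated, unresolved, stack = [], [], [""]
    while stack:
        prefix = stack.pop()
        replies = [i for i in ids if i.startswith(prefix)]
        if len(replies) == 1:
            singulated.append(replies[0])
        elif len(replies) > 1:
            if len(prefix) < bits:
                stack += [prefix + "1", prefix + "0"]  # collision: split
            else:
                unresolved.append(prefix)  # identical IDs cannot be split
    return singulated, unresolved

class Tag:
    STATIC_BITS = 64  # assumed size of the manufacturer-set identifier

    def __init__(self):
        # Static identifier, drawn at random here as constructed sample data.
        self.static_id = format(secrets.randbits(self.STATIC_BITS), "064b")

    def session_id(self, bits):
        # Short identifier refreshed for every inventory round.
        return format(secrets.randbits(bits), f"0{bits}b")

def inventory(tags, short_bits):
    """One inventory round; returns (mode, set of IDs seen on the air)."""
    short_ids = [t.session_id(short_bits) for t in tags]
    seen, unresolved = tree_walk(short_ids, short_bits)
    if not unresolved:
        return "pseudonym", set(seen)
    # Short ID space too small for this field: reader imposes static IDs.
    seen, _ = tree_walk([t.static_id for t in tags], Tag.STATIC_BITS)
    return "static", set(seen)

def linkable(round_a, round_b):
    """IDs an eavesdropper observes in both rounds, i.e. trackable tags."""
    return round_a & round_b

def demo():
    tags = [Tag() for _ in range(5)]
    report = {}
    for label, bits in (("sparse field", 32), ("crowded field", 1)):
        mode_a, seen_a = inventory(tags, bits)
        mode_b, seen_b = inventory(tags, bits)
        report[label] = (mode_a, mode_b, len(linkable(seen_a, seen_b)))
    return report

if __name__ == "__main__":
    print(demo())
```

With enough short-identifier bits, two rounds share no identifier; once the reader imposes static identifiers, every tag is linkable across rounds.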
Traceability in Lower Layers: Diversity of Standards
Physical layer
- Signals from tags using different standards are easy to distinguish.
- A problem arises when we consider sets of tags rather than a single tag.
- Threats due to radio fingerprints
- No benefit for the manufacturers in producing tags that use exactly the same technology.
Denial of Service
Denial of Service: Definition and Examples
A DoS attack aims at preventing the target from fulfilling its normal service.
Denial of Service
Threatened by DoS attacks if:
- wireless technology (if reader/devices close to public zone),
- there is an interface inside / outside.
Hard to thwart such attacks.
Denial of Service: Goal in RFID
- For fun
- For disturbing a competitor
- For proving that RFID is not secure
- Other ideas?
Denial of Service: A Few Techniques in RFID
- Kill-command
- Blocker tag
- Electronic noise
- Kill or hide tags (electronics, etc.)
- Bug in the Reader/Back-end System
- Viruses
Denial of Service: Bugs in Passport Readers
Lukas Grunwald, German security expert, found a buffer-overflow attack against two ePassport readers made by different manufacturers.
He copied the content of a passport, modified the JPEG2000 face picture, and wrote the modified data to a writable chip.
The reader crashed.
Part 3: Ensuring Privacy
Outline
- Palliative Techniques
- Thwarting Malicious Traceability
- The Passport Case
Palliative Techniques
Information Leakage: Palliative Techniques
- Kill-command
- Faraday cages
- Blocker tags
- Bill of Rights
- Removable antenna
- Tag must be pressed
Thwarting Malicious Traceability
Malicious Traceability: Privacy-Friendly Protocol
How to design an RFID protocol such that only an authorized party is able to identify (or authenticate) a tag, while an adversary is able neither to identify it nor to trace it?
The protocol must suit large-scale applications.
Malicious Traceability: Challenge-Response
Reader                                   Tag
Pick r
              r
   ---------------------------------->
                                         Pick s
              E_k(r, s)
   <----------------------------------
(The slide builds the tag's answer in three steps: identifier, E_k(r); then E_k(r); then E_k(r, s).)
Malicious Traceability: Complexity Issue
Private Challenge-Response protocols are not efficient.
Tags are not tamper-resistant: using the same key for all tags is not secure.
Every tag should have a unique key:
- One system / one tag (e.g. automobile ignition key): identifying one tag requires O(1) operations
- One system / n tags (e.g. library): identifying one tag requires O(n)
requires O(n^2) operations.
This approach differs from all the other authentication protocols because we usually assume that the verifier knows the identity of the prover.
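The cost described on the two slides above, as an added sketch that is not code from the talk: the tag answers either with its identifier plus E_k(r), or privately with E_k(r, s), and the reader counts how many per-tag keys it must try. HMAC-SHA256 stands in for E_k, so s is sent in clear next to the proof; that choice, the class names and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def E(key, data):
    """Keyed function standing in for the slide's E_k (assumed: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Tag:
    def __init__(self, identifier, key):
        self.identifier, self.key = identifier, key

    def answer_with_identifier(self, r):
        # First form on the slide: identifier, E_k(r).
        return self.identifier, E(self.key, r)

    def answer_private(self, r):
        # Final form: pick s, answer E_k(r, s), send no identifier.
        s = secrets.token_bytes(NONCE_LEN)
        return s, E(self.key, r + s)

class Reader:
    def __init__(self, keys):
        self.keys = keys  # identifier -> unique per-tag key

    def verify_with_identifier(self, r, identifier, proof):
        # One key lookup, one computation: O(1).
        key = self.keys.get(identifier)
        ok = key is not None and hmac.compare_digest(E(key, r), proof)
        return (identifier if ok else None), 1

    def identify_private(self, r, s, proof):
        # No identifier to look up: try every key until one matches, O(n).
        trials = 0
        for identifier, key in self.keys.items():
            trials += 1
            if hmac.compare_digest(E(key, r + s), proof):
                return identifier, trials
        return None, trials

def demo(n=1000):
    # Constructed system of n tags; the tag under test is the last one,
    # which is the worst case for the exhaustive search.
    keys = {f"tag-{i:04d}": secrets.token_bytes(16) for i in range(n)}
    reader = Reader(keys)
    last = f"tag-{n - 1:04d}"
    tag = Tag(last, keys[last])
    r = secrets.token_bytes(NONCE_LEN)
    _, cost_id = reader.verify_with_identifier(r, *tag.answer_with_identifier(r))
    found, cost_private = reader.identify_private(r, *tag.answer_private(r))
    return found, cost_id, cost_private

if __name__ == "__main__":
    print(demo())
```

The same challenge yields the same answer in the identifier form and a fresh answer in the private form, which is what removes the link between two readings and also what forces the key search.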
The Passport Case
Passport: Characteristics
[Figure: passport tag characteristics. Axes: communication distance (centim., meters), computation (symmetric, asymmetric), memory (128, 1024), tamper-resistance (no, yes), power source (passive, semi-passive, active).]
Passport Logical Data Structure
Passport Data on the Belgian Passport
Passport: Required Security Properties
What/How do we want to protect?
State’s protection
- Integrity of the data: Passive authentication
- Forging a passport from scratch: Passive authentication
- Cloning an existing passport: Active authentication
Passport owner’s protection
- Information leakage: Basic Access Control, Secure Messaging, Radio-blocking shield
- Malicious traceability: Protocols well-designed, Random UID
Passport: Passive Authentication
[Figure: data items, each with its hash; signature; certificate]
Passport: Active Authentication
Reader (public key)                      Passport (private key)
              Cr
   ---------------------------------->
              Sign(Cr, Cp)
   <----------------------------------
Passport: Basic Access Control and Secure Messaging
Basic Access Control (Reader / Passport)
- MRZ: MAC key, encryption key
- Passport to reader: Cp
- Reader to passport: a = ENC(Cp, Cr, Kr), MAC(a)
- Passport to reader: b = ENC(Cp, Cr, Kp), MAC(b)
- Kr, Kp: session MAC key, session encryption key
Secure Messaging (Reader / Passport)
- Request (I want to read) + authentication proof
- Encrypted data
Passport: Low Entropy
BAC keys are derived from the MRZ, especially date of birth, date
Country        Effective   Birth date known
Germany        55          40
USA            54          39
Netherlands    50          35
Belgium        38          23
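Why the MRZ bounds the key strength, as an added example that is not from the talk: the BAC key derivation specified in ICAO Doc 9303, in which printed MRZ fields are the only input. The sample fields are the worked example published in Doc 9303, and the 100-year birth-date window is an assumption; reading the table in bits, it accounts for the gap of 15 between the two columns.

```python
import hashlib
import math

def check_digit(field):
    """ICAO 9303 check digit: weights 7, 3, 1; A-Z count as 10..35, '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def _odd_parity(key):
    """Set the low bit of each byte so that every byte has odd parity."""
    return bytes((b & 0xFE) | (1 - bin(b & 0xFE).count("1") % 2) for b in key)

def _kdf(k_seed, counter):
    # Counter 1 gives the encryption key, counter 2 the MAC key.
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(doc_number, birth_date, expiry_date):
    """Return (K_seed, K_enc, K_mac) from three MRZ fields, dates as YYMMDD."""
    doc_number = doc_number.ljust(9, "<")
    mrz_info = "".join(
        field + check_digit(field)
        for field in (doc_number, birth_date, expiry_date)
    )
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return k_seed, _kdf(k_seed, 1), _kdf(k_seed, 2)

def entropy_bits(*choices):
    """Upper bound on key entropy: log2 of the number of possible inputs."""
    return sum(math.log2(c) for c in choices)

if __name__ == "__main__":
    # Sample fields from the ICAO Doc 9303 worked example.
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_seed:", seed.hex().upper())
    print("K_enc: ", k_enc.hex().upper())
    print("K_mac: ", k_mac.hex().upper())
    # Assumed window: any birth date within 100 years.
    print("birth date bits:", round(entropy_bits(365.25 * 100), 2))
```

The keys are 128 bits long, but no secret enters the derivation, so their entropy can never exceed that of the three MRZ fields.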
Passport Heuristics on Belgian Passport
Passport: Still Worse
- Off-line vs on-line attack
- First vs second generation
Passport That’s it
Discovering the Nationality
Error messages are not clearly standardized and so depend on the
error messages may reveal nationality of the passport.
Conclusion
What are we able to do?
We know how to avoid impersonation, information leakage:
- use open-source algorithms,
- define what you want and then pay what is required, no “shortcut”,
- be careful with the error messages.
We do not have efficient privacy-compliant RFID protocols.
We do not have a solution against denial of service.
Tarnished Reputation
RFID may tarnish a company’s reputation when something gets out of control.
- Secure RFID solution broken (e.g. NXP Mifare).
- Database containing personal data leaks.
- Boycott campaign (e.g. Benetton, Gillette).
- Poor communication (e.g. Navigo).
Conclusion
Who is the victim? Who is the attacker?
“The ‘authorized parties’ pose a greater threat to privacy than the criminals” (K. Albrecht, 2007)
Conclusion: Further Readings (Books)
- RFID Security and Privacy Lounge: http://lasecwww.epfl.ch/~gavoine/rfid/
- RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification. By Klaus Finkenzeller.
- Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID. By Katherine Albrecht and Liz McIntyre