The Future Security Challenges in RFID, Gildas Avoine, UCL Belgium



  1. The Future Security Challenges in RFID
     Gildas Avoine, UCL Belgium
     Workshop in Information Security Theory and Practices, 1 – 4 September 2009, Brussels, Belgium

  2. Summary
     - A brief reminder about RFID.
     - Description of the threats, state of the art, and future challenges.
       - Impersonation.
       - Information leakage.
       - Malicious traceability.
       - Denial of service.
     Gildas Avoine, http://www.uclouvain.be/rfid/

  3. A Brief Reminder

  4. Definition
     - Radio Frequency IDentification (RFID) is a method of storing and remotely retrieving data using devices called RFID tags.
     - An RFID tag can be a low-capability device, e.g. for pet identification, but also a powerful contactless smartcard, e.g. for biometric passports.

  5. Basic RFID
     - Supply chain.
       - Track boxes, pallets, etc.
     - Libraries.
       - Improve book borrowing procedure and inventory.
     - Pet identification.
       - Replace common identification tattoo by electronic one.
       - Will become mandatory in the EU.
     Image sources: www.dclogistics.com, www.rfid-library.com, www.flickr.com

  6. Evolved RFID
     - Building access control.
     - Automobile ignition keys.
     - Passports.
       - Electronic passports since 2004.
     - Public transportation.
       - E.g. Brussels, Boston, Paris, London.
     - Anti-counterfeiting.
       - E.g. luxury items.

  7. Typical Configurations

  8. Classification of the Security Issues
     - Impersonation
     - Information Leakage
     - Malicious Traceability
     - Denial of Service

  9. Impersonation

  10. Detection, Identification, and Authentication
      - A major issue when designing a protocol is defining its purpose.
        - Detection: get the proof that someone is present.
        - Identification: get identity of remote party.
        - Authentication: get identity + proof of remote party.
      - Examples:
        - Access control.
        - Management of stocks.
        - Electronic documents.
        - Counting cattle.
        - Pets identification.
        - Anti-cloning system.

  11. Authentication
      - Authentication can be done using:
        - A symmetric cipher, a keyed-hash function, a public-key cipher, a signature scheme, or a dedicated authentication protocol (e.g. ZK).
      - Example: Challenge-Response Protocol.
        - ISO 9798-4 defines authentication protocols based on a MAC.
        - SKID 2 is a variant of ISO 9798-4 Protocol 3.
      - SKID2:
        - $T \leftarrow R:\ n_R$
        - $T \rightarrow R:\ H_{k_{TR}}(n_R, n_T, R),\ n_T$

  12. Main Issues
      - We know how to design a secure authentication protocol.
      - Practical challenges in real life:
        - Authentication is sometimes done using an identification protocol.
        - Keys are sometimes too short.
        - Algorithms are sometimes not public, poorly designed, and not audited.

  13. Bad Example: MIT
      - The MIT access control card includes an RFID tag.
      - Frequency of the tag is 125 kHz.
      - No cryptographic features available on the tag.
      - Eavesdropping on the communication twice gives the same broadcast.
      - The broadcast contains 224 bits.
      - Only 32 bits of them vary from card to card.
      Source: http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall04-papers/mit_id/mit_id.html
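The difference between the SKID2 exchange of slide 11 and the static broadcast of slide 13, as an added example that is not part of the original slides. HMAC-SHA256 stands in for $H_k$, and the class names, `READER_ID` and the static identifier are constructed for illustration.

```python
import hashlib, hmac, secrets

READER_ID = b"reader-01"  # constructed value for R

def skid2_mac(key, n_r, n_t, reader_id):
    # H_k(n_R, n_T, R); fields are length-prefixed so they cannot run together
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (n_r, n_t, reader_id))
    return hmac.new(key, msg, hashlib.sha256).digest()

class Tag:
    def __init__(self, key, static_id):
        self.key, self.static_id = key, static_id
    def broadcast(self):
        return self.static_id  # identification only: same bytes on every read
    def respond(self, n_r, reader_id):
        n_t = secrets.token_bytes(16)  # fresh tag nonce n_T
        return skid2_mac(self.key, n_r, n_t, reader_id), n_t

class Reader:
    def __init__(self, key, known_id):
        self.key, self.known_id, self.pending = key, known_id, None
    def accept_static(self, data):
        return hmac.compare_digest(data, self.known_id)
    def challenge(self):
        self.pending = secrets.token_bytes(16)  # fresh reader nonce n_R
        return self.pending
    def verify(self, tag_mac, n_t):
        n_r, self.pending = self.pending, None  # each n_R is accepted once
        if n_r is None:
            return False
        expected = skid2_mac(self.key, n_r, n_t, READER_ID)
        return hmac.compare_digest(tag_mac, expected)

def demo():
    key = secrets.token_bytes(16)
    tag = Tag(key, b"constructed-static-id")
    reader = Reader(key, b"constructed-static-id")
    seen_id = tag.broadcast()                      # observed once
    seen_reply = tag.respond(reader.challenge(), READER_ID)
    honest = reader.verify(*seen_reply)
    reader.challenge()                             # new session, new n_R
    return {
        "static_replay_accepted": reader.accept_static(seen_id),
        "skid2_honest_accepted": honest,
        "skid2_replay_accepted": reader.verify(*seen_reply),
    }

if __name__ == "__main__":
    print(demo())
```

A reader that only compares a broadcast identifier cannot tell a recorded copy from the tag; the SKID2 reader rejects the recorded reply because its MAC was computed over an earlier $n_R$.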

  14. Bad Example: Texas Instruments DST
      - Attack of Bono et al. against the Digital Signature Transponder manufactured by Texas Instruments, used in automobile ignition keys (there exist more than 130 million such keys).
      - Cipher (not public) uses 40-bit keys.
      - They reverse-engineered the cipher.
      - Active attack in less than 1 minute (time-memory trade-offs).
      - Protocol:
        - $\text{Reader} \rightarrow \text{Tag}:\ r$
        - $\text{Tag} \rightarrow \text{Reader}:\ \text{identifier},\ \mathrm{Truncate}_{24}(E_k(r)),\ \text{checksum}$
      Source: http://www.usenix.org/events/sec05/tech/bono/bono.pdf

  15. Bad Example: NXP Mifare Classic
      - Philips Semiconductors (NXP) introduced the Mifare commercial denomination (1994) that includes the Mifare Classic product.
      - Mifare Classic’s applications: public transportation, access control, event ticketing.
      - Memory read & write access are protected by some keys.
      - Several attacks in 2008: Garcia, de Koning Gans, et al. reverse-engineered the cipher Crypto1: every Mifare Classic tag broken in a few seconds.
      - Move to a more evolved tag, e.g. Mifare Plus.

  16. Relay Attacks
      [Figure labels: Verifier, Adv, Adv, Prover; distance 10’000 km]

  17. Relay Attacks

  18. Challenges
      - Today.
        - We know pretty well how to design a secure authentication protocol, but…
      - Challenges.
        - Designing good pseudo-random number generators.
        - Designing light cryptographic building blocks, i.e. without processor.
        - Tamper-resistance and side channel attacks.
        - Compromised readers.
        - Group authentication.
        - Security in very low-cost tags.
        - Relay attacks and distance bounding.
        - Authenticating the path.

  19. Information Leakage

  20. Definition
      - The information leakage problem emerges when the data sent by the tag or the back-end reveals information intrinsic to the marked object.
        - Tagged books in libraries.
        - Tagged pharmaceutical products, as advocated by the US Food and Drug Administration.
        - E-documents (passports, ID cards, etc.).
        - Directories of identifiers (e.g. EPC Code).

  21. Example: Leakage from the MOBIB Card
      - MOBIB card (RFID) launched in Brussels in 2008.
      - MOBIB is a Calypso technology.
      - MOBIB cards are rather powerful RFID tags that embed cryptographic mechanisms to avoid impersonation or cloning.
      - Personal data are stored in the clear in the card.
        - Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
        - Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.

  22. Example: Leakage from the MOBIB Card
      Reading one's own card is disallowed by the STIB. The current example is just a simulation and the software – which may be considered as a “hacker tool” by Belgian laws – of course never existed…
      MOBIB Extractor by G. Avoine, T. Martin, and J.-P. Szikora, 2009

  23. Example: Leakage from the NAVIGO Pass
      - See https://www.lafargue.name/

  24. Example: Leakage from the Backend

  25. Who is the Victim?
      The victim is not only the tag’s holder, but can also be the RFID system’s managing company: competitive intelligence.

  26. Challenges
      - More and more data collected: the “logphilia”.
        - “philia” is a prefix “used to specify some kind of attraction or affinity to something, in particular the love or obsession with something” (Wikipedia).
      - Information may eventually leak (conservative assumption).
        - Backup, HD thrown out, abusive use by the staff, etc.
      - More engineering challenges than research challenges.
      - Ownership transfer.

  27. Malicious Traceability

  28. Informal Definition
      - An adversary should not be able to track a tag holder, i.e., he should not be able to link two tag/reader interactions.
        - E.g., tracking of employees by the boss, tracking of children in an amusement park, tracking of military troops, etc.
      - Some organizations are quite powerful (CASPIAN, FoeBud, etc.).
      - Also considered by authorities, e.g. privacy taken into account in the ePassport.

  29. Importance of Avoiding Traceability
      - Differences between RFID and the other technologies, e.g. video, credit cards, GSM, Bluetooth.
        - Passive tags answer without the agreement of their bearers: tags cannot be switched off.
        - Ubiquity.
        - Tags can be almost invisible.
        - Easy to analyze the logs of the readers.

  30. Palliative Solutions
      - Kill-command (e.g. EPC Gen 2 requires a 32-bit kill command).
      - Faraday cages.
        - Image: secure passport sleeve from www.idstronghold.com
      - Removable antenna.
        - US Patent 7283035 - RF data communications device with selectively removable antenna portion and method.
      - Tag must be pressed (SmartCode Corp.).
      - Blocker tags.
      - None of these solutions are convenient.
