PEARL Project Hot Topics

Hot Topics in RFID Security

Pedro Peris-Lopez - TU Delft

Security Lab, Faculty of Electrical Engineering, Mathematics and Computer Science, Delft University of Technology

June 24, 2010, Leuven, Belgium


Agenda

1 PEARL Project

2 Hot Topics

PEARL Project

Title: Privacy Enhanced security Architecture for RFID Labels.

Objectives:

1 Design of security and privacy controls (lightweight-cryptography)

Cryptographic primitives

Security protocols

2 Assessment of the security and privacy properties

Modeling properties

Modeling systems

Policies

Verification

PEARL Project

Funding: SENTINELS research programme

Research institutes:

Computer Science Department, University of Eindhoven

SoS group, Radboud University Nijmegen

Faculty of Electrical Engineering, Delft University of Technology

Industrial partners:

Philips

TNO ICT

PEARL Project

More Information:

Research Topics

TU Delft is focused on the research areas listed below:

Lightweight and ultralightweight protocols [1, 2, 3, 4]

Distance-bounding protocols [5, 6, 7]

Yoking-proofs [8, 9]

Lightweight PRNG [10]

Lightweight and Ultralightweight Protocols (I)

Weaknesses in Two Recent Lightweight RFID Authentication Protocols

Privacy for RFID systems to prevent tracking and cloning [11]

Cloning Attack

Traceability Attack

Full Disclosure Attack

A minimalist mutual authentication protocol for RFID system & BAN logic analysis [12]

Tag/Reader Impersonation

Traceability Attack

Lightweight and Ultralightweight Protocols (II)

Security Flaws in a Recent Ultralightweight RFID Protocol [13]

Traceability Attack

Full Disclosure Attack

Cloning Attack

Desynchronization Attack

Lightweight and Ultralightweight Protocols (III)

Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol [14]

Traceability

Leakage of Stored Secrets

Tango Attack

Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec’10 Asia [15]

Traceability

Norwegian Attack

Tango Attack

Lightweight and Ultralightweight Protocols (IV)

Norwegian and Tango Attack: some details ...

Yeh-Lo-Winata Protocol (I)

Step 1 Reader → Tag: Hello

Step 2 Tag → Reader: $IDS_t$

Step 3 Reader → Tag: $A \,\|\, B \,\|\, C \,\|\, flag$

If ($IDS_t = IDS_{tr}^{new}$): $flag = 0$ and $K = K_t$. Else: $flag = 1$ and $K = ID$.

$A = (IDS \oplus K) \oplus n_1$

$B = (IDS \vee K) \oplus n_2$

$C = (\hat{K} \oplus n_1) + n_2, \quad \hat{K} = Rot(K \oplus n_2, n_1)$

Step 4 Tag extracts $\{n_1, n_2\}$, computes $\hat{K}$ and verifies $C$. Then Tag → Reader: $D$

$D = (\hat{K}' \oplus n_2) + n_1, \quad \hat{K}' = Rot(K \oplus n_1, n_2)$

Yeh-Lo-Winata Protocol (I)

Step 5 Reader computes $\hat{K}'$ and verifies $D$. If OK, it updates the secrets:

$IDS_{tr}^{old} = IDS$

$IDS_{tr}^{new} = (IDS + (ID \oplus \hat{K}')) \oplus n_1 \oplus n_2$

$K_{tr} = \hat{K}$

Reader → Tag: Update command

Step 6 Tag updates IDS and K

Full Disclosure Norwegian Attack (I)

1. For i = 0 to L
2.     Observations[i] = 0
3. Repeat a sufficiently high number of times N the following steps:
4.     Observe an authentication session and get IDS, A, B, C and D
5.     Check if for these values it holds that C mod L = D mod L
6.     If this is not the case, go to step 4.
7.     Perform the following tasks:
8.         Wait for the authentication session to finish.
9.         Send to the tag a “Hello” message to obtain $IDS_{tr}^{new}$.
10.        Compute $ID_{estimated} \bmod L = (IDS_{tr}^{new} - IDS) \oplus D \bmod L$
11.        Increment Observations[$ID_{estimated}$]
12. Filter: find $ID_{conjecture}$, the maximum of the values in Observations[i].
13. Guess that $ID_{conjecture} = ID \bmod L$.

Full Disclosure Norwegian Attack (II)

[Figure: Histogram of ID candidates (L = 128, N = 2^18). x-axis: ID candidates (0 to 120); y-axis: # of times ID is observed (0 to 500). Marked peak: ID mod 128 = IDconjecture mod 128.]

Full Disclosure Tango Attack

Can we do it better? Here’s the idea:

How much information about the secrets is leaked out by the public messages exchanged during one session?

Let’s consider only very simple combinations of public messages after session i:

$L_k = a_0 IDS^k \oplus a_1 A^i \oplus a_2 B^i \oplus a_3 C^i \oplus a_4 D^i \oplus a_5 IDS^{k+1}, \quad a_i \in \{0, 1\}$

and then see whether there’s any correlation between $L_k$ and $ID$

One simple measure: bias w.r.t. optimal Hamming distance

$\varepsilon = \left| d_H(L_k, ID) - \frac{m}{2} \right|$

A Scaled-down Example

ID (base 10) = 85, ID = [0, 1, 0, 1, 0, 1, 0, 1]

Session k:
Eavesdropping of vectors $\{IDS^k, A^k, B^k, C^k, D^k, IDS^{k+1}\}$
Computing of an approximation: i.e. $ID_{approx}(1)$ = [0 1 0 1 1 1 1 1]

Session k + 1:
Eavesdropping of vectors $\{IDS^{k+1}, A^{k+1}, B^{k+1}, C^{k+1}, D^{k+1}, IDS^{k+2}\}$
Computing of an approximation: i.e. $ID_{approx}(2)$ = [0 1 0 1 0 1 0 0]

Session k + 2:
Eavesdropping of vectors $\{IDS^{k+2}, A^{k+2}, B^{k+2}, C^{k+2}, D^{k+2}, IDS^{k+3}\}$
Computing of an approximation: i.e. $ID_{approx}(3)$ = [0 1 1 0 0 1 0 1]

Conjecture ID:
Sum of the vectors:

              [0 1 0 1 1 1 1 1]
              [0 1 0 1 0 1 0 0]
            + [0 1 1 0 0 1 0 1]
ID_approx   = [0 3 1 2 1 3 1 2]

Average value:

$id_i^{conjecture} = \begin{cases} 1 & \text{if } id_i^{approx} \geq \gamma \\ 0 & \text{if } id_i^{approx} < \gamma \end{cases}$

i.e. If $\gamma = 1.5$, $ID_{conjecture}$ = [0, 1, 0, 1, 0, 1, 0, 1]

Conjecture: $ID_{conjecture}$ (base 10) = 85

Lightweight and Ultralightweight Protocols: Conclusions

Conclusions

The use of random numbers is a necessary but not sufficient condition to assure untraceability

CRC should be confined to detecting transmission errors

Combine simple linear (i.e. bitwise operations) and non-triangular operations (i.e. rotations) ⇒ i.e. SASI protocol [17] and Gossamer protocol [16]

Rigorous security analyses are necessary

Future work: New Protocols

Security Analysis

Design + Formal proof

Relay Attacks

© Avoine et al.

Distance Bounding Protocols

[Figure: three panels showing a reader R, its range and a tag T: (a) Distance fraud attack; (b) Mafia fraud attack; (c) Terrorist fraud attack, in which the tag collaborates]

Hancke and Kuhn’s Protocol

Mafia Fraud Attack: $(3/4)^n$

Terrorist Fraud Attack: 1

Distance Fraud: $(3/4)^n$

Swiss-Knife RFID Distance Bounding Protocol [18]

B Basic Distance Bounding Protocol of Kim et al.

An authentication protocol combined with a rapid bit exchange is displayed below [1].

Parties: Reader, Channel, Tag

(x, ID)

Reader: pick a random $N_A$
Reader → Tag: $N_A$
Tag: pick a random $N_B$; $a := f_x(C_B, N_B)$; $Z^0 := a$, $Z^1 := a \oplus x$
Tag → Reader: $N_B$

Start of rapid bit exchange, for i = 1 to n:
    Reader: pick $c_i \in \{0, 1\}$; start clock
    Reader → Tag: $c_i$ (received by the tag as $c'_i$)
    Tag: $r_i := Z^0_i$ if $c'_i = 0$; $r_i := Z^1_i$ if $c'_i = 1$
    Tag → Reader: $r_i$
    Reader: stop clock; store $r_i$, $\Delta t_i$
End of rapid bit exchange

Tag: $t_B := f_x(c'_1, ..., c'_n, ID, N_A, N_B)$
Tag → Reader: $t_B, c'_1, ..., c'_n$
Reader: check ID via DB. Compute $Z^0$, $Z^1$. Compute
    $err_c := \#\{i : c_i \neq c'_i\}$,
    $err_r := \#\{i : c_i = c'_i \wedge r_i \neq Z^{c_i}_i\}$,
    $err_t := \#\{i : c_i = c'_i \wedge \Delta t_i > t_{max}\}$.
    If $err_c + err_r + err_t \geq T$, then REJECT.
Reader: $t_A := f_x(N_B)$
Reader → Tag: $t_A$
Tag: compute and compare $t_A$

Fig. 7. Swiss-Knife RFID Distance Bounding Protocol
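The reader-side acceptance check of the exchange above, as an added example that is not part of the original slides or of Kim et al.'s code. Assumptions: HMAC-SHA256 stands in for f_x, the round-trip times are constructed numbers in nanoseconds rather than measurements, the database holds one (x, ID) pair, the final t_A step is left out, and the names f, bits, registers, tag_session, reader_verify and run are hypothetical.

```python
import hashlib
import hmac
import secrets

C_B = b"CB-constant"  # system-wide constant C_B; the value is an assumption


def f(key, *parts):
    """Keyed function f_x of the slide; HMAC-SHA256 is an assumption of this example."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)  # unambiguous field framing
    return mac.digest()


def bits(data, n):
    """First n bits of data, most significant bit first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


def registers(x, n_b, n):
    """Z0 := a and Z1 := a XOR x with a := f_x(C_B, N_B), both cut to n bits."""
    z0 = bits(f(x, C_B, n_b), n)
    z1 = [a ^ k for a, k in zip(z0, bits(x, n))]
    return z0, z1


def tag_session(x, tag_id, n_a, n_b, c_seen):
    """Tag: answer every received challenge c'_i, then authenticate what it saw."""
    z = registers(x, n_b, len(c_seen))
    r = [z[c][i] for i, c in enumerate(c_seen)]
    t_b = f(x, bytes(c_seen), tag_id, n_a, n_b)
    return r, t_b


def reader_verify(x, tag_id, n_a, n_b, c, c_seen, r, dt, t_b, t_max, threshold):
    """Reader: check t_B, count err_c, err_r and err_t, REJECT if the sum >= T."""
    if not hmac.compare_digest(t_b, f(x, bytes(c_seen), tag_id, n_a, n_b)):
        return False, None  # transcript not authenticated by the key holder
    z = registers(x, n_b, len(c))
    rounds = range(len(c))
    err_c = sum(c[i] != c_seen[i] for i in rounds)
    err_r = sum(c[i] == c_seen[i] and r[i] != z[c[i]][i] for i in rounds)
    err_t = sum(c[i] == c_seen[i] and dt[i] > t_max for i in rounds)
    return err_c + err_r + err_t < threshold, (err_c, err_r, err_t)


def run(n=32, flipped=(), garbled=(), extra_delay_ns=0.0, t_max=10.0, threshold=4):
    """One simulated session with constructed inputs. flipped/garbled: rounds whose
    challenge/response bit is corrupted in transit; extra_delay_ns: round-trip time
    added to every round, as a relay would introduce."""
    x, tag_id = secrets.token_bytes(32), b"TAG-0001"  # constructed key and ID
    n_a, n_b = secrets.token_bytes(8), secrets.token_bytes(8)
    c = [secrets.randbelow(2) for _ in range(n)]
    c_seen = [bit ^ (i in flipped) for i, bit in enumerate(c)]
    r_sent, t_b = tag_session(x, tag_id, n_a, n_b, c_seen)
    r = [bit ^ (i in garbled) for i, bit in enumerate(r_sent)]
    dt = [6.0 + extra_delay_ns] * n  # constructed round-trip times in ns
    return reader_verify(x, tag_id, n_a, n_b, c, c_seen, r, dt, t_b, t_max, threshold)


if __name__ == "__main__":
    print("honest:", run())
    print("noisy: ", run(flipped=(3,), garbled=(9,)))
    print("relay: ", run(extra_delay_ns=50.0))
```

The threshold T is what lets the reader tolerate a few noisy rounds while still rejecting a session in which every round exceeds t_max.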

The Hitomi RFID Distance Bounding Protocol [6]

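Parties: Reader, Channel, Tag

(x, ID)

Reader: pick a random $N_R$
Reader → Tag: $N_R$
Tag: pick a random $N_{T_1}$, $N_{T_2}$ and $N_{T_3}$; $a := f_x(N_R, N_{T_1}, W)$; $b := f_a(N_{T_2}, N_{T_3}, W')$; $Z^0 := a$, $Z^1 := b \oplus x$
Tag → Reader: $N_{T_1}, N_{T_2}, N_{T_3}$

Start of rapid bit exchange, for i = 1 to n:
    Reader: pick $c_i \in \{0, 1\}$; start clock
    Reader → Tag: $c_i$ (received by the tag as $c'_i$)
    Tag: $r'_i := Z^0_i$ if $c'_i = 0$; $r'_i := Z^1_i$ if $c'_i = 1$
    Tag → Reader: $r_i$
    Reader: stop clock; store $r_i$, $\Delta t_i$
End of rapid bit exchange

Tag: $m = \{c'_1 \| c'_2 \| ... \| c'_n \| r'_1 \| r'_2 \| ... \| r'_n\}$; $t_B := f_x(m, ID, N_R, N_{T_1}, N_{T_2}, N_{T_3})$
Tag → Reader: $t_B, m$
Reader: check ID via DB. Compute $Z^0$, $Z^1$, $R^0$, $R^1$. Compute
    $err_c := \#\{i : c_i \neq c'_i\}$,
    $err_r := \#\{i : c_i = c'_i \wedge r_i \neq Z^{c_i}_i\}$,
    $err_t := \#\{i : c_i = c'_i \wedge \Delta t_i > t_{max}\}$.
    If $err_c + err_r + err_t \geq \tau$, then REJECT.
Reader: $t_A := f_x(N_R, b)$
Reader → Tag: $t_A$
Tag: compute and compare $t_A$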

Distance Bounding Protocols: a new idea ...

Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security [7]

Reader → Tag : Request
Tag → Reader : Puzzle(ID)        (1)

Drawback:

Rogue readers and honest readers: same effort!

Solution:

Key delegation

Puzzles + Distance Bounding

Step 1: WSBC Authentication Scheme

[Figure: Reader and Tag exchanging messages m_1, m_2 and m_3, with a secure channel between the Reader and the Back-end Database]

1. R → T: $m_1 = request, n_1$

2. T → R: $m_2 = n_2, \langle \varsigma_j, \omega_j^{\pi}(k) \rangle, \upsilon_j, \nu_j^*$

3. R → T: $m_3 = n_4^*, \tau_j^*$ (∗ Optional)

where $\{n_i\}_{i=0}^{4}$ are different nonces

$\varsigma_j = enc_k(n_1 \| ID \| n_1 \| j)$

$\omega_j^{\pi}(k) = \{k_{\pi(0)}, k_{\pi(1)}, \ldots, k_{\pi(l-1)}\}$ is a l-bit WSBC function and $\pi()$ is a given permutation

$\upsilon_j = h(j \| n_1 \| ID \| n_2)$

$\nu_j^* = enc_k(j \| n_3 \| ID \| n_1)$ (Optional)

and $\tau_j^* = enc_k(j \| n_4 \| ID + 1 \| n_3 \| n_1)$ (Optional)

Step 2: WSBC + Distance-Bounding Authen. Scheme

[Figure: two diagrams, each with Reader, Tag and Back-end Database (secure channel between Reader and Back-end Database). Left: the WSBC scheme of Step 1 with messages m_1, m_2, m_3. Right: the same scheme with a rapid exchange $\alpha_j(i)$, $\beta_j(i) = \alpha_j(i) \oplus s_j(i)$ for i = 1, ..., t placed between messages m_2 and m_3, followed by $m_4 = n_4^*, \tau_j^*$.]

Noent: WSBC + Distance-Bounding Authen. Scheme

[Figure: Noent message flow between Reader and Tag (secure channel between Reader and Back-end Database): message m_1 carrying request, n_1 and $\gamma_j$; a rapid exchange $c(i)$, $\alpha_j(i)$, $\beta_j(i) = \alpha_j(i) \oplus s_j(i)$ for i = 1, ..., t; then messages m_2 and m_3]

Main idea: WSBC $\langle \varsigma_j, \omega_j^{\pi}(k) \rangle$ which depends on the distance ($d_{rt}$) that separates the tag and the reader.

Yoking Proofs (I)

A pharmacy might want to be able to prove, for instance, that it dispensed an RFID-tagged prescription bottle along with a required RFID-tagged booklet containing indications.

© Juels [19]

Yoking Proofs (II)

Yoking/Clumping/Grouping Proofs

A proof that a pair of RFID tags has been scanned simultaneously

Analysis of existing proposals

Design guidelines

Next step: design a new yoking proof

Yoking Proofs: Analysis of Existing Proposals [8]

Columns: (1) Traceability, (2) Impersonation, (3) Forge proof, (4) Subset Replay, (5) Anonymity (Peris-Lopez et al. (2007)), (6) Replay, (7) Multi-proof (DoS), (8) Useless proofs (Burmester et al. 2008)

Protocol                      (1) (2) (3) (4) (5) (6) (7) (8)
Juels (2004)                   x   x   -   -   x   x   -   x
Saito and Sakurai (2005)       -   x   -   x   -   x   -   x
Bolotnyy and Robins (2006)     -   -   -   x   -   -   x   x
Piramuthu (2006)               x   -   -   -   x   -   x   x
Lin et al. (2007)∗             x   x   -   -   x   -   -   x
Peris-Lopez et al. (2007)      -   -   -   -   -   -   -   x
Cho et al. (2008)              x   -   -   -   x   -   x   x
Lien et al. (2008)             x   -   -   -   x   -   -   x
Burmester et al. (2008)        -   x   -   -   -   -   -   -
Chien and Liu (2009)           x   -   -   -   -   -   -   -
Huang and Ku (2009)            x   -   x   -   x   -   -   x
Chien et al. (2010)            x   -   x   -   x   -   -   x
Chien et al. (2010)∗           x   -   -   x   x   -   -   x

∗ Offline version

Yoking Proofs: Protocol Design [8]

Design Guidelines

Computing capabilities

Dependence

Identification (privacy)

Matching

Verification

Performance (computations + messages)

Forward security (open problem)

Real Applications: Health care (I)

Errors involving medication administration can be costly, both in financial and in human terms

Patient safety can be improved by means of proper Information Technology (IT) systems

“Five-right” method: treating the right patient, with the right drug, in the right dose, in the correct way and at the right time

Existing solutions:

RFID + barcodes

Security and implementation problems

Real Applications: Health care (II)

[Figure 4: Phases of IS-RFID. Entities: HIS, Nurse Cart, Inpatient, Unit-dose Medications. Phases: 1. Drug Package Procedure; 2. Nurse Station Procedure; 3. Safe Drug Administration Procedure (3.1. Real-time Verification, 3.2. Evidence Generation); 4. Monitoring Procedure.]

Real Applications: Health care (III)

[Figure 5: IS-RFID Protocol. Message-sequence diagram between the HIS, the nurse station, the nurse, the inpatient tags (Inpatient_1 ... Inpatient_N) and the unit-dose medication tags (UD_1 ... UD_N) with timestamps t_1 ... t_N. Stages shown: visiting an inpatient, request, mutual authentication, matching verification and evidence generation; each evidence e_i is delivered as {e_i, sign(e_i)}.]

Pseudo-random Number Generator

Design a new lightweight PRNG

Security Analysis

Hardware requirements (1)

(1) Department of Electrical Engineering, Carlos III University of Madrid (Spain)

Lightweight PRNG

Security requirements:

Cryptanalysis

Statistical tests (i.e. ENT, DIEHARD, NIST)

Hardware requirements:

Gate Equivalents < 4K

Clock cycles < 500-600

Operation frequency: 100 KHz

Power consumption: µW

AKARI-1 and AKARI-2

AKARI-1 (Figure 1)

Initialize x0 and x1 of m bits
x0 = x0 + ((x0 * x0) ∨ 5)
x1 = x1 + ((x1 * x1) ∨ 13)
z = x0
for r from 0 to 63
    z = (z >> 1) + (z << 1) + z + x1
% Output m/2 bits
Lower half of z

AKARI-2 (Figure 2)

Initialize x0 and x1 of m bits
x0 = x0 + ((x0 * x0) ∨ 5)
x1 = x1 + ((x1 * x1) ∨ 13)
z = x0 ^ x1
for r from 0 to 24
    z = (z << 1) + ((z + 0x56AB0A) >> 1)
y = x1 ^ z
for r from 0 to 24
    y = (y >> 1) + (y << 1) + y + 0x72A4FB
% Output m/2 bits
Lower half of y

AKARI-1 and AKARI-2: EPC tags

m = 32 bits    Gate Equivalents    Power (µW)    Clock cycles
AKARI-1        880                 16.86         66
AKARI-2        1629                29.91         51

AKARI-1 and AKARI-2: Low-cost RFID tags

m_maximal = 128 bits    Gate Equivalents    Power (µW)    Clock cycles
AKARI-1A                3358                62.4          66
AKARI-1B                3822                73.48         450

m_maximal = 64 bits     Gate Equivalents    Power (µW)    Clock cycles
AKARI-2A                3259                58.26         51
AKARI-2B                3135                57.42         290
AKARI-2C                2993                55.87         530

Questions?

Thank you

More information: http://www.lightweightcryptography.com/

http://www.cs.ru.nl/pearl/

[1] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, T. Li and J. C. A. van der Lubbe. “Weaknesses in Two Recent Lightweight RFID Authentication Protocols”. In INSCRYPT’09 (In Cooperation with IACR), Beijing, December, 2009.

[2] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador and J. C. A. van der Lubbe. “Security Flaws in a Recent Ultralightweight RFID Protocol”. In Workshop on RFID Security (RFIDSec Asia10), Volume 4 of Cryptology and Information Security Series, pages 83-93. IOS Press, 2010.

[3] J. C. Hernandez-Castro, P. Peris-Lopez, R. C.-W. Phan, J. M. E. Tapiador. “Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol”. In Workshop on RFID Security (RFIDSec10), Istanbul, June, 2010.

[4] P. Peris-Lopez, J. C. Hernandez-Castro, R. C.-W. Phan, J. M. E. Tapiador, T. Li. “Passive Cryptanalysis of an Ultralightweight Authentication Protocol of RFIDsec’10 Asia (Poster)”. In Workshop on RFID Security (RFIDSec10), Istanbul, June, 2010.

[5] A. Mitrokotsa, C. Dimitrakakis, P. Peris-Lopez, J. C. Hernandez-Castro. “Reid et al.’s Distance Bounding Protocol and Mafia Fraud Attacks over Noisy Channels”. In IEEE Communications Letters, Volume 14, Issue 2, pp. 121-123, 2010.

[6] P. Peris-Lopez, J. C. Hernandez-Castro, C. Dimitrakakis, A. Mitrokotsa, J. M. E. Tapiador. “Shedding Some Light on RFID Distance Bounding Protocols and Terrorist Attacks”. In CoRR, volume abs/0906.4618, 2009. (http://arxiv.org/abs/0906.4618)

[7] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, E. Palomar and J. C. A. van der Lubbe. “Cryptographic Puzzles and Distance-bounding Protocols: Practical Tools for RFID Security”. In IEEE International Conference on RFID, Orlando, 2010.

[8] P. Peris-Lopez, A. Orfila, J. C. Hernandez-Castro, J. C. A. van der Lubbe. “Flaws on RFID Grouping-Proofs. Guidelines for Future Sound Protocols”. In Journal of Network and Computer Applications (In Press). Available online 1 May 2010. (http://dx.doi.org/10.1016/j.jnca.2010.04.008)

[9] P. Peris-Lopez, J. Cesar Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. “Solving the Simultaneous Scanning Problem Anonymously: Clumping Proofs for RFID Tags”. In the 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU07), pages 55-60. IEEE Computer Society Press, Istanbul (Turkey), July, 2007.

[10] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. “LAMED A PRNG for EPC Class-1 Generation-2 RFID Specification”. In Computer Standards & Interfaces, Volume 31, Issue 1, pp. 88-97, January 2009.

[11] M. Mitra. “Privacy for RFID systems to prevent tracking and cloning”. International Journal of Computer Science and Network Security 8(1), pages 1–5, January 2008.

[12] C. Qingling, Z. Yiju, W. Yonghua. “A minimalist mutual authentication protocol for RFID system & BAN logic analysis”. In Proc. of CCCM ’08, IEEE Computer Society, pages 449–453, 2008.

[13] Y.-C. Lee, Y.-C. Hsieh, P.-S. You, T.-C. Chen. “A New Ultralightweight RFID Protocol with Mutual Authentication”. In Proc. of WASE’09, Volume 2 of ICIE, pages 58-61, 2009.

[14] M. David and N. R. Prasad. “Providing Strong Security and High Privacy in Low-Cost RFID Networks”. In Proc. of Security and Privacy in Mobile Information and Communication Systems, MobiSec’09, pages 172–179. Springer Berlin Heidelberg, September 2009.

[15] K.-H. Yeh, N.W. Lo, E. Winata. “An Efficient Ultralightweight Authentication Protocol for RFID Systems”. Proc. of RFIDSec Asia’10, volume 4 of Cryptology and Information Security Series, pages 49–60, IOS Press, 2010.

[16] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. “Advances in Ultralightweight Cryptography for Low-cost RFID Tags: Gossamer Protocol”. In Proc. of Workshop on Information Security Applications, volume 5379 of LNCS, pages 56–68. Springer-Verlag, Jeju Island (Korea), September 23-25, 2008.

[17] H.-Y. Chien. “SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity”. IEEE Transactions on Dependable and Secure Computing 4(4):337–340. Oct.-Dec. 2007.

[18] C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira. “The Swiss-Knife RFID Distance Bounding Protocol”. In International Conference on Information Security and Cryptology – ICISC, Lecture Notes in Computer Science. Springer-Verlag, December 2008.

[19] A. Juels. ““Yoking-Proofs” for RFID Tags”. In First International Workshop on Pervasive Computing and Communication Security. IEEE Press, pp. 138-143, 2004.