Institute for Applied Information Processing and Communications (IAIK)
TU Graz/Computer Science/IAIK/SEnSE/Michael Hutter IPICS 2011
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology
RFID Security
IPICS Summer School 2011
Michael Hutter
About us
Graz University of Technology
Faculty of Computer Science
Institute for Applied Information Processing and Communications (IAIK)
Research groups
  Crypto group – Vincent Rijmen
  EGIZ (e-government)
  Trusted computing/Java security
  Network security
  Formal methods for design & verification
  SEnSE group
Research Activities and Projects
CRYPTA
  Partners: austriamicrosystems, RFiT Solutions
C@R
  Partners: 33 international partners, budget: 15 million
TAMPRES
  Partners: NXP, France Telecom, ETH Zurich, UCL, IHP, …
PIT
  Partners: Infineon, RF-iT Solutions
IIA
  Investigation of Implementation Attacks
Other projects: SEPIA, DIAMOND, ECrypt2, ARTEUS, GRANDESCA, ISCA, DFA, SNAP, SCARD, ART, …
Overview
  Introduction to RFID
  RFID Security
  Cryptographic Hardware
  Implementation Attacks
  Countermeasures
  Summary
What is RFID?
Radio Frequency Identification
  Identify objects over radio frequency
RFID system
  Tags (or transponders)
  Readers (or transceivers)
  Back-end system (e.g. database)
RFID Applications
[Images © motorola.com, heinbloed-pcl.blogspot.com, monuzaspices.com, rfidinfotek.com, www.blogcdn.com]
Why Security for RFID?
5-7 % of world trade are counterfeit goods
  Estimates: 200 billion USD (OECD), 600 billion USD (IACC)
Automotive/Aviation
  20% of auto parts in Middle East are fake, 37% in India
  2% of 26 million airplane parts are fake (FAA)
  1.5 million accidents on US roads are due to faked parts (Army AL&T07)
Pharmaceuticals
  10% of drugs in the US are fakes (FDA)
  25% in developing countries (WHO) – 32 billion USD loss
  "The effects of counterfeit medicines are worse than HIV/AIDS, malaria and typhoid combined" (Dora Akunyili, NAFDAC, 2003)
Tobacco
  5% of cigarettes sold in the UK are counterfeit
Software
  35 % of software is illegal (35 billion USD)
Others
  Music, printers, movies, clothes, …
Source: International Authentication Association
Why Security for RFID?
Privacy?
[Figure: a reader and the tagged items a person carries: 1500 Euros in wallet (serial numbers: 597387, 389473, …); wig, model #4456 (cheap polyester); 30 items of lingerie; Das Kapital and Communist-party handbook; replacement hip, medical part #459382]
Source: RSA Laboratories (Ari Juels)
So what are the Requirements?
1. Cryptographic services
  Authentication, confidentiality, integrity, non-repudiation, untraceability, anonymity, …
2. Secure protocols + schemes
  Security against passive and active attacks
3. Strong cryptography
  Appropriate key sizes
  Standardized algorithms
4. Implementations
  Low resources
  Security
Example: TI DST
Digital Signature Transponder (DST) from Texas Instruments
  Broken in 2005
Used for
  vehicle immobilizers (150 million)
  SpeedPass system (cashless payment)
40 bit secret key
  Brute-force attack
  16 FPGAs used
Another Example: HiTag2
From Philips/NXP (broken in 2009)
Proprietary stream cipher
Used in German government and army buildings
Unlocking car doors remotely
  Alfa Romeo, Ford Galaxy and Transit, GM Corsa and Zafira, Nissan, Opel, Peugeot, Seat, Volvo, Honda, Iveco, …
Programmer (China) available for:
  Audi A8, VW Touareg, VW Phaeton, Bentley Continental, Porsche Cayenne, BMW E38, E39, E46, E53, E60, E61, E63, E64, E65, E66, E87, E90, E91, E92
  BMW (2002-2009): CAS/CAS2/CAS3, DG512/CAS3
48-bit secret key
  Algebraic attack reveals the key within a few hours (see N. Courtois et al.)
RFID Tag vs. Contactless Smart Card
                    RFID tag                 CL smart card
Reading range       < 1.2 - 5 m              < 10 cm
Power consumption   < 15 µA (scarce)         ~ 10 mA (enough)
Chip area           < 1 mm²                  15 - 20 mm²
Price (€)           minimal, 5-10 cent       some €
Frequency           LF, HF, UHF              HF
Application         inventory (until now)    authentication
Hardware            dedicated circuit        microcontroller
Security            none/proprietary         crypto coprocessor
Wide Range of Term “RFID”
Implementation challenge: high security with low resources
[Figure, © www.ariva.de: security level plotted against resources. Device labels: low-cost tags, mid-cost smart cards, NFC, e-passport. Crypto labels: no crypto / proprietary; symmetric primitives (AES, DES, stream ciphers, …); asymmetric primitives (RSA, ECC, …)]
Implementation Issues
Hardware Limitations
Chip area
  Memory consumes around 60-80% of chip size
  Die size is proportional to silicon costs
  Only a small part of the chip can be used for crypto
Power consumption
  Power supply is limited
  Supply voltage ~ 1.5 V
  Mean current Iavg < 15 µA
  Determines reading range
[Figure: block diagram of an RFID reader and an RFID tag. Tag blocks: analog front end, digital control, EEPROM, crypto module. Signals: VDD, Data, CLK]
Hardware Design (1)
CMOS
  Complementary Metal Oxide Semiconductor
  Technology for constructing ICs (> 90 % of all ICs)
Basic elements: transistors
Geometry
  W = gate width
  L = gate length
  tox = thickness of gate oxide
  Lmin = min. feature size
Moore’s law
  “Number of transistors in ICs doubles every 2 years”
[Image © Gary Drake]
Hardware Design (2)
Fabrication process
  Is defined by the minimum transistor size (channel/gate length L0) that can be manufactured, e.g. 30nm.
State of the Art
  Since 2008: 45nm CMOS process technology
  2 May 2011: first 22nm microprocessor from Intel (codename: Ivy Bridge)
What about Speed and Power?
  The smaller the transistor, the faster the chip
  Power: $P = P_{\text{static}} + P_{\text{dynamic}} + P_{\text{short\_circuit}}$
  $P_{\text{dynamic}} = \tfrac{1}{2} \cdot V_{DD}^{2} \cdot f \cdot C_{L}$
[Images: influenza virus, L = 100nm (© Centers for Disease Control and Prevention); 30nm CMOS (© Intel)]
Hardware Design (3)
1 Gate Equivalent = 1 two-input NAND gate
  Unit of measure
  4 transistors
Area available for crypto on low-cost RFID tags
  1000 – 6000 GEs
Example: AES
„Tina“: Tiny AES
Features
  128-bit encryption and decryption
Architecture
  8-bit datapath
  0.35 µm CMOS
  256 bit storage: RAM
  32 x 8-bit organization
Chip Size
  ~ 3400 GEs
Speed
  ~1000 cycles per encryption
Power
  3µA @ 100 kHz at 1.5 V
Suitable for passive RFID
[Figure: block diagram. Blocks: AES-128, RAM 32 x 8-bit, Data Unit. Signals: start, read, finished, data_out, data_in, reset, enc]
Another Example: ECC for RFID
Features
  163-bit Elliptic-Curve Cryptography on a Chip (ECCON)
  Based on asymmetric cryptography over GF(2^m)
Architecture
  16-bit datapath
  163x7-bit RAM storage
Implementation Details
  On 180 nm CMOS
  ISO 15693 RFID interface
Proven suitability for RFID
  13,685 GE chip area
  6 µA @1.8V at 106 kHz
  306,000 clock cycles
[Figure; labels: TINA, Secure TINA, ECCON]
Example: ECDSA on Passive RFID
Features
  Passive HF Tag
  NFC Forum Type 4 compatible
  ECDSA P-192, AES-128, SHA-1
Area
  Total: 21,502 GEs
  Overhead of AES: 2,387 GEs
  Overhead of SHA1: 889 GEs
Speed
  ECDSA: 863,109 cycles
  SHA1: 3,639 cycles
  AES: 4,529 cycles
Power
  ~485 µA @ 847kHz and 3.3V (0.35µm CMOS)
Forgery-Proof Prototype
Product authenticity
  Through digital signatures
  “Proof of Origin”
Anti-Counterfeiting
  Step toward preventing illicit copying of intellectual property and goods
Touch & Verify
  Using NFC-enabled mobile phones, e.g. Nokia 6212
  Up to 3cm reading range
Implementation Attacks
The weakest link in a system decides security
  Cryptographic algorithms are mathematically secure
  But: Implementations thereof are not!
Types
  Side-Channel Attacks
    Timing Analysis
    Power Analysis
    Electromagnetic Analysis
  Fault Analysis
  Probing Attacks
  Others
    Reverse Engineering
Timing Analysis
Analysis of the execution time of cryptographic implementations
Timing behavior can leak information about the secret key
E.g. RSA modular exponentiation: R = y^x mod n (b_i = bit i of the k-bit exponent x)

  R = 1
  for i = k – 1 downto 0 do
    R = R^2 mod n        - square
    if (b_i = 1) do
      R = R * y mod n    - multiply
    end if
  end for
  return R

key-bit dependent side-channel leakage in the execution time!
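The leak in the loop above, made visible by recording the sequence of squarings (S) and multiplications (M). This is an added example, not code from the slides; the Montgomery ladder shown next to it is a standard fixed-sequence alternative that the slides do not mention, and the function names and test values are chosen here for illustration.

```python
def square_and_multiply(y, x, n, k):
    """Algorithm from the slide. Returns (y^x mod n, operation sequence)."""
    r, ops = 1, ""
    for i in range(k - 1, -1, -1):
        r = r * r % n
        ops += "S"
        if (x >> i) & 1:        # multiply only for 1-bits: run time depends on the key
            r = r * y % n
            ops += "M"
    return r, ops


def exponent_from_ops(ops):
    """What the sequence gives away: 'S' followed by 'M' is a 1-bit, a lone 'S' a 0-bit."""
    x = 0
    for chunk in ops.split("S")[1:]:
        x = (x << 1) | int(chunk == "M")
    return x


def montgomery_ladder(y, x, n, k):
    """Same result, but every exponent bit costs exactly one multiply and one square."""
    r, ops = [1, y % n], ""     # invariant: r[1] == r[0] * y mod n
    for i in range(k - 1, -1, -1):
        b = (x >> i) & 1
        r[1 - b] = r[0] * r[1] % n
        r[b] = r[b] * r[b] % n
        ops += "MS"
    return r[0], ops


if __name__ == "__main__":
    # Constructed toy values (n = 61 * 53); real RSA moduli are far larger.
    y, n, k = 65, 3233, 6
    for x in (0b101101, 0b010010):
        _, leaky = square_and_multiply(y, x, n, k)
        _, fixed = montgomery_ladder(y, x, n, k)
        print(f"x={x:06b}  slide algorithm: {leaky:<12} ladder: {fixed}")
```

The counts model the operation sequence only: Python's big-integer arithmetic is not constant-time, and a hardware or firmware implementation must also keep the ladder's register selection independent of the key bit.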
Power Analysis (1)
Simple Power Analysis (SPA)
  Extract secret-key information by visually inspecting a power-consumption trace
  Digital storage oscilloscope needed
Different operations can be distinguished
  Square and multiply (RSA)
  Double and add (ECC)
  Rounds of block ciphers (AES, DES, …) can be clearly seen
Picture taken from Örs, Oswald, and Preneel (CHES 2003)
Power Analysis (2)
Differential Power Analysis (DPA)
  Target of the attack is an intermediate value that depends on the secret key (e.g. Sbox-output byte in AES)
[Figure: the input data goes to the cryptographic device (AES), which yields power traces, and to a software model (power model) evaluated for 256 key hypotheses; statistical methods (correlation, distance of means, ...) compare the two]
256 correlation traces
Highest absolute peak confirms correct key hypothesis
More info in the DPA Book
Example: KeeLoq broken in 2008
From Microchip Technology Inc.
Proprietary NLFSR cipher
Car door opening
  Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Clifford, Shurlok, Jaguar, …
Garage doors
20 years old cipher
64-bit secret key
DPA attack reveals the key (see T. Eisenbarth et al.)
Electromagnetic Analysis
Electronic devices leak information by electromagnetic (EM) emanation
  Extract information by using tiny EM probes
  Allows attacks at a distance (far-field measurements)
  Very simple, cheap, and easy
Fault Analysis
Fault-Injection Methods
Non-invasive
  Package left untouched
  Modify working conditions
Semi-invasive
  Decapsulation needed
  E.g. optical fault injection
Invasive
  Establish electrical contact to the chip
  Chip modification
Electromagnetic Fault Injection
  Charge pump generates up to 18kV
  EM pulses of nanoseconds
  Handmade probe coil
  Non-invasive
Optical Fault Injection
Laser diode (100mW @ 785nm)
Non-invasive
Global
  Laser placed upon the chip
Local
  Laser mounted on camera port
  Focused on different positions
  50 diameters object lens
Reverse Engineering
Example: Mifare Classic (NXP)
  CCC 2007: Henryk Plötz and Karsten Nohl
  Proprietary CRYPTO-1 cipher
Transport ticketing:
  Amsterdam, London, Boston, Los Angeles, Taipei, Pusan, Beijing, Brisbane, Shanghai, …
Access control
More than 1 billion tags sold
48-bit secret key
  Algebraic attack reveals the key within 0.05 seconds (see N. Courtois et al. and de Koning Gans et al.)
Implementation of Countermeasures
„The goal of countermeasures against SCA attacks is to make the power consumption of the device independent of the intermediate values of the executed algorithm.“ [Mangard, Oswald, Popp; Power Analysis Attacks – Revealing the Secrets of Smart Cards]
Types of countermeasures
Hiding (randomization)
  Remove data dependency of power consumption
  Shuffling of operations
  Execution of dummy cycles
Masking
  Randomize intermediate values that are processed
  Use an SCA-resistant logic style
Randomizing the AES
AES algorithm
Shuffling of operations
  a00 a01 a02 a03
  a10 a11 a12 a13
  a20 a21 a22 a23
  a30 a31 a32 a33
Randomly choose a starting element (column & row)
New sequence:
  a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10
The probability that a certain element is processed at a certain point of time is now 1/16.
Increase Randomization
Execution of dummy cycles
  Add a certain amount of dummy blocks randomly at the beginning and/or at the end
  Probability that a certain element occurs at a certain point of time is p = 1/(16 + n) (n … number of dummy cycles)
  e.g. n=12: probability that a certain element occurs at a certain point of time is 1/28
  a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10 d d d d d d d d d d d d
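A leakage evaluation on constructed traces that ties the DPA slide (256 key hypotheses, correlation against a power model of the S-box output) to the shuffling and dummy-cycle slides. This is an added example, not code from the slides. It assumes a Hamming-weight power model with Gaussian noise, one sample per trace, and models hiding as a uniformly chosen operation out of the 16 + n possible ones at the observed time slot.

```python
import random


def aes_sbox():
    """AES S-box: inverse in GF(2^8), then the affine map."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox


SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight power model (assumption)


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0


def simulate(key, n_traces, dummies=None, noise=1.0, seed=2011):
    """Constructed traces: one sample each, taken at the time slot in which an
    unprotected device processes state byte 0. Returns (first input bytes, samples)."""
    rng = random.Random(seed)
    data, samples = [], []
    for _ in range(n_traces):
        pt = [rng.randrange(256) for _ in range(16)]
        slot = 0 if dummies is None else rng.randrange(16 + dummies)
        # real operation: S-box output of state byte `slot`; dummy cycle: random value
        value = SBOX[pt[slot] ^ key[slot]] if slot < 16 else rng.randrange(256)
        data.append(pt[0])
        samples.append(HW[value] + rng.gauss(0.0, noise))
    return data, samples


def leakage(key, n_traces, dummies=None):
    """Return (best of the 256 hypotheses, |correlation| for the correct key byte 0)."""
    data, samples = simulate(key, n_traces, dummies)
    corr = [pearson([HW[SBOX[d ^ k]] for d in data], samples) for k in range(256)]
    return max(range(256), key=lambda k: abs(corr[k])), abs(corr[key[0]])


if __name__ == "__main__":
    KEY = [0x2B] + list(range(1, 16))  # constructed key
    print("unprotected:               ", leakage(KEY, 1000))
    print("shuffled + 12 dummy cycles:", leakage(KEY, 1000, dummies=12))
```

With hiding, the correlation for the correct key byte shrinks roughly by the factor 1/(16 + n) from the slide, so many more traces are needed before it stands out from the wrong hypotheses.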
Fault-Attack Countermeasures
Passive or active shielding
  Mesh of power lines on top of all metal layers
  Integration of sensors (voltage or clock check, light detection, temperature variation, …)
Redundant computation
  Intermediate results are calculated twice
  Final check of results
[Image: ST16SF48A sensor mesh © Kömmerling and Kuhn]
Cell-Level Countermeasures
Secure Logic Styles
Dual-Rail (DR)
  Two complementary wires instead of one
  Same power consumption in each clock cycle
Problems
  Balancing the complementary outputs
  Early-propagation effects
Examples
  SABL
  WDDL
  iMDPL
  …
[Figure: single-rail (SR) cell with inputs a, b and output q beside a dual-rail (DR) cell]
[Figure: design flow: high-level design capture, logic synthesis, floorplanning, placement and routing, tape-out. Further labels: special constraints, logic style conversion, conversion rules, SR cell library, DRP cell library]
Example: SCARD Chip
AES in MDPL
  Area: 5x larger
  DPA resistance: 10x higher
Features
  8051 microcontroller
  AES co-processor
  1 CMOS reference implementation (STD)
  7 different DPA-resistant implementations
  0.13µm technology from Infineon
[Figure; labels: MDPL, STD. Plot "MDPL µPCore: 20.000 samples": correlation versus time [µs]]
Example: GRANDESCA Chip
AES in iMDPL
  Area: 18x larger
  DPA resistance: 100x higher
Features
  8051 microcontroller
  Stand-alone AES processor
  1 CMOS reference implementation
  0.18µm technology from UMC
[Figure; labels: stand-alone AES processor; iMDPL; 8051-µC + AES coprocessor; iMDPL; PRNG, glue logic, etc.; CMOS; CMOS. Plot "iMDPL µPCore: 20.000 samples": correlation versus time [µs]]
Example: POWERTRUST Chip
AES in iMDPL with Secure-zone
  Area: only 1.5x larger
Features
  32-bit SPARC-V8 compliant LEON3 processor
  Architectural masking combined with a secure logic style
  0.18µm technology from UMC
[Figure; labels: secure_zone iMDPL; sz cmos; caches, memories, etc…; DSU; secure_zone DWDDL (MASTER); secure_zone DWDDL (CLONE)]
Summary
Inadequate security is common
  …better losing one million per year due to fraud than losing two million per year to fix the security problems…
AES and ECC are feasible for RFID
  It’s only a matter of costs
Security is mandatory
  Think of privacy issues or the problem of fraud
Countermeasures are needed
  To thwart side-channel and fault attacks