RFID Security
Michael Hutter
Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology
IPICS Summer School 2011
Slides: mhutter.org/slides/20110830_IPICS_RFID_security.pdf


About us
- Graz University of Technology
  - Faculty of Computer Science
  - Institute for Applied Information Processing and Communications (IAIK)
- Research groups
  - Crypto group – Vincent Rijmen
  - EGIZ (e-government)
  - Trusted computing/Java security
  - Network security
  - Formal methods for design & verification
  - SEnSE group


Research Activities and Projects
- CRYPTA
  - Partners: austriamicrosystems, RFiT Solutions
- C@R
  - Partners: 33 international partners, budget: 15 million
- TAMPRES
  - Partners: NXP, France Telecom, ETH Zurich, UCL, IHP, …
- PIT
  - Partners: Infineon, RF-iT Solutions
- IIA
  - Investigation of Implementation Attacks
- Other projects: SEPIA, DIAMOND, ECrypt2, ARTEUS, GRANDESCA, ISCA, DFA, SNAP, SCARD, ART, …


Overview
- Introduction to RFID
- RFID Security
- Cryptographic Hardware
- Implementation Attacks
- Countermeasures
- Summary


What is RFID?
- Radio Frequency Identification
  - Identify objects over radio frequency
- RFID system
  - Tags (or transponders)
  - Readers (or transceivers)
  - Back-end system (e.g. database)


RFID Applications
[Images: © motorola.com, © heinbloed-pcl.blogspot.com, © monuzaspices.com, © rfidinfotek.com, © www.blogcdn.com]


Why Security for RFID?
- 5-7 % of world trade are counterfeit goods
  - Estimates: 200 billion USD (OECD), 600 billion USD (IACC)
- Automotive/Aviation
  - 20% of auto parts in Middle East are fake, 37% in India
  - 2% of 26 million airplane parts are fake (FAA)
  - 1.5 million accidents on US roads are due to faked parts (Army AL&T07)
- Pharmaceuticals
  - 10% of drugs in the US are fakes (FDA)
  - 25% in developing countries (WHO) – 32 billion USD loss
  - "The effects of counterfeit medicines are worse than HIV/AIDS, malaria and typhoid combined" (Dora Akunyili, NAFDAC, 2003)
- Tobacco
  - 5% of cigarettes sold in the UK are counterfeit
- Software
  - 35 % of software is illegal (35 billion USD)
- Others
  - Music, printers, movies, clothes, …

Source: International Authentication Association


Why Security for RFID?
- Privacy?

[Figure: a reader picks up the tagged items a person is carrying: 1500 Euros in wallet (serial numbers: 597387, 389473); wig, model #4456 (cheap polyester); 30 items of lingerie; Das Kapital and Communist-party handbook; replacement hip, medical part #459382]

Source: RSA Laboratories (Ari Juels)


So what are the Requirements?

1. Cryptographic services
   - Authentication, confidentiality, integrity, non-repudiation, untraceability, anonymity, …

2. Secure protocols + schemes
   - Security against passive and active attacks

3. Strong cryptography
   - Appropriate key sizes
   - Standardized algorithms

4. Implementations
   - Low resources
   - Security


Example: TI DST

- Digital Signature Transponder (DST) from Texas Instruments
  - Broken in 2005
- Used for vehicle immobilizers (150 million)
- SpeedPass system (cashless payment)
- 40-bit secret key
  - Brute-force attack
  - 16 FPGAs used


Another Example: HiTag2
- From Philips/NXP (broken in 2009)
- Proprietary stream cipher
- Used in German government and army buildings
- Unlocking car doors remotely
  - Alfa Romeo, Ford Galaxy and Transit, GM Corsa and Zafira, Nissan, Opel, Peugeot, Seat, Volvo, Honda, Iveco, …
- Programmer (China) available for:
  - Audi A8, VW Touareg, VW Phaeton, Bentley Continental, Porsche Cayenne, BMW E38, E39, E46, E53, E60, E61, E63, E64, E65, E66, E87, E90, E91, E92
  - BMW (2002-2009): CAS/CAS2/CAS3, DG512/CAS3
- 48-bit secret key
  - Algebraic attack reveals the key within a few hours (see N. Courtois et al.)


RFID Tag vs. Contactless Smart Card

                     RFID tag                 CL smart card
Reading range        < 1.2 - 5 m              < 10 cm
Power consumption    < 15 µA (scarce)         ~ 10 mA (enough)
Chip area            < 1 mm²                  15 - 20 mm²
Price (€)            minimal, 5-10 Cent       some €
Frequency            LF, HF, UHF              HF
Application          inventory (until now)    authentication
Hardware             dedicated circuit        microcontroller
Security             none / proprietary       crypto coprocessor


Wide Range of Term "RFID"
- Implementation challenge: high security with low resources

[Figure (© www.ariva.de): device classes plotted by security level against resources. Device labels: low-cost tags, mid-cost smart cards, e-passport, NFC. Crypto labels: no crypto / proprietary; symmetric primitives (AES, DES, stream ciphers, …); asymmetric primitives (RSA, ECC, …)]


Implementation Issues

- Hardware Limitations
  - Chip area
    - Memory consumes around 60-80% of chip size
    - Die size is proportional to silicon costs
    - Only a small part of the chip can be used for crypto
  - Power consumption
    - Power supply is limited
    - Supply voltage ~ 1.5 V
    - Mean current I_avg < 15 µA
    - Determines reading range

[Block diagram: RFID reader and RFID tag; the tag consists of analog front end, digital control, EEPROM and crypto module; signals VDD, Data, CLK]


Hardware Design (1)
- CMOS
  - Complementary Metal Oxide Semiconductor
  - Technology for constructing ICs (> 90 % of all ICs)
- Basic elements: transistors
  - Geometry
    - W = gate width
    - L = gate length
    - t_ox = thickness of gate oxide
    - L_min = min. feature size
- Moore's law
  - "Number of transistors in ICs doubles every 2 years"

[Image © Gary Drake]


Hardware Design (2)
- Fabrication process
  - Is defined by the minimum transistor size (channel/gate length L0) that can be manufactured, e.g. 30nm.
- State of the Art
  - Since 2008: 45nm CMOS process technology
  - 2 May 2011: first 22nm microprocessor from Intel (codename: Ivy Bridge)
- What about Speed and Power?
  - The smaller the transistor, the faster the chip
  - Power: $P = P_{\text{static}} + P_{\text{dynamic}} + P_{\text{short\_circuit}}$
  - $P_{\text{dynamic}} = \frac{1}{2} \cdot V_{DD}^{2} \cdot f \cdot C_{L}$

[Images: influenza virus, L = 100nm (© Centers for Disease Control and Prevention); 30nm CMOS (© Intel)]


Hardware Design (3)
- 1 Gate Equivalent = 1 two-input NAND gate
  - Unit of measure
  - 4 transistors
- Area available for crypto on low-cost RFID tags
  - 1000 – 6000 GEs


Example: AES
- "Tina": Tiny AES
- Features
  - 128-bit encryption and decryption
- Architecture
  - 8-bit datapath
  - 0.35 µm CMOS
  - 256 bit storage: RAM
    - 32 x 8-bit organization
- Chip Size
  - ~ 3400 GEs
- Speed
  - ~1000 cycles per encryption
- Power
  - 3 µA @ 100 kHz at 1.5 V
- Suitable for passive RFID

[Block diagram: AES-128 module with data unit and 32 x 8-bit RAM; signals start, read, finished, data_out, data_in, reset, enc]


Another Example: ECC for RFID
- Features
  - 163-bit Elliptic-Curve Cryptography on a Chip (ECCON)
  - Based on asymmetric cryptography over GF(2^m)
- Architecture
  - 16-bit datapath
  - 163x7-bit RAM storage
- Implementation Details
  - On 180 nm CMOS
  - ISO 15693 RFID interface
  - Proven suitability for RFID
    - 13,685 GE chip area
    - 6 µA @ 1.8 V at 106 kHz
    - 306,000 clock cycles

[Chip photo labels: TINA, Secure TINA, ECCON]


Example: ECDSA on Passive RFID
- Features
  - Passive HF Tag
  - NFC Forum Type 4 compatible
  - ECDSA P-192, AES-128, SHA-1
- Area
  - Total: 21,502 GEs
  - Overhead of AES: 2,387 GEs
  - Overhead of SHA1: 889 GEs
- Speed
  - ECDSA: 863,109 cycles
  - SHA1: 3,639 cycles
  - AES: 4,529 cycles
- Power
  - ~485 µA @ 847 kHz and 3.3 V (0.35 µm CMOS)


Forgery-Proof Prototype
- Product authenticity
  - Through digital signatures
  - "Proof of Origin"
- Anti-Counterfeiting
  - Step toward preventing illicit copying of intellectual property and goods
- Touch & Verify
  - Using NFC-enabled mobile phones, e.g. Nokia 6212
  - Up to 3 cm reading range


Implementation Attacks
- The weakest link in a system decides security
  - Cryptographic algorithms are mathematically secure
  - But: Implementations thereof are not!
- Types
  - Side-Channel Attacks
    - Timing Analysis
    - Power Analysis
    - Electromagnetic Analysis
  - Fault Analysis
  - Probing Attacks
  - Others
    - Reverse Engineering


Timing Analysis
- Analysis of the execution time of cryptographic implementations
- Timing behavior can leak information about the secret key
- E.g. RSA modular exponentiation: R = y^x mod n (b_i is bit i of the k-bit secret exponent x)

    R = 1
    for i = k – 1 downto 0 do
        R = R^2 mod n          - square
        if (b_i = 1) do
            R = R * y mod n    - multiply
        end if
    end for
    return R

Key-bit dependent side-channel leakage in the execution time!
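
The leak on this slide, made measurable (an added example, not part of the original slides): modular operations are counted as a stand-in for execution time, and the slide's algorithm is compared with a Montgomery ladder, a standard fixed-schedule alternative that the slides do not mention. The modulus, base and exponents are constructed sample values.

```python
# Added example: operation counts model execution time on hardware where every
# modular multiplication costs the same. Python's own big-integer arithmetic is
# not constant-time, so this shows the schedule, not a hardened implementation.

def sqm_leaky(y, x, n, k):
    """Left-to-right square-and-multiply as on the slide: multiply only if b_i = 1."""
    r, ops = 1, 0
    for i in range(k - 1, -1, -1):
        r = r * r % n                  # square (every bit)
        ops += 1
        if (x >> i) & 1:               # key-bit dependent branch
            r = r * y % n              # multiply (1-bits only)
            ops += 1
    return r, ops

def ladder(y, x, n, k):
    """Montgomery ladder: one multiply and one square per bit, whatever its value."""
    r0, r1, ops = 1, y % n, 0          # invariant: r1 == r0 * y mod n
    for i in range(k - 1, -1, -1):
        if (x >> i) & 1:
            r0, r1 = r0 * r1 % n, r1 * r1 % n
        else:
            r1, r0 = r0 * r1 % n, r0 * r0 % n
        ops += 2
    return r0, ops

def leaked_hamming_weight(ops, k):
    """What the total running time of sqm_leaky gives away: the number of 1-bits in x."""
    return ops - k

# Constructed sample values: two 16-bit exponents with very different Hamming weight.
N, Y, K = 2**61 - 1, 0x1234567, 16
X_SPARSE, X_DENSE = 0x8001, 0xFFFF

def compare():
    """Return (exponent, leaky op count, ladder op count) for both sample exponents."""
    rows = []
    for x in (X_SPARSE, X_DENSE):
        r_leaky, ops_leaky = sqm_leaky(Y, x, N, K)
        r_ladder, ops_ladder = ladder(Y, x, N, K)
        assert r_leaky == r_ladder == pow(Y, x, N)   # both compute y^x mod n
        rows.append((x, ops_leaky, ops_ladder))
    return rows

if __name__ == "__main__":
    for x, ops_leaky, ops_ladder in compare():
        print(f"x={x:#06x}  square-and-multiply ops={ops_leaky}  ladder ops={ops_ladder}")
```

The total count only reveals the Hamming weight of the exponent; the individual bits leak when the per-iteration pattern is visible, which is the SPA case.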


Power Analysis (1)
- Simple Power Analysis (SPA)
  - Extract secret-key information by visually inspecting a power-consumption trace
  - Digital storage oscilloscope needed
  - Different operations can be distinguished
    - Square and multiply (RSA)
    - Double and add (ECC)
  - Rounds of block ciphers (AES, DES, …) can be clearly seen

[Picture taken from Örs, Oswald, and Preneel (CHES 2003)]


Power Analysis (2)
- Differential Power Analysis (DPA)
  - Target of the attack is an intermediate value that depends on the secret key (e.g. Sbox-output byte in AES)

[Figure: DPA workflow. The input data goes to the cryptographic device (AES), which yields power traces, and to a software model with a power model evaluated for 256 key hypotheses; statistical methods (correlation, distance of means, ...) compare the two]

- 256 correlation traces
- Highest absolute peak confirms correct key hypothesis
- More info in the DPA Book


Example: KeeLoq broken in 2008
- From Microchip Technology Inc.
- Proprietary NLFSR cipher
- Car door opening
  - Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Clifford, Shurlok, Jaguar, …
- Garage doors
- 20-year-old cipher
- 64-bit secret key
  - DPA attack reveals the key (see T. Eisenbarth et al.)


Electromagnetic Analysis
- Electronic devices leak information by electromagnetic (EM) emanation
  - Extract information by using tiny EM probes
  - Allows attacks at a distance (far-field measurements)
  - Very simple, cheap, and easy


Fault Analysis
- Fault-Injection Methods
  - Non-invasive
    - Package left untouched
    - Modify working conditions
  - Semi-invasive
    - Decapsulation needed
    - E.g. optical fault injection
  - Invasive
    - Establish electrical contact to the chip
    - Chip modification


Electromagnetic Fault Injection
- Charge pump generates up to 18 kV
- EM pulses of nanoseconds
- Handmade probe coil
- Non-invasive


Optical Fault Injection
- Laser diode (100 mW @ 785 nm)
- Non-invasive
- Global
  - Laser placed upon the chip
- Local
  - Laser mounted on camera port
  - Focused on different positions
  - 50 diameters object lens


Reverse Engineering
- Example: Mifare Classic (NXP)
  - CCC 2007: Henryk Plötz and Karsten Nohl
  - Proprietary CRYPTO-1 cipher
- Transport ticketing:
  - Amsterdam, London, Boston, Los Angeles, Taipei, Pusan, Beijing, Brisbane, Shanghai, …
- Access control
- More than 1 billion tags sold
- 48-bit secret key
  - Algebraic attack reveals the key within 0.05 seconds (see N. Courtois et al. and de Koning Gans et al.)


Implementation of Countermeasures
- "The goal of countermeasures against SCA attacks is to make the power consumption of the device independent of the intermediate values of the executed algorithm." [Mangard, Oswald, Popp; Power Analysis Attacks – Revealing the Secrets of Smart Cards]
- Types of countermeasures
  - Hiding (randomization)
    - Remove data dependency of power consumption
    - Shuffling of operations
    - Execution of dummy cycles
  - Masking
    - Randomize intermediate values that are processed
  - Use an SCA-resistant logic style
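
The DPA procedure from the Power Analysis (2) slide and the masking countermeasure listed here, run on simulated data (an added example, not part of the original slides). It assumes a Hamming-weight power model, Gaussian noise, a constructed key byte, and a mask that does not leak on its own.

```python
import math
import random

def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox(x):
    """AES S-box: field inverse (0 maps to 0) followed by the affine transform."""
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [aes_sbox(x) for x in range(256)]
HW = [bin(v).count("1") for v in range(256)]   # assumed power model: Hamming weight

def simulate(key, n, masked, rng, sigma=1.0):
    """Constructed traces: one noisy sample per run; masked=True XORs a fresh random mask."""
    pts, leak = [], []
    for _ in range(n):
        p = rng.randrange(256)
        m = rng.randrange(256) if masked else 0
        pts.append(p)
        leak.append(HW[SBOX[p ^ key] ^ m] + rng.gauss(0, sigma))
    return pts, leak

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var)

def cpa(pts, leak):
    """Correlate the leakage with the model under each of the 256 key hypotheses."""
    corr = [pearson([HW[SBOX[p ^ h]] for p in pts], leak) for h in range(256)]
    return max(range(256), key=lambda h: abs(corr[h])), corr

def evaluate(key=0x3C, n=1000, seed=1):
    """Return {masked: (best hypothesis, |correlation| at the true key)}."""
    rng = random.Random(seed)
    out = {}
    for masked in (False, True):
        pts, leak = simulate(key, n, masked, rng)
        best, corr = cpa(pts, leak)
        out[masked] = (best, abs(corr[key]))
    return out

if __name__ == "__main__":
    print(evaluate())
```

Without the mask the true key byte produces the highest peak; with it, the correlation at the true key drops to the noise floor, which is the first-order effect masking is meant to have.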


Randomizing the AES
- AES algorithm
  - Shuffling of operations

    a00 a01 a02 a03
    a10 a11 a12 a13
    a20 a21 a22 a23
    a30 a31 a32 a33

- Randomly choose a starting element (column & row)
- New sequence:

    a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10

- The probability that a certain element is processed at a certain point of time is now 1/16.


Increase Randomization
- Execution of dummy cycles
  - Add a certain amount of dummy blocks randomly at the beginning and/or at the end
  - Probability that a certain element occurs at a certain point of time is p = 1/(16 + n) (n … number of dummy cycles)
  - e.g. n=12: probability that a certain element occurs at a certain point of time is 1/28

    a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10 d d d d d d d d d d d d


Fault-Attack Countermeasures

- Passive or active shielding
  - Mesh of power lines on top of all metal layers
  - Integration of sensors (voltage or clock check, light detection, temperature variation, …)
- Redundant computation
  - Intermediate results are calculated twice
  - Final check of results

[Image: ST16SF48A sensor mesh © Kömmerling and Kuhn]


Cell-Level Countermeasures

- Secure Logic Styles
  - Dual-Rail (DR)
    - Two complementary wires instead of one
    - Same power consumption in each clock cycle
  - Problems
    - Balancing the complementary outputs
    - Early-propagation effects
  - Examples
    - SABL
    - WDDL
    - iMDPL
    - …

[Figure: an SR cell with inputs a, b and output q next to the corresponding DR cell with complementary inputs and outputs]

[Figure: design-flow labels: high-level design capture, logic synthesis, floorplanning, placement and routing, tape-out; special constraints; logic style conversion with conversion rules, SR cell library and DRP cell library]


Example: SCARD Chip

- AES in MDPL
  - Area: 5x larger
  - DPA resistance: 10x higher
- Features
  - 8051 microcontroller
  - AES co-processor
  - 1 CMOS reference implementation (STD)
  - 7 different DPA-resistant implementations
  - 0.13 µm technology from Infineon

[Chip layout labels: MDPL, STD]

[Plot: correlation over time [µs], MDPL µP core, 20.000 samples]


Example: GRANDESCA Chip

- AES in iMDPL
  - Area: 18x larger
  - DPA resistance: 100x higher
- Features
  - 8051 microcontroller
  - Stand-alone AES processor
  - 1 CMOS reference implementation
  - 0.18 µm technology from UMC

[Chip layout labels: stand-alone AES processor (iMDPL, CMOS); 8051-µC + AES coprocessor (iMDPL, CMOS); PRNG, glue logic, etc.]

[Plot: correlation over time [µs], iMDPL µP core, 20.000 samples]


Example: POWERTRUST Chip

- AES in iMDPL with Secure-zone
  - Area: only 1.5x larger
- Features
  - 32-bit SPARC-V8 compliant LEON3 processor
  - Architectural masking combined with a secure logic style
  - 0.18 µm technology from UMC

[Chip layout labels: secure_zone iMDPL; sz cmos; caches, memories, etc…; DSU; secure_zone DWDDL (MASTER); secure_zone DWDDL (CLONE)]


Summary

- Inadequate security is common
  - …better losing one million per year due to fraud than losing two million per year to fix the security problems…
- AES and ECC are feasible for RFID
  - It's only a matter of costs
- Security is mandatory
  - Think of privacy issues or the problem of fraud
- Countermeasures are needed
  - To thwart side-channel and fault attacks