VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security

A Case Against Currently Used Hash Functions in RFID Protocols

Workshop on RFID Security 2006 – RFIDSec06
July 13-14, 2006, Graz, Austria

Martin Feldhofer and Christian Rechberger
IAIK – Graz University of Technology
Martin.Feldhofer@iaik.tugraz.at
www.iaik.tugraz.at
TU Graz/Computer Science/IAIK/VLSI/Feldhofer

Presentation outline
- Cryptographic primitives in RFID systems
- Hardware implementation of low-power SHA-256
- Synthesis and power simulation results
- Conclusions

Motivation
- High-end security in RFID systems → standardized algorithms
- Hash functions are conceptually easy → mainly used by RFID protocol designers
- Implementation costs?
- Comparison of popular hash functions with AES block cipher in context of RFID tags

Building blocks for RFID security
- Authentication and/or anonymity is required
- Commonly used cryptographic primitives
    - Hash functions
    - Block ciphers
    - Universal hash functions
    - PRNGs
    - Public key algorithms
    - Some "lightweight" solutions (HB, …)
- We focus on standardized cryptographic primitives
    - MD4-family (SHA-256, SHA-1, MD5, MD4)
    - AES-128

Survey on existing RFID security protocols

Proposal    Primitive     Authentication  Privacy
Molnar      PRF           No              Yes
Avoine      Hash          No              Yes
Choi        Hash          Yes             Yes
Henrici     Hash          Yes             Yes
Ohkubo      Hash          No              Yes
Dimitriou   Hash + PRNG   Yes             Yes
Lee         Hash + PRNG   Yes             Yes
Rhee        Hash + PRNG   Yes             Yes
Weis        Hash + PRNG   Yes             Yes
Feldhofer   AES + PRNG    Yes             Yes

Design issues for RFID hardware
- Not relevant for RFID tags
    - Energy consumption per operation
    - Power consumption per operation
- Relevant for RFID tags
    - Power consumption per cycle
    - Mean current consumption must not exceed available energy in V_dd capacitor
[Figure: tag supply diagram with labels RF field, I_Supply, V_ddMIN, I_IC]

Implementation targets

Target                             Value
Class of tags                      Passive class 2 (HF 13.56 MHz)
Mean power consumption             < 15 µA @ 1.5V
Hardware resources                 < 1,000 - 10,000 GEs
Data rate of protocol              26 kbps
Clock frequency of crypto module   ~100 kHz
Number of clock cycles (latency)   ~50 for immediate answer (0.5ms) → use interleaved protocol instead
Available modules                  No microcontroller or external memory available
Technology                         Standard cells (no dedicated RAM)
Costs                              ~5-50 Cent per tag

Outline of SHA-256
[Figure: block diagram. Message m (16 words) feeds the message expansion, which produces the expanded message w (64 words); the state update (64 steps) takes the IVs and w and produces the output o (8 words).]

Outline of SHA-256 – Message expansion

$$W_t = \begin{cases} M_t & \text{for } 0 \le t \le 15 \\ \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16} & \text{for } 16 \le t \le 63 \end{cases}$$

$$\sigma_0(x) = ROTR^{7}(x) \oplus ROTR^{18}(x) \oplus SHR^{3}(x)$$

$$\sigma_1(x) = ROTR^{17}(x) \oplus ROTR^{19}(x) \oplus SHR^{10}(x)$$
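
The recurrence above never reads further back than W_{t-16}, so W_t can be computed in place in a 16-word (512-bit) buffer instead of storing all 64 expanded words. The following C code is an added example, not code from the presentation; the function names and the padded "abc" sample block are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rotr(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
static uint32_t sigma0(uint32_t x) { return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3); }
static uint32_t sigma1(uint32_t x) { return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10); }

/* Reference form: store all 64 expanded words (64 x 32 = 2048 bits). */
void expand_full(const uint32_t m[16], uint32_t w[64]) {
    for (int t = 0; t < 16; t++) w[t] = m[t];
    for (int t = 16; t < 64; t++)
        w[t] = sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16];
}

/* Rolling form: buf holds only the 16 most recent words (512 bits).
   Call with t = 0, 1, ..., 63 in order. For t >= 16 the slot t mod 16
   still holds W_{t-16}, so W_t is accumulated on top of it. */
uint32_t next_w(uint32_t buf[16], int t) {
    if (t >= 16)
        buf[t & 15] += sigma1(buf[(t - 2) & 15]) + buf[(t - 7) & 15]
                     + sigma0(buf[(t - 15) & 15]);
    return buf[t & 15];
}

/* W_t computed with the 16-word buffer only (hypothetical helper). */
uint32_t w_at(const uint32_t m[16], int t) {
    uint32_t buf[16], w = 0;
    for (int i = 0; i < 16; i++) buf[i] = m[i];
    for (int i = 0; i <= t; i++) w = next_w(buf, i);
    return w;
}

/* Number of steps t where the two forms disagree; 0 means equivalent. */
int count_mismatches(const uint32_t m[16]) {
    uint32_t w[64];
    int bad = 0;
    expand_full(m, w);
    for (int t = 0; t < 64; t++)
        if (w_at(m, t) != w[t]) bad++;
    return bad;
}

/* Constructed sample: the single padded block for the 3-byte message "abc". */
const uint32_t ABC_BLOCK[16] = { 0x61626380u, 0, 0, 0, 0, 0, 0, 0,
                                 0, 0, 0, 0, 0, 0, 0, 0x18u };

int main(void) {
    printf("mismatches: %d\n", count_mismatches(ABC_BLOCK));
    printf("W_17 = 0x%08x\n", (unsigned)w_at(ABC_BLOCK, 17));
    return 0;
}
```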

Outline of SHA-256 – State update
[Figure: chain of step transformations. H(i) or IV (64 bits) loads the working variables A0 … H0; message m (16x32-bit) feeds the steps; a step transformation gives A1 … H1, followed by 61 identical steps to A62 … H62 and a final step transformation to A63 … H63, which yields H(i+1) (64 bits).]

Outline of SHA-256 – Step transformation
[Figure: step transformation diagram; no text preserved]

Secure RFID tag architecture
[Figure: block diagram; only the label "Controller" is preserved]

Architecture of low-power SHA-256
[Figure: block diagram; only the label "Controller" is preserved]

Chip area [in gate equivalents]

Total chip area: 10,868 GEs

Component        Area [GEs]  Share
RAM              8292        76%
Sigma            643         6%
Constants        612         6%
others           407         4%
Register T1/T2   394         4%
Controller       364         3%
Adder            156         1%

1024 bits memory → 8292 GEs !!!

Power consumption [in µA @ 100kHz; 3.3V]

Mean current consumption: 15.87 µA

Component        Current [µA]  Share
RAM              7.73          49%
Adder            2.74          17%
Register T1/T2   1.6           10%
others           1.54          10%
Controller       1.1           7%
Sigma            0.98          6%
Constants        0.18          1%

Comparison of chip area and power consumption

Component        Area distribution  Power consumption distribution
RAM              8292; 76%          7.73; 49%
Controller       364; 3%            1.1; 7%
Adder            156; 1%            2.74; 17%
Sigma            643; 6%            0.98; 6%
Register T1/T2   394; 4%            1.6; 10%
Constants        612; 6%            0.18; 1%
others           407; 4%            1.54; 10%

Comparison of SHA-256, SHA1, MD5, MD4 and AES – Chip area
[Figure: bar chart of chip area in gate equivalents [GEs], axis from 0 to 12000, with bars for SHA-256, MD5, SHA-1, MD4 and AES]

Comparison of SHA-256, SHA1, MD4, MD5 and AES – Mean current consumption
[Figure: bar chart of current consumption [µA @ 100 kHz], axis from 0 to 18, with bars for SHA-256, AES, SHA-1, MD5 and MD4; annotated "3.3V !!!"]

Implications of this work
- Two dominating factors decide on the suitability of a symmetric primitive for RFID tags
    - The required number of registers (state variables, chaining variables and message words)
        - SHA-256 (1024 bits) vs. AES (256 bits)
    - The underlying word size of the used primitive
        - How many flip flops have to be clocked at the same time
        - SHA-256 (32 bits) vs. AES (8 bits)
- Input for future design of cryptographic primitives

Comparison with parallel work
- Kaps et al. state that SHA-1 is more energy-efficient than AES
    - Stated chip area: 4276 GEs
    - This seems to contradict our conclusions
- But:
    1. Low energy consumption is not a main concern in RFID tag design
    2. Necessary external memory for message expansion is not available on RFID tags (requires additional 3722 GEs)

Conclusions
- We analyzed implementations of commonly used cryptographic primitives for RFID tags
- Comparison of SHA-256 with AES-128 because of same level of security
    - AES-128 requires less chip area
    - AES-128 has less mean power consumption
- Even older MD4-family hash functions (SHA-1, MD5, MD4) do not change conclusion