contact based fault injections and power analysis on rfid
play

Contact-based Fault Injections and Power Analysis on RFID Tags - PowerPoint PPT Presentation

Dec 01, 2023 •341 likes •514 views

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jrn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied

  1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Contact-based Fault Injections and Power Analysis on RFID Tags Michael Hutter, Jörn-Marc Schmidt, Thomas Plos ECCTD 2009 Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 1

  2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Presentation Outline  Introduction  Implementation attacks on RFID  Related work  Contact-based measurement setup  Fault injection setup and results  Power analysis setup and results  Conclusions and future work http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 2

  3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Introduction  RFID … R adio F requency Id entification  Small microchip attached to an antenna  Reader field is used for  Communication  Power supply  (Clock signal) Reader http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 3

  4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation Attacks on RFID  Active attacks  Fault attacks  Passive attacks  Physical probing  Side-channel attacks  Power consumption  Electromagnetic radiation  Timing analysis http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 4

  5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Recent Work  Oren and Shamir 2006  Simple power analysis attacks on UHF tags  Hutter et al. 2007  Differential electromagnetic analysis on HF tags  Plos 2008  Differential electromagnetic analysis on UHF tags  Hutter et al. 2008  Fault attacks on HF and UHF tags  This work  Differential power analysis and fault attacks on UHF and HF tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 5

  6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Our Analysis  Performed fault attacks and power-analysis attacks on different RFID tags  We induced over-voltage spikes into the chip-antenna connections  Analyzed HF and UHF tags  ISO 15693 and ISO 18000-6C (EPC Gen2)  Focus on write operation  Critical in terms of power consumption and execution time  Used a contact-based measurement setup http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 6

  7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Contact-based Measurement Setup  The chip of the tag is separated from its antenna  Chip and reader are directly connected by 2 wires  No air interface (no inductive/electromagnetic coupling)  The setup allows… PC  … contact-based fault injections  … power-consumption measurements of the chip Reader control RFID Tag R series R term reader chip http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 7

  8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Basic Communication Process Reader request Response time Tag response http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 8

  9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Fault-Injection Setup  Two high-speed multiplexers connect the chip to a DC voltage (over-voltage injection)  Trigger device PC FPGA board Trigger µC Switch control Reader control RFID Tag R Term reader chip DC supply http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 9

  10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Trigger Signal  Trigger device  SASEBO board used to control the trigger delay and duration  A microcontroller is used to listen to the reader communication and to provide a trigger signal after a write command  Fault injections during the response time of the chip (a few milliseconds)  Trigger device was programmed to sweep across the response time (automatic sweep)  Injected spikes in steps of 9ns  Over-voltage was induced for at least 80ns http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 10

  11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Results  Faults cause the chip to write faulty values into the memory  Tags perform a reset during the writing of data  The faulty value depends on the trigger delay  Different tags have a different writing time  Allows fingerprinting of RFID tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 11

  12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power-Analysis Setup  For HF tags  Power is measured over a 100 Ohm resistor  For UHF tags  Power is measured over the internal capacity (0.1pF) of the differential probe (no resistor used) PC Oscilloscope control Digital-storage oscilloscope Trigger Reader Differential µC control probe RFID Tag R Meas R Term reader chip http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 12

  13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power-Analysis Attacks  Trace acquisition  1000 traces for UHF tags and 10000 traces for HF tags were measured  Sampling rate: 100 MS/s  Post-processing techniques  Calculated the envelope signal (absolute values + 2 MHz low- pass filter  Horizontal and vertical trace alignment  Target of the attack  8-bit value that was written into memory  Different Power models applied http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 13

  14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Results  All attacks have been successful ISO 15693 HF tag ISO 18006C UHF tag http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 14

  15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Summary  Performed fault and power-analysis attacks on RFID  Analyzed HF and UHF RFID tags  Contact-based measurement setup used  All attacks have been performed successfully  Security-enabled RFID devices have to include countermeasures to thwart these attacks http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 15

  16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Thank you for your attention. Questions? Michael.Hutter@iaik.tugraz.at Jörn-Marc.Schmidt@iaik.tugraz.at Thomas.Plos@iaik.tugraz.at http://www.iaik.tugraz.at/content/research/implementation_attacks/ http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/SCA Antalya, 2009 ECCTD 2009 16

Recommend

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO

Results of the Hardware Injections Results of the Hardware Injections performed on the LIGO Interferometers Interferometers performed on the LIGO Myungkee Sung for the LIGO Science Collaboration 11th Gravitational Wave Data Analysis Workshop

331 views • 18 slides
MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID

MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID

MAS.S61: Emerging Wireless & Mobile Technologies Lecture 4: Low-power communica2on, RFID RFID (Radio Frequency IDentification) Inventory control Access Control Security Sensitive Applications Tracking & Localization Long-Range

546 views • 35 slides
Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based

Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based

Smart Sensing RFID Technology Passi sive, Activ ive e RFID, , Barcode code & BLE based ed Hybri rid d Asset set Trac acking ing syst stem em Smart Sensing RFID Technology and Management Consultancy Every day, our work helps

579 views • 27 slides
AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension

AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension

AI-based Low Computational Power Actuator/ Sensor Fault Detection Applied on a MAGLEV Suspension K. Michail, K. Deliparaschos, A. Zolotas, S. G. Tzafestas 21 st Mediterranean Conference on Control and Automation Crete, Greece, 25-28 June 2013

945 views • 23 slides
JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK

JUST ONE FAULT Persistent Fault Analysis on Block Ciphers Shivam Bhasin Temasek Labs @ NTU ASK 2018, Kolkata, India 15 Nov 2018 Table of Contents 1. Introduction to Fault Attacks 2. Persistent Fault Analysis (PFA) 3. PFA on Fault

588 views • 19 slides
Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet

Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet

Injections Injections for the Upper Extremity Treatment Tortures, Voodoo or Magic Bullet Anti-inflammatory Viscosupplementation C. Benjamin Ma, MD Diagnostic Lidocaine injection Professor in Residence Differential

425 views • 4 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC

LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC

LIGO S2 Inspiral Hardware Injections Steve Fairhurst University of Wisconsin-Milwaukee LSC Inspiral Working Group GWDAW December 19, 2003. LIGO-G030688-00-Z Introduction Hardware injections provide a good test of the entire analysis

315 views • 13 slides
CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL Injections Next month: XSS / CSRF Meetup Group for times/dates Plan of Attack History of SQL Basic Injections Protections

890 views • 58 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010

Differential Fault Analysis of HC-128 Differential Fault Analysis of HC-128 Aleksandar Kircanski and Amr M. Youssef AFRICACRYPT 2010 May 03-06, 2010, Stellenbosch, South Africa Differential Fault Analysis of HC-128 Outline Fault analysis

374 views • 24 slides
How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron

How Earthquake Risk Depends on the Closeness to a Fault: Symmetry-Based Geometric Analysis Aaron Velasco 1 , Solymar Ayala Cortez 1 Olga Kosheleva 2 , and Vladik Kreinovich 3 1 Department of Geological Sciences 2 Department of Teacher Education 3

562 views • 23 slides
Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations

Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations

Outline Knee Shoulder and Knee Injections Indications for Injections/Aspirations Outcomes Brian Feeley, MD How to do a knee injection easily Sports Medicine and Shoulder Surgery Shoulder UC San Francisco Indications

326 views • 13 slides
A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID

A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID

A 45 W Bias Power, 34 dB Gain Reflection Amplifier Exploiting the Tunneling Effect for RFID Applications Francesco Amato, Christopher W. Peterson, Brian D. Degnan, Gregory D. Durgin School of Electrical and Computer Engineering Georgia

635 views • 28 slides
TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown &

TrainTraxx.com HiveID RFID/NFC Solutions for Model Railroaders Presented by Carlton Brown & Blaine McDonnell Using RFID for Model Railroad Operations What is RFID? How does RFID Work? RFID Frequencies and Type of Tags

853 views • 25 slides
DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA

DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA

DEVELOPMENT OF AN RFID SYSTEM FOR SPS-ALPHA 1 OBJECTIVES RFID Implementation: SPS-ALPHA Structure RFID Technology Applications in SPS-ALPHA architecture Part Identification Location Referencing 2 Why Space Solar No

241 views • 22 slides
Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya

Reliability Maintenance and Managing Risk Conference 2019 Can Fault Tree Analysis Technique Resolve Fault Isolation Ambiguity? Alpana Gangopadhyaya Supportability Systems Engineer Northrop Grumman Alpana.Gangopadhyaya@ngc.com Phone Number

466 views • 18 slides
RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5

Introduction Fault Model Strategies Scheduling Analysis Performance Conclusions RTNS: Scheduling Analysis under Fault Bursts Florian Many, Frdric Boniol, David Doose 5 November 2010 RTNS: Scheduling Analysis under Fault Bursts 1 / 25

259 views • 21 slides
Structural analysis for fault diagnosis faults f ( t ) observation y ( t ) residual r ( t ) +

Structural analysis for fault diagnosis faults f ( t ) observation y ( t ) residual r ( t ) +

Jubilee Symposium 2019: Future Directions of System Modeling and Simulation 2 Model based diagnosis, basic idea System Structural analysis for fault diagnosis faults f ( t ) observation y ( t ) residual r ( t ) + actuators u ( t ) of equation

526 views • 15 slides
Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti (ISI, Kolkata) Joint

Motivation Description of CLOC and SILC Fault Based Almost Universal Forgery on CLOC Fault Based Almost Universal Forgery on SILC Implementation of Fault Conclusion Fault Based Almost Universal Forgeries on CLOC and SILC Avik Chakraborti

554 views • 32 slides
RFID-based Identification System in a Hospital

RFID-based Identification System in a Hospital

RFID-based Identification System in a Hospital IoT Conference, ETH Zurich 2008 Welcome Internet of Things 2008 Dr.med. Marc Oertle Medical Informatics Agenda

1.4k views • 23 slides
Learning objectives Understand the basic ideas of fault-based testing How knowledge of a

Learning objectives Understand the basic ideas of fault-based testing How knowledge of a

Learning objectives Understand the basic ideas of fault-based testing How knowledge of a fault model can be used to Fault-Based Testing create useful tests and judge the quality of test cases Understand the rationale of

296 views • 5 slides
Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning

Introduction - Motivation - Fault Model - Measurement Setup Fault Detection and Mitigation in WLAN RSS Nearest Neighbor Fingerprint-based Positioning Algorithm - Fault Detection - Fault Tolerance Hybrid Positioning Algorithm Christos

708 views • 41 slides

More recommend