RFID Security and Privacy Gildas Avoine Information Security Group UCL Belgium April 2011, Rennes, France
Summary � RFID Primer. � Examples. � Capabilities. � Particularities. � Authentication in RFID. � Theory. � Practical Attacks. � Relay Attacks. � Feasibility. � Countermeasures: Distance Bounding Protocols. Gildas Avoine 2 http://sites.uclouvain.be/security/
3 RFID Primer http://sites.uclouvain.be/security/ Gildas Avoine
RFID Primer Definition � “Radio frequency identification'' (RFID) means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it.” [European Commission Recommendation, 12.5.2009] Gildas Avoine 4 http://sites.uclouvain.be/security/
RFID Primer Examples: Basic RFID Applications � Supply chain. � Track boxes, palettes, etc. � Eg: EPC Global Inc. � Libraries. Source: www.dclogistics.com � Improve book borrowing procedure and inventory. � Pet identification. � Replace common identification Source: www.rfid-library.com tattoo by electronic one. � Will become mandatory in the EU. Gildas Avoine 5 http://sites.uclouvain.be/security/ Source: www. flickr.com
RFID Primer Examples: Evolved RFID Applications � Building access control. � Automobile ignition keys. � Passports. � Electronic passports since 2004. � Public transportation. � Eg. Brussels, Boston, Paris, London. Gildas Avoine 6 http://sites.uclouvain.be/security/
RFID Primer Capabilities power frequency active ultra-high frequency high frequency communication passive low frequency distance cm dm m no 10 cents UID pwd 50 cents sym 1 KB crypto asym computation euros crypto capabilities 40 KB memory capabilities Gildas Avoine 7 cost http://sites.uclouvain.be/security/
RFID Primer Capabilities power frequency active ultra-high frequency high frequency communication passive low frequency distance cm dm m no 10 cents UID pwd 50 cents sym 1 KB crypto asym computation euros crypto capabilities 40 KB memory capabilities Gildas Avoine 8 cost Supply chain http://sites.uclouvain.be/security/
RFID Primer Capabilities power frequency active ultra-high frequency high frequency communication passive low frequency distance cm dm m no 10 cents UID pwd 50 cents sym 1 KB crypto asym computation euros crypto capabilities 40 KB Access control memory capabilities Gildas Avoine 9 cost Supply chain http://sites.uclouvain.be/security/
RFID Security Specificities � Low-capabilities. � Calculation, Memory, Bandwidth. � Asymmetry. � Wireless. � Easy to skim and eavesdrop. � Answer without holder’s agreement / awareness. � Easier to skim, Attack not detected. � Un-perfect security better than nothing. Gildas Avoine 10 http://sites.uclouvain.be/security/
Security Threat Classification Authentication Information Leakage Malicious Traceability Denial of Service Gildas Avoine 11 http://sites.uclouvain.be/security/
RFID Security and Privacy Keyword Occurrence (since 2002, about 500 scientific papers) authentication 384 privacy 356 EPC 106 hash function 106 authentication protocol 104 mutual authentication 72 smart card 69 HB 58 eavesdropping 53 IDS 53 cloning 51 AES 50 supply chain 50 Gildas Avoine 12 http://sites.uclouvain.be/security/
13 Authentication in RFID http://sites.uclouvain.be/security/ Gildas Avoine
Authentication and Impersonation � Definition (Authentication). Authentication is any process by which a system verifies the identity of a user who wishes to access it. � Definition (Impersonation). Impersonation is an attach where a fake tag is authenticated as a genuine one. � Examples: � Clone an access control card. � Modify your mass transportation pass. � Create a fake passport. Gildas Avoine 14 http://sites.uclouvain.be/security/
Impersonation Authentication Protocol � Authentication can be done using: � A symmetric cipher, a keyed-hash function, a public-key cipher, a signature scheme, or a devoted authentication protocol. � Example: Challenge-Response Protocol. � ISO 9798-4 defines authentication protocols based on a MAC. Reader n R Tag ID T , E k ( n R , n T ) � We know how to design a secure authentication scheme. Gildas Avoine 15 http://sites.uclouvain.be/security/
Impersonation Weaknesses � Cost of the solution. � Require lightweight algorithms (wired logic). � Implementation issues. � Both sides: readers and tags. � Miss-understanding of the standards. � Architecture of the solution. � Building blocks are not enough: the whole solution must be secure. Gildas Avoine 16 http://sites.uclouvain.be/security/
RFID Primer Looking Inside � Many available solutions are weak. Source : jp.digikey.com Source : www.sirlepaper.com Gildas Avoine 17 http://sites.uclouvain.be/security/
RFID Primer Looking Inside � Many available solutions are weak. Source : jp.digikey.com Source : www.sirlepaper.com Source : lirent.net Gildas Avoine 18 http://sites.uclouvain.be/security/
Examples of Weak Solutions � Navigo Pass. � Security sounds fine, personal data not protected. � Texas Instruments DST. � Broken. 2005. � NXP Mifare Classic. � Broken. 2008. Gildas Avoine 19 http://sites.uclouvain.be/security/
Example: Leakage from the MOBIB Card MOBIB Extractor by G. Avoine, T. Martin, and J.-P. Szikora, 2009 Gildas Avoine 20 http://sites.uclouvain.be/security/
Impersonation � TI: Texas Instruments. � DST: Digital Signature Transponder. � More than 100 million DST modules sold around the world. � Car ignition key (eg. Ford) and payment cards. Gildas Avoine 21 http://sites.uclouvain.be/security/
Impersonation Video: Texas Instrument DST Reader (k) r Tag (k) E k ( r ) Adversary goal: retrieve the secret k in order to make a clone. 1. Query once the car’s key (tag inside). 2. Try all the possible keys k until finding the one that correctly decipher E k ( r ). 3. Steal the car simulating the car’s key. Gildas Avoine 22 http://sites.uclouvain.be/security/
Impersonation Attack on NXP Mifare Classic � Philips Semiconductors (NXP) introduced the Mifare commercial denomination (1994) that includes the Mifare Classic product. � Applications: public transportation, access control, ticketing… � Memory read & write access are protected by some keys. � Several hundreds million Mifare Classic tags sold up to now. � Several attacks in 2008, Hoepman, Garcia, de Koning Gans, et al. reverse-engineered the cipher Crypto1: every Mifare Classic tag broken in a few minutes. Gildas Avoine 23 http://sites.uclouvain.be/security/
24 Relay Attacks http://sites.uclouvain.be/security/ Gildas Avoine
25 http://sites.uclouvain.be/security/ Gildas Avoine Impersonation Relay Attacks
26 http://sites.uclouvain.be/security/ Gildas Avoine Impersonation Relay Attacks
27 Adv http://sites.uclouvain.be/security/ Gildas Avoine 10’000 km Impersonation Adv Relay Attacks
Impersonation Relay Attacks: Timing � Reader starts a timer when sending a message. � To avoid half-opened connections. � ISO 14443 “Proximity Cards”. � Used in most secure applications. � Default timer is around 4 ms. � Tag can require more time, up to… Gildas Avoine 28 http://sites.uclouvain.be/security/
Impersonation Relay Attacks: Feasibility Radio link over 50 meters (G. Hancke 05). � With some locally-connected ACR122 (A. Laurie 09). � With Nokia cell phones (A. Laurie 10). � Over Internet (libNFC 10). � Gildas Avoine 29 http://sites.uclouvain.be/security/
COUNTERMEASURES
Protocol Aims in General Framework Definition (Authentication) An authentication is a process whereby one party is assured of the identity of a second party involved in a protocol, and that the second has actually participated (i.e. is active at, or immediately prior to, the time evidence is acquired). [Handbook of Crypto] Definition (Distance Checking) A distance checking is a process whereby one party is assured that a given property on its distance to a second party involved in a protocol is satisfied at some point in the protocol. The area where the property is satisfied is called the neighborhood of the verifying party. 2
Protocol Aims in RFID Framework Definition (Distance Bounding) A distance bounding is a process that consists of an authentication combined with a distance-checking, where the considered property is an upper-bound on the distance between the two parties. 3
Protocol Aims in RFID Framework Definition (Distance Bounding) A distance bounding is a process that consists of an authentication combined with a distance-checking, where the considered property is an upper-bound on the distance between the two parties. Distance bounding does not avoid relay attacks. Distance bounding check that the distance property between the verifier and the claimed prover is verified (Proximity check). 3
No Fraud Reader Reader Reader Tag Tag Adversary Tag Adversary 4
Fraud Reader Reader Reader Adversary Adversary Tag Tag Reader Reader Adversary Adversary Tag 5
Recommend
More recommend