Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013
Agenda � Motivation for Secure UHF Tags � The Rabin-Montgomery Cryptosystem � Message Flow � Protocol Extension with Mutual Authentication � Proof-Of-Concept Implementation Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 2
Agenda � Motivation for Secure UHF Tags � The Rabin-Montgomery Cryptosystem � Message Flow � Protocol Extension with Mutual Authentication � Proof-Of-Concept Implementation Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 3
Inductive and radiative RFID Systems Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 4
Secure UHF RFID Cryptographic protection of UHF RFID systems facilitates novel applications thanks to its long operating range Today: Security � RF 13,56 MHz: Smart Card OS / 10 cm � UHF 868 MHz: Non-secure memory / 10 m HF 13.56 SCOS Secure Secure UHF RFID: UHF � Cryptographic security with same operating range Power Technology � technological leap consumption � µController with SCOS � full flexibility in the X 50 choice of authentication protocols � AES efficiently implemented in hardware UHF memory Reading range Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 5
Agenda � Motivation for Secure UHF Tags � The Rabin-Montgomery Cryptosystem � Message Flow � Protocol Extension with Mutual Authentication � Proof-Of-Concept Implementation Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 6
The Rabin-Montgomery Crypto Suite � Based on the asymmetric cryptosystem by Michael O. Rabin (1979) � Augmented by a method from Peter Montgomery (1985) to avoid the division of long numbers in modular arithmetic � Allows cost and energy efficient implementation by combining the Rabin and Montgomery algorithms � Allows non-traceable and confidential identification and authentication � Does not require a private (secret) key to be stored in a tag � the tag performs only efficient public key operations � Time consuming private key operations need only be performed by the interrogator � Can be combined with symmetric mutual authentication, based on AES Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 7
How the RAMON Tag Authentication Works RAMON is a public key protocol, using four different keys: A public key K E , used for encryption. � � This is the only key stored on the tag A private key(-set) K D , used for decryption � � This key is only stored in a secure memory in the interrogator An optional key set K s , K V ,used to validate a signed UID � � As the data length might exceed the buffer capacity of tag or interrogator, response messages are chained � First response chunk is delivered while ongoing encryption produces more data consecutively � Optimised transaction time Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 8
Information Flow with RAMON Tag Authentication 1 3 Generate {K S , K V } Generate {K D , K E } Sign Tag IDs with K S 2 4 System Tag Issuer store Tag IDs, K E Integrator 6 5 store (Signed) Tag IDs, (K V ) Secure Storage Signature Secure Storage List of (signed) verification key Tag IDs (public) K V RAMON 7 List of (signed) decryption key Tag IDs (Signed) Tag ID, K E Signature RAMON (private) K D generation key encryption key (private) K S (public) K E Signature RAMON verification key Encryption key (public) K V (public) K E User Memory verify 7 8 (Signed) Tag ID 10 store / RAMON Tag Interrogator retrieve RAMON 9 Encryption key (public) K E Optional steps and components are indicated with a dashed line . n Step n of the information flow Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 9
Basics: Rabin Cryptosystem The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the factorization problem. Message M 2 Encryption: C M mod n = Secret key p, q Public key n n = p * q p, q : primes, almost Cipher text C : Reader � � � � Tag equal size, p ≡ q 3 (mod 4 ) ≡ Decryption: y p y q 1 ⋅ + ⋅ = p q p 1 + 4 m C mod p C mod p r ( y p m y q m ) mod n = = + = ⋅ ⋅ + ⋅ ⋅ p p q q p q 1 + r n r − = − 4 m C mod q C mod q = = q s ( y p m y q m ) mod n + = ⋅ ⋅ − ⋅ ⋅ p q q p s n s − = − One root r , s is our Message M Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 10
Basics: Montgomery Modular Multiplication The Montgomery approach allows a much more efficient calculation of the cipher text C in the tag. Message M Secret key p, q Public key n * 2 1 − Encryption: C M R mod n = n = p * q p, q : primes, almost equal size, p ≡ q 3 (mod 4 ) ≡ Cipher text C* : Reader � � Tag � � Residue R is a power of 2 and k > . R ≥ 2 n Conversion: In other words, R is at least * 2 1 − C C R mod n ( M R ) R mod n = = the next power of 2 which is larger than n . d bl nd ⋅ n 1 mod 2 ; 1 nd d ; nd Rabin Decryption (previous slide) = ≤ < ≈ 2 Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 11
Agenda � Motivation for Secure UHF Tags � The Rabin-Montgomery Cryptosystem � Message Flow � Protocol Extension with Mutual Authentication � Proof-Of-Concept Implementation Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 12
RAMON Protocol Steps – Tag Identification Only Interrogator Tag Identification Identification Generate RND challenge CH Generate RND number RN CH (1) Tag (1) Tag Decrypt R Generate Response R [Validate Signature of UID] * Tag identified or Tag identified or even authenticated even authenticated Stop here, if only tag identification is required *: signature validation is an optional step Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 13
Detailed data flow for tag only authentication Interrogator Tag {Database, K D , K V } {(signed)UID, K E } Generate RND challenge CH CH Generate RND number RN Generate Response R R R = ENC (K E ,MIX(CH,RN,UID)) Decrypt P = DEC (KD,R) � CH, RN, UID Validate Signature of UID Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 14
Detailed Protocol Step 1: Interrogator send challenge � Step 1: The interrogator challenge is delivered to the tag. � The tag immediately starts with the cryptographic calculation and answers with the length of the response data which will be calculated. Interrogator Tag Command RFU CSI Length Message RN-16 CRC-16 11010010 2 ’00' xx EBV Interrogator Challenge step 1 xx xx Command Step 1 AuthMethod Step RFU Interrogator Challenge 11 2 01 2 0000 2 CH [127:0] Header Length Response RN-16 CRC-16 0 EBV Response data length xx xx Response Step 1 Start Calculaton AuthMethod Step RFU Response data length 11 2 10 2 0000 2 (Total Nr. of Bytes) Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 15
Detailed Protocol Step 2: Retrieve calculation results Tag Interrogator � Step 2: The Command RFU CSI Length Message RN- 16 CRC -16 interrogator 11010010 2 ’00' xx EBV Retrieve Response xx xx Command Step 2 retrieves the AuthMethod Step RFU remaining 11 2 01 2 0000 2 fragments by Header Length Response RN -16 CRC - 16 R chaining. espon 0 EBV Response data length xx xx seD Response Step 2 AuthMethod Step RFU Response data fragment Remaining ata Part1 11 2 10 2 0000 2 Part from result (Nr. of Bytes) � Once the Command RFU CSI Length Message RN- 16 CRC-16 interrogator 11010010 2 ’00' xx EBV Retrieve Response xx xx Command Step 3 has retrieved AuthMethod Step RFU Calculation 11 2 01 2 0000 2 the entire R finished espo nseD record, it is Header Length Response RN -16 CRC- 16 ata Part2 able to 0 EBV Response data length xx xx Response Step 3 authenticate AuthMethod Step RFU Response data fragment Remaining 11 2 10 2 0000 2 Last part from result ’00 ' the tag. Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 16
Detailed Protocol steps for tag only authentication � In Step 1, the interrogator challenge is delivered to the tag. This message is used to request the tag to perform authentication. � In Step 2, the interrogator retrieves the remaining fragments by chaining further Authenticate commands and responses. Once the interrogator has fetched the entire authentication record it is able to authenticate the tag. Power - up & ~ killed . Tag state transitions acc Authenticate to ISO/IEC 18000-63 Finished ( Step 1 ) Authenticate Authenticate Authenticate TAM 1.2 Init TAM 1.1 TAM 1.3 ( Step 1 ) ( Step 2 ) ( Step 2 ) Error Finished or Error Any other command Mutual authentication Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 17
Agenda � Motivation for Secure UHF Tags � The Rabin-Montgomery Cryptosystem � Message Flow � Protocol Extension with Mutual Authentication � Proof-Of-Concept Implementation Secure UHF Tags with Strong Cryptography February 19th, 2013 Slide 18
Recommend
More recommend