RFID Security without Extensive Cryptography Sindhu Karthikeyan Mikhail Nesterenko Kent State University SASN November 07, 2005


RFID Security without Extensive Cryptography

Sindhu Karthikeyan

Mikhail Nesterenko

Kent State University

SASN, November 07, 2005


RFIDs: Current State

• RFIDs allow effective identification of a large number of tagged items without physical or visual contact.

• RFID systems reduce the time and cost of processing tagged items

• adopters:
  - Wal-Mart stores use RFID tags for tracking and maintaining their inventory
  - Boeing and Airbus plan to use RFID tags to simplify identifying and tracking the airplane parts
  - Kodak uses RFID to track reusable containers in its manufacturing facilities
  - libraries use RFID tags to track book circulation
  - toll booths can automatically collect toll by inspecting a tag attached to the windshield of a car

• currently: crate/pallet tagging

• even more effective: individual item tagging


Security Problems of Individual Item Tagging

• major obstacle to individual item tagging: personal privacy
  - intruder can read tags without authorization or eavesdrop on reader-tag communication

• novel types of security threats [MW04]; intruder may:
  - track: learn the itinerary of tag holder by periodically querying tag or eavesdropping on communications between tag and reader
  - hotlist: compile list of items of particular interest and then single out individuals in possession of these items
  - profile: learn what items a particular individual has


How to Deal with Privacy Threat?

• erase info from tag after scanning
  - does not allow repeated use of tag and thus limits the utility of the technology

• periodically use secure channels for trust establishment or key refresh
  - limits use of technology

• blocker tag
  - requires the user to carry and manipulate the blocker, which may not be practical

• use (classic) cryptography
  - due to tag resource limits, crypto primitives (such as encode/decode, digital sigs, crypto hash, quality random numbers) are not available tag-side


Our Proposal

secure tag authentication algorithm

• based on matrix multiplication, does not use extensive crypto
  - modest tag-side storage and computation requirements
  - can be implemented using currently available RFID technology

• secure against
  - known-ciphertext attacks
  - RFID-specific attacks

multiple tag sequencing

• extends the algorithm so that the reader can concurrently identify multiple tags


Outline

• security identification algorithm
  - RFID system outline
  - algorithm description
  - security discussion

• multiple tag sequencing

• resource requirements estimate

• extensions and future work


RFID System Overview

• RFID tag – a miniature electronic circuit (500 to 5000 gates) capable of elementary information storage, processing and radio communication

• RFID reader – device designed to identify the tag
  - connected to database containing information about tag and tagged item

• tag and reader communicate over radio channel

• intruder – an entity who tries to compromise the RFID system
  - has complete access to radio channel

[Figure: tagged item carrying a tag, radio channel, reader, database, intruder]

tag
  • stores a limited amount of data
  • performs elementary operations such as byte-size integer addition and multiplication
  • runs a timer

reader
  • has sizable communication and storage facilities

intruder
  • has access to channel
  • cannot access memory of reader/tag/database


Secure Tag Authentication

• tag stores square $p \times p$ matrices: $M_1$ and $M_2^{-1}$

• reader maintains another two matrices: $M_2$ and $M_1^{-1}$ of same size

• tag and reader share a key $K$ – a vector of size $q = rp$

• $X = KM_1$ uniquely identifies the tag

• when reader receives $X$, it can obtain the rest of information about tag and tagged item from its database

• if reader authentication fails or the reader fails to respond before the timeout expires, the tag stops further communication until reset

[Protocol diagram]

reader holds: $K$, $M_1^{-1}$, $M_2$
tag holds: $K$, $M_1$, $M_2^{-1}$

phase I
  - reader → tag: hello
  - tag: start timer, compute $X \leftarrow KM_1$
  - tag → reader: $X$
  - reader: identify tag by matching $X$

phase II
  - reader: pick $K_{new}$, compute $Y \leftarrow (K_1 K_2 \ldots K_r) M_2$ and $Z \leftarrow K_{new} M_2$
  - reader → tag: $Y$, $Z$
  - tag: verify $Y M_2^{-1} = (K_1 K_2 \ldots K_r)$, get fresh key $K \leftarrow Z M_2^{-1}$, stop timer
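The two-phase exchange above as a runnable toy, added here as an illustration and not the authors' code. The slides do not fix the arithmetic or the block structure, so the example assumes arithmetic modulo the prime 251, that K·M multiplies each p-element block of K by M, and that (K1 K2 … Kr) is the element-wise product of those blocks; `Tag`, `reader_session`, the reader recovering K as X·M1⁻¹ and the sample matrices are constructed for the example, and the timer is not modelled.

```python
# Added example, not the authors' code. Assumptions: arithmetic modulo the
# prime 251; K*M acts per p-element block; (K1..Kr) is an element-wise product.
Q, p = 251, 4

def vecmat(v, M):      # row vector of length p times a p x p matrix
    return [sum(v[i] * M[i][j] for i in range(p)) % Q for j in range(p)]

def blockmul(K, M):    # multiply each p-element block of K by M
    return [x for b in range(0, len(K), p) for x in vecmat(K[b:b + p], M)]

def blockprod(K):      # (K1 K2 ... Kr): element-wise product of the blocks
    out = [1] * p
    for b in range(0, len(K), p):
        out = [o * k % Q for o, k in zip(out, K[b:b + p])]
    return out

def inverse(M):        # Gauss-Jordan inverse modulo Q (M must be invertible)
    A = [list(row) + [int(i == j) for j in range(p)] for i, row in enumerate(M)]
    for c in range(p):
        piv = next(i for i in range(c, p) if A[i][c])
        A[c], A[piv] = A[piv], A[c]
        s = pow(A[c][c], -1, Q)
        A[c] = [x * s % Q for x in A[c]]
        for i in range(p):
            if i != c:
                A[i] = [(x - A[i][c] * y) % Q for x, y in zip(A[i], A[c])]
    return [row[p:] for row in A]

class Tag:             # tag side: holds K, M1 and M2^-1
    def __init__(self, K, M1, M2inv):
        self.K, self.M1, self.M2inv, self.locked = K, M1, M2inv, False
    def hello(self):   # phase I: reply X = K*M1; a locked tag stays silent
        return None if self.locked else blockmul(self.K, self.M1)
    def phase2(self, Y, Z):
        if self.locked or vecmat(Y, self.M2inv) != blockprod(self.K):
            self.locked = True                # reader not authenticated
            return False
        self.K = blockmul(Z, self.M2inv)      # fresh key K <- Z*M2^-1
        return True

def reader_session(tag, known_keys, M1inv, M2, K_new):
    X = tag.hello()
    K = blockmul(X, M1inv) if X else None     # reader recovers K from X
    if K in known_keys and tag.phase2(vecmat(blockprod(K), M2), blockmul(K_new, M2)):
        known_keys[known_keys.index(K)] = K_new   # remember the refreshed key
        return X
    return None

M1 = [[3, 17, 5, 201], [0, 7, 44, 9], [0, 0, 11, 120], [0, 0, 0, 13]]  # constructed
M2 = [[2, 0, 0, 0], [91, 5, 0, 0], [8, 250, 19, 0], [33, 6, 77, 23]]   # constructed
```

Because the key is refreshed in every successful session, the X observed on the channel differs from one session to the next, while a single failed phase II leaves the tag silent until reset.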


Security Discussion

• recovering the multiplicand or multiplier from the product of matrix multiplication is computationally difficult
  - the intruder can not discover the key or the matrices used by the tag and the reader
    - assume no known plaintext
  - can’t find tag id
  - can’t mount hotlisting or profiling attacks

• as the intruder cannot deduce either the key or the matrices, he cannot authenticate himself to the tag:
  - any identification session with the intruder is aborted
  - can’t do effective tracking


Problem Statement & Assumptions

• problem
  - tags share channel
  - don’t have channel arbitration capabilities

• assume
  - can detect collision
  - can send key one bit at a time


Proposed Scheme

• augments our tag identification algorithm to enable the reader to communicate with multiple tags

• phase I run concurrently
  - the reader learns the keys of all the tags present
  - each tag learns its key's position in the order (e.g., ascending) of the keys of the tags participating in the identification session

• phase II
  - the reader broadcasts the messages for the tags in the order of their keys
  - each tag receives the message sent specifically to it and ignores the rest


Reader-Side Sequencing

[Figure: binary tree with nodes a to h and edges labelled 0/1; leaves 011, 100 and 101; two nodes marked "collision"]

• path from root to leaf – tag’s key

• growth point – part of path already learned

• trial – discover next bit on path after growth point & determine if the paths split
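A small simulation of reader-side sequencing, added here as an illustration and not the authors' code. It assumes that in each trial every tag whose key starts with the growth point sends its next bit and that the reader sees a collision when both bit values are sent; `trial`, `sequence`, `positions` and the 3-bit keys are constructed for the example, and the slides do not say how a tag derives its position.

```python
# Added example, not the authors' code. Assumption: in a trial every tag whose
# key starts with the growth point sends its next bit; two values = collision.
def trial(tag_keys, growth_point):
    n = len(growth_point)
    return {k[n] for k in tag_keys if k.startswith(growth_point)}

def sequence(tag_keys, key_len):
    """Return (keys in ascending order, number of trials used)."""
    found, pending, trials = [], [""], 0
    while pending:
        gp = pending.pop()                 # resume at the most recent split
        while len(gp) < key_len:
            bits = trial(tag_keys, gp)
            trials += 1
            if not bits:                   # nobody answered: no tags present
                break
            if len(bits) == 2:             # collision: the paths split here
                pending.append(gp + "1")   # come back for the 1-branch later
                gp += "0"
            else:
                gp += bits.pop()
        else:
            found.append(gp)               # reached a leaf: one tag's key
    return found, trials

def positions(tag_keys, key_len):
    """Position of each key in the discovered (ascending) order."""
    order, _ = sequence(tag_keys, key_len)
    return {k: i for i, k in enumerate(order)}

TAGS = ["101", "011", "100"]               # constructed 3-bit keys
```

Following the 0-branch first at every collision is what yields the ascending order that phase II relies on.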


Resource Requirements Estimate

• key size of 8 bytes provides sufficient key space for most RFID applications.

• the matrices of 4×4 bytes provide adequate security.

• a few byte-size integer counters are necessary to implement multiple tag sequencing.

• during the identification session, the reader and the tag exchange a hello-message and two messages of 8 and 9 bytes respectively

• the storage requirements of our algorithm are modest
  - most of the chip-space is occupied by the byte-multiplier
  - the requirements are within the current capabilities of RFID tags


Extensions and Future Work

• denial of service attack possible
  - intruder can block the tags from further identification by botching authentication sessions
  - need protection

• need secure channel to unblock tags and refresh tag-side info
  - may be time/resource consuming, especially if items are hard to access (airplane parts?)
  - need effective secure channel or way to avoid using it

• possible compromise if intruder can track tag over multiple sessions outside radio channel
  - additional key to generate longer non-repeating keys

• brute-force guessing attack potentially possible
  - may need to increase size of matrix/key


thank you