International Spring School on Distributed Systems: METIS2008
RFID Security
Gildas Avoine
UCL, Louvain-la-Neuve, Belgium
Department of Computing Science and Engineering
[email protected] RFID Security
Introduction: Outline of this Talk
Part 1: RFID primer
Part 2: Security threats in RFID systems
Part 3: Ensuring Privacy
Outline
1 First Step
2 Daily Life Examples
3 Tags Characteristics
4 Identification and Authentication Protocols
Definition
Radio Frequency IDentification (RFID) is a method of storing and remotely retrieving data (typically an identifier) using devices called RFID tags or transponders.
An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person.
RFID tags contain antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver.
Architecture and Definitions: Infrastructure
Reader → Tag: Identifier Request
Tag → Reader: Unique Identifier
Reader → Tag: Data Request (+ Auth)
Tag → Reader: Data (Encrypted)
History
RFID has existed since the forties (IFF, Russian spy).
Commercial RFID applications appeared in the early eighties.
The boom RFID technology is enjoying today relies on the willingness to develop small and cheap RFID tags.
Auto-ID Center created in 1999 at MIT (EPC code).
Daily Life Examples Applications
Management of stocks (Wal-Mart, US DoD, etc.)
Libraries (Santa Clara Library, etc.)
Pets identification
Anti-counterfeiting (luxury articles, etc.)
Sensor networks (Michelin’s tyres, etc.)
Access control (buildings, the famous Baja Beach Club, etc.)
Automobile ignition keys (TI DST Module, etc.)
Localization of people? (Amusement parks, etc.)
Electronic documents (IDs, Passports, etc.)
Public transportation (Paris, Boston, etc.)
Tag Characteristics
[Figure: tag characteristics chart, one axis per property:
communication distance: centimetres / meters
computation: xor / symmetric / asymmetric
tamper-resistance: no / yes
power source: passive / semi-passive / active
cost: $0.20 / $0.80 / $3
memory: 128 / 1024
standard: EPC Gen 2 / ISO 15693 / ISO 14443
frequency: 124-135 kHz / 13.56 MHz / 900 MHz / 2.4 GHz
Two example profiles are marked on the chart: logistics and access control.]
Tags Characteristics: Communication Model
[Figure: three layer stacks side by side.
OSI: application, presentation, session, transport, network, data link, physical
TCP/IP: application, transport, internet, physical
RFID: application, communication, physical]
Tags Characteristics: Standards
ISO: International Organization for Standardization (www.iso.org)
EPC: Electronic Product Code (http://www.epcglobalinc.org/)
Tags Characteristics: ISO Standards Generalities
There exist numerous ISO standards on contactless identification.
[Figure: cloud of ISO standard numbers: 10374, 10536, 11784, 11785, 14443, 15418, 15434, 15459, 15693, 15961, 15962, 15963, 17358, 17363, 17364, 17365, 17366, 17367, 18000, 18046, 18047, 18185, 19762, 19789, 24710, 24721]
Tags Characteristics: About EPCglobal
“The EPCglobal NetworkTM was developed by the Auto-ID Centre, a global research team directed through the Massachusetts Institute of Technology with labs around the world.”
“Our mission is to make organizations more effective by enabling true visibility of information about items in the supply chain. To that end, EPCglobal develops and oversees standards (...)”
“EPCglobal is a neutral, consensus-based, not-for-profit standards organisation.”
Tags Characteristics: EPCglobal Specifications
900 MHz Class-0
13.56 MHz ISM Band Class-1
860 MHz – 930 MHz Class-1
Class-1 Generation-2 UHF (RFID Conformance Requirements)
EPCglobal Architecture Framework Version 1.0
EPC Tag Data Standard Version 1.1 rev 1.27
Class-1 Generation 2 UHF Standard Version 1.0.9
The Class-1 Gen 2 EPC Standard is now part of the ISO 18000-6 Standard.
RFID Goal
WHY do I want to use RFID?
What should be the primary GOAL of the protocol?
Protocols: Identification vs Authentication
Management of stocks (Wal-Mart, US DoD, etc.)
Libraries (Santa Clara Library, etc.)
Pets identification
Anti-counterfeiting (luxury articles, etc.)
Sensor networks (Michelin’s tyres, etc.)
Access control (Famous Baja Beach Club, etc.)
Automobile ignition keys (Texas Instruments, etc.)
Localization of people (Amusement parks, etc.)
Electronic documents (Passports, etc.)
Transport Ticketing (Metro in Paris, etc.)
Counting cattle
Facilitating sorting of recyclable material
Authentication vs Identification
Identification: Get Identity of remote party.
Authentication: Get Identity + Proof of remote party.
Outline
Classification of the threats
Analysis of the threats
Relationship between threats and communication model
Classification
Impersonation
Information Leakage
Malicious Traceability
Denial of Service
Impersonation Definition
Definition (resistance to impersonation)
The probability is negligible that any adversary distinct from the tag, carrying out the protocol in the role of the tag, can cause the reader to complete and accept the tag's identity.
Speaking about impersonation when dealing with identification does not make sense.
Impersonation is related to authentication.
Impersonation
Reader → Tag: r
Tag → Reader: ID, E_K(r)
Danger: lightweight protocols and algorithms (wired logic instead of a microprocessor), the problem of key management, tags that are not fully tamper-resistant, etc.
Do not cut prices by using weak algorithms or weak keys. ⇒ Read the standards, hire good engineers and programmers.
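The difference between the two kinds of protocol on this slide and the next (a bare identifier versus an identifier plus E_K(r) bound to a fresh challenge) is easiest to see by feeding one recorded message back to the reader. The following is an added example, not code from the talk: the tag identifier, key and reader database are constructed, and HMAC-SHA256 stands in for the slide's keyed encryption E_K.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the slides): one tag sharing a key with the reader.
TAG_ID = "TAG-0001"
TAG_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
READER_DB = {TAG_ID: TAG_KEY}


def keyed_response(key: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 stands in for the slide's E_K(r): a keyed function that
    cannot be evaluated without K."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Tag:
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self.key = key

    def identify(self) -> str:
        """Identification protocol: the tag simply emits its identifier."""
        return self.tag_id

    def authenticate(self, challenge: bytes):
        """Authentication protocol: identifier plus a proof E_K(r) bound to the challenge."""
        return self.tag_id, keyed_response(self.key, challenge)


class Reader:
    def __init__(self, db: dict):
        self.db = db

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh 128-bit nonce per session

    def accept_by_identification(self, message: str) -> bool:
        """Using identification as if it were authentication: any known ID is accepted."""
        return message in self.db

    def accept_by_authentication(self, challenge: bytes, message) -> bool:
        tag_id, proof = message
        key = self.db.get(tag_id)
        if key is None:
            return False
        return hmac.compare_digest(proof, keyed_response(key, challenge))


def run_scenarios() -> dict:
    """Feed one recorded message back to the reader under each protocol and
    report what the reader accepts."""
    tag, reader = Tag(TAG_ID, TAG_KEY), Reader(READER_DB)

    # Identification only: the recorded identifier is as good as the real tag.
    recorded_id = tag.identify()
    id_replay_accepted = reader.accept_by_identification(recorded_id)

    # Challenge-response: the recorded proof is bound to r1 and fails against a new r2.
    r1 = reader.new_challenge()
    recorded_auth = tag.authenticate(r1)
    genuine_accepted = reader.accept_by_authentication(r1, recorded_auth)
    r2 = reader.new_challenge()
    auth_replay_accepted = reader.accept_by_authentication(r2, recorded_auth)

    return {
        "identification_replay_accepted": id_replay_accepted,
        "authentication_genuine_accepted": genuine_accepted,
        "authentication_replay_accepted": auth_replay_accepted,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The reader's freshness of r is what makes the recorded proof useless; a system that reuses challenges, or that accepts the identifier alone as the MIT card on the next slide does, collapses back to the first case.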
Impersonation: MIT Authentication System (MIT)
Theory vs real life: authentication is sometimes done using an identification protocol!
Example: the RFID-based MIT ID card.
Impersonation: KeeLoq Attack (KUL, Technion, Hebrew Inst.)
KeeLoq: car locks and alarms, sold by Microchip® Inc., used by Chrysler, Daewoo, Honda, BMW, Jaguar, Fiat, GM, Volvo, ...
Attack with 2^44.5 cryptographic operations (secure: at least 2^80, recommended 2^128).
Two days on 50 dual-core machines.
The poor design allows the master key to be recovered.
Impersonation: Texas Instruments (RSA Labs & Johns Hopkins)
Attack against the Digital Signature Transponder manufactured by Texas Instruments, used in automobile ignition keys (there exist more than 130 million such keys).
Car → Key (RFID): r
Key (RFID) → Car: E_k(r)
The (proprietary) cipher uses 40-bit keys: recovering a key takes less than 1 minute using a time-memory trade-off.
Impersonation: Mifare Classic
Each card shares a key with the reader.
The encryption algorithm, Crypto1, is not public.
The authentication protocol is not public either.
Crypto1 uses 48-bit keys.
Impersonation: Mifare Classic (protocol)
Tag → Reader: ID, r1
Reader → Tag: E_k(r1)
Tag → Reader: E_k(data)
Impersonation: Mifare Classic (consequences)
Crypto1 is weak: each key can be recovered in less than one minute.
The communication can be decrypted.
The tag can be cloned using a blank Mifare Classic tag.
E.g., one can copy an electronic wallet.
The same key is sometimes used for all the tags.
Impersonation: Relay Attack
The reader believes that the tag is in its field while this is not the case: the adversary acts as an extension cord.
[Figure: reader (connected to the database) – adversary – adversary – tag]
The countermeasure consists in measuring the round-trip time between the reader and the tag (doable in practice?).
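The "doable in practice?" question comes down to arithmetic on the speed of light. The added example below (mine, not the speaker's) works it through: a round-trip time gives an upper bound on the distance once the tag's processing time is subtracted, the acceptance threshold must absorb the tag's timing jitter, and that jitter is what decides how small a relay delay can still slip through. All timings (1 µs processing time, up to 50 ns jitter, the relay delays) are constructed assumptions.

```python
C = 299_792_458.0  # speed of light in m/s: the one thing a relay cannot speed up


def distance_bound_m(rtt_s: float, nominal_processing_s: float) -> float:
    """Upper bound on the reader-tag distance implied by one round trip.
    The tag's processing time is subtracted; whatever remains is at most flight time."""
    return C * max(rtt_s - nominal_processing_s, 0.0) / 2.0


def accept_by_rtt(rtts_s, nominal_processing_s: float, max_distance_m: float) -> bool:
    """Accept the tag only if its fastest observed round trip fits within max_distance_m.
    The minimum is the right statistic: a relay delays every round, while an honest
    tag's jitter can only make rounds slower, never faster than physics allows."""
    return distance_bound_m(min(rtts_s), nominal_processing_s) <= max_distance_m


def required_max_distance_m(operating_distance_m: float, processing_jitter_s: float) -> float:
    """The acceptance threshold must absorb the tag's worst-case timing jitter,
    otherwise honest tags at the intended operating distance get rejected."""
    return operating_distance_m + C * processing_jitter_s / 2.0


def detectable_relay_delay_s(max_distance_m: float) -> float:
    """Smallest extra delay a relay can add and still be rejected (tag at distance ~0)."""
    return 2.0 * max_distance_m / C


def simulate_rtts(distance_m, nominal_processing_s, jitters_s, relay_delay_s=0.0):
    """Constructed round-trip samples: flight time + processing + per-round jitter (+ relay)."""
    flight = 2.0 * distance_m / C
    return [flight + nominal_processing_s + j + relay_delay_s for j in jitters_s]


def demo() -> dict:
    t_proc = 1.0e-6                          # assumed nominal tag processing time, 1 us
    jitters = [40e-9, 5e-9, 30e-9, 50e-9]    # constructed per-round jitter, at most 50 ns
    max_d = required_max_distance_m(0.10, 50e-9)   # threshold for a 10 cm reader, about 7.6 m
    honest = simulate_rtts(0.05, t_proc, jitters)
    slow_relay = simulate_rtts(0.05, t_proc, jitters, relay_delay_s=1.0e-6)
    fast_relay = simulate_rtts(0.05, t_proc, jitters, relay_delay_s=20e-9)
    return {
        "threshold_m": max_d,
        "detectable_relay_delay_ns": detectable_relay_delay_s(max_d) * 1e9,
        "honest_accepted": accept_by_rtt(honest, t_proc, max_d),
        "microsecond_relay_accepted": accept_by_rtt(slow_relay, t_proc, max_d),
        "twenty_ns_relay_accepted": accept_by_rtt(fast_relay, t_proc, max_d),
    }


if __name__ == "__main__":
    print(demo())
```

With 50 ns of jitter the threshold for a reader meant to work at 10 cm is already about 7.6 m, so a relay adding a microsecond is caught but one adding 20 ns is not: the measurement is only as good as the tag's timing precision, which is the practical difficulty the slide hints at.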
Information Leakage: Examples
The information leakage problem emerges when the data sent by the tag reveals information intrinsic to the marked object.
Tagged books in libraries
Tagged pharmaceutical products, as advocated by the US Food and Drug Administration
E-documents (passports, ID cards, etc.)
Directory of identifiers (e.g., EPC code)
Information Leakage: Californian Senate Bill
In California, Senate Bill 682 plans to limit the use of RFID in ID cards. In its initial version the pending act was very restrictive:
See Senate Bill 682, version of February 22, 2005:
“The act would prohibit identity documents created, mandated, or issued by various public entities from containing a contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely.”
Information Leakage
Tag holder is threatened.
RFID system is threatened.
Information Leakage
More and more data collected = valuable target (e.g., during manufacturing).
Unaware information leakage (backups, hard disks thrown out, housekeeping).
Abusive use (e.g., French police's confidential files, Charlie Card in Boston).
People do not realise that some private information is being disclosed.
Traceability: Definition
Definition (untraceability)
Given a set of readings between tags and readers, an adversary must not be able to find any relation between any readings of the same tag or set of tags.
E.g., tracking of employees by the boss, tracking of children in an amusement park, tracking of military troops, etc.
Malicious Traceability
An adversary should not be able to track a tag holder, i.e., he should not be able to link two tag–reader interactions.
Reader → Tag: Identifier Request
Tag → Reader: Unique Identifier
Reader → Tag: Data Request (+ Auth)
Tag → Reader: Data (Encrypted)
Example: tracking military troops, tracking of employees by the boss, tracking of children in an amusement park.
Traceability: Characteristics
Differences between RFID and other technologies, e.g. video, credit cards, GSM, Bluetooth:
Tags cannot be switched off
Tags answer without the agreement of their bearers
Easy to analyze the logs of the readers
Increasing communication range
Tags can be almost invisible
Traceability: Hidden Tags
Videos and heavy pictures have been removed from this version.
Traceability: Liberty Rights Organizations
Even if you do not think that privacy is important, some people think so, and they are rather influential (CASPIAN, FoeBuD, etc.).
Traceability in Lower Layers: Communication Model
[Figure: three layer stacks side by side.
OSI: application, presentation, session, transport, network, data link, physical
TCP/IP: application, transport, internet, physical
RFID: application, communication, physical]
Traceability in Lower Layers: Privacy vs Classical Properties
The main concepts of cryptography, i.e., confidentiality, integrity, and authentication, are treated without any practical considerations.
If one of these properties is theoretically ensured, it remains ensured in practice whatever the layer we choose to implement the protocol in.
Privacy needs to be ensured at each layer.
All efforts to prevent traceability in the application layer may be useless if no care is taken at the lower layers.
Traceability in Lower Layers: RFID Model
Communication layer: medium access (collision avoidance).
[Figure: the reader asks “Are there any questions?”; tags labelled Andrew, Moti, Ari, Jacques and David all answer at once, and the reader hears only noise.]
Collision Avoidance
The computational power of the tags is very limited, and they are unable to communicate with each other.
The reader must deal with collision avoidance itself.
Collision avoidance protocols are often proprietary (non-open-source) algorithms. Standards are appearing: ISO and EPC.
Two large families: deterministic protocols and probabilistic protocols.
Lack of Randomness
With deterministic protocols, the attacker can track the tag because the identifier is static. The straightforward solution is... to renew the identifier (of the communication layer) each time the tag is identified by a reader.
Lack of Randomness
With probabilistic protocols, the attacker can track the tag if... it always answers during the same time slot, or if the choice is biased.
Practical Example: EPC Draft
The EPC draft “Specification for a 900 MHz Class 0 Radio Frequency Identification Tag” proposes to use short identifiers (used during the deterministic collision avoidance process) which are refreshed using a PRNG.
The identifiers used are short for efficiency reasons, since there are usually only a few tags in a given field.
If the number of tags in the field is large, the reader can impose the use of additional static identifiers, available in the tag and set by the manufacturer!
The benefit of using a PRNG is therefore totally null and void.
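To make the two preceding slides concrete (tracking through a static communication-layer identifier, and the EPC draft's fallback to manufacturer-set identifiers when the field is crowded), here is an added simulation that is not part of the talk. It implements binary tree walking, a deterministic anti-collision protocol: the reader queries an identifier prefix, every tag matching it answers with its next bit, and a collision (both bits heard) makes the reader walk both subtrees. The eavesdropper's view is simply the set of identifiers singulated in each session; two sessions are linkable when they share one. Identifier length, the sample identifiers, the crowding threshold and the fallback rule are constructed assumptions, not the draft's parameters.

```python
import secrets

ID_BITS = 32  # assumed identifier length for the simulation


class Tag:
    """A tag with a manufacturer-set static identifier and, optionally, a
    PRNG-refreshed session identifier for the collision-avoidance layer."""

    def __init__(self, static_id: str, refresh: bool = False, rng=secrets.randbits):
        self.static_id = static_id
        self.refresh = refresh
        self.rng = rng
        self.session_id = static_id

    def power_up(self):
        # A refreshing tag draws a new pseudo-identifier each time it enters a field.
        if self.refresh:
            self.session_id = format(self.rng(ID_BITS), f"0{ID_BITS}b")

    def respond(self, prefix: str, use_static: bool = False):
        """Answer the reader's prefix query with the next bit of the identifier in use."""
        ident = self.static_id if use_static else self.session_id
        if len(prefix) < ID_BITS and ident.startswith(prefix):
            return ident[len(prefix)]
        return None


def tree_walk(tags, prefix: str = "", use_static: bool = False):
    """Deterministic binary tree walking: returns every identifier singulated
    under `prefix`. Two distinct reply bits mean a collision, so both branches
    are explored; the whole exchange is in the clear for an eavesdropper."""
    if len(prefix) == ID_BITS:
        return [prefix]
    replies = sorted({b for b in (t.respond(prefix, use_static) for t in tags) if b is not None})
    found = []
    for bit in replies:
        found.extend(tree_walk(tags, prefix + bit, use_static))
    return found


def inventory_session(tags, crowded_threshold: int) -> set:
    """One reader session. Mimics the draft's fallback: above the threshold the
    reader walks the static manufacturer identifiers instead of the refreshed ones."""
    for t in tags:
        t.power_up()
    use_static = len(tags) > crowded_threshold
    return set(tree_walk(tags, use_static=use_static))


def linkable(session_a: set, session_b: set) -> bool:
    """An eavesdropper links two sessions if any identifier appears in both."""
    return bool(session_a & session_b)


def demo(rng=secrets.randbits) -> dict:
    ids = [format(x, f"0{ID_BITS}b") for x in (0x12345678, 0x9ABCDEF0, 0x0F0F0F0F)]  # constructed
    static_tags = [Tag(i) for i in ids]
    refreshing_tags = [Tag(i, refresh=True, rng=rng) for i in ids]
    s1, s2 = inventory_session(static_tags, 10), inventory_session(static_tags, 10)
    r1, r2 = inventory_session(refreshing_tags, 10), inventory_session(refreshing_tags, 10)
    c1, c2 = inventory_session(refreshing_tags, 2), inventory_session(refreshing_tags, 2)
    return {
        "static_linkable": linkable(s1, s2),
        "refreshed_linkable": linkable(r1, r2),
        "crowded_fallback_linkable": linkable(c1, c2),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the slide's point: the same refreshing tags become linkable again as soon as the reader is allowed to fall back to the static identifiers, so the PRNG buys nothing unless the fallback is removed.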
Traceability in Lower Layers: Diversity of Standards
Physical layer
Signals from tags using different standards are easy to distinguish.
A problem arises when we consider sets of tags rather than a single tag.
Threats due to radio fingerprints.
No benefit for the manufacturers in producing tags that use exactly the same technology.
Denial of Service: Definition and Examples
A DoS attack aims at preventing the target from fulfilling its normal service.
Defacing a website, using a weakness in web server software
Flooding a server using SYN packets
Spam, using an open relay
Etc.
Denial of Service
A system is threatened by DoS attacks if it uses wireless technology (readers/devices close to a public zone) or if there is an interface between inside and outside.
Such attacks are hard to thwart.
Denial of Service: Goal in RFID
For fun
For disturbing a competitor
For proving that RFID is not secure
Other ideas?
Denial of Service: A Few Techniques in RFID
Kill-command
Blocker tag
Electronic noise
Kill or hide tags (electronics, etc.)
Bug in the reader/back-end system
Viruses
Denial of Service: Bugs in Passport Readers
Lukas Grunwald, a German security expert, found a buffer-overflow attack against two ePassport readers made by different manufacturers.
He copied the content of a passport, modified the JPEG2000 face picture, and wrote the modified data to a writable chip. The reader crashed.
Outline
Palliative Techniques
Thwarting Malicious Traceability
The Passport Case
Information Leakage: Palliative Techniques
Kill-command
Faraday cages
Blocker tags
Bill of Rights
Removable antenna
Tag must be pressed
Malicious Traceability: Privacy-Friendly Protocol
How to design an RFID protocol such that only an authorized party is able to identify (or authenticate) a tag, while an adversary is able neither to identify it nor to trace it? The protocol must suit large-scale applications.
Malicious Traceability: Challenge-Response
Reader (picks r) → Tag: r
Tag (picks s) → Reader: response, in three successively more private variants: identifier, E_k(r) / E_k(r) / E_k(r, s)
Malicious Traceability: Complexity Issue
Private challenge-response protocols are not efficient.
Tags are not tamper-resistant: using the same key for all tags is not secure.
Every tag should have a unique key:
One system / one tag (e.g. automobile ignition key): identifying one tag requires O(1) operations.
One system / n tags (e.g. library): identifying one tag requires O(n) operations (exhaustive search), and identifying the whole system requires O(n^2) operations.
This approach differs from all the other authentication protocols because we usually assume that the verifier knows the identity of the prover.
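The complexity issue is easiest to see by counting. The added example below (mine, not the speaker's) implements the most private variant of the previous slide, E_k(r, s) with no identifier on the air, instantiated with HMAC-SHA256, and a reader that holds one key per tag and must search them all because it does not know in advance which tag is answering. The tag names and keys are constructed.

```python
import hashlib
import hmac
import secrets


def tag_response(key: bytes, r: bytes, s: bytes) -> bytes:
    """E_k(r, s) from the slide, instantiated here with HMAC-SHA256 over r || s."""
    return hmac.new(key, r + s, hashlib.sha256).digest()


class PrivateTag:
    """A tag that never transmits its identifier: only a fresh nonce and a keyed proof."""

    def __init__(self, key: bytes):
        self.key = key

    def reply(self, r: bytes):
        s = secrets.token_bytes(16)           # Pick s
        return s, tag_response(self.key, r, s)


class Reader:
    """Holds one distinct key per tag and does not know in advance who is answering."""

    def __init__(self, keyed_tags):
        self.keyed_tags = list(keyed_tags)    # [(name, key), ...]

    def identify(self, r: bytes, s: bytes, proof: bytes):
        """Exhaustive search over all keys: O(n) MAC evaluations in the worst case.
        Returns (name or None, number of MAC evaluations performed)."""
        for ops, (name, key) in enumerate(self.keyed_tags, start=1):
            if hmac.compare_digest(proof, tag_response(key, r, s)):
                return name, ops
        return None, len(self.keyed_tags)


def identify_all(reader: Reader, tags) -> int:
    """Identify every tag of the system once; return the total number of MAC evaluations."""
    total = 0
    for tag in tags:
        r = secrets.token_bytes(16)           # Pick r
        s, proof = tag.reply(r)
        _, ops = reader.identify(r, s, proof)
        total += ops
    return total


def build_system(n: int):
    """Constructed system of n tags, each with its own random key."""
    keyed = [(f"tag-{i}", secrets.token_bytes(16)) for i in range(n)]
    return Reader(keyed), [PrivateTag(key) for _, key in keyed]


def worst_case_cost(n: int) -> int:
    """Present the tags in the order least favourable to the reader's search
    (last key first): n + (n-1) + ... + 1 = n(n+1)/2 evaluations, i.e. O(n^2)."""
    reader, tags = build_system(n)
    return identify_all(reader, reversed(tags))


def unlinkable_pair(tag: PrivateTag) -> bool:
    """Two replies of the same tag to two challenges contain no value an
    eavesdropper without the key can match up."""
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    (s1, p1), (s2, p2) = tag.reply(r1), tag.reply(r2)
    return s1 != s2 and p1 != p2


if __name__ == "__main__":
    print("MAC evaluations to identify 100 tags, worst case:", worst_case_cost(100))
```

The search cost grows quadratically for a full inventory precisely because nothing in the tag's message tells the reader where to look; that is the price of keeping the identifier off the air.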
Passport Characteristics
[Figure: the tag characteristics chart restricted to the passport, with axes:
communication distance: centimetres / meters
computation: xor / symmetric / asymmetric
memory: 128 / 1024
tamper-resistance: no / yes
power source: passive / semi-passive / active]
Passport: Required Security Properties
What/How do we want to protect?
State's protection:
Integrity of the data: passive authentication
Forging a passport from scratch: passive authentication
Cloning an existing passport: active authentication
Passport owner's protection:
Information leakage: Basic Access Control, Secure Messaging, radio-blocking shield
Malicious traceability: well-designed protocols, random UID
Passport: Passive Authentication
[Figure: each data group is hashed (data → hash, repeated for every data group); the list of hashes is signed, and the signature is accompanied by the signer's certificate.]
Passport: Active Authentication
[Figure: Reader (public key) and Passport (private key).]
Reader → Passport: Cr
Passport → Reader: Sign(Cr, Cp)
Passport: Basic Access Control and Secure Messaging
[Figure, Basic Access Control: the reader reads the MRZ and derives a MAC key and an encryption key.
Passport → Reader: Cp
Reader → Passport: a = ENC(Cp, Cr, Kr), MAC(a)
Passport → Reader: b = ENC(Cp, Cr, Kp), MAC(b)
Session keys are derived from Kr and Kp.]
[Figure, Secure Messaging: both sides hold a session MAC key and a session encryption key.
Reader → Passport: request (I want to read) + authentication proof
Passport → Reader: encrypted data]
Passport: Low Entropy
BAC keys are derived from the MRZ, in particular the date of birth, the date of expiry and the passport number.
Key entropy estimate (bits):
Country      Effective   Birth date known
Germany      55          40
USA          54          39
Netherlands  50          35
Belgium      38          23
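Why the entropy is so low follows directly from how the BAC key seed is built. The added example below (mine, not from the talk) reproduces the key derivation as specified in ICAO Doc 9303: the MRZ information string is the document number, date of birth and date of expiry with their check digits, the seed is the first 16 bytes of its SHA-1, and K_ENC and K_MAC are derived from the seed with a counter and DES parity adjustment. The sample MRZ values are those of the ICAO worked example; the search-space sizes passed to the entropy estimator (a fully numeric 9-digit document number, 100 years of birth dates, 10 years of expiry dates) are constructed assumptions, not the figures for any country in the table above.

```python
import hashlib
import math


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating; digits count as their
    value, letters A-Z as 10-35, the filler '<' as 0; result is the sum mod 10."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * weights[i % 3]
    return total % 10


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """The 24-character string hashed for BAC: number(9)+cd, DOB(6)+cd, expiry(6)+cd."""
    doc_number = doc_number.ljust(9, "<")
    return (f"{doc_number}{mrz_check_digit(doc_number)}"
            f"{dob}{mrz_check_digit(dob)}"
            f"{expiry}{mrz_check_digit(expiry)}")


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so that each byte has odd parity."""
    out = bytearray()
    for b in key:
        high_ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if high_ones % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, dob: str, expiry: str):
    """Return (K_seed, K_ENC, K_MAC) as derived in ICAO 9303 (two-key 3DES keys)."""
    info = mrz_information(doc_number, dob, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]

    def kdf(counter: int) -> bytes:
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_des_parity(h[:8]) + adjust_des_parity(h[8:16])

    return k_seed, kdf(1), kdf(2)


def bac_entropy_bits(doc_number_space: int, dob_days: int, expiry_days: int,
                     dob_known: bool = False) -> float:
    """Size of the key-seed search space in bits: the seed is a deterministic
    function of the three MRZ fields, so guessing the fields means guessing the key."""
    bits = math.log2(doc_number_space) + math.log2(expiry_days)
    if not dob_known:
        bits += math.log2(dob_days)
    return bits


if __name__ == "__main__":
    # Sample values from the ICAO 9303 worked example.
    seed, k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("MRZ information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_seed:", seed.hex(), "K_ENC:", k_enc.hex(), "K_MAC:", k_mac.hex())
    # Constructed assumption: numeric 9-digit number, 100 years of DOB, 10 years of expiry.
    print("entropy (bits):", round(bac_entropy_bits(10**9, 36525, 3653), 1),
          "with DOB known:", round(bac_entropy_bits(10**9, 36525, 3653, dob_known=True), 1))
```

The estimator makes the table's two columns concrete: the assumed fields give roughly 57 bits, and knowing the birth date alone removes about 15 of them; sequentially issued document numbers, which are correlated with the expiry date, shrink the space much further, which is how the low national figures arise.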
Passport Still Worse
Off-line vs on-line attack
First vs second generation
Discovering the Nationality
Error messages are not clearly standardized and so depend on the implementation. Almost every country has its own implementation: error messages may reveal the nationality of the passport.
What are we able to do?
We know how to avoid impersonation and information leakage.
Use open-source algorithms, define what you want and then pay what is required, no “shortcuts”, be careful with the error messages.
We do not have efficient privacy-compliant RFID protocols.
We have no solution against denial of service.
Tarnished Reputation
RFID may tarnish a company's reputation when something gets out of control.
Secure RFID solution broken (e.g. NXP Mifare).
Database containing personal data leaks.
Boycott campaign (e.g. Benetton, Gillette).
Poor communication (e.g. Navigo).
Conclusion
Who is the victim? Who is the attacker?
“The ‘authorized parties’ pose a greater threat to privacy than the criminals” (K. Albrecht, 2007)
Conclusion: Further Readings: Books
RFID Security and Privacy Lounge: http://lasecwww.epfl.ch/~gavoine/rfid/
RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification. By Klaus Finkenzeller.
Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID. By Katherine Albrecht and Liz McIntyre.