Overview• Introduction• Related Work• Significance and Implications• Reverse Engineering• Key Cracking• RF Protocol Analysis and Simulation• Conclusion
Introduction: RFID• Radio-Frequency Identification– Identification method for storing and remotely
retrieving data using an RF device– Mass deployment and global adoption plans have
spawned a large amount of attention from the scientific and commercial communities
– Studies such as this have brought its large-scale usage into question
Introduction: RFID• EPC (Electronic Product Code) Tags– Class 1 Generation 2 standard– Inexpensive (5 cents/unit)– Wal-Mart and the United States Department of
Defense have published requirements that their vendors place RFID tags on all shipments [1]
– “Wireless Barcodes”– Limited circuitry, unable to implement any
cryptographic primitives
Introduction: RFID• EPC (Electronic Product Code) Tags
ALN-9540 - "Squiggle™" • World Tag: global operation 860 to 960 MHz • The EPC Class 1 Gen 2 price/performance benchmark • High performance solution for most packaging including
products containing metal and water • 97mm x 11mm ALN-9529 - "Squiggle®-SQ"• Global operation - 860 to 960 MHz • Ideal for item level tagging of plastic packaging such as
pharmaceutical pill bottles and apparel hang tags • Near-field and far-field communication modes • 23mmx 23m
Introduction: RFID• Digital Signal Transponder– Manufactured by Texas Instruments– Vehicle immobilizer keys• RFID ID embedded in Key• Condition for enabling
Fuel-Injection system
– Electronic Payment• Exxon-Mobil SpeedPass™
Introduction: RFID• Digital Signal Transponder– Consists of microchip and antenna cased in plastic
or glass– Passive RFID device• Allows for small design and long life
– Contains secret 40-bit Key– Reader initiates connection, DST emits 24-bit
identifier (factory-set)– DST authenticates itself via a Challenge-Response
protocol
Introduction: RFID• Digital Signal Transponder: Challenge-
Response protocol
– Reader initiates protocol with 40-bit challenge
– DST encrypts challenge using its key and truncates resulting cyphertext to return a 24-bit response
Introduction: ATTACK!• Able to break system by recovering secret key
after collecting two challenge-response pairs• With arbitrary challenge, able to find key in
less than an hour using array of 16 FPGAs• Pairs derived from predetermined-challenges
(chosen-plaintext) can be cracked in minutes due to a time-space trade-off
Introduction: ATTACK!• Team showed that with cheap commodity
hardware, an attacker could break the DTS system– Recover key by actively scanning at short range
for fraction of a second (skimming)– With FPGA, attacker can simulate target after
capturing multiple transcripts
Introduction: ATTACK!To validate:• Team found key from their purchased
SpeedPass™ and simulated the DTS to successfully make a purchase at an Exxon-Mobil Station
• Team found cryptographic key from DST ignition key, and was able to start a vehicle
Introduction: ATTACK!Phase 1: Reverse Engineering• After obtaining rough schematic of the block
cipher for the challenge response, they were able to determine all details of the cipher
• Required experimental observation of inputs and outputs
Introduction: ATTACK!Phase 2: Key Cracking• Assembled array of 16 FPGA’s working in
parallel• Able to crack arbitrary challenge in less than
an hour• Also assembled FPGA for time-space trade-off
[12]
Introduction: ATTACK!Phase 3: Simulation• Given the key and serial number for a DST
device, they were able to simulate its output• Simulation in software radio• Required careful analysis of the DST reader
output
Related Work• Classic Black-box example:
Duplicating the Purple encipher machine to reconstruct the Japanese Foreign Officer cipher during second World War
• Reverse-engineering of RC4 cipher as well as A5/1 and A5/2 ciphers in GSM phones
• No published black-box reverse-engineering of recent ciphers; developed custom techniques
Related Work• Key Recovery more well known• FPGA scheme similar to Deep Crack for
recovering DES keys• Chosen-challenge pairs uses time-space
tradeoff as Hellman describes in his work• Authors also use “distinguished point”
enhancement of Rivest
Significance and Implications• Purpose is not to undermine the SpeedPass™
network, nor to allow easier theft of vehicles• Exxon-Mobil has several layers of security,
including fraud detection• Largest threat to SpeedPass™ is attacker
simulating multiply DSTs (suspicious use disables it)
Significance and Implications• Serious threat to Vehicles • Renders vehicle as vulnerable as one without
the immobilizer• Significant decline in auto-thefts is attributed
to the immobilizers
Significance and ImplicationsEffective Attack Range• Two different methods for capturing signals from
DST: Active Scanning and Passive Eavesdropping– Active Scanning: attacker brings their own reader
within range of DST (up to several inches) for only a few seconds• This type of attack could allow for an attacker to
harvest two chosen-challenge transcripts and perform look-ups on Hellman tables on the cracking device
Significance and ImplicationsEffective Attack Range• Two different methods for capturing signals from
DST: Active Scanning and Passive Eavesdropping– Passive Eavesdropping : an attacker listens to
legitimate communication between DST and reader during authentic session• Range depends on the ability to intercept signal from
DST• Range not found in this study
Significance and ImplicationsExample Attack Scenarios• Example 1: Auto theft via eavesdropping– Eve owns can with necessary equipment– Parks close enough to target to eavesdrop– Observe two successful session, Eve can extract
key at her convenience using FPGA– Eve returns to steal vehicle by picking door lock,
disabling immobilizer with found, and hot-wiring ignition
Significance and ImplicationsExample Attack Scenarios• Example 2: Auto theft via active attack– Eve gets access to valet key storage to scan
immobilizer keys of patrons– Record registration numbers (to get owner info)– Eve then can simulate devices and steal the
vehicles from owner’s home
Significance and ImplicationsExample Attack Scenarios• Example 3: SpeedPassTM theft via active
attack– Eve brings reader and short-range antenna on
subway– Harvests challenge-response pairs and serials
from SpeedPass™ devices– Eve can recover crypto keys at her convenience– Uses key in software radio to purchase gasoline
Significance and ImplicationsFixes• Underlying protocols should be based on publicly
scrutinized standards with sufficient key length, such as the Advanced Encryption Algorithm
• Problems: – Cost to make capable devices would significantly
increase– Backwards compatibility (significant cost to
refit/recall existing devices)
Significance and ImplicationsFixes• Faraday shielding provides a partial solution– Users can encase DSTs in adequate shielding like
aluminum foil to reflect radio while not in use– Protects against active scanning, but not
eavesdropping– Possible shielding around reader to defend against
eavesdropping
Reverse Engineering• Authors found schematic by Dr. Kaiser and TI
in a presentation• Functional components were clear, but critical
details of logic and interconnects were not• Certain features in schematic were wrong• Chose “black-box” approach by examining
logical outputs• Authors Purchased TI Series 2000 – LF RFID
Evaluation Kit and DST devices
Reverse Engineering• DST 40 is essentially a feedback shift register• During each round, inputs from challenge
register and key register pass through collection of logical units
• These units produce an output that is put back into the challenge register
Reverse Engineering• Single round as all units is referred to as F. F
has three logical layers: – First layer: represented as f1 to f16 (f-boxes)– The second layer is represented as f17 to f20,
referred to as g-boxes, which are four functional units that takes the outputs of set of four f-boxes as inputs
– The third layer is a single unit, f21, in which takes in the outputs of the g-boxes, called the h-box, returns the output of the full function F
Reverse Engineering• There are two main technical details missing
from the schematic:– Does not describe the logical operations of the f,
g, and h-boxes– Does not describe the routing array for the
mapping of key and challenge bits to the f-boxes
Reverse EngineeringObtaining a Single-Round Output• Since the contents of the f-boxes and critical
routing was unknown, the authors could not directly verify if their DSTs followed the Kaiser schematic
• Required to treat evaluation DST as a “Black-box”• From the schematic, the authors noted that the
only round dependence is in the key scheduler• used the string of ‘0’ bits for their starting
experiments
Reverse EngineeringObtaining a Single-Round Output• After each cycle, there were only small changes
to contents of the challenge register:– Each was shifted right one bit– The output of the h-box was inserted into the left-
most bit position– Challenge/Response
• two possible sequences, either:C0 = 0|C or C1 = 1|C, where | denotes concatenation
• after the first cycle, h-box output assumes challenge register is either C0 or C1 after first cycle
Reverse EngineeringObtaining a Single-Round Output• Tests failed, indicating that the DST40 differs
from the Kaiser cipher• Authors found that testing next-state
challenge response values succeeded when they modeled the h-box output as two bits
• Authors then questioned elements of the schematic including number of rounds and key update schedule
Reverse EngineeringObtaining a Single-Round Output• Since the authors were able to recover the
output of F on a single iteration, they were able to observe the entirety of each round of a cipher execution by repeatedly guessing the next state of challenge register
• They established that the encryption took over 200 cycles and the DST gets its response from the right-most 24 bits of the challenge register
Reverse EngineeringRecovering the Key Schedule• Using the ‘0’ bit key would restrict ability to
experiment with algorithm internals• They required the ability to observe single-round
outputs based on different values in the challenge and key registers
• Using a non-zero key makes the algorithm round dependent
• Needed to provide black-box with equivalent next key register state
Reverse EngineeringRecovering the Key Schedule• By following the diagram, the authors assumed new
key bits were computed by exclusive-or of several bits of the key every few seconds
• They determined the key is updated every three cycles (beginning with the second cycle)– Let ki denote the ith bit in the key register beginning with 0– The key update is defined by:
k0 = k39 k37 k20 k18
• Using this model in place of the ‘0’ bit key, they were able to simulate steps for any key
Reverse EngineeringRecovering the Key Schedule• Previously only had to guess each possibility for a
2-bit output of single round• For a non-zero key, need to guess six successive
bits (three bit-pairs) of output for the h-box at the same time, since the key schedule only repeats every 3 cycles
• This meant testing 64 possible candidate challenge-response states
• To test, they set the k’ corresponding to the key-register state after 6 cycles applied to k
Reverse EngineeringUncovering the Feistel Structure of DST40• To measure the effect, the authors generated
a random key and challenge, and determined the output of F
• For each of the 40 challenge bits, they determined whether F changed upon flipping a bit
• Repeated 150 times
Reverse EngineeringUncovering the Feistel Structure of DST40• The XOR of bits c38 and c39 showed that the
algorithm was an invertible permutation and it is a form of Unbalanced Feistel Network
• The authors speculate that the round function was chosen so that collisions would not multiply and responses would have uniform distribution
Reverse EngineeringRecovering the Bit Routing Networks• Next step was to recover internal routing
network of bits• Assumption that the h-box (f21) was the only
box with a 2-bit output• Structure of Kaiser cipher shows that h gets a
single bit from each of the g-boxes and returns one or four possible outputs
Reverse EngineeringRecovering the Bit Routing Networks• Using this observation, the authors devised a test to
see which groups of input bits of the challenge and key are routed to each of four g-boxes
• Test requires many repetitions since two test bits could be routed to different g-boxes, and different value outputs still produce two or fewer distinct outputs
• The routing network was arranged in a regular pattern, and after uncovering most of the bits dealing with g1 and the authors were able to infer and validate the remainder of g-boxes
Reverse EngineeringRecovering the Bit Routing Networks• An f-box uses a fixed boolean function z on five bit
inputs• Suppose that B is the set of inputs to this f-box:– Then let’s define A0 to be the set of value assignments to
the bits in B such that z(b1 . . . b5) = 0– Also, define A1 analogously for z(b1 . . . b5) = 1 – Notice that for a fixed setting of B, the output of h will be
invariant for the setting of B to any value in A0. – Likewise, for a fixed value assignment to B, the output of h
will be invariant for any setting of B to a value in A1.
Reverse EngineeringRecovering the Bit Routing Networks• Using the invariant, the authors performed tests to
exclude combinations of bits that can’t be inputs the same f-box
• Next step was to Iterate over all 32 value assignments to B and record the output pattern from F
• They then repeated the experiment over B• If no invariant like described, the B cannot consist of
inputs to a single f-box• Test repeated until excluded all possible inputs except
for correct ones
Reverse EngineeringBuilding Logical Tables for the f, g, and h-boxes• Once the corresponding bits to each f-box were
identified, the authors constructed tables to represent logical functions computed by all the boxes
• To calculate the f-box tables, they simply iterated through 32 possible input value for the set B that corresponds to the f-box
• To calculate a given g-box, four corresponding f-boxes and iterated over all 24 = 16 combinations of their output values
• It’s essentially the same method to construct the h-box table; though the h-box outputs two bits instead of one
Key CrackingThe DST40 Keycracker• First implemented in software• To slow for a keycracker• Software could only compute less than 200,000
encryptions per second on 3.4 GHz Pentium• Time would take more than 2 weeks for a 10
node cluster• Decided to implement the keycracker in
hardware
Key CrackingThe DST40 Keycracker• Each node consisted of a single Xilinx XC3S1000
FPGA• 32 cores per FPGA• Since DST40 outputs 24 bits per 40 bit challenge,
at least two challenge/response pairs are needed to determine a unique key
• Clock on board was fixed to 100 MHz, allowing for 16 million keys per second
• Entire 40 bit key-space can be exhausted in less than 21 hours
Key CrackingThe DST40 Keycracker• Single FPGA board was enough to verify
testing• Cracker recoverd key from SpeedPass™ in
under 11 hours• Bought a total 16 evaluation boards to get a
significantly reduced crack time• Cracked 5 TI DST tags and recovered all keys in
less than 2 hours
Key CrackingThe Hellman Time-Space Tradeoff• As described, Software key cracker uses
Hellman tables• Estimates suggest a 99+% success rate• Requires 10 GB of storage• Should finish in under one minute on fast PC• Table construction requires a large amount of
pre-computation
RF Protocol Analysis and Simulation• A reader in the DST system transmits power to
the transponder at a 15-to-50 ms electromagnetic pulse at 134.2 kHz
• Once powered, transponder can perform session tasks
• Reader transmits as a sequence of amplitude-modulated bits
• Once transponder has received and processed a command, it discharges its power while transmitting response
RF Protocol Analysis and SimulationSniffing the Protocol• The team configured a portable PC with a digital-to-
analog board• Designed to send and receive desired analog signals• The authors wrote routines for modulation and
demodulation to produce the signals produced by the reader and FM-FSK signals produced from the transponder
• Using this equipment can allow for successful eavesdropping or actively participate by emulating either reader or transponder
RF Protocol Analysis and SimulationPutting Together the Pieces: the Full DST Protocol• First, the reader transmits a challenge request
to the transponder– Consists of an 8-bit opcode followed by the 40-bit
challenge (opcode specifies type of request being made)
– The transponder encrypts the challenge using the shared secret 40-bit key
– The least significant 24 bits in the transponder challenge register consitutes a 24-bit Signature
RF Protocol Analysis and SimulationPutting Together the Pieces: the Full DST Protocol• The transponder then responds– Replies with 24-bit serial number, 24-bit signature,
and a keyed 16-bit CRC of the transmitted data
• Using the shared encryption key and secret CRC start value, the reader can then verify
• The CRC is intended to add extra security as well as provide error checking
RF Protocol Analysis and SimulationPutting Together the Pieces: the Full DST Protocol• The stated aim of DST was to make it resistant
to:– Signature-guessing attacks– Dictionary attacks– Attacks using known challenge-response pairs– Cryptanalytic attacks– Exhaustive key search
RF Protocol Analysis and SimulationSimulating a DST Device• The authors software performs the following:– It analyzes the A/D conversions received from the
DAC board– Decodes the AM signal containing the challenge sent
from the reader – Performs an encryption of this challenge using the
recovered secret DST key– Codes the FM-FSK signal representing the correct
response– Outputs this FM-FSK signal to the DAC board
Conclusion• The weakness of DST40 cipher demonstrated
by the authors is primarily due to an insufficient key-length
• Further cryptanalysis may reveal weaknesses in the cipher
• Systems with the strongest security are generally standard cryptographic algorithms with adequate key lengths
References[1]. http://en.wikipedia.org/wiki/RFID[2]. http
://en.wikipedia.org/wiki/Digital_Signature_Transponder