1 / 24

A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes

A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes. March 16-18, 2009, Zurich, Switzerland. Martin Feldhofer IAIK – Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at. Yossef Oren School of Electrical Engineering Tel-Aviv University.

kaida
Download Presentation

A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes March 16-18, 2009, Zurich, Switzerland Martin Feldhofer IAIK – Graz University of TechnologyMartin.Feldhofer@iaik.tugraz.atwww.iaik.tugraz.at Yossef Oren School of Electrical Engineering Tel-Aviv University

  2. Outline Motivation Introduction of WIPR Requirements for RFID tag hardware Implementation of WIPR scheme in hardware Comparison of crypto implementations Conclusions

  3. Why Security for RFID Systems? – Threats Counterfeiting • 5 - 7% of world trade • ~$600 billion USD a year (ICC 2009) Privacy violation • Monitoring communication is easy (contactless, broadcast)

  4. How Can Cryptography Help Us? Encrypted communication • Prevents from reading data by unauthorized parties • Prevents tracking by unique identifier Authentication of reader/tag • Proves identity of party • Prevents from cloning tagged goods • Identification • Claim to be somebody / something • Authentication • Prove the claim (by characteristic, shared knowledge, possession)

  5. Tag-Authentication Protocol Challenge-response (strong authentication) • Proves knowledge of shared secret key (or private key) • Requires random “challenge” • “Response” depends on challenge and key (encryption result) • Compatibilitytoexistingstandards rA A B fK( rA ) Key K Key K

  6. State-of-the-Art in Secure RFID Symmetric crypto on tags is feasible • Results of AES-128 hardware module have been shown Disadvantage of symmetric solutions • Key distribution is difficult In open systems public-key cryptography is much better • Many untrusted parties (goods and tag manufacturer, tag integrators, warehouses, retailers, customer etc.) But what about the feasibility on passive RFID tags?

  7. Overview of WIPR Identification Scheme WIPR stands for Weizmann-IAIK Public-Key for RFID 1024-bit RSA-like public key • 80 bits security level Full probabilistic encryption • Anonymity (encryption of ID) • Authentication (prove knowledge of secret) Main features • 4700 gate equivalents (including memory, full functionality) • 600ms / 14µA at 100KHz • Works great with the EPC C1G2 standard • High payload capacity can be used for example in sensor nodes

  8. WIPR in Theory Rabin’s encryption scheme: • Private key: primes p, q. Public key: n = p·q • Encryption: C = P2 (mod n) • Decryption has four possible results (probabilistic) Low-resource version by Naccache and Shamir • Encryption: C = P2 + r·n, random r • Indistinguishable from Rabin’s scheme (if r is appropriately chosen) Ultra-low-resource version (this work): • Specially-formed n stored within 200 GEs • Long random strings created on-the-fly using “Feistel structure“

  9. Security Features Secrecy and privacy • ID is kept secret (by encryption) • Tracking is prevented No private key on tag • Only secret ID • “Crack one – run one” situation Encryption of arbitrary data • Data of sensor nodes No tag rewrites or coupons • No fixed number of uses Reader authentication possible • Secure backward channel is possible

  10. The WIPR Protocol for Authentication But what about the implementation costs?

  11. Secure RFID System Architecture

  12. Hardware Requirements for Passive RFID Tags Power consumption • Determines operating range (~1m required) • Maximum 25 µW • Below 15µA (1.5 V) mean current consumption • 0.35 µm CMOS: ~15 D-FF @ 1MHz Chip area • Die size equals silicon costs (5-20 Cent) • Less than 5000 gate equivalents for security BUT • Very low data rates (10-200 kbps)  low clock frequency • High number of available clock cycles

  13. Low-Power Design Power dissipation • PTotal = PStatic + PSC + PDynamic • PDynamic = CL · VDD2 · f Design for power reduction • Lowering VDD • Use lowest possible clock frequency (<100 kHz) • Clock gating • Avoiding glitching activity (sleep-mode logic) Optimization goal • Minimize triple (Imean [µA], Chip area [GE], #Clock cycles) • PDynamic = CL · VDD2 · f · psw

  14. WIPR Hardware Implementation • Tag calculates (rR | rT1 | ID)  (rR | rT1 | ID) + rT2 n • Result is calculated and sent byte by byte beginning at least significant byte (no need for storing it)

  15. Implementation of Const n (rR | rT1 | ID)  (rR | rT1 | ID) + rT2n • n has special format • Upper half is 0xAAA….AAA • Only 200 GEs to store a 1024-bitconstant

  16. Implementation of Challenge rR (rR | rT1 | ID)  (rR | rT1 | ID) + rT2 n • Register-based 8-bit RAM • 1000 GEs to store the 128-bit random challenge

  17. Impl. of Random Strings rT1a, rT1b and rT2 (rR | rT1a| ID)  (rR | rT1b| ID) + rT2 n • Random bit strings • Only sequential access • Use reversible stream cipher • Store only short seed values • Use “roll left” and “roll right” function • 2700 GEs to store a 2048-bit random of tag

  18. Sequential Memory Access of rT1a, rT1b and rT2

  19. Rolling Functions

  20. Hardware Results

  21. Comparison of Implementations

  22. Comparison of Different Algorithms Hardware implementations • Implemented on same platform WIPR

  23. Compatibility with EPC C1G2 Scheme

  24. Conclusions Strong cryptography required for protection of RFID systems Design for low power consumption necessary Symmetric-key crypto is feasible on tags • AES-128 module has been shown WIPR allows public-key crypto on RFID tags • Uses Rabin encryption scheme • Optimized for low gate count and low power consumption Contact information • Martin Feldhofer IAIK – TU Graz Martin.Feldhofer@iaik.tugraz.at

More Related