New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs

1. New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs Chair for Embedded Security Ruhr University Bochum David Oswald Timo Kasper Christof Paar www.crypto.rub.de 01.07.2009

2. Motivation

3. RFID Smartcards Source: Wikimedia Commons • Applications: Payment, Access control, ... • Proprietary ciphers: Often insecure • New Generation: 3DES / AES • Mathematically secure  Side Channel Analysis?

4. RFID Side Channel Measurement:Authentication Protocol Measure EM ? Smartcard: Encrypt this value with 3DES Output: Success/Failure Reader: Send protocol value

5. Measurement Setup

6. Measurement Setup

7. Measurement Setup • ISO14443-compatible • Freely Programmable • Low Cost (< 40 €)

8. Measurement Setup • 1 GS/s, 128 MB Memory • ± 100 mV • USB 2.0 Interface

9. Measurement Setup Aim: Reduce Carrier Wave Influence vs.

10. Carrier Dampening Aim: Reduce Carrier Wave Influence vs.

11. Carrier Dampening Side-Channel Model (idealised): = 

12. Carrier Dampening Side-Channel Model (idealised): =

13. Carrier Dampening

14. Side Channel Analysis Step 1: Raw measurements

15. Trace (without analogue filter)

16. Trace (without analogue filter)

17. Trace (without analogue filter) ?

18. Step 2: Analogue filter

19. Trace (with analogue filter)

20. Trace (with analogue filter)

21. Trace (with analogue filter) ?

22. Step 3: Digital Demodulation

23. Digital Demodulation Digital Demodulator Rectifier Digital Filter

24. Digital Demodulation

25. Digital Demodulation ?!

26. Step 4: Alignment

27. Alignment Pick Reference Pattern

28. Alignment Pick Reference Pattern

29. Alignment

30. Alignment Varies for identical Plaintext

31. Step 5: Location of 3DES

32. Data Bus Locate Plain- & Ciphertext Transfer

33. Data Bus DPA: Plaintext 8 Bit Hamming Weight

34. Data Bus DPA: Ciphertext 8 Bit Hamming Weight

35. Trace Overview ... Other processing Plaintext 3DES Ciphertext

36. Assumptions ?! ?! C 3DES

37. Step 6: Attack

38. 3DES Engine DPA ?! C 3DES 3DES located  Power Model: Hamming distance R0  R1, 4 Bit (S-Box output)

39. 3DES-Engine DPA But: Only for S-Box 1 & 3

40. 3DES Engine DPA: Peak Extraction

41. 3DES Engine DPA: Peak Extraction

42. 3DES Engine DPA: Binwise

43. 3DES Engine DPA: Binwise Apply DPA binwise

44. 3DES Engine DPA: Binwise Correlation Correct Key for 4 of 8 S-Boxes

45. Conclusion

46. Results Real World Device Black Box Analysis Low Cost Key Recovery

47. Summary Measurement Setup built  Profiling done  Data Bus revealed  Correct Subkey for 4/8 S-Boxes found

48. Future Work • Improve • More traces • Equipment • Extend • Other RFID smartcards • Remote Attacks

49. Thank you for your attention! Questions? Chair for Embedded Security Timo Kasper David Oswald Christof Paar www.crypto.rub.de timo.kasper@rub.de david.oswald@rub.de cpaar@crypto.rub.de