RFID Security and Privacy Part 2: security example

RFID Security and Privacy Part 2: security example. Zoom in: Authentication. Should be mutual: reader should recognise tags, tag should recognise readers. EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags.

neena

Presentation Transcript


  1. RFID Security and Privacy Part 2: security example

  2. Zoom in: Authentication • Should be mutual • reader should recognise tags • tag should recognise readers • EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags. • proposed by P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.

  3. EMAP model DB Identification ID (m bits) Key (4m bits) = K1||K2||K3||K4 Pseudonym IDS (m bits) Updated after each session || concatenation

  4. EMAP protocol Reader Tag Database hello IDS IDS K1||K2||K3||K4 Check AB.Infer n1,n2 Random n1,n2 A||B||C A = IDS  K1  n1 B = (IDS  K2) n1 C = IDS  K3  n2 D = IDS  K4  n2 E = (IDS  n1  n2) ID K1  K2  K3  K4 D||E Check D.Update IDS and K1...K4 Update IDS and K1...K4

  5. Update … • IDS’ = IDS  n2 K1. • K1’ = K1  n2 (ID1/2 || F(K4) || F(K3)) • ID1/2 – first m/2 bits of ID • F(X)–parity function • Divide X in m/4 4-bit blocks • Compute a parity bit for each block • K2’ = K2  n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3  n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4  n1 (F(K3) || F(K1) || ID2/2)

  6. EMAP is efficient • Tag memory: • Rewritable memory: 4m bits (keys) + m (IDS) • ROM: m bits (ID) • Very reasonable for m = 96… • Operations: • tag does cheap processing: ,,, || • random number generation – reader only! • no expensive operations (e.g. hash function, multiplication)

  7. Further advantages of EMAP • tag anonymity • the same ID but different messages! • forward security • knowledge of K1...K4 does not reveal updated key

  8. Li and Deng: EMAP is vulnerable. "Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol", April 2007

  9. Attack 1: Desynchronisation Intruder Tag Reader hello hello IDS j s.t. IDS(j) = 0 IDS random n1,n2 Toggle j in C n2' = n2 ej A||B||C A||B||C' infer n2' instead of n2 Toggle j in D' and E' wrong D'||E' D||E Update IDS and the key Update IDS and the key

  10. Attack 1: Reader accepts D • expected: D = (IDS  K4) n2 • received: ( (IDS  K4) n2’ ) ej • i.e. (IDS  K4) n2 ej  ej = D

  11. Attack 1: received E is correct • expected: E = (IDS  n1  n2) ID K1  K2  K3  K4 • received: (IDS  n1  n2’) ID K1  K2  K3  K4 ej • compare: IDS  n1  n2 vs. (IDS  n1  n2’) ej • look at jth bit: IDS(j) = 0  (IDS  n1  n2)(j)=n2(j)

  12. Attack 1: Tag update • IDS’ = IDS  n2 K1. • K1’ = K1  n2 (ID1/2 || F(K4) || F(K3)) • K2’ = K2  n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3  n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4  n1 (F(K3) || F(K1) || ID2/2) • Desynchronisation on IDS, K1 and K2 • You can also attack n1 rather than n2 or both (see the paper)

  13. Quick Quiz • What kind of problem has been demonstrated? • Ethical issues • Illicit tracking of the tags • Skimming • Tag cloning • Cross-contamination • Tag killing • Invasive attack / side channel attack • Jamming

  14. Countermeasure: Error-correcting codes? • Can report/correct a number of 1-0 errors • can detect the attack as presented above • BUT • the attack can be generalised to replace (n1,n2) by (n1’,n2’) toggling multiple bits simultaneously… • … and fooling the error-correcting codes!

  15. Murphy’s Law Just when you think things cannot get any worse, they will.

  16. Attack 2 Full disclosure attack Run EMAP (a number of times) and discover ID and all the keys! Want to know more? Read the paper
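
The desynchronisation of slides 9 to 12, as an added simulation that is not part of the original presentation: it runs one EMAP session, toggles bit j of C, D and E in transit, and reports whether the reader accepts and which stored values then differ between tag and reader. The operator glyphs are missing from this transcript, so the code assumes XOR wherever n1, n2 or the keys are combined, OR in B, AND in D and AND-then-OR inside E; the function names and the sample tag state are constructed for illustration.

```python
import secrets

M, H, Q = 96, 48, 24          # m, m/2, m/4 bits (slide 6 takes m = 96)
FIELDS = ("IDS", "K1", "K2", "K3", "K4")

def F(x):
    """Parity function F(X): one parity bit per 4-bit block, m/4 bits out."""
    return sum((bin(x >> 4 * i & 0xF).count("1") & 1) << i for i in range(Q))

def reader_abc(s, n1, n2):    # operators are assumed, see the lead-in
    return (s["IDS"] ^ s["K1"] ^ n1, (s["IDS"] | s["K2"]) ^ n1,
            s["IDS"] ^ s["K3"] ^ n2)

def d_e(s, n1, n2):           # D and E as computed from a given (n1, n2)
    keys = s["K1"] ^ s["K2"] ^ s["K3"] ^ s["K4"]
    return (s["IDS"] & s["K4"]) ^ n2, ((s["IDS"] & n1) | n2) ^ s["ID"] ^ keys

def update(s, n1, n2):        # slide 5: IDS, K1, K2 use n2; K3, K4 use n1
    hi, lo = s["ID"] >> H << H, s["ID"] & ((1 << H) - 1)
    f = {k: F(s[k]) for k in FIELDS[1:]}
    return {"ID": s["ID"], "IDS": s["IDS"] ^ n2 ^ s["K1"],
            "K1": s["K1"] ^ n2 ^ (hi | f["K4"] << Q | f["K3"]),
            "K2": s["K2"] ^ n2 ^ (f["K1"] << 3 * Q | f["K4"] << H | lo),
            "K3": s["K3"] ^ n1 ^ (hi | f["K4"] << Q | f["K2"]),
            "K4": s["K4"] ^ n1 ^ (f["K3"] << 3 * Q | f["K1"] << H | lo)}

def run_session(s, n1, n2, j=None):
    """One EMAP run; if j is given, bit j of C, D and E is toggled in transit.
    Returns (reader accepted?, fields on which tag and reader now differ)."""
    e = 0 if j is None else 1 << j
    a, b, c = reader_abc(s, n1, n2)
    c ^= e                                       # modified C reaches the tag
    t1 = a ^ s["IDS"] ^ s["K1"]                  # tag infers n1 from A
    if b != (s["IDS"] | s["K2"]) ^ t1:           # tag's check of A||B
        return False, None
    t2 = c ^ s["IDS"] ^ s["K3"]                  # tag infers n2' = n2 xor e_j
    d, e_msg = d_e(s, t1, t2)
    if (d ^ e, e_msg ^ e) != d_e(s, n1, n2):     # reader's check of D||E
        return False, None
    reader, tag = update(s, n1, n2), update(s, t1, t2)
    return True, [k for k in FIELDS if reader[k] != tag[k]]

if __name__ == "__main__":
    s = {k: secrets.randbits(M) for k in ("ID",) + FIELDS}   # constructed tag
    n1, n2 = secrets.randbits(M), secrets.randbits(M)
    j = next(i for i in range(M) if not s["IDS"] >> i & 1)   # IDS(j) = 0
    print("honest:", run_session(s, n1, n2))
    print("bit", j, "toggled:", run_session(s, n1, n2, j))
```

A toggled position where IDS(j) = 1 and n1(j) = 1 leaves E unchanged at the tag, so the reader's comparison fails there; the messages carry no integrity protection beyond that comparison, which is why the accepted case goes unnoticed.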
