a security and performance evaluation of hash based rfid protocols l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
A Security and Performance Evaluation of Hash-based RFID Protocols PowerPoint Presentation
Download Presentation
A Security and Performance Evaluation of Hash-based RFID Protocols

Loading in 2 Seconds...

play fullscreen
1 / 42

A Security and Performance Evaluation of Hash-based RFID Protocols - PowerPoint PPT Presentation


  • 138 Views
  • Uploaded on

I nscrypt 2008. A Security and Performance Evaluation of Hash-based RFID Protocols. Tong Lee Lim, Tieyan Li & Yingjiu Li Cryptography and Security Department Institute for Infocomm Research (I 2 R) 17 Dec. 2008. Project Summary - what will be done. Outline.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'A Security and Performance Evaluation of Hash-based RFID Protocols' - ivana


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
a security and performance evaluation of hash based rfid protocols

Inscrypt 2008

A Security and Performance Evaluation of Hash-based RFID Protocols

Tong Lee Lim, Tieyan Li & Yingjiu Li

Cryptography and Security Department

Institute for Infocomm Research (I2R)

17 Dec. 2008

outline

Project Summary - what will be done

Outline
  • Introduction on RFID, and its security & privacy issues
  • Introduction on hash-based RFID authentication protocols
  • The Hash chain family of protocols and weaknesses
    • Okhubo – Hash chain
    • Henrici – Triggered hash chain
    • Lim – CRTH, FRTH
  • The TRAP family of protocols and weaknesses
    • Dimitriou – CR
    • Tsudik – YA-TRAP
    • Burmester – YA-TRAP+, O-TRAP
    • Conti – RIPP-FS
  • The Tree family of protocols and weaknesses
    • Molnar – TBPA
    • Lu – SPA
  • Remarks…
rfid debate

Project Summary - why should it be done?

RFID Debate
  • Promoters
    • Wal-Mart, Gillette, METRO…
  • Vendors
    • Microsoft, IBM, SAP…
  • Players
    • TAGSYS, ALIEN, SAVI…
    • New: Mojix, RF controls…
  • Governments, industries, researchers …

An age of RFID is coming … But security and privacy?

passive rfid
Passive RFID

The reader has a powerful antenna and a power supply

The reader surrounds itself with an electromagnetic field

The tag is illuminated by the field, providing it with power

Reader

Tag

4

reader tag data exchange
ReaderóTag Data Exchange

The reader sends commands to the tag via pulse amplitude modulation

The tag sends responses to the reader via backscatter modulation

Reader

Tag

5

rfid security privacy issues

Project Summary - why should it be done?

RFID Security & Privacy Issues
  • RFID tags have many technical limitations:
    • Limited power consumption (vs. energy consumption of battery powered devices) ~ 10µA average
    • Limited area consumption (less problem with evolving Smart Card technologies) < 1mm²
    • Limited execution time (set by batch tag reading protocol)
    • Limited backward channel (initiated by reader only)
    • Limited memory access (hundreds bits to few kBytes and slow)
    • No physical protection possible
  • Cryptography is not applicable immediately.
    • Worst case assumption is not always true for RFID
    • Weakened adversarial model is typically assumed for RFID
  • In RFID, there are many security solutions.
    • E.g., shielding, killing, tearing, blocking, proxy, policies, obfuscation, etc. for different scenarios.
rfid security privacy issues7

Project Summary - why should it be done?

RFID Security & Privacy Issues
  • Typically, RFID security means Authentication and Privacy.
    • Authentication:
      • Tag/reader authentication:
        • Both tag and reader need to prove their claimed identities.
      • Product authentication:
        • The secure binding of the tag and product need to be guaranteed.
    • Privacy:
      • Anonymity:
        • The identity information of a person of event is not disclosed by reading a tag.
      • Untraceability:
        • The itinerary of a person or a series of events can not be tracked by reading a tag.
countermeasures

Project Summary - why should it be done?

Countermeasures
  • Physical Protection
    • Private tag-to-reader channel; e.g., Clipped tag (IBM), Faraday Cage, Shielding…
    • Physical tag removal or destruction.
    • WORM; e.g., ISO/IEC 15963 defines a unique Tag ID.
  • Access Control
    • EPC Gen2 Access and Kill passwords.
    • ID obfuscation or pseudonym
  • Cryptographic Measures
    • Lightweight primitives (e.g., Present-80, Grain, Trivium, etc.)
    • Lightweight authentication schemes (e.g., HB family)
  • Active Device
    • Blocker tag
    • REP, RFIDguardian
outline9

Project Summary - what will be done

Outline
  • Introduction on RFID, and its security & privacy issues
  • Introduction on hash-based RFID authentication protocols
  • The Hash chain family of protocols and weaknesses
    • Okhubo – Hash chain
    • Henrici – Triggered hash chain
    • Lim-Li – CRTH, FRTH
  • The TRAP family of protocols and weaknesses
    • Dimitriou – CR
    • Tsudik – YA-TRAP
    • Burmester – YA-TRAP+, O-TRAP
    • Conti – RIPP-FS
  • The Tree family of protocols and weaknesses
    • Molnar – TBPA
    • Lu – SPA
  • Remarks…
research literature

Project Summary - what will be done

Research literature
  • Solutions that used classic cryptographic primitives
    • PRNGs alone, (Juels; Piramuthu; Tsudik; Chatmon; Duc; Molnar)
    • Hashs alone, (Engberg; Avoine; Dimitriou; Yang; Weis; Henrici; Choi)
    • PRNGs and hashs, (Gao; Rhee; Lee;)
    • PRNGs and Symmetric crypto, (Molnar; Dimitriou; Bailey; Dominikus)
  • In 2002, Sarma et al. first proposed to use hash functions
    • Hash lock, by Rivest et al. (03)
    • Randomized hash lock, by Weis et al. (03)
    • Hash chain, by Okhubo et al. (RFIDsec’03)
    • Hash-based ID variation, by Henrici et al. (Percom’04)
    • Triggered hash chain, by Henrici et al. (Percom’08)
    • CRTH, FRTH, By Lim and Li (ICPADS’08)
    • YA-TRAP, by Tsudik et al. (PercomW’06)
    • YA-TRAP+, O-TRAP (O-FRAP, O-FRAKE), by Burmester et al. (06)
    • RIPP-FS, by Conti et al. (PercomW’07)
    • Hash tree, by Molnar et al. (SAC’05)
    • Dynamic hash tree, by Lu et al. (Percom’07)
rfid authentication characteristics

Project Summary - what will be done

RFID Authentication Characteristics
  • There are some fundamental characteristics that distinguish RFID authentication from general purpose authentication:
    • Lightweightness,Many RFID platforms can only implement symmetric key crypto techniques.
    • Anonymity,General purpose authentication protocols may not support anonymity. For RFID applications, anonymityis essential,because rogue readers can easily track them.
    • Availability, RFID devices are subject to attacks by rogue readers in which they may assume a state from which they may no longer be able to authenticate themselves.
    • Forward security, RFID devices may be discarded, are easily captured, and may be highly vulnerable to side channel attacks on the stored keys. It is important to guarantee the privacy of past sessions if key is compromised.
rfid authentication properties

Project Summary - what will be done

RFID Authentication Properties
  • Besides the characteristics, in RFID authentications, we ensure some major security properties:
    • Session Unlinkability: Any two protocol sessions involving the same tag can not be linked.
    • Tag Authenticity: The authenticity of a tag is verified to prevent an adversary from impersonating the tag.
    • Reader Authenticity: A reader needs to be authenticated before it can be allowed to access confidential data on tags.
    • Desynchronization Resilience: An adversary is not able to bring an inconsistent state to the tag and its backend database.
security model

Project Summary - what will be done

Security model

Byzantine threat model

  • All entities (tags, readers, back-end server) including the adversary (the attackers) have polynomial bounded resources.
  • The adversary controls the delivery schedule of all communication channels, and may eavesdrop into, or modify their contents.
  • The adversary may also instantiate new communication channels and directly interact with honest parties.
  • However, the reader-server channels are assumed to be secure.

In this paper, we classify 4 levels of adversaries:

  • Level 1 (Passive attack): Ability to perform passive eavesdropping overlegitimate protocol sessions.
  • Level 2 (Active attack with protocol participation): Ability to communicatewith a legitimate tag or reader by following the steps specifiedunder the protocol and to replay messages.
  • Level 3 (Active attack with protocol disruption): Ability to activelycorrupt, block or inject (replace) messages exchanged during a protocol sessionbetween a legitimate tag and an authorized reader.
  • Level 4 (Active attack with secret compromise): Ability to capturea legitimate tag and extract its secrets through physical and side channelattacks.
outline14

Project Summary - what will be done

Outline
  • Introduction on RFID, and its security & privacy issues
  • Introduction on hash-based RFID authentication protocols
  • The Hash chain family of protocols and weaknesses
    • Okhubo – Hash chain
    • Henrici – Triggered hash chain
    • Lim – CRTH, FRTH
  • The TRAP family of protocols and weaknesses
    • Dimitriou – CR
    • Tsudik – YA-TRAP
    • Burmester – YA-TRAP+, O-TRAP
    • Conti – RIPP-FS
  • The Tree family of protocols and weaknesses
    • Molnar – TBPA
    • Lu – SPA
  • Remarks…
osk hash chain16

Project Summary - what will be done

OSK: Hash Chain
  • Process
  • Elegant approach (simple, forward secure, etc.), but:
  • Problems:
    • no synchronization between tag and “backend”
    • does not provide authentication (mimicking possible)
  • Protocol cannot be used in practice
henrici hash based id variation18

Project Summary - what will be done

Henrici: Hash-based ID Variation
  • Based on a message exchange
  • Keep two database records for each tag to cope with message loss
  • Hash values are used for mutual authentication and ensuringmessage integrity
  • Transaction counter “t” prevents replay attacks and helps insynchronization between tag and backend
  • Transmitting differences between transaction counters prevents thelatter to be abused for recognition and tracking
  • New identifier is not transmitted in clear;instead, calculate new identifier using old internal identifier andtransmitted random number
henrici triggered hash chain21

Project Summary - what will be done

Henrici: Triggered hash chain
  • Relation to Hash Chains
    • Self-refreshment of internal tag identifier
    • Simple and elegant
  • Relation to Hash-based ID Variation
    • Message exchange
    • Two database records for each tag in backend
    • Authentication by running protocol twice
  • But improvements:
    • No transaction counter “hacks” (like in Hash-based ID Variation)
    • No need to stay online (like in Hash-based ID Variation)
    • No synchronization problems (like in Hash Chains)
comparison security

Project Summary - what will be done

Comparison (security)

All 5 protocols support:

  • Tag anonymity
  • Forward security
outline25

Project Summary - what will be done

Outline
  • Introduction on RFID, and its security & privacy issues
  • Introduction on hash-based RFID authentication protocols
  • The Hash chain family of protocols and weaknesses
    • Okhubo – Hash chain
    • Henrici – Triggered hash chain
    • Lim – CRTH, FRTH
  • The TRAP family of protocols and weaknesses
    • Dimitriou – CR
    • Tsudik – YA-TRAP
    • Burmester – YA-TRAP+, O-TRAP
    • Conti – RIPP-FS
  • The Tree family of protocols and weaknesses
    • Molnar – TBPA
    • Lu – SPA
  • Remarks…
cr protocols

c

f(k, c, …)

Project Summary - what will be done

CR protocols
  • Typical Challenge-Response RFID protocol
  • Pass 1: the Reader sends a challenge that may include a timestamp, a random nonce, or other information.
  • Pass 2: the Tag responds by evaluating a function f (k; c; ) on the challenge.
    • Its input may include a value r that may embed a nonce, and an identifier or a (mutable) pseudonym for tag recognition.

Reader

RFID tag

Stores secret

Stores secret for each tag

ya trap

Project Summary - what will be done

YA-TRAP
  • YA-TRAP [Tsudik] Assumptions:
      • Reader shares a secret with each tag
      • Reader has database with entry <hash(secret, time), secret> for each tag

Server (K, Table(K,r)) Tag (HK , ttag)

S activates the tag with tsys tsys

Iftsys < ttag or tsys > tmax, send r. Else send HK(tsys)

h = HK(tsys)

ttag  tsys

ya trap29

Project Summary - what will be done

YA-TRAP
  • YA-TRAP [Tsudik]
    • Reader looks up hash in database to get secret
    • Issue: time must only increase
  • Drawback:
    • DoS attack; bogus reader sends t’sys = tmax
    • Future time attack; bogus reader sends t’sys, i < tsys
o trap

Project Summary - what will be done

O-TRAP
  • Optimistic Trivial RFID Authentication Protocol

Server (K, Table(K,r)) Tag (HK , rtag)

S updates rsys at regular periods rsys

rtag , h = HK(rsys,rtag)

rtag  HK(rtag)

If (K,rtag)Table(K,r) & h=HK(rsys,rtag),

Or  KK : h=HK(rsys,rtag) accept

update Table(K,r): rtag HK(rtag)

Else reject

o trap32

Project Summary - what will be done

O-TRAP

Table(K,r)

  • When the adversary is not active, the server gets the key of the tag from the look-up Table(K,r).
  • Otherwise the value of rK stored in the table may be out-of-sync with the value of the tag.
  • In this case the server must search exhaustively by hashing the pairs (rsys, rtag) for each key value.
ripp fs

Project Summary - what will be done

RIPP-FS

RIPP-FS[Conti]

  • Lamport hash value to authenticate the reader.

Drawback:

  • Replay attack
  • Infinite hash chain
comparison security34

Project Summary - what will be done

Comparison (security)

All 5 protocols support:

  • Tag anonymity
  • Session unlinkability (except Dimitriou’s CR protocol)
outline35

Project Summary - what will be done

Outline
  • Introduction on RFID, and its security & privacy issues
  • Introduction on hash-based RFID authentication protocols
  • The Hash chain family of protocols and weaknesses
    • Okhubo – Hash chain
    • Henrici – Triggered hash chain
    • Lim – CRTH, FRTH
  • The TRAP family of protocols and weaknesses
    • Dimitriou – CR
    • Tsudik – YA-TRAP
    • Burmester – YA-TRAP+, O-TRAP
    • Conti – RIPP-FS
  • The Tree family of protocols and weaknesses
    • Molnar – TBPA
    • Lu – SPA
  • Remarks…
comparison security38

Project Summary - what will be done

Comparison (security)

All 2 protocols support:

  • Tag anonymity
  • Tag authenticity
  • Reader authenticity
remarks

Project Summary - why should it be done?

Remarks…
  • We have reviewed a class of hash based authentication protocols.
  • Note that hash functions can be implemented using lightweight block ciphers, which can be implemented more efficiently.
  • Can we design an elegant protocol fulfilling all properties in RFID context?
  • RFID will be deployed “unawarely” anywhere in our daily life, new threats are to be addressed and defended with “balanced” security & privacy solutions.
  • We have no backyard but to prevent the unforeseen threats beforehand.

Thank you!