Implementing RFID Protocol

8/6/2019 Implementing RFID Protocol

1/22

IMPLEMENTING RFID PROTOCOL(ANALYSIS OF RFID PROTOCOL)

University of BirminghamSchool of Computer ScienceM.Sc Computer Security

Summer ProjectAli Raza Malkana

1055458


2/22

RFID Systems

Transponder or Tag Data carrying device

Micro chip

Transceiver or Reader Active device

Read information

RF module, Control unit,& Coupling element

Backend Database IT system for data

storage


3/22

Types of RFID Tags

Active Tags Self powered, heavier, expensive, higher range, computational ability

Semi Active Tags Self powered, moderate range, moderate computational ability

Passive Tags Small, Light, cheap, no power, less computational power

Low Frequency Tags (124KHz 135KHz) ~10cm

High Frequency Tags(13.56MHz) ~1m

Ultra High Frequency Tags(860MHz 960MHz) ~0.4m


4/22

RFID Security Threats

Privacy

Tracking

Eavesdropping

Replay Attack Relay Attack

Cloning Attack

Dos Attack

Content Addition or Modification/Attack

Reverse Engineering

Physical Tempering

Etc


5/22

RFID Vs BarcodesRFID Systems will facilitate efficient and automated collection and management of information.

Simple Identify

Line of sight

Human Interaction

Slow

Cheap

Reliable

Uniquely Identify

Line of sight not required Automatic

Fast( hundred tags/sec)

Expensive

Security Threats

Privacy

Tracking

Cloning

Barcodes RFID Tags


6/22

Why light/ultra lightweight Protocol ?

Full fledge Protocol Use cryptographic primitives (symmetric encryption, crypto one way functions, public key

algorithm)

Price Competition

Low cost RFID tags (passive)

Least computational and storage resources

Limited communication ability.

IncapableGates (5k-10k)

Security (250-3K) Sha-1(4.3k),MD5(16k),sha-256(23k)


7/22

Security Analysis of RFID Protocol

Family Ultra light mutual

authentication Protocol

LMAP

EMAP

E2MP

Strong Authentication Strong

Integrity Protocol (SASI)

HB Family

HB

HB+

HB++

HB-MP

HB-MP+

HB-MP++

Protocol

Vulnerabilities

Attacks

Security Analysis Data Confidentiality

DOS Attack

Man in Middle Attack

Data Integrity

Forgery Resistant Tag Anonymity and

unlinkability

Replay Attack

Forward Security


8/22

LMAP :-Ultra lightweight Authentication

Protocol

Tag Identification

Mutual Authentication Reader Authentication

Tag Authentication

Index-pseudonym Update

Key Updating


9/22

Vulnerabilities of LMAP

No Acknowledgement mechanism of message D.

Synchronization of secret parameters.

Message D act as a confirmation.

Stateless Tags.

Improper construction of sub messages.

Using of bitwise AND or OR operations.

All the operations used in ultra light weight protocols

are T-Functions.


10/22

Attacks on LMAP

De-Synchronization Attack

Full Disclosure Attack

Passive Attack


11/22

De-Synchronization Attack

Secret key K(K1||K2||K3||K4)and IDS are updated after everysuccessful run of protocol.

If at the end of a protocol bothreader and tag save differentvalues for these parameters tagwill be de-synchronized.

The attack can be launched bymaking following sub-messages. Attacker intercept the message

A||B||C and change the C bychanging jth bit of C.

Tag when compute the value of n2will computer a different value.

When Tag respond with D interceptthe D and toggle the same bit.

50% success rate of this simpleattack.


12/22

Full Disclosure Attack

Tag has no memory for keeping status

info, reader is stateful.

Tag will answer any request from anytag.

Send all possible A||B||C to tag.Where A,B are obtained by changing

the j-th bit of A and B.

A proper D or an Error Message.Attacker is actually concluding that the jth

bit of n1 is equal to jth bit of B or not.

Maximum in 96 trails attacker can get toknow the value of n1.

From A,B,IDS,n1 attacker can find K1,K2.


13/22

Passive AttackBreaks LMAP after eavesdropping a few consecutive rounds.

Every bit effects only the bit which are to the left from that given bit.

Least significant bits are independent of all bits.

From message B= (IDS V ID) + n2, once can conclude the value of n2

by set bits of IDS. No difficulty if you know the every bit on the right hand side.

First attacker calculate the least significant bit of every secret

shared between tag and reader.

Next step is to calculate the bit immediately before the least

significant one with the knowledge of earlier bit.

Step by step attacker learns all the secret bit by bit from the least

significant to most significant bits.


14/22

Security Analysis of UMAP

User Data Confidentiality

DOS Attack

Man in middle attack

Data integrity

Forgery Resistant

Tag Anonymity and unlinkability

Replay Attack

Forward Security


15/22

Countermeasures

Keep record of multiple IDS in database.

Careful construction of messages.

Sending of message in case of readerauthentication failure.

Provide randomness in message by using un

predictable rotations.

Storing status information on tag.

Avoiding use of only (AND & OR) bitwise functions.


16/22

Evaluation

Nodoubts, it was a brilliant idea.

Actually, The design provide confusion and diffusion

of output values but no concrete security.


17/22

HB FamilyHB,HB+,HB++,HB-MP,HB-MP+,HB-MP++

Security depends on LPNProblem.

Secure against passiveattack.

Uni authentication andmultiple rounds protocols

Active attack is stillpossible.

Query the tag with same

challenge multiple time. Gaussian elimination help

to find secret.


18/22

HB-MP

Use of rotation.

Different length of key

and messages.

New fresh key for

every single round.

Improper design of

rotation to generaterandom key turns out

to be the weakness.


19/22

Active Attack against HB-MP

Rotation is performed based on a constant key y's

ith bit.

The key for each run in different sessions of protocol

remain the same.

Attacker initiate different sessions but concentrate

on single round.

From this information attacker can get to know thesecret key x by analysing just few runs of multiple

session.


20/22

Security Analysis

Data Confidentiality

DOS Attack

Man in middle attack Data integrity

Forgery Resistant

Tag Anonymity and unlinkability

Replay Attack

Forward Security


21/22

Concluding Remarks

Analysed two families of RFID protocol.

The invention of least resource consuming function to

provide security is required.

The use of purely random rotation can help.

Invention of new light cryptographic functions.

Research on Lightweight implementation of recent

cryptographic primitives. PRESENT Ultra-Lightweight Block Cipher[1570], Grain stream cipher [1294]

Use of LFSR


22/22

Countermeasure

Use of proper non-linear function for randomization

Generation of proper random keys for each run in

same session.

Documents

Implementing RFID Protocol