RFID Security and Privacy Part 2: security example

Zoom in: Authentication

• Should be mutual
  – reader should recognise tags
  – tag should recognise readers

• EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags.
  – proposed by P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.


EMAP model

IDS1 Key1

… …

IDSn Keyn

Updated after each session

Identification ID (m bits)

Key (4m bits) = K1||K2||K3||K4

Pseudonym IDS (m bits)

|| concatenation

DB


EMAP protocol

Reader Tag

hello

IDS

Database

IDS

K1||K2||K3||K4

Random n1,n2

A||B||C

A = IDS K1 n1

B = (IDS K2) n1

C = IDS K3 n2

Check AB. Infer n1,n2

D||E

D = IDS K4 n2

E = (IDS n1 n2) ID K1 K2 K3 K4

Update IDS and K1...K4

Check D. Update IDS and K1...K4


Update …

• IDS’ = IDS n2 K1.
• K1’ = K1 n2 (ID1/2 || F(K4) || F(K3))
  – ID1/2 – first m/2 bits of ID
  – F(X) – parity function
    • Divide X in m/4 4-bit blocks
    • Compute a parity bit for each block
• K2’ = K2 n2 (F(K1) || F(K4) || ID2/2)
• K3’ = K3 n1 (ID1/2 || F(K4) || F(K2))
• K4’ = K4 n1 (F(K3) || F(K1) || ID2/2)


EMAP is efficient

• Tag memory:
  – Rewritable memory: 4m bits (keys) + m (IDS)
  – ROM: m bits (ID)
  – Very reasonable for m = 96…

• Operations:
  – tag does cheap processing: ,,, ||
  – random number generation – reader only!
  – no expensive operations (e.g. hash function, multiplication)


Further advantages of EMAP

• tag anonymity
  – the same ID but different messages!

• forward security
  – knowledge of K1...K4 does not reveal updated key


Li and Deng:

EMAP is vulnerable

"Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol"

April 2007


Attack 1: Desynchronisation

Tag

hello

IDS

A||B||C'

infer n2' instead of n2

wrong D'||E'

Update IDS and the key

Reader

random n1,n2

Update IDS and the key

Intruder

hello

IDS

j s.t. IDS(j) = 0

A||B||C

Toggle j in C

D||E

Toggle j in D' and E'

n2' = n2 ej


Attack 1: Reader accepts D

• expected: D = (IDS K4) n2

• received: ( (IDS K4) n2’ ) ej
  – i.e. (IDS K4) n2 ej ej = D


Attack 1: received E is correct

• expected: E = (IDS n1 n2) ID K1 K2 K3 K4

• received: (IDS n1 n2’) ID K1 K2 K3 K4 ej

• compare: IDS n1 n2 vs. (IDS n1 n2’) ej
  – look at jth bit: IDS(j) = 0 (IDS n1 n2)(j) = n2(j)


Attack 1: Tag update

• IDS’ = IDS n2 K1.
• K1’ = K1 n2 (ID1/2 || F(K4) || F(K3))
• K2’ = K2 n2 (F(K1) || F(K4) || ID2/2)
• K3’ = K3 n1 (ID1/2 || F(K4) || F(K2))
• K4’ = K4 n1 (F(K3) || F(K1) || ID2/2)

Desynchronisation on IDS, K1 and K2

You can also attack n1 rather than n2 or both (see the paper)
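
A simulation of the Attack 1 session traced above, showing why the reader's checks on D and E still pass after bit j is toggled and which stored values end up different on the two sides. This is an added example, not part of the original slides: the operators between terms are missing from this copy of the slides, so the XOR/AND/OR placement follows the published EMAP description and is an assumption here, as are the function names, the high-to-low bit order of the concatenations and the constructed random values.

```python
import random

M = 96                # m bits, the size suggested on the slides
Q = M // 4            # F(X) yields one parity bit per 4-bit block

def F(x):
    """Parity function: one parity bit for each 4-bit block of x."""
    return sum((bin((x >> 4 * i) & 0xF).count("1") & 1) << i for i in range(Q))

def update(st, n1, n2):   # XOR between terms is assumed (see lead-in)
    ids, k1, k2, k3, k4, ID = st
    hi, lo = ID >> 2 * Q, ID & ((1 << 2 * Q) - 1)         # ID1/2 and ID2/2
    head = lambda a, b: (hi << 2 * Q) | (a << Q) | b       # ID1/2 || a || b
    tail = lambda a, b: (a << 3 * Q) | (b << 2 * Q) | lo   # a || b || ID2/2
    return (ids ^ n2 ^ k1,
            k1 ^ n2 ^ head(F(k4), F(k3)),
            k2 ^ n2 ^ tail(F(k1), F(k4)),
            k3 ^ n1 ^ head(F(k4), F(k2)),
            k4 ^ n1 ^ tail(F(k3), F(k1)),
            ID)

def expected_de(st, n1, n2):   # D and E; AND/OR/XOR placement assumed
    ids, k1, k2, k3, k4, ID = st
    return (ids & k4) ^ n2, ((ids & n1) | n2) ^ ID ^ k1 ^ k2 ^ k3 ^ k4

def tag_respond(st, A, B, C):
    """Tag: check A against B, infer n1 and n2, answer D||E, then update."""
    ids, k1, k2, k3, _, _ = st
    n1 = A ^ ids ^ k1
    if B != (ids | k2) ^ n1:
        return None
    n2 = C ^ ids ^ k3
    return (*expected_de(st, n1, n2), update(st, n1, n2))

def tampered_session(st, j, rng):
    """One session with bit j of C, D' and E' toggled in transit; needs IDS(j) = 0."""
    ids, k1, k2, k3, _, _ = st
    n1, n2, ej = rng.getrandbits(M), rng.getrandbits(M), 1 << j
    A, B, C = ids ^ k1 ^ n1, (ids | k2) ^ n1, ids ^ k3 ^ n2
    D, E, tag_state = tag_respond(st, A, B, C ^ ej)
    accepted = (D ^ ej, E ^ ej) == expected_de(st, n1, n2)  # reader's check
    return accepted, update(st, n1, n2), tag_state  # reader state if it accepts

if __name__ == "__main__":
    rng = random.Random(2007)                          # constructed demo values
    st = tuple(rng.getrandbits(M) for _ in range(6))   # IDS, K1..K4, ID
    j = next(i for i in range(M) if not st[0] >> i & 1)
    ok, reader, tag = tampered_session(st, j, rng)
    print(ok, [r != t for r, t in zip(reader, tag)])
```

The per-field comparison it prints is ordered IDS, K1, K2, K3, K4, ID; the first three differ because they are updated with n2, while K3 and K4 depend only on n1.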


What kind of problem has been demonstrated?

A. Ethical issues
B. Illicit tracking of the tags
C. Skimming
D. Tag cloning
E. Cross-contamination
F. Tag killing
G. Invasive attack / side channel attack
H. Jamming


Countermeasure: Error-correcting codes?

• Can report/correct a number of 1-0 errors
  – can detect the attack as presented above

• BUT
  – the attack can be generalised to replace (n1,n2) by (n1’,n2’) toggling multiple bits simultaneously…
  – … and fooling the error-correcting codes!


Murphy’s Law

Just when you think things cannot get any worse,

they will.


Attack 2

Full disclosure attack

Run EMAP (a number of times) and discover ID and all the keys!

Want to know more? Read the paper