Upload
neena
View
31
Download
0
Embed Size (px)
DESCRIPTION
RFID Security and Privacy Part 2: security example. Zoom in: Authentication. Should be mutual reader should recognise tags tag should recognise readers EMAP: E fficient M utual A uthentication P rotocol for Low-cost RFID Tags. - PowerPoint PPT Presentation
Citation preview
RFIDSecurity and Privacy
Part 2: security example
Zoom in: Authentication
• Should be mutual– reader should recognise tags– tag should recognise readers
• EMAP: Efficient Mutual Authentication Protocolfor Low-cost RFID Tags.– proposed by P. Peris-Lopez, J. C. Hernandez-
Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.
EMAP model
IDS1 Key1
… …
IDSn Keyn
Updated after each session
Identification ID (m bits)
Key (4m bits) = K1||K2||K3||K4
Pseudonym IDS (m bits)
|| concatenation
DB
EMAP protocol
Reader Tag
hello
IDS
Database
IDS
K1||K2||K3||K4
Random n1,n2 A||B||CA = IDS K1 n1
B = (IDS K2) n1
C = IDS K3 n2
Check AB.Infer n1,n2
D||E
D = IDS K4 n2
E = (IDS n1 n2) ID
K1 K2 K3 K4
Update IDS and K1...K4
Check D.Update IDS and K1...K4
Update …• IDS’ = IDS n2 K1.• K1’ = K1 n2 (ID1/2 || F(K4) || F(K3))
– ID1/2 – first m/2 bits of ID– F(X) – parity function
• Divide X in m/4 4-bit blocks• Compute a parity bit for each block
• K2’ = K2 n2 (F(K1) || F(K4) || ID2/2)• K3’ = K3 n1 (ID1/2 || F(K4) || F(K2))• K4’ = K4 n1 (F(K3) || F(K1) || ID2/2)
EMAP is efficient
• Tag memory: – Rewritable memory: 4m bits (keys) + m (IDS) – ROM: m bits (ID)– Very reasonable for m = 96…
• Operations:– tag does cheap processing: ,,, ||– random number generation – reader only!– no expensive operations
(e.g hash function, multiplication)
Further advantages of EMAP
• tag anonymity– the same ID but different messages!
• forward security– knowledge of K1...K4 does not reveal updated key
Li and Deng:
EMAP is vulnerable
"Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol "
April 2007
Attack 1: Desynchronisation
Tag
hello
IDS
A||B||C'
infer n2' instead of n2
wrong D'||E'
Update IDS and the key
Reader
random n1,n2
Update IDS and the key
Intruder
hello
IDSj s.t. IDS(j) = 0
A||B||C Toggle j in C
D||E
Toggle j in D' and E'
n2' = n2 ej
• expected: D = (IDS K4) n2
• received: ( (IDS K4) n2’ ) ej
– i.e. (IDS K4) n2 ej ej = D
Attack 1: Reader accepts D
• expected: E = (IDS n1 n2) ID K1 K2 K3 K4
• received: (IDS n1 n2’)
ID K1 K2 K3 K4 ej
• compare: IDS n1 n2 vs. (IDS n1 n2’) ej
– look at jth bit: IDS(j) = 0 (IDS n1 n2)(j) = n2(j)
Attack 1: received E is correct
Attack 1: Tag update
• IDS’ = IDS n2 K1.• K1’ = K1 n2 (ID1/2 || F(K4) || F(K3))• K2’ = K2 n2 (F(K1) || F(K4) || ID2/2)• K3’ = K3 n1 (ID1/2 || F(K4) || F(K2))• K4’ = K4 n1 (F(K3) || F(K1) || ID2/2) Desynchronisation on IDS, K1 and K2
You can also attack n1 rather than n2 or both (see the paper)
What kind of problem has been demonstrated?A. Ethical issuesB. Illicit tracking of the tagsC. SkimmingD. Tag cloningE. Cross-contaminationF. Tag killingG. Invasive attack / side channel attackH. Jamming
Countermeasure: Error-correcting codes?
• Can report/correct a number of 1-0 errors– can detect the attack as presented above
• BUT – the attack can be generalised to replace (n1,n2) by
(n1’,n2’) toggling multiple bits simultaneously…– … and fooling the error-correcting codes!
Murphy’s Law
Just when you think things cannot get any worse,
they will.
Attack 2
Full disclosure attack
Run EMAP (a number of times) and discover ID and all the keys!
Want to know more? Read the paper