Reverse Engineering a Cryptographic RFID Tag

Similar documents
Karsten Nohl University of Virginia. Henryk Plötz HU Berlin

Reviving smart card analysis

Hacking Mifare Classic Cards. Márcio Almeida

Reverse-Engineering a Cryptographic RFID Tag

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Strengthen RFID Tags Security Using New Data Structure

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

A PPENDIX H RITERIA FOR AES E VALUATION C RITERIA FOR

Privacy and Security in library RFID Issues, Practices and Architecture

Gemalto Mifare 1K Datasheet

How To Understand The Power Of An Freddi Tag (Rfid) System

PUF Physical Unclonable Functions

ADVANCED IC REVERSE ENGINEERING TECHNIQUES: IN DEPTH ANALYSIS OF A MODERN SMART CARD. Olivier THOMAS Blackhat USA 2015

Beveiliging van de OV-Chipkaart

Securing Host Operations with a Dedicated Cryptographic IC - CryptoCompanion

RFID Penetration Tests when the truth is stranger than fiction

Peeling Away Layers of an RFID Security System

NACCU Migrating to Contactless:

Implementation of biometrics, issues to be solved

RFID BASED VEHICLE TRACKING SYSTEM

Using RFID Techniques for a Universal Identification Device

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

Chip Card & Security ICs Mifare NRG SLE 66R35

Lightweight Cryptography. Lappeenranta University of Technology

MF1 IC S General description. Functional specification. 1.1 Contactless Energy and Data Transfer. 1.2 Anticollision. Energy

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Secure Semi-Passive RFID Tags Prototype and Analysis

Enabling the secure use of RFID

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

A Low Cost Solution to Authentication in Passive RFID Systems

RAIN RFID and the Internet of Things: Industry Snapshot and Security Needs. Matt Robshaw and Tyler Williamson Impinj Seattle, USA

IronKey Data Encryption Methods

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

What is a Smart Card?

More effective protection for your access control system with end-to-end security

Various Attacks and their Countermeasure on all Layers of RFID System

W.A.R.N. Passive Biometric ID Card Solution

Radio Frequency Identification (RFID)

GSM Risks and Countermeasures

The Misuse of RC4 in Microsoft Word and Excel

WHITE PAPER. ABCs of RFID

SECURITY IN LOW RESOURCE ENVIRONMENTS

Security and Privacy in RFID

RFID Security: Threats, solutions and open challenges

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Security & Chip Card ICs SLE 44R35S / Mifare

Low- Cost Chip Microprobing

CHASE Survey on 6 Most Important Topics in Hardware Security

Design And Implementation Of Bank Locker Security System Based On Fingerprint Sensing Circuit And RFID Reader

Security in Near Field Communication (NFC)

Advancements in Wireless Access-Control Security. By Vivien Delport Director of Applications. And

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Secure recharge of disposable RFID tickets

Anatomy. Subway Hack. of a. Russell Ryan Zack Anderson Alessandro Chiesa. For updated slides and code, see:

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Lightweight Encryption Protocol for Passive RFID System using SIMON

All You Can Eat. Breaking a Real-World Contactless Payment System

Security and Privacy Flaws in a Recent Authentication Protocol for EPC C1 G2 RFID Tags

Chapter 6 CDMA/802.11i

A Study on the Security of RFID with Enhancing Privacy Protection

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Design and Security Considerations for Passive Immobilizer Systems

Secure Automatic Ticketing System

Rfid Authentication Protocol for security and privacy Maintenance in Cloud Based Employee Management System

CSCE 465 Computer & Network Security

RFID Security and Privacy: A Research Survey. Vincent Naessens Studiedag Rabbit project

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

Functional diagram: Secure encrypted data. totally encrypted. XOR encryption. RFID token. fingerprint reader. 128 bit AES in ECB mode Security HDD

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Keep Out of My Passport: Access Control Mechanisms in E-passports

Network Security: Cryptography CS/SS G513 S.K. Sahay

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

RF ID Security and Privacy

Overview of the Internet of Things {adapted based on Things in 2020 Roadmap for the Future by EU INFSO D.4 NETWORKED ENTERPRISE & RFID}

Evolving Bar Codes. Y398 Internship. William Holmes

Data Protection Technical Guidance Radio Frequency Identification

RFID SECURITY. February The Government of the Hong Kong Special Administrative Region

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security

CSci 530 Midterm Exam. Fall 2012

Privacy Enhanced Active RFID Tag

Technical Article. NFiC: a new, economical way to make a device NFC-compliant. Prashant Dekate

Authentication requirement Authentication function MAC Hash function Security of

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

E-Blocks Easy RFID Bundle

Location-Aware and Safer Cards: Enhancing RFID Security and Privacy

RFID based Bill Generation and Payment through Mobile

advant advanced contactless smart card system

Cryptography and Network Security

Advanced Authentication

Analysis of the MIFARE Classic used in the OV-Chipkaart project

Cryptography and Network Security Chapter 12

Pervasive Computing und. Informationssicherheit

Smart Card Security How Can We Be So Sure?

Transcription:

Reverse Engineering a Cryptographic RFID Tag Karsten Nohl, David Evans, Starbug Plötz, Henrik Plötz Presented by Avani Wildani

Radio Frequency IDentification All RFID tags are essentially radio transponders with memory. Can be either passive (no power) or use relfective power (modulated backscatter) with a battery. Two components: IC and antenna

Where are RFIDs used? UCSC (and most corporate) ID Cards Passports Clothing/Books/CDs (EPC tags) BART Passes Animal Tracking Paying for drinks if you re a VIP (!) Image: WalMart EPC RFID tag; courtesy of Wikipedia

RFID Errata Smallest tag is 150 x 150 x 7.5 microns Can store 38 digit numbers using 128-bit ROM. Initiative to reduce per-tag price to 5, or about a nickel. Typical frequencies are 0.125 0.1342, 0.140 0.1485, 13.56, and 868 928 Mhz. Optical RF ID uses 333 THz. It also can t be read without line of sight, which makes it slightly less vulnerable. Image courtesy of http://www.pinktentacle.com/tag/hitachi/

Security Issues RFID manufacturers love Security through Obscurity Many RFID tags send and receive data in clear text, leaving themselves open to man in the middle attacks (more later) Cost of reconstructing cipher from the hardware implementation is less than manufacturers think.

MIFARE Classic RFID Tag Primarily for ticketing, transportation, and access control / identification. Widespread: Costs under.5 in small quantities. 1sq mm: 1/4 for 1K flash, 1/4 for antenna, 1/2 for logic + cryptography Crypto functions make up 400 2-NAND gate equivalents, whereas small AES takes 3400: very simplistic.

MIFARE Cipher Uses a 48-bit symmetric stream cipher. This is already crackable: remember how easy it was to crack 56-bit DES. Data is divided into two sections with different access rights and correspondingly different keys. To ease key-distribution, different tags in a system frequently have the same read key, leaving it open to impersonation.

Physical Reverse Engineering Step 1: Dissolve cards with acetone to get access to the chip. Step 1.5: Place chip in a medium to limit tilting Step 2: Polish off micrometer-thin layers of the chip using.04µm thick sandpaper or polishing solution. Step 3: Image all 6 layers (transistors are on the bottom). Some tilting is unavoidable. Use a tool to average several images.

Physical Reverse Engineering Step 4: There are several thousand logic gates on a chip, but only about 70 types. Identify these gates. Step 5: Use MATLAB image processing to automatically identify these gates given the templates you ve identified. Use normalized cross-correlation to overcome the variation in color/brightness across your chip images. This is <10 minutes for the entire chip.

Physical Reverse Engineering Image from Nohl et al., 2008

Physical Reverse Engineering Now that you know how the gates are laid out, you can find the cryptographic area of the chip by looking for a 48+ bit register and a set of XOR gates. RNG is an area with output but no input. Examine the area by hand, but don t over-do it: you can fill in holes in your knowledge by analyzing the protocol.

Protocol Analysis Use the OpenPCD Open Source RFID Reader to poke the chip. This lets you control timing, which is important to discovering vulnerabilities. First test: Are the key and the (known) tag ID shifted together sequentially? They tried shifted combinations and found many worked. This also told them the structure of the 48-bit linear shift register that holds the cipher. Entirely deterministic register that just cycles through a set of values by XOR-ing.

Protocol Analysis Cipher contains no non-linearity. This means everything is easy to derive once you know something. Recap: Authentication protocol is taking a shared secret key and a unique ID tag as input and using those to establish a shared session key for the stream cipher.

Random Number Generation Random numbers generated by a 16-bit linear feedback shift register initialized to a constant value. This means that the random number is purely a function of the amount of time the tag has been powered up! The number is also very short. Even if you can t control the timing, you only have 65,535 possibilities.

Vulnerabilities Key is small enough to brute force. Takes about 50 minutes on 64 FPGAs. Since you control random numbers and know the shifting patterns, you can create a codebook of recorded authentication outputs and the corresponding keys. Rainbow tables let you trade computation for space and store information for all keys. Each session key/id pair has exactly one corresponding secret key and all shifts are linear: Thus, if you compute codebook for one secret key, you can use it anywhere...

Summary Attacker scans public RFID ID. Use a reader to record just two timed challengeresponse interactions with the card. Use codebook to compute the key. Read all data on the card in the clear. Game over.

Fixing MIFARE Classic Better RNG: exploit the fact that memory cells are initially random. Start the cipher area in a random state and evolve using feedback loop until the random number is needed. This also saves space since you don t need a separate RNG: Use this to make a bigger cipher. Break the key-id mapping by using a non-linear feedback on one of the two for the register shift. Make the output function non-linear to protect against statistical attacks.

General Defense Don t rely on secrets! Use something like 3-DES and implement it properly. Use fraud detection to detect unusual access patterns. Even worse for privacy than straight RFID. Obfuscate at least the cipher part of your physical circuit design.

Just in case you feel safe... Many large companies don t bother with encryption at all. For access-passes, you can just grab and replicate the authentication code from a correct RFID: This is known as a relay attack. Passport cards and drivers licenses can be easily cloned as well as having the data stolen off them. You can download apps off the Internet to back-up any actual modern US passport.

Further Reading http://www.dexlab.nl/ (Passport Backup) http://hackaday.com/2009/02/16/shmoocon-2009- chris-pagets-rfid-cloning-talk/ (Great talk!) http://hackaday.com/2009/02/02/mobile-rfid-scanning/ (Passport RFID Cards) http://www.schneier.com/blog/

Questions? Amal Graafstra s hands. Image courtesy of http://www.amal.net/rfid.html

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information