Transcript PPT - rfid infosec

Tag Layer
CSCE 4013 RFID INFOSEC
Instructor: Dr. Jia Di
JBHT 523
5-5728, [email protected]
1
Outline
 RFID Tag Overview
 Tag Architecture
 Memory
 Tag Protocol
 Managing Tag Populations
 Threats and Mitigation
2
RFID Tag Overview
3
Classification of RFID Tags
 Class-1: Identity Tags (Normative)
 Higher-Class Tags (Informative)
 Class-2: Higher-Functionality Tags
 Class-3: Semi-Passive Tags
 Class-4: Active Tags
 Higher-class tags shall not conflict with the operation
of, nor degrade the performance of, Class-1 tags
located in the same RF environment.
4
Classification of RFID Tags
(Cont’)
 Class-1: Identity Tags
 Class-2: Higher-Functionality
Tags
 An electronic product code (EPC)




identifier
A tag identifier
A ‘kill’ function that permanently
disable the tag
Optional password-protected
access control
Optional user memory




An extended Tag ID
Extended user memory
Authenticated access control
Optional other features
 Class-3: Semi-Passive Tags
 Class-4: Active Tags
 An integral power source
 Integrated sensing circuitry
 Tag-to-tag communications
 Active communications
 Ad-hoc networking capabilities
*Note that each higher-class tag has its extended features above and beyond its immediate predecessor
*We focus on Class-1, UHF RFID Tags
5
Review of Reader-Tag
Communication
 A reader transmits information to a tag by modulating




an RF signal in the 860 MHz – 960 MHz frequency
range.
The tag receives both information and operating
energy from this RF signal.
A reader receives information from a tag by
transmitting a continuous-wave RF signal to the tag.
The tag responds by modulating the reflection
coefficient of its antenna, thereby backscattering an
information signal to the reader.
Communication is half-duplex, meaning that readers
talk and tags listen, or vice versa.
6
Tag Architecture
7
Reader-Tag Communication Protocol
Overview
 Physical Layer
 Tag-identification layer
 Select
 Inventory
 Access
8
Circuit Block Diagram
Power Generation/
Management Unit
Antenna
Rectifier
Voltage
Regulator
Reset
Circuit
ChargePump
Demodulator
Envelope
Detector
Ring
Oscillator
Digital Logic
Memory
Comparator
Modulator
Bias
Generator
Data
FSM
Buffer
Memory
Interface
Phase
Modulator
9
Antenna
 K. V. S. Rao, P. V. Niktin, S. F. Lam,
“Antenna design for UHF RFID tags: a review
and a practical application,” IEEE
Transactions on Antenna and Propagation,
Vol. 53, Issue 12, Dec. 2005
10
Power Generation and Management
Circuit
 Rectifier
 Charge Pump
 Voltage Regulator
 Reset Circuit
11
Rectifier
 Convert alternating current to rectified direct
current
 Half-wave rectification
 Full-wave rectification
12
Charge Pump
 Use capacitors as energy storage elements
to create either a higher or lower voltage
power source
 Multi-stage operation
 It can double, triple, halve, invert, fractionally
multiply or scale voltages
13
Voltage Regulator
 Maintain a constant voltage level
 Low Dropout (LDO) regulator – a DC linear
voltage regulator which has a very small
input-output differential voltage
14
Reset Circuit
 Generate reset signal for the whole chip
 Power-on reset
15
Demodulator
 Envelope detector
 Comparator
 Ring oscillator
 Bias generator
Date Rate
Register
ASK
Input
Envelope
Detector
Waveform
Shaper
(A/D)
Counter
Digital
Comparator
Osc
16
Envelope Detector
 Take a high-frequency signal as input, and
provide an output which is the “envelope” of
the original signal
17
Comparator
18
Ring Oscillator
 A chain containing odd number of inverters,
with the output of the last inverter feeds back
to the input of the first inverter
Odd Number
19
Modulator
 Phase modulator –
represent information
as variations in the
instantaneous phase of
a carrier wave
20
Memory
21
Memory Banks
 Four distinct banks, each has its own address space
 Reserved Memory – contain kill and/or access
passwords
 EPC Memory – contain a CRC, Protocol-Control (PC)
bits, and an identification code
 TID Memory – contain an ISO/IEC allocation class
identifier, and sufficient identifying information
 User Memory – contain user-specific data storage
22
Logical Memory Map
23
Memory Access
 Commands have a MemBank parameter to
select which bank to access (00-Reserved,
01-EPC, 10-TID, 11-User), and an address
parameter to select a particular memory
location within the bank
 Operations in one logical memory bank shall
not access memory locations in another bank
 Readers may lock, permanently lock, unlock,
or permanently unlock memory
 16-bit word
24
Tag Protocol
25
Basic Operations
 Select – choose a tag population for inventory
and access
 Inventory – identify tags
 Access – communicate with (reading from
and/or writing to) a tag
26
Sessions and Inventory Flags
 Four sessions (S0, S1, S2, S3)
 Tag participates in one and only one session during an






inventory round
Two or more readers can use sessions to independently
inventory a common tag population
Tags maintain an independent Inventoried flag for each session
– two value (A/B)
At the beginning of each and every inventory round a reader
chooses to inventory either A or B tags in one of the four
sessions
Tags participating in an inventory round in one session shall
neither use nor modify the Inventoried flag for a different session
All other tag resources are shared among sessions except the
Inventoried flags
After singulating a tag a reader may issue a command that
causes the tag to invert its Inventoried flag for that session
27
Session Diagram
28
Tag Inventoried Flags Power-On
Status
 Persistence time




S0 Inventoried flag – set to A
S1 Inventoried flag – set to A or B
S2 Inventoried flag – set to A or B
S3 Inventoried flag – set to A or B
 Question – since the power-on status of some flags
are unknown by the reader, how can a reader
inventory all tags in the field?
 Selected flag – SL
29
FSM
 At a glance
30
Ready State
 A “holding state” for energized tags that are neither killed
nor currently participating in an inventory round
 After power-on, tag maintains in Ready state until it
receives a Query command whose inventoried
parameter and sel parameter match its current flag values
 It will then draw a Q-bit number from RNG, load it into the
slot counter, and transition to the Arbitrate state if the
number is nonzero, or to the Reply state if the number is
zero
31
Arbitrate State
 A “holding state” for tags that are participating in the current
inventory round but whose slot counters hold nonzero values
 Decrement its slot counter every time it receives a QueryRep
command whose session parameter matches the session for
the inventory round currently in progress
 Transition to the Reply state when its slot counter reaches 0000h
 If tag returns to Arbitrate state with slot counter as 0000, upon
next QueryRep the tag decrements it to 7FFFh, and remains in
Arbitrate state
32
Reply State
 Tag backscatters an RN16
 If tag receives a valid ACK it transitions to the
Acknowledged state; otherwise returns to the
Arbitrate state
33
Acknowledged State
 May transition to any state except Killed state
depending on the command
 Upon receiving a valid ACK containing the correct
RN16, the tag re-backscatters its PC, EPC, and
CRC-16; otherwise returns to Arbitrate state
34
Open State




A tag in the Acknowledged state whose access password is nonzero shall
transition to Open state upon receiving a Req_RN command, backscattering a
new RN16 (handle)
Execute all access commands except Lock
May transition to any state except Acknowledged state
Upon receiving a valid ACK containing the correct handle, the tag rebackscatters it PC, EPC, and CRC-16
35
Secured State





A tag in the Acknowledged state whose access password is zero shall transition to the
Secured state upon receiving a Req_RN command, backscattering a new RN16 (handle)
A tag in the Open state whose access password is nonzero shall transition to Secured state
upon receiving a valid Access command sequence
Execute all access commands
May transition to any state except Open or Acknowledged
Upon receiving a valid ACK containing the correct handle, the tag re-backscatters it PC,
EPC, and CRC-16
36
Killed State
 A tag in either the Open or Secured states shall enter the Kill state




upon receiving a Kill command sequence with a valid nonzero kill
password and valid handle
Kill permanently disables a tag
Upon entering the Killed state a tag shall notify the reader that the kill
operation was successful, and shall not respond to a reader thereafter
Killed tags shall remain in the Killed state under all circumstances and
shall immediately enter Killed state upon subsequent power-ups
A kill operation is not reversible
37
Random Number Generator and Slot
Counter
 RNG – random or pseudo-random number
generator generates 16-bit random number
RN16
 Slot Counter – a 15-bit counter, preload a
value between 0 and 2Q-1 upon receiving a
Query or QueryAdjust command
38
Managing Tag
Populations
39
Reader/Tag Operation
40
Selecting Tag Populations
 Single command – Select
 Assert/deassert a tag’s SL flag, or set a tag’s
Inventoried flag to either A or B in any one of the four
sessions
 Parameters – Target, Action, MemBank, Pointer,
Length, Mask, and Truncate
 By issuing multiple identical Select commands a
reader can asymptotically single out all tags matching
the selection criteria even though tags may undergo
short-term RF fades
41
Inventorying Tag Populations
 Several commands – Query, QueryAdjust,
QueryRep, ACK, and NAK
 Query sets a slot-count parameter Q. Tags
pick a random value in the range of [0, 2Q-1],
and load the value into their slot counter.
 Tags that pick a zero transition to the reply
state and reply immediately; others transition
to the arbitrate state and await a
QueryAdjust or QueryRep command.
42
Inventorying Tag Populations (Cont’)
 Assuming that a single tag replies
 The tag backscatters an RN16 as it enters reply
 The reader acknowledges the tag with an ACK containing this
same RN16
 The acknowledged tag transitions to the acknowledged state,
backscattering its PC, EPC, and CRC-16
 The reader issues a QueryAdjust or QueryRep, causing the
identified tag to invert its inventoried flag and transition to ready,
and potentially causing another tag to initiate a query-response
dialog with the reader
 If the tag fails to receive a correct ACK, it returns to
arbitrate
43
Inventorying Tag Populations (Cont’)
 If multiple tags reply, the reader, by detecting
the resolving collisions at the waveform level,
can resolve an RN16 from one of the tags,
the reader can ACK the resolved tag.
 Unresolved tags receive erroneous RN16s
and return to arbitrate without backscattering
their PC, EPC, and CRC-16
44
Accessing Individual Tags
 Several commands – Req_RN, Read, Write,
Kill, Lock, Access, BlockWrite, BlockErase
 A reader accesses a tag in acknowledged
state
 The reader issues a Req_RN to the tag
 The tag generates and stores a new RN16 (handle),
backscatters the handle, and transitions the open if
its access password is nonzero, or to secured if zero
 The reader may now issue further access commands
45
Accessing Individual Tags (Cont’)
 Handle is an important parameter to access a tag
 Write, Kill, and Access commands send a 16-bit word
to the tag using one-time-pad based link covercoding to obscure the word being transmitted
 The reader issues Req_RN. Tag responds by backscattering a
new RN16. The reader then generate a 16-bit ciphertext string
comprising a bit-wise XOR of the 16-bit word to be transmitted
with the new RN16, and issues the command with this
ciphertext string as parameter
 The tag decrypts the received ciphertext string by performing a
bit-wise XOR of the received 16-bit ciphertext string with the
original RN16
 Multi-step procedure – Kill, issuing an access
password
 Memory lock
46
Tag Layer Threats and
Mitigation Methods
Some Slides Borrowed from Kris Tiri, Hwasun Chang, Yossef Oren, and
Pankaj Rohatgi
47
Limitations of Class I Gen 2 RFID
Tags
 Cost
 Power
 Wireless communication nature
48
Attacks for Impersonation
 Tag Cloning / Counterfeiting
 Tag Spoofing
 Relay Attack
 Replay Attack
49
Tag Cloning / Counterfeiting
 An adversary can easily copy the memory
content of an authentic tag to create an
identical yet cloned tag
 EPC Class I tags have no mechanism for
preventing cloning
 In many cases, cloned tags are
indistinguishable from authentic ones
50
Tag Spoofing
 Emulation
 A variation of tag cloning
 An adversary uses a custom designed
electronic device to imitate, or emulate, the
authentic tag
 The adversary needs to have full access to
legitimate communication channel as well as
knowledge of the protocols and secrets used
in the authentication process
51
Mitigating Tag Cloning /
Counterfeiting / Spoofing Attacks
 Challenge-response authentication protocol
 Physical Unclonable Function (PUF)
 Fragile watermarking
 Tag Fingerprinting
52
Relay Attack
 Man-in-the-middle
 Close proximity assumption (<~25 feet)
 This assumption can be utilized by an
adversary to “fool” the authentic tag and
reader by letting them believe they are
communicating with each other directly, while
they are actually talking to “the middle man”
Victim
Reader
Ghost
Leech
Victim
Tag
53
Replay Attack
 Similar to relay attack
 An adversary may use the captured valid
reader-tag communication data at a later time
to other readers or tags for impersonation
54
Mitigating Relay Attacks
 Detect the distance between reader and tag
 Limit the direction of radio signals
55
Mitigating Replay Attacks
 Add timestamps
 One-time password
 Incremental sequence numbers
 Clock synchronization
56
Attacks for Information Leakage
 Unauthorized Tag Reading
 Covert Channel
 Eavesdropping
 Tag Modification
 Side-Channel Attacks (to be covered later)
57
Unauthorized Tag Reading
 An adversary places an illegitimate reader
within the proximity of the target tag to access
the tag data
 Tags do not have on/off switches
 Simple yet effective
58
Covert Channel
 Covert channels are unintended or
unauthorized communication paths that can
be used to transfer information in a manner
that violates system security policies
 It is possible to create covert communication
channels through the use of user-defined
memory banks on tag
59
Eavesdropping / Sniffing
 An adversary uses an electronic device with
antenna to listen to the legitimate reader-tag
communication and record the messages
 Reader-to-tag (forward channel)
 Tag-to-reader (backward channel)
Reader
Tag
Operating
Range
Backward Channel
Eavesdropping Range
Forward Channel Eavesdropping Range
60
Mitigating Unauthorized Tag Reading /
Covert Channel / Eavesdropping Attacks
 Break the reader-tag communication link
when the tag is not being accessed
 Tag shielding
 Blocker tag
 RFID Guardian
 Apply access control mechanisms to the tag
 Communication Encryption
 Kill the tag after use
 Reduce the availability of the memory resource on
tag
61
Tag Modification
 An adversary tries to modify the data stored
on tag
 User-writeable memory
62
Mitigating Tag Modification and
Reprogramming Attacks
 Use read-only tags
 Adopt efficient coding / cryptographic
algorithms to secure the on-tag data
 Reader authentication
63
Attacks for Denial-of-Service (DoS)
 KILL Command Abuse
 Passive Interference
 Active Jamming
64
Kill Command Abuse
 If an adversary obtains the password for the
Kill command, he/she can use it to issue
unauthorized Kill commands
 Lock
 Permanent Lock
65
Passive Interference
 The RF communication link between reader
and tag is susceptible to interferences
 Absorption
 Bound back
 Collision
 An adversary may use foil-lined bags to
shield tags from EM waves sent from a
legitimate reader to block the access
66
Active Jamming
 Powered interference
 An adversary uses an electronic device to
send out radio signals to disrupt the readertag communication
67
Mitigating Kill Command Abuse / Passive
Interference / Active Jamming Attacks
 Improve the physical security of the
authorized reader-tag communication
channel
 Secure password management
68
Attacks through Physical Manipulation
 Physical Tampering
 Tag Swapping
 Tag Removal
 Tag Destruction
 Tag Reprogramming
69
Side-Channels
Information leakage from implementation
 Example:
safecracker
feels tumblers impacting
and opens lock without
trying each combination
 Similarly:
hacker observes time/power
and cracks cipher without trying each key
Device in normal operation, no physical harm
Covert channel without conspiracy/consent
70
Side-Channel Attacks in a Nutshell
unknown secret key
device
e.g. estimated power =
AES: 128-bit secret key
number of changing bits
brute force impossible
can be lousy model
measurement
input
analysis
P ==SS-1-1
(K(K
P
GC)
GC)
model
E
E ==HmW(P)
HmW(P)
7
3
3
key fragment guess
20840272
estimation
3
6712875
18265523
compare both and
e.g. guess 8 bits
choose key guess
71
brute force easy
with best match
Power Analysis Example
 Unprotected ASIC AES





with 128-bit datapath,
key scheduling
Measurement: Ipeak
in round 11
Estimation:
HamDistance
of 8 internal bits
Comparison: correlation
Key bits easily found
despite algorithmic noise
128-bit key under 3 min.
‘start encryption’-signal
supply current
clock cycle of interest
72
DPA Result Example
Average Power
Consumption
Power Consumption
Differential Curve
With Correct Key Guess
Power Consumption
Differential Curve
With Incorrect Key Guess
Power Consumption
Differential Curve
With Incorrect Key Guess
73
EM-attack example: TESTED BIT = 0 IN BOTH TRACES
74
EM-attack example: TESTED BIT DIFFERENT
75
Side-Channel Attacks
 Power-based attacks (SPA, DPA, HO-DPA)
 Timing-based attacks
 Electromagnetic-based attacks
 Fault-injection attacks
76
Remote Power Analysis to RFID Tags
 Most of the payload of today’s RFID tags is
public – that’s what they’re for
 However, tags still have secrets!
 Today – EPC tags have secret access and
kill passwords
 Tomorrow – cryptographic keys?
77
A Closer Look at Backscatter
Modulation
 The current flowing through the tag antenna
results in an electromagnetic field
 Busy tag = More current = stronger field
 We call this effect parasitic backscatter
Tag
Reader
78
Existence of parasitic backscatter (1)
 Trace shows the signal reflected from a Generation 1 tag
during a kill command
 Tag is supposed to be completely silent
 Is it? Let’s zoom in…
Power
Time
79
Existence of parasitic backscatter (2)
 The distinctive saw-tooth pattern is added by the tag to the
clean reader signal
Reflection from tag
Original signal from reader
Power
Time
80
Full power analysis attack from
parasitic backscatter
 Experiment was done with one tag at a fixed
location
 Tag was programmed with kill password
“1111 1111”, then “0000 0001”
 In both cases we tried to kill it with the wrong
password “0000 0000”
81
81
Extracting one password bit
In both cases, tag gets “0000 0000”
Here, the tag is expecting “1111 1111”
Here, it is expecting “0000 0001”
82
CMOS Circuit Power Consumption
 CMOS circuits are built out of transistors,
which act as voltage-controlled switches
 Switching activities at internal circuit nodes
cause power and delay
83
CMOS Circuit Power and Delay
P  CL V  
2
DD
t  Ron  CL
Power consumption and timing delay are highly correlated to switching activities
84
Imbalance of Switching Activities
among Processing Different Data
Y2
Y1
Y0
X2
REG REG REG
22
12
02
X1
X0
Y2
HA
11
01
FA
20
Y0
X2
REG REG REG
REG REG REG
21
Y1
10
00
22
12
02
21
11
01
FA
20
10
00
HA
HA
HA
FA
FA
FA
FA
REG
REG
S5
S4
0
X0
REG REG REG
HA
HA
X1
REG REG REG REG
S3
S2
S1
S0
REG
REG
S5
S4
REG REG REG REG
S3
S2
X
0
0
0
X
1
1
1
Y
0
0
0
Y
1
1
1
0
0
1
1
1
1
1
1
1
1
1
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
1
0
1
S1
S0
85
Synchronous Circuit Power
Fluctuation Simulation
120000.00%
350000.00%
300000.00%
100000.00%
250000.00%
80000.00%
200000.00%
60000.00%
Syn AND
Syn XOR
Syn Mult
150000.00%
40000.00%
100000.00%
20000.00%
50000.00%
0.00%
0.00%
0x0
1x1
2x2
(a)
3x3
4x4
00
01
10
11
(b)
Boolean circuits are vulnerable to side-channel attacks
86
What can we do about it?
 Randomize power consumption – add noise
to reader/tag
 Use random initial point
 Random power management
 Random code injection
 De-correlate power consumption from internal
data pattern being processed
 New transistor-level gate designs (SABL, DyCML, SDDL,
WDDL, etc.)
 Current compensation
 Execute both nominal and complementary data
 Dual-rail asynchronous logic
87
Asynchronous Logic
 No clock
 High power efficiency
 Potential speed up
 Low noise / emission
 Flexible timing requirement
 Robust operation
88
Attempting to Balance Power Fluctuation –
Traditional Asynchronous Method
 NULL Convention Logic (NCL)
 Multi-rail encoding
 DATA-NULL cycle
Data #3
NULL
Data #2
NULL
State
Rail 1
Rail 0
NULL
0
0
DATA 0
0
1
DATA 1
1
0
Invalid
1
1
Data #1
NULL
Rail 1
Rail 0
1
N
0
N
1
N
Number of switching is independent of data pattern
89
However, Power Fluctuation Still
Exists
Rail 1
Rail 0
1
N
1
N
1
N
Rail 1
Rail 0
0
N
0
N
0
N
Rail 1
CL1
Rail 1
Rail 0
Rail 0
CL0
2
P  CL VDD

Imbalance of switching activities
between the two rails still cause
power fluctuation
90
Balancing the Switching Activities
between Two Rails
 Dual-spacer Dual-rail
Delay-insensitive Logic
(D3L)
Data #3
All-zero
Spacer
Data #2
State
Rail 1
Rail 0
All-zero spacer
0
0
DATA 0
0
1
DATA 1
1
0
All-one spacer
1
1
All-one
Spacer
Data #1
All-zero
Spacer
Rail 1
Rail 0
DATA1
AZS
DATA0
AOS
DATA1
AZS
91
Data Sequence Examples
Rail 1
Rail 0
AZS
DATA1
AOS
DATA1
AZS
DATA1
AOS
DATA1
AZS
Rail 1
Rail 0
AZS
DATA0
AOS
DATA0
AZS
DATA0
AOS
DATA0
AZS
Rail 1
Rail 0
AZS
DATA0
AOS
DATA1
AZS
DATA1
AOS
DATA0
AZS
Switching activities between two rails are perfectly balanced92
The Flip Side
 Both NCL and D3L exhibit average case
performance, i.e., the same input pattern
always takes the same amount of time to
process
 Significantly facilitate timing-based sidechannel attacks
 Solution – timing randomization using delay
elements
93
Delay Element Used in D3L Circuits
94
Controlling the Delay Element
95
Test Vehicle – AES Core
96
Simulation Setup
 Three AES Cores – Synchronous, NCL, D3L
(two versions)
 IBM 5AM 0.5μm Process
 Differential Power Analysis on all three
designs
 Timing Analysis on D3L designs (with and
without delay elements)
 Synopsys Nanosim
97
DPA Results
98
Timing Analysis Results
99