handling security threats to the rfid system of epc networks j. garcia-alfaro, m. barbeau, e....
TRANSCRIPT
Handling Security Threats to the RFID System of EPC Networks
J. Garcia-Alfaro, M. Barbeau, E. Kranakis
Presenter Gicheol Wang
presented by gcwang
RFID Tags
Radio frequency devices that transmit information (e.g., serial numbers) to compliant readers in a contactless manner
Classified in the literature as: Passive: transmission power is derived from reader Active: energy comes from on-board battery Semi-passive: battery powered chips, but transmission powered by reader
Electronic Product Code (EPC) tags Main kind of low-cost tags in use on today’s RFID supply chain
applications Passive UHF RFID tags EPCglobal inc: Main organization controlling EPC development
204/20/23
presented by gcwang
Sample representation of an EPC number
3
ELECTRONIC PRODUCT CODE
Header Manager number Object class Serial number
RFID Tag
04/20/23
presented by gcwang
Back-end services
Middleware
Readers
Security Problems
Threats to and from front-end components (i.e., tags and readers) Privacy concerns during the receiving of information
Lack of authentication between readers & tags Necessity of a fine grained access control for the interaction of principals
4
Tags
Secure
wired
channel
Insecure
wireless
channel
Security threats
04/20/23
presented by gcwang
Threat Analysis Methodology
5
Possible
Likely
HighModerateLow
Motivation
None
Solvable
Strong Unlikely
Dif
ficu
lty
High Medium Low
Impact
Unlikely
Possible
Likely
Lik
elihood
Minor
Major
Critical
04/20/23
Likelihood and risk function this framework was proposed by ETSI
presented by gcwang
EPC Inventory Protocol
Lack of authentication between readers & tags
- 16-bit random sequences (denoted as RN16) to acknowledge the process
Any compatible reader can obtain the code
- Illicit readers can impersonate legal readers
6
4. Tag ID
1. Query
3. ACK(RN16)
2. RN16
Reader Tag
04/20/23
presented by gcwang
Rogue Scanning
Powering the tag to obtain tag ID- The use of special hardware (e.g., highly sensitive receivers
and high gain antennas) can ease the attack.
7
Reader TagReaderIllicit
Motivation Difficulty Likelihood Impact Risk
High Solvable Possible High Critical
04/20/23
presented by gcwang
Reader TagReaderIllicit
Eavesdropping Reader Channel
Passive observation or recording of the communication- The distance at which an attacker can eavesdrop the signal of an EPC
reader can be much longer than the operating environment of the tag. - Some data items (e.g., 16-bit random sequences) can be eavesdropped at
long distances.
8
Motivation Difficulty Likelihood Impact Risk
High Solvable Possible High Critical
04/20/23
presented by gcwang
Cloning of Tags
Using the codes eavesdropped or scanned, an attacker may successfully clone the tags
9
Motivation Difficulty Likelihood Impact Risk
Moderate Solvable Possible Medium Major
TagReaderIllicit1. TagID 2. write TagID
04/20/23
presented by gcwang
Location Tracking
Adversaries can distinguish any given tag by just getting the EPC
Correlating reader’s position, adversary can trace location of bearers
It can also provide useful data for fingerprinting and profiling
10
Motivation Difficulty Likelihood Impact Risk
Moderate Solvable Possible Medium Major
Illicit Reader
TagID
04/20/23
presented by gcwang
Tampering of Data (1/3)
Gen2 tags are required to be writable Although this feature can be protected with a 32-bit password,
bypassing the protection is solvable
11
1. Query
2. RN16
3. ACK(RN16)
4. Tag ID
5. Req_RN(RN16)
6. Handle
Reader Tag
04/20/23
presented by gcwang
Tampering of Data (2/3)
Gen2 tags are required to be writable Although this feature can be protected with a 32-bit password,
bypassing the protection is solvable
12
Reader Tag
7. Req_RN(Handle)
8. RN16'
9. Access(PIN31:16 RN16')
10. Handle
11. Req_RN(Handle)
04/20/23
presented by gcwang
Tampering of Data (3/3)
Gen2 tags are required to be writable Although this feature can be protected with a 32-bit password,
bypassing the protection is solvable
13
Motivation Difficulty Likelihood Impact Risk
Moderate Solvable Possible High Critical
12. RN16''
13. Access(PIN15:0 RN16'')
14. Handle
15. Write(membank,wordptr,data, handle)
16. Header, Handle
Reader Tag
04/20/23
presented by gcwang
Denial of Service
Tag data destruction or interference by attacks such as (1) attacks targeting writing or self-destruction routines and (2) use of jamming or strong electromagnetic pulses.
14
Motivation Difficulty Likelihood Impact Risk
Moderate Solvable Possible Medium Major
TagIllicit Reader
write/kill command
(1) (2) Tag Jamming device
04/20/23
presented by gcwang
Evaluation of Threats (Summary)
15
Threats Motivation Difficulty Likelihood Impact Risk
Eavesdropping,Rogue Scanning High Solvable Possible High Critical
Cloning of Tags,Location Tracking
Moderate Solvable Possible Medium Major
Tampering of Data Moderate Solvable Possible High Critical
Destruction of Data, Denial of
ServiceModerate Solvable Possible Medium Major
04/20/23
presented by gcwang
How to deal with these threats ?
• Shielding or jamming the signal It may work on some other RFID applications, but not on EPC setups
Third party blockers or guardians Requires the management of new components
Use of lightweight countermeasures, such as: Message Authentication Codes Lock-based Access Control Schemes Random Pseudonyms Threshold Cryptography Physically Unclonable Functions
04/20/23 16
presented by gcwang
Message Authentication Codes
17
Keyed Hash Function
Message Secret
ReaderTag
MAC
{Message, MAC}
Keyed Hash Function
SecretMessage
Output
MAC
?
• Tags & readers share a secret that allows the verification of the integrity and authenticity of exchanged messages
04/20/23
presented by gcwang
• Simplified Scheme:– Readers and tags share a common secret – When a tag receives a proof ownership of the secret (e.g., a hash of it), it locks itself
when interrogated, it only answers with this pseudo ID– Tag unlocks itself when it receives the secret
Lock-based Access Control Schemes
hash(secret)
Reader Tag
secret
Reader Tag
(1)
(2)
04/20/23 18
presented by gcwang
Random Pseudonyms
19
• Tags storing a pseudonym, or a list of pseudonyms, instead of the real object or tag identifier (i.e., EPC number)
• To handle the location tracking threat, pseudonyms must be generated at random and they must change frequently
• Authorized readers must know how to match the pseudonyms to the real tag identifiers
04/20/23
presented by gcwang
Threshold Cryptography
Exploit the natural movement of tag populations on the supply chain to distribute secrets and enforce privacy
20
T1
…
k out of n tags can reconstruct the secret
…T2 Tk Tn
Secret
Secret04/20/23
Secret Sharing
presented by gcwang
Physically Unclonable Functions (1/2)
21
• Originated from optical mechanisms for generating unique secrets in the form of physical variations
• E.g.:
Light Binary output
04/20/23
presented by gcwang
Physically Unclonable Functions (2/2)
22
• Promising for the implementation of challenge-response protocols in low-cost EPC tags.
• Optical designs have been improved towards new schemes exploiting other physical random variations - Delays of wires and logic gates of integrated circuits
- SRAM startup values as origin of randomness
• Can be used to handle the authentication threat, as well as the cloning and location tracking threats
04/20/23
presented by gcwang2323年 4月 20日
Secret Sharing(I)
Motivation of Secret SharingMy colleagues and I accidentally discovered a mapthat would lead us to a treasure island. We agreed to start the trip together tomorrow. The problem is who possesses the map until the start time
They don’t really trust one anotherNow, They can happily go home
presented by gcwang2423年 4月 20日
Secret Sharing(II)
Problem of Secret Sharing in above example, if someone who has the part of the
map burns his(hers) intentionally they never go to the treasure island
(n, t) Secret Sharing = threshold cryptography greater than or equal to t parties can recover original s less than t parties have no information about s
You have never imagine
I’m a spy.I’ll destroy my
key.
presented by gcwang2523年 4月 20日
Secret Sharing(III)
Design of (n,t) secret sharing generate a polynomial f(x)=ax(t-1) + bx(t-2) … + cx + M (mod
p) a prime ‘p’ which is larger than the number of shares required ‘t’ is the number of shares necessary to reconstruct the secret ‘a’, …, ‘c’ are random secret coefficients which are discarded
once the data has been distributed ‘M’ is the secret to be distributed
evaluate f(x) at x=1, x=2, …, x=n distribute the resulting f(1), f(2), …, f(n) values as the
shared data any ‘t’ shares can be used to create the same polynomial
f(x) a linear algebra(Lagrange Interpolation) can be used to solve
for M
presented by gcwang2623年 4月 20日
Secret Sharing(IV)
Example of (n,t) secret sharing generate a polynomial ax2 + bx + M (mod p) Assumption
a (5,3) threshold scheme is employed M=5, a=4, b=6, and p=13
f(x) = 4x2 + 6x + 5 (mod 13) f(1) = 4+6+5 (mod 13)=2, f(2)=16+12+5 (mod 13)=7, f(3)=7,
f(4)=2, f(5)=5 {x, f(x)} is distributed to any five nodes
any node which gets three of these shares(for example share 1, 3, 5) can acquire the original polynomial through the following equation.
13) (mod 8
25487
)35)(15(
)3)(1(5
)53)(13(
)5)(1(7
)51)(31(
)5)(3(2)(
2
3
xxxxxxxx
xP
presented by gcwang2723年 4月 20日
Secret Sharing(V)
Lagrange interpolation We can compute the lagrange interpolation polynomial
using four points , , , as the following
5 13) (mod 51)13mod( 8
25-M
,13) (mod 6b
,4 13) (mod 56 13) (mod 8
7 a
13) (mod 8
25487)(
2
3
-
xxxP
presented by gcwang2823年 4月 20日
An Example of secret sharing
(3,2) threshold signature K/k
m
s1
s2
s3
c
server 1
server 2
server 3
PS(m, s1)
PS(m, s3)
<m>k
m : messagePS : partial signatureEx) PS(m, s1) is a partial signature of m via share s1 c : combiner<m>k : fully signature of m signed by private key
Secret Sharing(VI)
Return