Transcript Project Title (i)

Inscrypt 2008
A Security and Performance Evaluation
of Hash-based RFID Protocols
Tong Lee Lim, Tieyan Li & Yingjiu Li
Cryptography and Security Department
Institute for Infocomm Research (I2R)
17 Dec. 2008
Inscrypt’08 – RFID Authentication
Outline
Project Summary - what will be done
 Introduction on RFID, and its security & privacy issues
 Introduction on hash-based RFID authentication protocols
 The Hash chain family of protocols and weaknesses
 Okhubo – Hash chain
 Henrici – Triggered hash chain
 Lim – CRTH, FRTH
 The TRAP family of protocols and weaknesses




Dimitriou – CR
Tsudik – YA-TRAP
Burmester – YA-TRAP+, O-TRAP
Conti – RIPP-FS
 The Tree family of protocols and weaknesses
 Molnar – TBPA
 Lu – SPA
 Remarks…
2
Inscrypt’08 – RFID Authentication
RFID Debate
Project Summary - why should it be done?
• Promoters
• Wal-Mart, Gillette, METRO…
• Vendors
• Microsoft, IBM, SAP…
• Players
• TAGSYS, ALIEN, SAVI…
• New: Mojix, RF controls…
• Governments, industries,
researchers …
An age of RFID is coming … But security and privacy?
3
Inscrypt’08 – RFID Authentication
Passive RFID
• The reader has a powerful antenna and a power supply
• The reader surrounds itself with an electromagnetic
field
• The tag is illuminated by the field, providing it with
power
Tag
Reader
4
4
Inscrypt’08 – RFID Authentication
ReaderTag Data Exchange
• The reader sends commands to the tag via pulse amplitude
modulation
• The tag sends responses to the reader via backscatter modulation
Tag
Reader
5
5
Inscrypt’08 – RFID Authentication
RFID Security & Privacy Issues
Project Summary - why should it be done?
• RFID tags have many technical limitations:
– Limited power consumption (vs. energy consumption of battery
powered devices) ~ 10µA average
– Limited area consumption (less problem with evolving Smart Card
technologies) < 1mm²
– Limited execution time (set by batch tag reading protocol)
– Limited backward channel (initiated by reader only)
– Limited memory access (hundreds bits to few kBytes and slow)
– No physical protection possible
• Cryptography is not applicable immediately.
– Worst case assumption is not always true for RFID
– Weakened adversarial model is typically assumed for RFID
• In RFID, there are many security solutions.
– E.g., shielding, killing, tearing, blocking, proxy, policies, obfuscation,
etc. for different scenarios.
6
Inscrypt’08 – RFID Authentication
RFID Security & Privacy Issues
Project Summary - why should it be done?
• Typically, RFID security means Authentication and
Privacy.
– Authentication:
• Tag/reader authentication:
– Both tag and reader need to prove their claimed identities.
• Product authentication:
– The secure binding of the tag and product need to be guaranteed.
– Privacy:
• Anonymity:
– The identity information of a person of event is not disclosed by
reading a tag.
• Untraceability:
– The itinerary of a person or a series of events can not be tracked by
reading a tag.
7
Inscrypt’08 – RFID Authentication
Countermeasures
Project Summary - why should it be done?
•
Physical Protection
– Private tag-to-reader channel; e.g., Clipped tag (IBM), Faraday Cage, Shielding…
– Physical tag removal or destruction.
– WORM; e.g., ISO/IEC 15963 defines a unique Tag ID.
•
Access Control
– EPC Gen2 Access and Kill passwords.
– ID obfuscation or pseudonym
•
Cryptographic Measures
– Lightweight primitives (e.g., Present-80, Grain, Trivium, etc.)
– Lightweight authentication schemes (e.g., HB family)
•
Active Device
– Blocker tag
– REP, RFIDguardian
8
Inscrypt’08 – RFID Authentication
Outline
Project Summary - what will be done
 Introduction on RFID, and its security & privacy issues
 Introduction on hash-based RFID authentication protocols
 The Hash chain family of protocols and weaknesses
 Okhubo – Hash chain
 Henrici – Triggered hash chain
 Lim-Li – CRTH, FRTH
 The TRAP family of protocols and weaknesses




Dimitriou – CR
Tsudik – YA-TRAP
Burmester – YA-TRAP+, O-TRAP
Conti – RIPP-FS
 The Tree family of protocols and weaknesses
 Molnar – TBPA
 Lu – SPA
 Remarks…
9
Inscrypt’08 – RFID Authentication
Research literature
Project Summary - what will be done
•
Solutions that used classic cryptographic primitives
•
In 2002, Sarma et al. first proposed to use hash functions
–
–
–
–
PRNGs alone, (Juels; Piramuthu; Tsudik; Chatmon; Duc; Molnar)
Hashs alone, (Engberg; Avoine; Dimitriou; Yang; Weis; Henrici; Choi)
PRNGs and hashs, (Gao; Rhee; Lee;)
PRNGs and Symmetric crypto, (Molnar; Dimitriou; Bailey; Dominikus)
–
–
Hash lock, by Rivest et al. (03)
Randomized hash lock, by Weis et al. (03)
–
–
–
–
Hash chain, by Okhubo et al. (RFIDsec’03)
Hash-based ID variation, by Henrici et al. (Percom’04)
Triggered hash chain, by Henrici et al. (Percom’08)
CRTH, FRTH, By Lim and Li (ICPADS’08)
–
–
–
YA-TRAP, by Tsudik et al. (PercomW’06)
YA-TRAP+, O-TRAP (O-FRAP, O-FRAKE), by Burmester et al. (06)
RIPP-FS, by Conti et al. (PercomW’07)
–
–
Hash tree, by Molnar et al. (SAC’05)
Dynamic hash tree, by Lu et al. (Percom’07)
10
Inscrypt’08 – RFID Authentication
RFID Authentication Characteristics
Project Summary - what will be done
• There are some fundamental characteristics that distinguish RFID
authentication from general purpose authentication:
– Lightweightness, Many RFID platforms can only implement symmetric
key crypto techniques.
– Anonymity, General purpose authentication protocols may not support
anonymity. For RFID applications, anonymity is essential, because rogue
readers can easily track them.
– Availability, RFID devices are subject to attacks by rogue readers in
which they may assume a state from which they may no longer be able
to authenticate themselves.
– Forward security, RFID devices may be discarded, are easily captured,
and may be highly vulnerable to side channel attacks on the stored keys.
It is important to guarantee the privacy of past sessions if key is
compromised.
11
Inscrypt’08 – RFID Authentication
RFID Authentication Properties
Project Summary - what will be done
• Besides the characteristics, in RFID authentications, we ensure some
major security properties:
– Session Unlinkability: Any two protocol sessions involving the same tag
can not be linked.
– Tag Authenticity: The authenticity of a tag is verified to prevent an
adversary from impersonating the tag.
– Reader Authenticity: A reader needs to be authenticated before it can be
allowed to access confidential data on tags.
– Desynchronization Resilience: An adversary is not able to bring an
inconsistent state to the tag and its backend database.
12
Inscrypt’08 – RFID Authentication
Security model
Project Summary - what will be done
Byzantine threat model
–
–
–
–
All entities (tags, readers, back-end server) including the adversary (the attackers) have
polynomial bounded resources.
The adversary controls the delivery schedule of all communication channels, and may
eavesdrop into, or modify their contents.
The adversary may also instantiate new communication channels and directly interact with
honest parties.
However, the reader-server channels are assumed to be secure.
In this paper, we classify 4 levels of adversaries:
–
Level 1 (Passive attack): Ability to perform passive eavesdropping over legitimate protocol
sessions.
–
Level 2 (Active attack with protocol participation): Ability to communicate with a legitimate
tag or reader by following the steps specified under the protocol and to replay messages.
–
Level 3 (Active attack with protocol disruption): Ability to actively corrupt, block or inject
(replace) messages exchanged during a protocol session between a legitimate tag and an
authorized reader.
–
Level 4 (Active attack with secret compromise): Ability to capture a legitimate tag and extract
its secrets through physical and side channel attacks.
13
Inscrypt’08 – RFID Authentication
Outline
Project Summary - what will be done
 Introduction on RFID, and its security & privacy issues
 Introduction on hash-based RFID authentication protocols
 The Hash chain family of protocols and weaknesses
 Okhubo – Hash chain
 Henrici – Triggered hash chain
 Lim – CRTH, FRTH
 The TRAP family of protocols and weaknesses




Dimitriou – CR
Tsudik – YA-TRAP
Burmester – YA-TRAP+, O-TRAP
Conti – RIPP-FS
 The Tree family of protocols and weaknesses
 Molnar – TBPA
 Lu – SPA
 Remarks…
14
Inscrypt’08 – RFID Authentication
OSK: Hash Chain
Project Summary - what will be done
15
Inscrypt’08 – RFID Authentication
OSK: Hash Chain
Project Summary - what will be done
• Process
• Elegant approach (simple, forward secure, etc.), but:
• Problems:
– no synchronization between tag and “backend”
– does not provide authentication (mimicking possible)
•
Protocol cannot be used in practice
16
Inscrypt’08 – RFID Authentication
Henrici: Hash-based ID Variation
Project Summary - what will be done
• Process
17
Inscrypt’08 – RFID Authentication
Henrici: Hash-based ID Variation
Project Summary - what will be done
• Based on a message exchange
• Keep two database records for each tag to cope with message
loss
• Hash values are used for mutual authentication and ensuring
message integrity
• Transaction counter “t” prevents replay attacks and helps in
synchronization between tag and backend
• Transmitting differences between transaction counters prevents
the latter to be abused for recognition and tracking
• New identifier is not transmitted in clear; instead, calculate new
identifier using old internal identifier and transmitted random
number
18
Inscrypt’08 – RFID Authentication
Henrici: Triggered hash chain
Project Summary - what will be done
19
Inscrypt’08 – RFID Authentication
Henrici: Triggered hash chain
Project Summary - what will be done
• Process
20
Inscrypt’08 – RFID Authentication
Henrici: Triggered hash chain
Project Summary - what will be done
• Relation to Hash Chains
– Self-refreshment of internal tag identifier
– Simple and elegant
• Relation to Hash-based ID Variation
– Message exchange
– Two database records for each tag in backend
– Authentication by running protocol twice
• But improvements:
– No transaction counter “hacks” (like in Hash-based ID
Variation)
– No need to stay online (like in Hash-based ID Variation)
– No synchronization problems (like in Hash Chains)
21
Inscrypt’08 – RFID Authentication
CRTH (Lim et al.)
Project Summary - what will be done
• Challenge-Response Triggered Hash
22
Inscrypt’08 – RFID Authentication
FRTH (Lim et al.)
Project Summary - what will be done
• Forward-Rolling Triggered Hash
23
Inscrypt’08 – RFID Authentication
Comparison (security)
Project Summary - what will be done
All 5 protocols support:
– Tag anonymity
– Forward security
Level 3
attacker
Tag
authenticity
Reader
authenticity
Session
unlinkability
Desynchronization
Resilience
Hash chain
x
x

x
Hash ID
x

x

Triggered Hash
x

x

CRTH


x

FRTH




24
Inscrypt’08 – RFID Authentication
Outline
Project Summary - what will be done
 Introduction on RFID, and its security & privacy issues
 Introduction on hash-based RFID authentication protocols
 The Hash chain family of protocols and weaknesses
 Okhubo – Hash chain
 Henrici – Triggered hash chain
 Lim – CRTH, FRTH
 The TRAP family of protocols and weaknesses




Dimitriou – CR
Tsudik – YA-TRAP
Burmester – YA-TRAP+, O-TRAP
Conti – RIPP-FS
 The Tree family of protocols and weaknesses
 Molnar – TBPA
 Lu – SPA
 Remarks…
25
Inscrypt’08 – RFID Authentication
CR protocols
Project Summary - what will be done
•
Typical Challenge-Response RFID protocol

Pass 1: the Reader sends a challenge that may include a timestamp, a random
nonce, or other information.

Pass 2: the Tag responds by evaluating a function f (k; c; ) on the challenge.

Its input may include a value r that may embed a nonce, and an identifier or a
(mutable) pseudonym for tag recognition.
Reader
RFID tag
c
f(k, c, …)
Stores secret
Stores secret for each tag
26
Inscrypt’08 – RFID Authentication
CR (Dimitriou)
Project Summary - what will be done
27
Inscrypt’08 – RFID Authentication
YA-TRAP
Project Summary - what will be done
• YA-TRAP [Tsudik] Assumptions:
Reader shares a secret with each tag
Reader has database with entry
<hash(secret, time), secret> for each tag
Server (K, Table(K,r))
Tag (HK , ttag)
S activates the tag with tsys
tsys
If tsys < ttag or tsys > tmax,
send r. Else send HK(tsys)
h = HK(tsys)
ttag  tsys
28
Inscrypt’08 – RFID Authentication
YA-TRAP
Project Summary - what will be done
• YA-TRAP
[Tsudik]
– Reader looks up hash in database to get secret
– Issue: time must only increase
• Drawback:
– DoS attack; bogus reader sends t’sys = tmax
– Future time attack; bogus reader sends t’sys, i < tsys
29
Inscrypt’08 – RFID Authentication
YA-TRAP
Project Summary
+ - what will be done
• YA-TRAP+
[Chatmon]
30
Inscrypt’08 – RFID Authentication
O-TRAP
Project Summary - what will be done
• Optimistic Trivial RFID Authentication Protocol
Server (K, Table(K,r))
Tag (HK , rtag)
S updates rsys at regular periods
rsys
rtag , h = HK(rsys,rtag)
rtag  HK(rtag)
If  (K,rtag) Table(K,r) & h=HK(rsys,rtag),
Or  K K : h=HK(rsys,rtag) accept
update Table(K,r): rtag  HK(rtag)
Else reject
31
Inscrypt’08 – RFID Authentication
O-TRAP
Project Summary - what will be done
Table(K,r)
keys
K1 K 2
...
Kn
strings
rK1 rK 2
...
rK n
• When the adversary is not active, the server gets the key of the tag
from the look-up Table(K,r).
• Otherwise the value of rK stored in the table may be out-of-sync
with the value of the tag.
• In this case the server must search exhaustively by hashing the pairs
(rsys, rtag) for each key value.
32
Inscrypt’08 – RFID Authentication
RIPP-FS
Project Summary - what will be done
RIPP-FS
•
[Conti]
Lamport hash value
to authenticate the
reader.
Drawback:
•
•
Replay attack
Infinite hash chain
33
Inscrypt’08 – RFID Authentication
Comparison (security)
Project Summary - what will be done
All 5 protocols support:
– Tag anonymity
– Session unlinkability (except Dimitriou’s CR protocol)
Level 3/4
attacker
Tag
authenticity
Reader
authenticity
Forward
security
Deynchronization
Resilience
CR



x
YA-TRAP
x
x
x
x
YA-TRAP+

x
x
*
O-TRAP

x
x
*
RIPP-FS

x


34
Inscrypt’08 – RFID Authentication
Outline
Project Summary - what will be done
 Introduction on RFID, and its security & privacy issues
 Introduction on hash-based RFID authentication protocols
 The Hash chain family of protocols and weaknesses
 Okhubo – Hash chain
 Henrici – Triggered hash chain
 Lim – CRTH, FRTH
 The TRAP family of protocols and weaknesses




Dimitriou – CR
Tsudik – YA-TRAP
Burmester – YA-TRAP+, O-TRAP
Conti – RIPP-FS
 The Tree family of protocols and weaknesses
 Molnar – TBPA
 Lu – SPA
 Remarks…
35
Inscrypt’08 – RFID Authentication
TBPA (Molnar et al.)
Project Summary - what will be done
36
Inscrypt’08 – RFID Authentication
SPA (Lu et al.)
Project Summary - what will be done
37
Inscrypt’08 – RFID Authentication
Comparison (security)
Project Summary - what will be done
All 2 protocols support:
– Tag anonymity
– Tag authenticity
– Reader authenticity
Level 3
attacker
Forward
security
Session
unlinkability
Desynchronization
Resilience
TBPA
x


SPA

x
x
38
Inscrypt’08 – RFID Authentication
Comparison (computation)
Project Summary - what will be done
39
Inscrypt’08 – RFID Authentication
Comparison (storage)
Project Summary - what will be done
40
Inscrypt’08 – RFID Authentication
Comparison (communication)
Project Summary - what will be done
41
Inscrypt’08 – RFID Authentication
Remarks…
Project Summary - why should it be done?
• We have reviewed a class of hash based authentication protocols.
• Note that hash functions can be implemented using lightweight
block ciphers, which can be implemented more efficiently.
• Can we design an elegant protocol fulfilling all properties in RFID
context?
• RFID will be deployed “unawarely” anywhere in our daily life, new
threats are to be addressed and defended with “balanced” security
& privacy solutions.
• We have no backyard but to prevent the unforeseen threats
beforehand.
Thank you!
42