Crypto on Tags


VLSI
Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security
A Low-Resource Public-Key Identification
Scheme for RFID Tags and Sensor Nodes
March 16-18, 2009, Zurich, Switzerland
Martin Feldhofer, IAIK – Graz University of Technology, [email protected], www.iaik.tugraz.at
Yossef Oren, School of Electrical Engineering, Tel-Aviv University
2009
Outline
Motivation
Introduction of WIPR
Requirements for RFID tag hardware
Implementation of WIPR scheme in hardware
Comparison of crypto implementations
Conclusions
http://www.iaik.tugraz.at
TU Graz/Computer Science/IAIK/VLSI/Feldhofer
2
Why Security for RFID Systems? – Threats
Counterfeiting
 5 - 7% of world trade
 ~$600 billion USD a year (ICC 2009)
Privacy violation
 Monitoring communication is easy (contactless, broadcast)
How Can Cryptography Help Us?
Encrypted communication
 Prevents unauthorized parties from reading data
 Prevents tracking via a unique identifier
Authentication of reader/tag
 Proves the identity of a party
 Prevents cloning of tagged goods
Identification
 Claim to be somebody / something
Authentication
 Prove the claim (by a characteristic, shared knowledge, or possession)
Tag-Authentication Protocol
Challenge-response (strong authentication)
 Proves knowledge of a shared secret key (or of a private key)
 Requires a random “challenge”
 The “response” depends on the challenge and the key (result of an encryption)
 Compatibility with existing standards

  A (key K)  ---- rA ------>  B (key K)
  A (key K)  <--- fK(rA) ---  B (key K)
State-of-the-Art in Secure RFID
Symmetric crypto on tags is feasible
 Results of an AES-128 hardware module have been shown
Disadvantage of symmetric solutions
 Key distribution is difficult
In open systems public-key cryptography is much better
 Many untrusted parties (goods and tag manufacturer, tag integrators,
warehouses, retailers, customer etc.)
But what about the feasibility on passive RFID tags?
Overview of WIPR Identification Scheme
WIPR stands for Weizmann-IAIK Public-Key for RFID
1024-bit RSA-like public key
 80-bit security level
Full probabilistic encryption
 Anonymity (encryption of the ID)
 Authentication (proof of knowledge of the secret)
Main features
 4700 gate equivalents (including memory, full functionality)
 600 ms / 14 µA at 100 kHz
 Works with the EPC C1G2 standard
 High payload capacity, usable for example in sensor nodes
WIPR in Theory
Rabin’s encryption scheme:
 Private key: primes p, q. Public key: n = p·q
 Encryption: C = P² mod n
 Decryption yields four candidate plaintexts (the four square roots of C mod n); the receiver needs redundancy in P to recognize the right one
Low-resource version by Naccache and Shamir
 Encryption: C = P² + r·n, random r (no modular reduction on the encrypting side)
 Indistinguishable from Rabin’s scheme (if r is appropriately chosen)
Ultra-low-resource version (this work):
 Specially-formed n stored within 200 GEs
 Long random strings created on-the-fly using a “Feistel structure”
Security Features
Secrecy and privacy
 ID is kept secret (by encryption)
 Tracking is prevented
No private key on tag
 Only secret ID
 “Crack one – run one” situation
Encryption of arbitrary data
 Data of sensor nodes
No tag rewrites or coupons
 No fixed number of uses
Reader authentication possible
 Secure backward channel is possible
The WIPR Protocol for Authentication
Reader                                            Tag
Knows: private key p, q; the IDs                   Knows: public key n, its ID
Generates rR                                       Generates rT1, rT2
        ---- Challenge: rR ------------------------->
        <--- Response: (rR | rT1 | ID)² + rT2 · n ---
Verification of ID by decryption (reduce mod n, take the Rabin square roots, check rR and ID)
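The exchange above, worked through as an added example in Python (this is not the authors' code or hardware). It follows the arithmetic on the slides: the tag, holding only the public n and its ID, sends (rR | rT1 | ID)² + rT2·n computed over the integers; the reader reduces mod n, takes the four Rabin square roots with p and q, and accepts only the root that echoes its own challenge and carries an enrolled ID. The key (two Mersenne primes giving a ~150-bit n), the field widths and the sample values are constructed toy parameters; the real scheme uses a 1024-bit n.

```python
"""Toy model of the WIPR challenge/response (added example, not the authors'
code).  Tag: (rR | rT1 | ID)^2 + rT2*n over the integers, public n only.
Reader: reduce mod n, take the Rabin square roots with p and q, accept the
root that echoes the challenge and carries a known ID."""
import secrets

# Constructed toy key: two Mersenne primes, both = 3 (mod 4), so a square
# root mod p is one exponentiation.  ~150-bit n; real WIPR uses 1024 bits.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q

R_LEN, RT1_LEN, ID_LEN = 4, 8, 4            # toy field widths in bytes
MSG_LEN = R_LEN + RT1_LEN + ID_LEN         # 16 bytes = 128 bits < |n|


def tag_response(n, r_r, r_t1, tag_id, r_t2):
    """Tag side.  r_t2 is a fresh random integer of |n| bits (the
    Naccache-Shamir mask); the tag never reduces modulo n."""
    assert len(r_r) == R_LEN and len(r_t1) == RT1_LEN and len(tag_id) == ID_LEN
    plain = int.from_bytes(r_r + r_t1 + tag_id, "big")
    assert plain < n                       # needed so the reader can recover P
    return plain * plain + r_t2 * n


def rabin_roots(c, p, q):
    """All four square roots of c modulo n = p*q, for p = q = 3 (mod 4)."""
    n = p * q
    mp = pow(c % p, (p + 1) // 4, p)       # sqrt mod p
    mq = pow(c % q, (q + 1) // 4, q)       # sqrt mod q
    q_inv = pow(q, -1, p)
    p_inv = pow(p, -1, q)
    roots = set()
    for sp in (mp, (p - mp) % p):
        for sq in (mq, (q - mq) % q):
            roots.add((sp * q * q_inv + sq * p * p_inv) % n)   # CRT
    return roots


def reader_verify(p, q, response, r_r, known_ids):
    """Reader side.  Returns the tag's ID, or None if no root echoes our
    challenge with an enrolled ID (wrong challenge, replay, unknown tag)."""
    c = response % (p * q)                 # drops the rT2*n term
    for root in rabin_roots(c, p, q):
        if root.bit_length() > 8 * MSG_LEN:
            continue                       # cannot be the padded message
        msg = root.to_bytes(MSG_LEN, "big")
        if msg[:R_LEN] == r_r and msg[-ID_LEN:] in known_ids:
            return msg[-ID_LEN:]
    return None


def run_protocol(tag_id, known_ids):
    """One round with fresh randomness on both sides."""
    r_r = secrets.token_bytes(R_LEN)                # reader's challenge
    r_t1 = secrets.token_bytes(RT1_LEN)             # tag's message randomizer
    r_t2 = secrets.randbits(N.bit_length())         # tag's mask for n
    resp = tag_response(N, r_r, r_t1, tag_id, r_t2)
    return reader_verify(P, Q, resp, r_r, known_ids)


if __name__ == "__main__":
    enrolled = {bytes.fromhex("0000beef"), bytes.fromhex("0000cafe")}
    print(run_protocol(bytes.fromhex("0000cafe"), enrolled))
```

The reader never reveals which root it picked; it only answers with accept or reject, and rejects when the challenge prefix is wrong, so a recorded response cannot be replayed against a fresh rR. Because the response is unreduced, a fresh full-size rT2 is required on every run; reusing rT2 or choosing it short leaks information about P² that a plain Rabin ciphertext would not.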
But what about the implementation costs?
Secure RFID System Architecture
Hardware Requirements for Passive RFID Tags
Power consumption
 Determines operating range (~1 m required)
 Maximum 25 µW
 Below 15 µA (at 1.5 V) mean current consumption
 0.35 µm CMOS: corresponds to ~15 D flip-flops clocked at 1 MHz
Chip area
 Die size equals silicon cost (5-20 cent)
 Less than 5000 gate equivalents for security
BUT
 Very low data rates (10-200 kbps) -> low clock frequency
 High number of available clock cycles
[Figure: tag supply from the RF field (I_Supply, I_IC, V_dd, V_ddMIN); not reproduced]
Low-Power Design
Power dissipation
 P_Total = P_Static + P_SC + P_Dynamic
 P_Dynamic = C_L · V_DD² · f · p_sw   (load capacitance, supply voltage, clock frequency, switching probability)
Design for power reduction
 Lowering V_DD
 Use the lowest possible clock frequency (<100 kHz)
 Clock gating
 Avoiding glitching activity (sleep-mode logic)
Optimization goal
 Minimize the triple (I_mean [µA], chip area [GE], #clock cycles)
WIPR Hardware Implementation
Tag calculates (rR | rT1 | ID) · (rR | rT1 | ID) + rT2 · n
Result is calculated and sent byte by byte, beginning at the
least significant byte (no need to store it)
[Figure: WIPR datapath. Sources: Feistel generators Rt1a, Rt1b and Rt2, the 16x8-bit challenge register Rr, the 128x8-bit constant n, ID(i) and CRC(i); muxed into an 8x8-bit multiplier, a 25-bit adder and a 25-bit accumulator, under an FSM controller with an AMBA interface; data in / data out]
Implementation of Const n
(rR | rT1 | ID) · (rR | rT1 | ID) + rT2 · n
 n has a special format
 Upper half is 0xAAA…AAA
 Only 200 GEs to store the 1024-bit constant
[Figure: datapath as on the previous slide, Const block highlighted]
Implementation of Challenge rR
(rR | rT1 | ID) · (rR | rT1 | ID) + rT2 · n
 Register-based 8-bit RAM
 1000 GEs to store the 128-bit random challenge
[Figure: datapath as on the previous slide, Rr (16x8-bit) block highlighted]
Impl. of Random Strings rT1a, rT1b and rT2
(rR | rT1a | ID) · (rR | rT1b | ID) + rT2 · n
Random bit strings
 Only sequential access
 Use a reversible stream cipher
 Store only short seed values
 Use “roll left” and “roll right” functions
 2700 GEs for the tag’s 2048 random bits
[Figure: datapath as on the previous slide, Feistel blocks Rt1a, Rt1b and Rt2 highlighted]
Sequential Memory Access of rT1a, rT1b and rT2
Rolling Functions
Roll Right: the state (r[i-2], r[i-1], r[i]) is pushed through the one-way function, producing r[i+1], r[i+2], ...
Roll Left: the same state is rolled backwards, recovering r[i-1], r[i-2], ...
[Figure: two diagrams of the state window moving right and left through the one-way function]
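As an added example (Python, not the authors' RTL), one way to realize what the datapath and rolling-function slides describe: emit (rR | rT1 | ID)² + rT2·n least significant byte first using only an 8x8-bit multiply and a small accumulator, while rT1 is read through two cursors over one reversible Feistel-based generator (rT1a rolled right, rT1b rolled left) and rT2 through a third, so that no random string is ever stored. The Feistel round function, the seeds, the field widths and the "upper half 0xAA" toy modulus are all constructed: the page does not give the real round function, and the toy n is only a bit pattern in the right form, not a product of primes.

```python
"""Byte-serial WIPR response with on-the-fly random strings (added example,
not the authors' RTL).  Output: (rR | rT1 | ID)^2 + rT2*n, LSB first,
using only an 8x8-bit multiply and a small accumulator."""

MASK32 = 0xFFFFFFFF
RR_LEN, RT1_LEN, ID_LEN = 16, 96, 16        # bytes; |x| = 128 bytes = 1024 bits
X_LEN = RR_LEN + RT1_LEN + ID_LEN
N_LEN = 128                                 # 1024-bit modulus


def feistel_f(x, k):
    """Constructed toy one-way round function on 32 bits (not the paper's)."""
    x = ((x ^ k) * 0x9E3779B1) & MASK32
    x ^= x >> 15
    return (x * 0x85EBCA77) & MASK32


class RollingBytes:
    """Random byte string r[0], r[1], ... defined by a 64-bit seed.  r[i] is
    read by rolling a Feistel state forwards (roll right) or backwards (roll
    left); only the seed and the current state exist, never the string."""

    def __init__(self, seed):
        self.left, self.right = (seed >> 32) & MASK32, seed & MASK32
        self.pos = 0                        # index i of the byte in the state

    def roll_right(self):                   # Feistel round: state(i) -> state(i+1)
        self.left, self.right = self.right, self.left ^ feistel_f(self.right, self.pos)
        self.pos += 1

    def roll_left(self):                    # inverse round: state(i) -> state(i-1)
        self.pos -= 1
        self.left, self.right = self.right ^ feistel_f(self.left, self.pos), self.left

    def get(self, i):
        """Sequential access: roll to index i, return r[i]."""
        while self.pos < i:
            self.roll_right()
        while self.pos > i:
            self.roll_left()
        return self.left & 0xFF


def make_toy_modulus(seed):
    """Little-endian bytes of a 1024-bit n whose upper half is 0xAA...AA (the
    special form from the slides).  A constructed bit pattern, not a real p*q."""
    g = RollingBytes(seed)
    return [g.get(i) for i in range(N_LEN // 2)] + [0xAA] * (N_LEN // 2)


def wipr_response_bytes(r_r, tag_id, rt1_seed, rt2_seed, n_bytes):
    """Emit x*x + rT2*n, x = rR | rT1 | ID, least-significant byte first.
    Returns (result bytes, largest accumulator value seen)."""
    rt1a, rt1b = RollingBytes(rt1_seed), RollingBytes(rt1_seed)  # one string, two cursors
    rt2 = RollingBytes(rt2_seed)
    x_low, x_high = list(reversed(tag_id)), list(reversed(r_r))  # ID is least significant

    def x_byte(i, gen):                     # byte i of x, little-endian
        if i < ID_LEN:
            return x_low[i]
        if i < ID_LEN + RT1_LEN:
            return gen.get(i - ID_LEN)      # rT1 comes from the Feistel state
        return x_high[i - ID_LEN - RT1_LEN]

    out, acc, max_acc = [], 0, 0
    for k in range(2 * X_LEN + 1):          # one output byte per outer round
        for i in range(max(0, k - X_LEN + 1), min(k, X_LEN - 1) + 1):
            acc += x_byte(i, rt1a) * x_byte(k - i, rt1b)   # rT1a runs up, rT1b down
        for i in range(max(0, k - N_LEN + 1), min(k, N_LEN - 1) + 1):
            acc += rt2.get(i) * n_bytes[k - i]
        max_acc = max(max_acc, acc)
        out.append(acc & 0xFF)              # byte k leaves the tag now
        acc >>= 8                           # only the carry is kept
    return bytes(out), max_acc


def reference_response(r_r, tag_id, rt1_seed, rt2_seed, n_bytes):
    """Same value with big integers, to check the serial datapath model."""
    rt1 = RollingBytes(rt1_seed)
    rt1_be = bytes(rt1.get(i) for i in range(RT1_LEN))[::-1]
    x = int.from_bytes(r_r + rt1_be + tag_id, "big")
    rt2 = RollingBytes(rt2_seed)
    rt2_int = int.from_bytes(bytes(rt2.get(i) for i in range(N_LEN)), "little")
    n = int.from_bytes(bytes(n_bytes), "little")
    return (x * x + rt2_int * n).to_bytes(2 * X_LEN + 1, "little")


if __name__ == "__main__":
    n_bytes = make_toy_modulus(0x1234)
    args = (bytes(range(16)), bytes(16), 7, 99, n_bytes)
    serial, peak = wipr_response_bytes(*args)
    print(serial == reference_response(*args), peak.bit_length())
```

The inner loops are the schoolbook convolution: output byte k needs every pair of operand bytes whose indices sum to k, so one cursor walks up while the other walks down, which is exactly why the hardware keeps two Feistel copies of rT1 and needs both roll directions. With 128-byte operands the per-byte sum of products plus the carried-in value stays below 2^25, consistent with the 25-bit adder and accumulator in the datapath; the last byte carries only the final carry, as the sum can exceed 2048 bits by one bit.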
Hardware Results
Comparison of Implementations
Algorithm   Type            Chip area [GEs]   Imean [µA @ 100 kHz, 1.5 V]   # Clock cycles
AES-128     Block cipher         3400              3.0                          1032
SHA-256     Hash               10 868              5.83                         1128
SHA-1       Hash                 8120              3.93                         1274
MD5         Hash                 8001              3.16                          712
Trivium     Stream cipher        3090              0.68                  (1,603) + 176
Grain       Stream cipher        3360              0.80                    (130) + 104
TEA         Block cipher         2633              3.79                          289
ECC-192     Public key         23 600             13.3                       500 000
WIPR        Public key           4682             14.2                        66 048
Comparison of Different Algorithms
Hardware implementations, all on the same platform
[Figure: chart comparing the implementations of the table above; WIPR marked]
Compatibility with EPC C1G2 Scheme
Interrogator                                   Tag
   ---- Query ------------------------------->
   <--- RN16 -------------------------------
   ---- ACK(RN16) --------------------------->
   <--- [WIPR Version 1] --------------------
   ---- Challenge(RN16) --------------------->
   <--- Handle ------------------------------
   ---- ACK Rep(Handle) --------------------->
   <--- [Ciphertext bytes] ------------------
   ---- ACK Rep(Handle) --------------------->
   <--- [Ciphertext bytes] ------------------
Conclusions
Strong cryptography required for protection of RFID
systems
Design for low power consumption necessary
Symmetric-key crypto is feasible on tags
 AES-128 module has been shown
WIPR allows public-key crypto on RFID tags
 Uses Rabin encryption scheme
 Optimized for low gate count and low power consumption
Contact information
 Martin Feldhofer
IAIK – TU Graz
[email protected]