Post on 31-Dec-2015
Initial SRAM State as a Fingerprint and Source of True Random Number for RFID Tags
Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu
University of Massachusetts, USA.
Slides by Oded Argon
FERNS - InfoSec Seminar TAU 2009 2
Overview
- What is RFID?
- RFID Identification Schemes
- Random numbers
- What is FERNS?
- SRAM cell
- FERNS experimental work
- Conclusion
- Questions
What is RFID?
- Small ID tag
- Has no power source – Low power
  - Even ultra low – the ‘RF’ part of RFID
  - Powered up by the reader for every “ID request”
- Different applications
  - ID card
  - Digital cash card
  - Inventory management
What is RFID? – cont.
- Need an ID
  - The ‘ID’ part of RFID
- Need random numbers
  - For security reasons
  - Need a new random number for every power up
- Need to be low cost
  - Billions of RFID tags
RFID Identification Schemes
- Non volatile memories
  - Static and reliable
  - Complicated CMOS process
  - Programming is needed
- Fingerprint
  - Using some process variations
  - Need dedicated circuitry (?)
  - Impacted by noise
Random Numbers
- PRNGs
  - Pseudo Random Number Generator
  - Using some mathematical function
  - Fully deterministic
- TRNGs
  - True Random Number Generator
  - Using some physical random process
  - Unpredictable
Random Numbers – cont.
- Needed by almost every cryptographic algorithm
  - And thus by RFID tags
- Needs to be unpredictable to be “strong” – TRNGs
What is FERNS?
- Fingerprint Extraction and Random Numbers in SRAM
- Set out to get the ID and RNG without dedicated circuitry
  - Using existing CMOS storage – SRAM
- Initial SRAM state based ID and RNG
FERNS and RFID
- Gives the tag its ID
- RNG for security
- Matches passive tags usage model
  - Get ID and a random number for every power-up
Standard SRAM cell
- Made out of 6 transistors
- Threshold voltage mismatch sets the initial state of each cell
SRAM cell – Initial state
- Cells with large threshold mismatch consistently stabilize to the same state
  - These make up the fingerprint
- Cells with well matched thresholds are highly sensitive to noise
  - Physically random noise will set their initial state
  - These are used for the RNG
SRAM cell – Initial state – cont.
- Black bits – reliably initialize to 0
- White bits – reliably initialize to 1
- Gray – can initialize to either one
Testing Platforms
- 160 virtual tags
- 256-byte blocks
- 8 * 512KB SRAM chips
- Large dataset
- Able to test corner correlation cases
Testing platforms – cont.
- 10 TI MSP430 chips
- 256-byte SRAM memory
- Ultra low power
- Not passively powered
- Read out through JTAG
Testing platforms – cont.
- 3 WISPs – Wireless Identification and Sensing Platform
- Passively powered
- 256-byte SRAM
FERNS for Identification
- Latent print
  - A single print (initial state)
  - Is affected by noise
- Known print
  - Bitwise mean of latent prints
FERNS for Identification – cont.
Black – ‘0’, White – ‘1’, Gray - Random
FERNS for Identification – cont.
- Three relevant distance quantities
  - Latent fingerprint and known fingerprint of same device
  - Latent fingerprint and known fingerprints of all other devices
  - All distances between all known fingerprints
- A simple Hamming distance is used for testing
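The matching scheme described on the identification slides, as an added example that is not code from the paper or the slides. The cell model (Gaussian mismatch plus per-power-up noise), the NOISE ratio, rounding the bitwise mean to a majority bit and the 400-bit threshold are all assumptions made for illustration.

```python
import random

N_BITS = 2048   # one 256-byte block, as on the slides
NOISE = 0.1     # assumed noise relative to mismatch spread (constructed)

def make_tag(rng):
    """Constructed chip: one threshold-mismatch value per SRAM cell."""
    return [rng.gauss(0.0, 1.0) for _ in range(N_BITS)]

def power_up(tag, rng):
    """One latent print: each cell settles by mismatch plus fresh noise."""
    return [1 if m + rng.gauss(0.0, NOISE) > 0 else 0 for m in tag]

def known_print(latents):
    """Bitwise mean of latent prints, rounded to the majority bit (assumption)."""
    n = len(latents)
    return [1 if 2 * sum(col) > n else 0 for col in zip(*latents)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def identify(latent, enrolled, threshold):
    """Closest enrolled tag, or None when even the best match is too far."""
    dists = {tid: hamming(latent, kp) for tid, kp in enrolled.items()}
    best = min(dists, key=dists.get)
    return (best if dists[best] <= threshold else None, dists[best])

def demo(seed=1, n_tags=5, enroll_reads=9, threshold=400):
    rng = random.Random(seed)
    tags = [make_tag(rng) for _ in range(n_tags)]
    enrolled = {i: known_print([power_up(t, rng) for _ in range(enroll_reads)])
                for i, t in enumerate(tags)}
    # A fresh latent print from every enrolled tag, then one from an unknown tag.
    genuine = [identify(power_up(t, rng), enrolled, threshold) for t in tags]
    stranger = identify(power_up(make_tag(rng), rng), enrolled, threshold)
    return genuine, stranger

if __name__ == "__main__":
    print(demo())
```

The threshold has to sit between the same-device and other-device distance ranges, which is why the separation between those ranges matters on each platform.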
Test results analysis
- 160 virtual tags
- 800 latent fingerprints
- Incorrect prints differ by at least 685 bits (out of 2048 bits)
- Comparing known prints to other known prints gives similar results
- Correct prints differ by less than 109 bits
Test results analysis – cont.
- MSP430 – 10 known fingerprints
- 300 latent fingerprints
- 2700 incorrect matchings
  - Less than 10 came within 600 bits
- 300 correct matchings
  - Only 4 differed by more than 425 bits
- No fully reliable threshold available
Test results analysis – cont.
- 3 WISPs – 256 bytes each
- 15 known prints – 64 bit
- 150 latent fingerprints
- 2100 incorrect matchings
  - None within 20 bits
- 150 correct matchings
  - Only 3 differed by more than 8 bits
FERNS Identification – security
- Randomized ID
  - Can be used as a large ID space for each tag
  - No two fingerprints of the same tag came up during testing
  - Can help prevent replay attacks by recording history
  - An adversary can still generate a randomized print
FERNS for TRNG
- Well matched cells capture physically random noise
- Well matched cells are randomly scattered around the SRAM
  - Randomness is unpredictably scattered
- The randomness is parallel
  - Contrary to most other TRNGs
- Amount of entropy is unpredictable
FERNS for TRNG - Security
- The source of entropy is obscure
  - Can’t tell where the well matched cells are
- Proximity of cells
  - Trying to influence one will likely influence others
FERNS for TRNG - Analysis
- Tested on the virtual tags
  - Least random of the three platforms
  - Most challenging
- An average of 0.103 bits of entropy per memory bit
  - Around 210 bits out of 2048 raw bits
- Possible to produce 128 bit “keys”
FERNS for TRNG - Analysis
- Raw bits fail to pass entropy tests
  - Tested using NIST test suite
- NH polynomial (PH) universal hash function as an entropy extractor
  - Passes the same tests
- Future work
  - Test the min-entropy of the raw bits
  - Will ensure randomness of the hashed output
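How the per-bit entropy figure and the min-entropy check named as future work can be estimated from repeated power-ups, as an added example that is not code from the paper or the slides. The cell model and the NOISE ratio are assumptions, the data is simulated, and no extractor is implemented here.

```python
import math
import random

N_BITS = 2048   # one 256-byte block, as on the slides
NOISE = 0.1     # assumed noise relative to mismatch spread (constructed)

def power_up(mismatch, rng):
    """One raw read-out: each cell settles by its mismatch plus fresh noise."""
    return [1 if m + rng.gauss(0.0, NOISE) > 0 else 0 for m in mismatch]

def estimate_entropy(reads):
    """Return (Shannon bits, min-entropy bits) summed over all cells.

    Each cell is treated as an independent biased coin whose bias is
    estimated from how often it read 1 across the power-ups.
    """
    n = len(reads)
    shannon = 0.0
    min_ent = 0.0
    for column in zip(*reads):
        p = sum(column) / n
        for q in (p, 1.0 - p):
            if q > 0.0:                 # a cell that never flips adds nothing
                shannon -= q * math.log2(q)
        min_ent -= math.log2(max(p, 1.0 - p))
    return shannon, min_ent

def demo(seed=7, n_reads=200):
    rng = random.Random(seed)
    mismatch = [rng.gauss(0.0, 1.0) for _ in range(N_BITS)]  # constructed chip
    reads = [power_up(mismatch, rng) for _ in range(n_reads)]
    shannon, min_ent = estimate_entropy(reads)
    return {
        "shannon_bits": shannon,
        "min_entropy_bits": min_ent,
        "per_bit": shannon / N_BITS,
    }

if __name__ == "__main__":
    print(demo())
```

Min-entropy is never larger than the Shannon figure, so sizing the extractor output from it is the conservative choice.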
Conclusion
- RFID tags are a challenging platform
  - Cost and security wise
- Initial testing of FERNS seems to provide a system for fingerprints and true random numbers for RFIDs
- Quality of both needs to be further tested
Questions?