6_rfid
description
Transcript of 6_rfid
-
RFID
Erik Poll, Digital Security
Radboud University Nijmegen
1
-
RFID tags
RFID = Radio-Frequency IDentification. RFID devices are called tags or transponders.
More powerful RFID tags are also called contactless smartcards.
Inductive coupling is used for: energy transfer to the card, transmission of the clock signal, and data transfer.
Simple tags only support data transfer from the tag to the reader.
2
-
Various kinds of RFID tags
Animal identification RFID tags (ISO 11784 & 11785): only transmit a permanently programmed id code.
Advanced transponders (ISO 14223): have more data and support writing & write-protection; compatible with ISO 11785.
Contactless smartcards:
close coupling: a few mm (ISO 10536)
proximity: less than 10 cm (ISO 14443)
vicinity: more than 10 cm (ISO 15693)
Many of these contactless smartcards are not very smart: memory cards instead of microprocessor cards.
3
-
Various kinds of RFID tags
Container identification (ISO 10374): active, battery-operated transponder.
Anti-theft systems (VDI 4470): only one bit of information.
Item management (ISO 18000 + others): essentially RFID bar codes; GTAG (Global Tag), a joint effort of EAN (European Article Numbering Association) and UCC (Universal Code Council).
4
-
stupid memory transponders
read-only: the tag just shouts its serial number; communication is one way only
writable, no write-protection: 1 byte to 64 Kbyte, in fixed blocks, eg 16 bit, 4 byte, ...; no protection on writing
writable, some write-protection: password/key or a more complicated authentication procedure; a state machine or operating system is possible, offering segmented memory, each memory segment with its own key
important standard: MIFARE (Classic); others: DESFire, Calypso, ATMEL CryptoMemory, Legic, ...
5
-
smart microprocessor transponders
like a normal smartcard, ie smart, but (also) wireless, and with a lot less power:
ISO 14443: 5 mW; GSM 11.11: 50 mW; ISO 7816: 300 mW
NB reduced resources for serious crypto or countermeasures
Dual-interface cards can offer different functionality via the contacts and contactless.
6
-
NFC = Near Field Communication
Implemented in mobile phones; compatible with ISO 14443 proximity cards. The phone can act as a reader (active mode) or as a tag (passive mode).
The next big thing in mobile phones?
First trial with payments with NFC mobile phones in Leiden now.
7
-
pros & cons of contact vs contactless?
pros contactless:
ease of use
no wear & tear of contacts on card and terminal, so less maintenance
less susceptible to vandalism
cons contactless:
easier to eavesdrop on communication? (the terminal's side of the communication is easier to eavesdrop on than the tag's side)
communication possible without the owner's consent, eg for replay or relay (man-in-the-middle) attacks
cheap tags have limited capabilities to provide security (eg amount of data, access control model, crypto)
8
-
passive vs active attacks on RFID
passive attacks: eavesdropping on the communication between passport & reader; possible from several meters
active attacks: unauthorised access to the tag, ie activating the RFID tag without the owner's knowledge; possible up to 25 cm, but this requires a powerful field!; aka virtual pickpocketing; variant: relay attack
9
-
Anti-collision
Additional complexity of contactless cards: several cards may be activated by the reader at once, so an anti-collision protocol is needed for the terminal to select one card to talk to.
10
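To make the anti-collision step concrete, here is an added simulation; it is not from the lecture and is simplified relative to ISO 14443-3 Type A (cascade levels, the NVB byte and the BCC byte are left out, and the UIDs are constructed bit strings). What it keeps is the mechanism: the reader broadcasts the UID bits it already knows, every tag whose UID matches sends the rest, and Manchester coding lets the reader see the first bit position at which both a 0 and a 1 were sent, so it can walk the tree of UIDs one branch at a time.

```python
"""Bit-level anti-collision as in ISO 14443-3 Type A, simulated.

Added example, not from the lecture. Simplification: UIDs are fixed-length
bit strings; cascade levels, the NVB byte and BCC are omitted."""


def anticollision(uids, prefix="", log=None):
    """Single out every tag in the field. Returns the UIDs in the order the
    reader isolates them; `log` collects one (known_bits, responders) entry
    per ANTICOLLISION command the reader sends."""
    if log is None:
        log = []
    # every tag whose UID starts with the bits the reader sent answers
    answering = [u for u in uids if u.startswith(prefix)]
    log.append((prefix, len(answering)))
    if not answering:
        return []
    for pos in range(len(prefix), len(answering[0])):
        if len({u[pos] for u in answering}) == 2:      # both 0 and 1 seen: collision
            known = answering[0][:pos]
            # reader resolves by continuing with a 0 first, then a 1
            return (anticollision(answering, known + "0", log)
                    + anticollision(answering, known + "1", log))
    return [answering[0]]        # a single tag answered (or clones with identical UIDs)


def demo():
    # Constructed 8-bit UIDs; real Type A UIDs are 4, 7 or 10 bytes.
    tags = ["01010101", "01011100", "11000011"]
    log = []
    return anticollision(tags, log=log), log


if __name__ == "__main__":
    order, log = demo()
    print("selected in order:", order)
    for prefix, n in log:
        print(f"ANTICOLLISION known bits={prefix!r:12} responders={n}")
```

Note the security-relevant consequence: this exchange runs before any authentication, so whoever powers the tags learns every UID in the field. Two clones with the same UID never collide with each other and are selected together, which is why a UID alone is a poor credential.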
-
MIFARE
-
MIFARE
widely used proprietary standard by NXP (formerly Philips), closely related to, and the basis for, ISO 14443 Type A; several versions, incl.
MIFARE Ultralight: provides only memory with some write restrictions (locking)
MIFARE Standard 4k: also provides authentication and communication encryption by the proprietary CRYPTO-1 algorithm
Crypto-1 was logically reverse-engineered and broken by Nijmegen cryptanalysis researchers.
12
-
Other RFID tags with (broken) proprietary crypto
Other cards investigated and broken by the Nijmegen cryptanalysis team (Flavio Garcia, Gerhard de Koning Gans, and Roel Verdult):
ATMEL SecureMemory, CryptoMemory and CryptoRF
HID iClass, iClass Elite
Hitag2 (used in car keys)
Megamos crypto (used in car immobilisers)
Moral of the story: don't use proprietary crypto, obviously.
-
Google for MIFARE & YouTube
14
-
Common weakness, irrespective of crypto used
75% of MIFARE RFID applications use default (transport) keys or keys used in examples in documentation [Source: Lukas Grunwald, DEFCON14, 2007]
A0A1A2A3A4A5 is an initial transport key that many tags ship with. Googling for A0A1A2A3A4A5 produces links to documentation with other example keys to try!
15
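An added example, not from the lecture and not NXP's or any tool's code, that checks a MIFARE Classic 1K dump for exactly this weakness and for the per-sector access conditions of the "segmented memory, each segment with its own key" model of slide 5: it flags sectors whose key A or key B is a documented default such as A0A1A2A3A4A5, and decodes the access bits of every sector trailer, which also reveals configurations in which key B is readable with key A and therefore no secret at all. Assumed: the 1024-byte dump layout that tools such as libnfc's nfc-mfclassic write (16 sectors x 4 blocks x 16 bytes, trailer in block 3); the dump and the short key list are constructed here.

```python
"""Audit a MIFARE Classic 1K dump for default keys and weak sector-trailer
access conditions.

Added example, not from the lecture. Assumed dump format: 1024 raw bytes,
16 sectors x 4 blocks x 16 bytes, block 3 of every sector being the sector
trailer (key A | 3 access bytes + user byte | key B). The sample dump is
constructed below; the key list is a short excerpt of what vendor
documentation and public tools contain."""

BLOCK, SECTOR = 16, 64

DEFAULT_KEYS = {
    "A0A1A2A3A4A5": "NXP transport key A (also the public MAD key)",
    "B0B1B2B3B4B5": "NXP transport key B",
    "FFFFFFFFFFFF": "blank / factory default",
    "000000000000": "all zeros",
    "D3F7D3F7D3F7": "NFC Forum public NDEF key",
}

# Trailer access conditions (C1, C2, C3) under which key B can be read with
# key A (MF1S50 data sheet): key B is then just data, not a secret.
TRAILER_KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def decode_access_bits(ac: bytes):
    """Bytes 6..8 of a trailer -> [(C1, C2, C3)] for blocks 0..3, or None if
    the inverted copies disagree (on a real card that sector is then dead)."""
    b6, b7, b8 = ac
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    nc1, nc2, nc3 = b6 & 0xF, (b6 >> 4) & 0xF, b7 & 0xF
    if (c1 ^ nc1, c2 ^ nc2, c3 ^ nc3) != (0xF, 0xF, 0xF):
        return None
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit_dump(dump: bytes):
    """Return a list of (sector, finding) pairs for a 1K dump."""
    if len(dump) != 16 * SECTOR:
        raise ValueError("expected a 1024-byte MIFARE Classic 1K dump")
    findings = []
    for s in range(16):
        trailer = dump[s * SECTOR + 3 * BLOCK:(s + 1) * SECTOR]
        key_a, ac, key_b = trailer[:6], trailer[6:9], trailer[10:16]
        for name, key in (("key A", key_a), ("key B", key_b)):
            label = DEFAULT_KEYS.get(key.hex().upper())
            if label:
                findings.append((s, f"{name} is a default key: {label}"))
        conds = decode_access_bits(ac)
        if conds is None:
            findings.append((s, "access bits fail their redundancy check"))
            continue
        if conds[3] in TRAILER_KEYB_READABLE:
            findings.append((s, "trailer condition lets key A read key B"))
        if any(c == (0, 0, 0) for c in conds[:3]):
            findings.append((s, "data block writable with either key (transport condition)"))
    return findings


def sector(key_a: str, access: str, key_b: str, data: bytes = bytes(48)) -> bytes:
    """Build one 64-byte sector: 3 data blocks followed by the trailer."""
    return data + bytes.fromhex(key_a + access + key_b)


# Constructed dump: sector 0 still in transport configuration, sector 2 with
# custom keys but transport access bits, sector 3 blank, sector 4 corrupted,
# the rest personalised (keys changed, data readable with A, writable with B).
SAMPLE_DUMP = b"".join([
    sector("A0A1A2A3A4A5", "FF078069", "B0B1B2B3B4B5"),
    sector("112233445566", "78778869", "665544332211"),
    sector("0F1E2D3C4B5A", "FF078069", "A5B4C3D2E1F0"),
    sector("FFFFFFFFFFFF", "78778869", "FFFFFFFFFFFF"),
    sector("112233445566", "00000069", "665544332211"),
] + [sector("112233445566", "78778869", "665544332211")] * 11)

if __name__ == "__main__":
    for s, finding in audit_dump(SAMPLE_DUMP):
        print(f"sector {s:2d}: {finding}")
```

Keys can never be read back from a genuine card, so in practice the key check runs against keys a tool recovered by trying a dictionary (or a Crypto-1 attack) against every sector and then wrote into the trailer positions of the dump. The redundancy check on the access bits matters for the same reason sector 4 is flagged: writing a trailer whose inverted copies disagree permanently disables that sector.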
-
MIFARE Ultralight
No keys or crypto to protect memory access. Relies on read-only and write-once memory for security. Memory organised in 16 pages of 4 bytes:
first part is read-only; includes the 7 byte serial number
second part is One Time Programmable (OTP): you can write 1's, not 0's; includes the data for locking
third part is readable & writable
NB security is only provided by OTP, by locking pages, and by having signed/encrypted data in pages, where the crypto is done by the terminals, not the tag
16
-
Fundamental weakness
No way to protect against spoofing of tags.
Ghost device for spoofing RFID signals
17
-
MIFARE Ultralight memory layout
Page   byte 0      byte 1      byte 2      byte 3      access
0      sn0         sn1         sn2         checksum    serial no, read only
1      sn3         sn4         sn5         sn6         serial no, read only
2      checksum    internal    lock 0      lock 1      lock bytes, OTP
3      OTP 0       OTP 1       OTP 2       OTP 3       OTP
4-15   application data                                read/write
18
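An added example, not from the lecture, that puts slides 16 to 18 together in running code: a simulated MIFARE Ultralight with the read-only, OTP and lock-bit rules of the page layout above; a terminal that keeps the only secret (a MAC key) on its own side and stores a MAC over UID and ticket data in the writable pages, the "crypto done by terminals, not the tag" of slide 16; and a ghost device that replays a byte-exact copy of the tag's memory and passes the same check, which is the fundamental weakness of slide 17. Constructed: the UID, TERMINAL_KEY and the ticket format. Assumed: the page layout and lock-bit mapping of the MF0ICU1 data sheet (lock byte 0 bit 3 locks the OTP page and bits 4-7 lock pages 4-7; lock byte 1 locks pages 8-15).

```python
"""Simulated MIFARE Ultralight with its write rules, plus the terminal-side
MAC that is the only cryptography such a tag can carry.

Added example, not from the lecture. Constructed: the 7-byte UID, TERMINAL_KEY
and the ticket format. Page layout, OTP semantics (bits can be set, never
cleared) and lock-bit mapping follow the MF0ICU1 data sheet; where a real
tag answers NAK this code raises PermissionError."""
import hashlib
import hmac


class Ultralight:
    """16 pages x 4 bytes: 0-1 UID (read-only), 2 BCC + lock bytes, 3 OTP, 4-15 data."""

    def __init__(self, uid7: bytes):
        assert len(uid7) == 7
        self.mem = [bytearray(4) for _ in range(16)]
        bcc0 = 0x88 ^ uid7[0] ^ uid7[1] ^ uid7[2]   # check byte over cascade tag + sn0..sn2
        bcc1 = uid7[3] ^ uid7[4] ^ uid7[5] ^ uid7[6]
        self.mem[0][:] = bytes([uid7[0], uid7[1], uid7[2], bcc0])
        self.mem[1][:] = uid7[3:7]
        self.mem[2][0] = bcc1

    def uid(self) -> bytes:
        return bytes(self.mem[0][:3] + self.mem[1])

    def read(self, page: int) -> bytes:
        return bytes(self.mem[page])

    def _locked(self, page: int) -> bool:
        lock0, lock1 = self.mem[2][2], self.mem[2][3]
        if page == 3:
            return bool(lock0 & 0x08)               # bit 3 of lock byte 0 locks the OTP page
        if page <= 7:
            return bool(lock0 & (1 << page))        # bits 4..7 lock pages 4..7
        return bool(lock1 & (1 << (page - 8)))      # bits 0..7 of lock byte 1 lock pages 8..15

    def write(self, page: int, data: bytes) -> None:
        assert len(data) == 4
        if page in (0, 1):
            raise PermissionError("UID pages are read-only")
        if page == 2:                               # only the lock bytes, and only 0 -> 1
            self.mem[2][2] |= data[2]
            self.mem[2][3] |= data[3]
            return
        if self._locked(page):
            raise PermissionError(f"page {page} is locked")
        if page == 3:                               # OTP page: 0 -> 1 only
            for i in range(4):
                self.mem[3][i] |= data[i]
            return
        self.mem[page][:] = data


class Ghost(Ultralight):
    """Emulator loaded with a byte-exact copy of a genuine tag's memory: it
    answers reads like the original but obeys none of the write rules."""

    def __init__(self, memory):
        self.mem = [bytearray(p) for p in memory]

    def write(self, page: int, data: bytes) -> None:
        self.mem[page][:] = data


TERMINAL_KEY = b"constructed terminal key"          # lives in the terminal, never on the tag


def ticket_mac(uid: bytes, ticket: bytes) -> bytes:
    """8-byte MAC binding the ticket data to this chip's serial number."""
    return hmac.new(TERMINAL_KEY, uid + ticket, hashlib.sha256).digest()[:8]


def issue(tag: Ultralight, rides: int) -> None:
    """Write an N-ride ticket: rides in page 4, MAC in pages 5-6, then lock them."""
    assert 1 <= rides <= 32                         # one OTP bit per ride
    ticket = rides.to_bytes(4, "big")
    tag.write(4, ticket)
    mac = ticket_mac(tag.uid(), ticket)
    tag.write(5, mac[:4])
    tag.write(6, mac[4:])
    tag.write(2, bytes([0, 0, 0x70, 0]))           # set L4, L5, L6: pages 4-6 now read-only


def check_and_punch(tag: Ultralight) -> bool:
    """Terminal: verify the MAC, count rides used in the OTP page, burn one bit."""
    ticket = tag.read(4)
    if not hmac.compare_digest(tag.read(5) + tag.read(6), ticket_mac(tag.uid(), ticket)):
        return False
    rides = int.from_bytes(ticket, "big")
    used = bin(int.from_bytes(tag.read(3), "big")).count("1")
    if used >= rides:
        return False
    tag.write(3, (1 << used).to_bytes(4, "big"))   # irreversible on a genuine tag
    return True


def demo():
    tag = Ultralight(bytes.fromhex("04112233445566"))   # constructed UID
    issue(tag, 2)
    snapshot = [bytes(p) for p in tag.mem]              # what anyone near the tag can read
    genuine = [check_and_punch(tag) for _ in range(3)]  # third ride is refused
    ghost_ok = check_and_punch(Ghost(snapshot))         # the pre-punch image, replayed
    return tag, genuine, ghost_ok
```

On the genuine tag the scheme holds: the ticket pages are locked, the MAC ties them to the UID, and punched OTP bits cannot be cleared. Against a ghost that answers with a copy of the memory taken before the first punch, the terminal sees a valid UID, a valid MAC and zero rides used, because nothing in this exchange requires the tag to prove it holds a secret. Only a tag that can do crypto itself (a challenge-response with a key that never leaves the chip) closes that gap.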