EPC for Security Applications By Jacob Ammons & Joe D’Amato.

RFIDs

● An electronic tag which can be used to relay information to a reader using RF fields

● Can be read from outside line of sight

RFIDs In Identity Documents

In 2008 the Western Hemisphere Travel Initiative announced that US citizens must now use either a passport or an enhanced driver's license for travel to the U.S., Canada, or Bermuda by sea and land.

“A vicinity Radio Frequency Identification (RFID) chip that will signal a secure system to pull up your biographic and biometric data for the CBP officer as you approach the border inspection booth” DHS.gov

Original Thoughts on Security

● Uses Class-1 Gen-2 tags, the standard for passive RFID tags

● The State Department and members of Congress expressed concern about the security and privacy of the tags

● NIST approved RFID to ISO standard

Original Thoughts on Security cont.

● RFID tags have a Tag Identifier (TID), unique to each tag

“the risk of cloning RFID enabled cards and an impostor with similar physical features gaining illegal entry into the U.S., while unlikely, is real. Fortunately, there is a powerful tool that can be used to remove the risk of cloning. This tool is the Tag Identifier, or TID. The TID is available on all Gen 2 RFID tags.” United States Department of Homeland Security

Problems w/ RFIDs in ID Document

● The TIDs found inside passport cards and enhanced driver's licenses are of the E2 class, meaning they contain only manufacturer and model ID numbers. Thus no unique identification number is associated with the tag.

● This allows the EPC and TID values to be cloned onto a commercially available off-the-shelf tag.

Kill Pin

● The kill PIN of the EDL is not locked. It has been verified on a cloned EDL that a reader could be used to set the kill PIN over the air, rendering it useless to the owner.

● Known as Pkill, a 32-bit PIN

Read Range Experiments

● The range of reading an RFID is key to security

● Agencies provide sleeves to act as faraday cages

● Position of ID is important to read range

Read Range Experiments Results

Results with Secure sleeves or without

Results for position of ID

+ means they ran out of space

Kill Based Authentication

● Based on the RFID tag sending back a "Not Enough Power" reply to a kill command from a reader that transmits enough power to make the tag respond but not enough for it to kill itself

● Relies on the reader knowing Pkill

● The reader sends an invalid PIN, Pkill’, and the real Pkill

● The invalid PIN is dropped and the correct PIN is acknowledged

● ½ probability is enough to catch a cloned

KBA cont.

● KBA can be improved by sending N−1 incorrect PINs and the one correct PIN

● Makes the probability of detection 1 − 1/N

● Problems: may unintentionally kill the tag

● To find the power level, ramp the power until you get a successful reply from the tag

Simple KBA Experiment

Designing a method to reduce unintentional kills

1. Use an increasing power range, 15 dBm to 30 dBm in 0.25 dB increments, transmitting a KILL command at each power level in turn until the reader successfully receives a reply from the target tag; the power level is then fixed.

2. The reader then sends a total of N KILL commands, with N − 1 bogus PINs and 1 real PIN.

3. Wait for a successful authentication response. If it fails, go back to (1).

Note: Unintentional kills at short distances (power can’t be adjusted low enough)
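The three steps above and the N-PIN variant from the previous slide, simulated as an added example (not code from the slides or the referenced paper). The `Tag` class is a toy model with assumed thresholds `wake_dbm` and `kill_dbm`, the PIN value is constructed, and the clone is assumed to acknowledge one PIN at random.

```python
import random

LEVELS = [15 + 0.25 * i for i in range(61)]  # 15 dBm .. 30 dBm in 0.25 dB steps
PKILL = 0x5EC0DE42                            # constructed 32-bit kill PIN

class Tag:
    """Toy tag model (assumption): answers KILL above wake_dbm, dies above kill_dbm."""
    def __init__(self, wake_dbm, kill_dbm, pkill=None, rng=None):
        self.wake_dbm, self.kill_dbm = wake_dbm, kill_dbm
        self.pkill, self.rng, self.alive = pkill, rng, True  # pkill=None models a clone

    def kill_round(self, pins, dbm):
        """One reply per KILL command: True = 'not enough power', False = silence."""
        if not self.alive or dbm < self.wake_dbm:
            return [False] * len(pins)
        if self.pkill is None:          # clone cannot tell real from bogus: it guesses one
            pick = self.rng.randrange(len(pins))
            return [i == pick for i in range(len(pins))]
        replies = []
        for pin in pins:
            if pin == self.pkill and dbm >= self.kill_dbm:
                self.alive = False      # power too high: the tag is really killed
            replies.append(self.alive and pin == self.pkill)
        return replies

def kba(tag, n, rng):
    """One KBA run; returns 'authentic', 'clone' or 'no-reply'."""
    # Step 1: ramp power until a KILL carrying the real PIN is answered, then fix it.
    level = next((p for p in LEVELS if tag.kill_round([PKILL], p)[0]), None)
    if level is None:
        return "no-reply"               # out of range, or killed during the ramp
    # Step 2: N-1 bogus PINs (XOR with a non-zero value, so never PKILL) plus the real one.
    pins = [PKILL ^ rng.randrange(1, 2**32) for _ in range(n - 1)] + [PKILL]
    rng.shuffle(pins)
    # Step 3: accept only if exactly the real PIN was acknowledged (retry loop omitted).
    replies = tag.kill_round(pins, level)
    return "authentic" if replies == [p == PKILL for p in pins] else "clone"

def detection_rate(n, trials=4000, seed=1):
    """Fraction of runs in which a clone that guesses one PIN is caught."""
    rng = random.Random(seed)
    runs = (kba(Tag(20.0, 26.0, rng=rng), n, rng) for _ in range(trials))
    return sum(r == "clone" for r in runs) / trials
```

A tag whose kill threshold lies below the 15 dBm floor, such as `Tag(5.0, 11.0, pkill=PKILL)`, is killed by the first ramp command, which is the short-distance failure the note describes.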

Scaled KBA

A good KBA algorithm should support:

- Reading

Therefore we need a good KBA algorithm that allows reading without unintentionally killing the device.

*By altering μ and δ we can achieve authentication and readability. ( μ : potential to kill back off )

Scaled KBA

PWRW - PWRR < μ

Min and max power levels for these tests

Conclusion

● Cloning is a problem on EPC IDs

● KBA is a viable way to authenticate RFID tags

Reference

K. Koscher, V. Brajkovic, T. Kohno, A. Juels, "EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond," CCS’09, November 2009. http://homes.cs.washington.edu/~yoshi/papers/RFID/ccs280-koscher.pdf