Security Analysis of a Cryptographically-Enabled RFID Device


Transcript of Security Analysis of a Cryptographically-Enabled RFID Device

Page 1: Security Analysis of a Cryptographically-Enabled RFID Device

Security Analysis of a Cryptographically-Enabled RFID Device

Authors: Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo

Publisher: Usenix Security Symposium 2005

Presented by: Chowdhury, Abu Rahat

Page 2: Security Analysis of a Cryptographically-Enabled RFID Device

Today’s Outline

• The Authors and the Main Theme
• Recap, DST & Objective
• Attack Range, Scenarios & the three-step process the authors used
• Reverse Engineering
• Key Cracking
• Simulation
• Comments

Page 3: Security Analysis of a Cryptographically-Enabled RFID Device

The Authors

Adam Stubblefield, Assistant Research Professor, Johns Hopkins University

Steve Bono, Grad Student / Musician ?????, Johns Hopkins University

Matthew D. Green, PhD Student, Johns Hopkins University

Dr. Ari Juels, Chief Scientist, Director, RSA Laboratories

Michael Szydlo, Senior Software Developer, Akamai, Cambridge

Aviel D. Rubin, Professor, Johns Hopkins University

Page 4: Security Analysis of a Cryptographically-Enabled RFID Device

The Main Theme

This paper describes the success in defeating the security of an RFID device known as a Digital Signature Transponder (DST), which is produced by Texas Instruments.

The paper concludes that the cryptographic protection afforded by the DST device is relatively weak.

Page 5: Security Analysis of a Cryptographically-Enabled RFID Device

The Authors – Headlined: Students crack the Code

Page 6: Security Analysis of a Cryptographically-Enabled RFID Device

Today’s Outline

• The Authors and the Main Theme
• Recap, DST & Objective
• Attack Range, Scenarios & the three-step process the authors used
• Reverse Engineering
• Key Cracking
• Simulation
• Comments

Page 7: Security Analysis of a Cryptographically-Enabled RFID Device

Recap RFID

Tracking Technologies and Automatic ID Systems

Various technologies are used to track and automatically ID people, products, and other objects:

– Barcodes
– Optical Character Recognition (OCR)
– Biometrics
  • Voice recognition and ID systems
  • Fingerprint ID systems
– Smart cards
– Memory cards
– Microprocessor cards

Page 8: Security Analysis of a Cryptographically-Enabled RFID Device

RFID: What is it?

RFID combines many of the features of several of these technologies:

– Like barcodes, RFID is used to identify and track objects
– RFID also can be used like smart cards, memory cards, and microprocessor cards to store information and provide interactive data processing

Page 9: Security Analysis of a Cryptographically-Enabled RFID Device

Current Technology

Page 10: Security Analysis of a Cryptographically-Enabled RFID Device

Market & Application

Key Industry Drivers Leading Us Toward RFID (figure): Industrial Products, Logistics/Trans., Retail Products, Consumer Products, Homeland Security, Other Service

Page 11: Security Analysis of a Cryptographically-Enabled RFID Device

Review DST

Sophisticated RFID devices can offer cryptographic functionality.

The Digital Signature Transponder (DST) is such a device.

Manufactured by Texas Instruments.

Page 12: Security Analysis of a Cryptographically-Enabled RFID Device

Application of DST

Vehicle Immobilizers
• 150 million immobilizer keys use RFID
• Older keys use fixed-code transponders with no cryptographic security
• Newer models use DST

Electronic Payment
• Exxon-Mobil SpeedPass system
• Seven million cryptographically-enabled keychain tags accepted at 10k locations worldwide

Page 13: Security Analysis of a Cryptographically-Enabled RFID Device

Characteristics of a DST

Small microchip and antenna coil with no onboard power source

Contains a secret 40-bit cryptographic key that is field-programmable via RF command

Interaction with a reader:

• DST emits a 24-bit, factory-set ID
• Then the authentication process starts
• Reader sends a 40-bit challenge

Page 14: Security Analysis of a Cryptographically-Enabled RFID Device

Objective

Several attacking steps were accomplished using inexpensive off-the-shelf equipment, and with minimal RF expertise.

Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass payment transponders and automobile ignition keys.

Page 15: Security Analysis of a Cryptographically-Enabled RFID Device

Questions that the paper answers

How to stage the attack? (Details)

What resources are needed to stage such an attack? (Hardware/software/network)

How serious is this threat?

What are the countermeasures?

Why was the attack possible?

Is Texas Instruments listening?

Page 16: Security Analysis of a Cryptographically-Enabled RFID Device

The Big Picture

Page 17: Security Analysis of a Cryptographically-Enabled RFID Device

Source: Pagey

Page 18: Security Analysis of a Cryptographically-Enabled RFID Device

Today’s Outline

• The Authors and the Main Theme
• Recap, DST & Objective
• Attack Range, Scenarios & the three-step process the authors used
• Reverse Engineering
• Key Cracking
• Simulation
• Comments

Page 19: Security Analysis of a Cryptographically-Enabled RFID Device

Effective Attack Range

• DSTs are designed for short-range scanning, only a few centimeters

• DSTs can respond to as many as 8 queries/sec

• Active scanning
  – Attacker brings her own reader within scanning range of the victim
  – Permits a chosen-challenge attack

• Passive eavesdropping
  – Eavesdrop on the communication between the victim and a legitimate reader

Page 20: Security Analysis of a Cryptographically-Enabled RFID Device

Example Attack Scenarios

• Auto theft via eavesdropping
  – Own a van with eavesdropping equipment
  – Park near victim’s car and wait to capture key-to-reader transmissions
  – Make a key based on data collected

• Auto theft via active attack
  – Suborn/bribe a valet at a parking facility to scan immobilizer keys while parking their cars

• SpeedPass theft via active attack
  – Carry a reader and a short-range antenna and scan nearby passengers in a subway

Page 21: Security Analysis of a Cryptographically-Enabled RFID Device

Attack process

• Reverse engineering
  – Experimental observation of responses output by the device
  – Aim was to get a schematic of the block cipher used in the challenge-response protocol

• Key cracking
  – Recover a key in under an hour

• Simulation
  – Given the key, a simulator for the RF output was constructed so as to spoof readers

Page 22: Security Analysis of a Cryptographically-Enabled RFID Device

Reverse Engineering

• Where to start?
  – Can purchase TI software (but license agreement issues)
  – Only information available: a rough schematic by Dr. Ulrich Kaiser

• Black-box testing (to uncover the DST technique)
  – With a TI 2000 LF RFID kit
  – Remember, DST is field-programmable!

Page 23: Security Analysis of a Cryptographically-Enabled RFID Device

The Rough Schematic

Page 24: Security Analysis of a Cryptographically-Enabled RFID Device

Reverse Engineering

They observed the logical output of the DST by specifying varying inputs and compared it with the predicted output of the hardware circuit.

TI has not published their algorithm or block diagram, citing “security by obscurity”.

The authors’ aim was to figure out the cipher used by the DST by reverse engineering under the constraint of minimum resource requirements (software packages were not used due to copyright issues).

Page 25: Security Analysis of a Cryptographically-Enabled RFID Device

Reverse Engineering

Such reverse engineering efforts have been successfully attempted in the past.

For example, Bunnie Huang reverse engineered an Xbox to allow it to run Linux.

With the help of the DST block diagram published in Dr. Kaiser’s publication, and after much trial-and-error effort, the authors were able to extract all the required information.

Page 26: Security Analysis of a Cryptographically-Enabled RFID Device

Key Cracking

The authors built a hardware circuit to crack the 40-bit key.

A single circuit was able to crack the 40-bit key in under 21 hours.

To speed up the search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel (under $3500).

Page 27: Security Analysis of a Cryptographically-Enabled RFID Device

Simulation

Page 28: Security Analysis of a Cryptographically-Enabled RFID Device

Conclusion

It describes the success in defeating the security of an RFID device.

The authors hope that future cryptographic RFID system designers will embrace a critical lesson preached by the scientific community.

Page 29: Security Analysis of a Cryptographically-Enabled RFID Device

Today’s Outline

• The Authors and the Main Theme
• Recap, DST & Objective
• Attack Range, Scenarios & the three-step process the authors used
• Reverse Engineering
• Key Cracking
• Simulation
• Comments

Page 30: Security Analysis of a Cryptographically-Enabled RFID Device

Strengths

• Exploits a realistic weakness in a production system (Texas Instruments).

• They made their results available to TI.

• They actually staged an attack on the “SpeedPass” system.

Page 31: Security Analysis of a Cryptographically-Enabled RFID Device

Weaknesses

The authors probably had enough working knowledge of cipher implementation to decipher the structure of the hardware.

A thief would need enough technical knowledge to mount such an attack, hence current 40-bit key immobilizers still act as a deterrent.

Page 32: Security Analysis of a Cryptographically-Enabled RFID Device

Suggestion

• Adequate key length for the underlying DST40 cipher

• At the time of publication, TI had plans to ship DSTs with 128-bit keys

• Can we still mount a successful attack with this change?

Page 33: Security Analysis of a Cryptographically-Enabled RFID Device

References & Backup Slides

Page 34: Security Analysis of a Cryptographically-Enabled RFID Device

References

• Security Analysis of a Cryptographically-Enabled RFID Device – Usenix Security '05 Paper. http://usenix.org/events/sec05/tech/bono.html

• Automotive immobilizer anti-theft systems experience rapid growth in 1999, 1 June 1999. Texas Instruments Press Release. Available at http://www.ti.com/tiris/docs/news/news releases/90s/rel06-01-99.shtml

• Figure by Dr. Ulrich Kaiser, Texas Instruments Deutschland

• Google, Wikipedia

Page 35: Security Analysis of a Cryptographically-Enabled RFID Device

Extra: The full DST protocol

• Reader transmits a challenge to the transponder consisting of an 8-bit opcode and a 40-bit challenge

• The transponder encrypts the challenge using the secret 40-bit key it shares with the reader

• The transponder replies to the reader with its 24-bit serial number, the 24 least significant bits of the encryption’s result, and a 16-bit CRC
  – 16-bit reverse CRC-CCITT initialized with a secret 16-bit value
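The exchange described on this slide, modelled as an added example (not code from the paper or the slides) that also covers the point behind the key-cracking slide. The real DST40 cipher is not on the page, so a keyed SHA-256-based stand-in is assumed in its place; the CRC is assumed to be the reflected (LSB-first) CRC-16/CCITT seeded with the secret initial value.

```python
import hashlib

POLY_REFLECTED = 0x8408  # CRC-CCITT polynomial 0x1021, bit-reversed


def crc16_ccitt_reflected(data: bytes, init: int) -> int:
    """Reflected (LSB-first) CRC-16/CCITT seeded with a secret 16-bit value.
    Assumption: this is the slide's 'reverse CRC-CCITT'."""
    crc = init & 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY_REFLECTED if crc & 1 else crc >> 1
    return crc & 0xFFFF


def stand_in_cipher(key40: int, challenge40: int) -> int:
    """Stand-in for the DST40 block cipher (not on the page): a keyed,
    deterministic 40-bit function derived from SHA-256."""
    h = hashlib.sha256(key40.to_bytes(5, "big") + challenge40.to_bytes(5, "big"))
    return int.from_bytes(h.digest()[:5], "big")


def transponder_reply(serial24: int, key40: int, crc_init16: int, challenge40: int) -> bytes:
    """Tag side: 24-bit serial || 24 LSBs of E_k(challenge) || 16-bit CRC."""
    resp24 = stand_in_cipher(key40, challenge40) & 0xFFFFFF
    body = serial24.to_bytes(3, "big") + resp24.to_bytes(3, "big")
    return body + crc16_ccitt_reflected(body, crc_init16).to_bytes(2, "big")


def reader_verify(frame: bytes, key40: int, crc_init16: int, challenge40: int):
    """Reader side: check the CRC, then compare the truncated response with
    the reader's own computation under the shared key."""
    if len(frame) != 8:
        return False, None
    serial24 = int.from_bytes(frame[:3], "big")
    resp24 = int.from_bytes(frame[3:6], "big")
    crc_ok = int.from_bytes(frame[6:], "big") == crc16_ccitt_reflected(frame[:6], crc_init16)
    expected = stand_in_cipher(key40, challenge40) & 0xFFFFFF
    return crc_ok and resp24 == expected, serial24


def candidate_keys_per_pair(key_bits: int = 40, response_bits: int = 24) -> int:
    """Why one captured pair is not enough for a key search: only 24 of the 40
    cipher output bits are returned, so about 2^(40-24) wrong keys also match
    a single challenge-response pair; a second pair is needed to confirm."""
    return 2 ** (key_bits - response_bits)
```

The truncation is what makes the 16-bit CRC and 24-bit response useful as a format check only; the 40-bit key length is the property the key-cracking slide exploits.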

Page 36: Security Analysis of a Cryptographically-Enabled RFID Device

Extra: Simulating a DST device

• PC equipped with a DAC board (digital-to-analog converter)
• Input and output of the DAC board connected to an antenna tuned at 134 kHz
• Steps:
  – Analyze the A/D conversions received by the DAC board
  – Decode the AM signal containing the challenge sent from the reader
  – Perform an encryption of this challenge using the recovered secret DST key
  – Encode the FM-FSK signal representing the correct response
  – Output this FM-FSK signal to the DAC board

Page 37: Security Analysis of a Cryptographically-Enabled RFID Device

Extra: Immobilizer

Page 38: Security Analysis of a Cryptographically-Enabled RFID Device


Thank You