Transcript of SFS_presentation.ppt
Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags
Nitesh Saxena and Jonathan [email protected], [email protected]
Polytechnic Institute of New York University, Department of Computer Science and Engineering
We Can Remember it for You Wholesale
2
The Problem: RFID Random Number Generation
Most security and privacy solutions for RFID tags require true random number generation (RNG)
  True randomness: uses physical noise
  Pseudorandomness: uses a seeded function
Due to costs, RFID tags are constrained in terms of:
  Memory
  Computation
  Power
  User interfaces
What is the best way to perform RNG on RFID tags?
3
Potential Solution: RAM Based RNG
Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et al. [RFIDSec ‘07][ToC ‘09]
Derives a fingerprint from uninitialized memory
Fingerprint can be used as:
  An identifier
  A source of randomness
Huge advantage: No new hardware required for RNG
4
Potential Limitations of RAM Based RNG
Amount of randomness is restricted by the amount of unused memory
  RFID tags don’t have much to begin with
  Other functionalities also utilize RAM
After a portion of memory has been used for RNG, must wait for it to become uninitialized before using it again
  How often does this occur with standard RFID usage?
Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols?
5
RFID Overview
RFID infrastructure consists of:
  Tags – small transponders
  Readers – wirelessly query tags
Tags commonly:
  Are passive – derive power from reader transmissions
  Have little memory and computational power
For research, utilized the Wireless Identification and Sensing Platform (WISP) by Intel Research
  First programmable passive tag
  Allowed work with a live RFID device
6
Using Memory for RNG
FERNS approach
  RAM cells power up into a stable ‘0’ or ‘1’ state
  Which state depends on physical properties
    Large threshold voltage mismatch: reliably enter one state
    Small mismatch: take on value randomly
  Physical noise of well matched cells supplies entropy
7
Data Remanence
Popular belief: data held in RAM is lost as soon as power is removed
  Not accurate! Data takes time to decay
Brief interval after power loss where data remains intact
  Known as data remanence
Decay rate varies:
  Between particular chips
  With temperature
What implications does this have on RAM initialization frequency?
Source: Halderman et al. [USENIX ‘08]
8
RFID Authentication (1)
RFID tags designed to respond promiscuously to any query
Tag forging is relatively simple:
  Query a tag to obtain its data
  Program a new tag with an identical value
Cryptography is expensive, so traditional solutions are ill-suited to low cost tags
9
RFID Authentication (2)
New authentication solutions developed to address tag shortcomings
  HB+ is one of the best known
Requires only bitwise logic gates and high quality random numbers
For 80-bit security, either:
  80 rounds where the tag generates a 224 bit random value
  A single round where the tag generates a 17,920 bit random value
Can RAM based RNG generate sufficient randomness for protocols like HB+?
10
WISP RNG Implementation
Implemented FERNS on a WISP tag
Preliminary test:
  Tag generates a single 37 bit hash from 512 bits of uninitialized RAM
  Tag transmits the hash value to the reader through its EPC ID
Noticed identical values being transmitted
  Certainly not random! Why?
11
WISP Data Remanence (1)
Broke WISP memory into blocks and sent them through the EPC ID
Uninitialized memory was not changing!
  Data was being retained between queries
Tags derive power from reader transmissions
  While continuously polling, the tag never loses power
  Memory is not reinitialized between queries
12
WISP Data Remanence (2)
How long is data retained in WISP memory?
Used the data remanence methodology from Halderman et al. [USENIX ‘08]
Attached WISP to a debugger
  Provides power
  Allows direct reads/writes to tag memory
Fill WISP memory with a pseudorandom pattern
13
WISP Data Remanence (3)
Next, detached WISP from debugger
  Deprives tag of power
Waited a certain length of time
Reattached to debugger and read back memory contents
Decay rate is the Hamming distance between the original pattern and the value read back
  Since the pattern was pseudorandom, expected to have an equal amount of each bit
  Thus a Hamming distance of 50% of the pattern length indicates full decay
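An added example, not from the presentation, of the decay measurement described on this slide: the Hamming-distance metric with the 50% full-decay check, plus a constructed per-cell decay model (an assumption, not WISP data) so the measurement can be exercised offline.

```python
import random

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions that differ between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("patterns must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def decay_fraction(original: bytes, readback: bytes) -> float:
    """Hamming distance as a fraction of the pattern length in bits.
    With a pseudorandom fill (about half ones, half zeros) ~0.0 means the
    contents were fully retained and ~0.5 means they have fully decayed."""
    return hamming_distance(original, readback) / (8 * len(original))

def is_fully_decayed(original: bytes, readback: bytes, tolerance: float = 0.02) -> bool:
    """True when the measured decay is within `tolerance` of the 50% full-decay mark."""
    return abs(decay_fraction(original, readback) - 0.5) <= tolerance

def simulate_readback(pattern: bytes, ground_state: bytes, decay_prob: float,
                      rng: random.Random) -> bytes:
    """Constructed remanence model (an assumption, not measured WISP data): after
    power loss each SRAM cell independently falls back to its preferred power-up
    value in `ground_state` with probability `decay_prob`, else it still holds
    the pattern bit that was written to it."""
    out = bytearray()
    for p, g in zip(pattern, ground_state):
        byte = 0
        for bit in range(8):
            mask = 1 << bit
            byte |= (g & mask) if rng.random() < decay_prob else (p & mask)
        out.append(byte)
    return bytes(out)

def run_experiment(n_bytes: int = 512, seed: int = 1) -> dict:
    """Fill, 'wait' (modelled as an increasing decay probability), read back and
    report the decay fraction at each step: the curve the slides plot against
    seconds without power."""
    rng = random.Random(seed)
    pattern = bytes(rng.getrandbits(8) for _ in range(n_bytes))   # pseudorandom fill
    ground = bytes(rng.getrandbits(8) for _ in range(n_bytes))    # per-cell power-up values
    return {p: decay_fraction(pattern, simulate_readback(pattern, ground, p, rng))
            for p in (0.0, 0.25, 0.5, 1.0)}

if __name__ == "__main__":
    for prob, frac in run_experiment().items():
        print(f"decay probability {prob:.2f}: Hamming distance {frac:.1%} of pattern length")
```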
14
Remanence Results
15
Remanence Results (3)
Initial 15 second period of little (< 1%) decay
15 seconds of rapid decay
Slow decay of whatever remained
Depending on the particular tag, WISPs require 25 to 30 seconds without power for complete decay
16
Available Memory on WISPs
How much uninitialized RAM is available on a WISP?
  At the very least, the EPC protocol stack must be in RAM
Loaded tags with default firmware
Checked how much space was available for additional data
  512 – 136 = 376 bytes available
This is a best case
  Entire EPC protocol not implemented
  5-10 cent RFID tag projected to have 128 bits max – Juels and Weis [CRYPTO ‘05]
17
Practicality of RAM Based RNG (1)
How feasible is it to use RAM based RNG for RFID authentication protocols?
  Taking HB+ and HB# as examples
For 80 bit security, parallel HB+ requires 17,920 random bits
HB# requires 512 random bits (but requires more memory itself)
Estimated 0.103 bits of entropy per byte of RAM - Holcomb et al. [RFIDSec ‘07]
Based on remanence results, a 30 second wait time is required between reads
18
Practicality of RAM Based RNG (2)
For WISP 4.1: 309 random bits available
For HB+:
  58 memory hashes required
  28.5 minutes of wait time
For HB#:
  2 memory hashes required
  30 seconds of wait time
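The budget on this slide, recomputed as an added example that is not part of the presentation. It assumes the 0.103 entropy figure is applied per bit of the 376 free bytes (which reproduces the 309 bits reported here) and that only the reads after the first need a cool-down; it also goes beyond the slide by running the same calculation for the 128-bit tag projected on slide 16.

```python
import math

# Figures taken from slides 16 and 17: free RAM on a WISP 4.1, protocol needs for
# 80-bit security, entropy per RAM bit and the cool-down from the remanence results.
WISP_FREE_RAM_BYTES = 376
HB_PLUS_BITS = 17_920        # parallel HB+
HB_SHARP_BITS = 512          # HB#
ENTROPY_PER_RAM_BIT = 0.103  # Holcomb et al. figure, applied per RAM bit here (assumption)
COOL_DOWN_SECONDS = 30       # time without power for complete decay

def usable_random_bits(free_ram_bits: int, entropy_per_bit: float = ENTROPY_PER_RAM_BIT) -> int:
    """Whole bits of randomness one memory hash can extract from the free RAM."""
    return math.floor(free_ram_bits * entropy_per_bit)

def hashes_needed(protocol_bits: int, bits_per_hash: int) -> int:
    """Memory hashes (separate reads of uninitialized RAM) one protocol run needs."""
    if bits_per_hash <= 0:
        raise ValueError("no usable entropy: the protocol can never complete")
    return math.ceil(protocol_bits / bits_per_hash)

def wait_seconds(hashes: int, cool_down: int = COOL_DOWN_SECONDS) -> int:
    """Total unpowered time: the RAM is uninitialized for the first read, and every
    further read must wait for the previous contents to decay completely."""
    return max(hashes - 1, 0) * cool_down

def budget(free_ram_bits: int, protocol_bits: int) -> dict:
    """Randomness per hash, hashes required and wait time for one protocol run."""
    bits = usable_random_bits(free_ram_bits)
    n = hashes_needed(protocol_bits, bits)
    secs = wait_seconds(n)
    return {"random_bits": bits, "hashes": n, "wait_seconds": secs, "wait_minutes": secs / 60}

if __name__ == "__main__":
    for name, need in (("HB+", HB_PLUS_BITS), ("HB#", HB_SHARP_BITS)):
        b = budget(WISP_FREE_RAM_BYTES * 8, need)
        print(f"WISP 4.1 / {name}: {b['random_bits']} bits per hash, "
              f"{b['hashes']} hashes, {b['wait_minutes']:.1f} min of wait time")
    # Beyond the slide: the 128-bit budget projected for a 5-10 cent tag (Juels and Weis),
    # treated as if all of it were free for RNG, so this is an optimistic bound.
    b = budget(128, HB_PLUS_BITS)
    print(f"128-bit tag / HB+: {b['hashes']} hashes, {b['wait_minutes'] / 60:.1f} hours of wait time")
```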
19
Effect on RFID Usage Model
Consider the contactless RFID access card usage model
  Reader continuously polling
  User swipes card in front of reader
Access card would have to be taken out of range of the reader to let memory “cool down”
  Users would have to repeatedly bring the card in and out of reader range
  How to tell when you are out of range and for how long?
Potential for new attacks
  If an adversary could continuously supply power, could force the tag to reuse RAM values
20
Conclusion
Have shown practical shortcomings of RAM based RNG for RFID tags
  Memory is in short supply
  Data remanence leads to longer than expected wait times between RAM uses
RAM based randomness is still attractive due to hardware reuse
  But seems insufficient on its own
Future work - investigate:
  Use of sensors as an entropy source
  Efficiency of alternative extractors
21
Thank you!