A Security and Performance Evaluation of Hash-based RFID Protocols Tong Lee Lim, Tieyan Li & Yingjiu...
-
Upload
egbert-glenn -
Category
Documents
-
view
216 -
download
2
Transcript of A Security and Performance Evaluation of Hash-based RFID Protocols Tong Lee Lim, Tieyan Li & Yingjiu...
A Security and Performance Evaluation of Hash-based RFID
Protocols
Tong Lee Lim, Tieyan Li & Yingjiu Li
Cryptography and Security Department Institute for Infocomm Research (I2R)
17 Dec. 2008
Inscrypt 2008
Inscrypt’08 – RFID Authentication
2
Project Summary - what will be doneOutline Introduction on RFID, and its security & privacy issues
Introduction on hash-based RFID authentication protocols
The Hash chain family of protocols and weaknesses Okhubo – Hash chain Henrici – Triggered hash chain Lim – CRTH, FRTH
The TRAP family of protocols and weaknesses Dimitriou – CR Tsudik – YA-TRAP Burmester – YA-TRAP+, O-TRAP Conti – RIPP-FS
The Tree family of protocols and weaknesses Molnar – TBPA Lu – SPA
Remarks…
Inscrypt’08 – RFID Authentication
3
Project Summary - why should it be done?RFID Debate• Promoters
• Wal-Mart, Gillette, METRO…
• Vendors • Microsoft, IBM, SAP…
• Players • TAGSYS, ALIEN, SAVI…
• New: Mojix, RF controls…
• Governments, industries, researchers …
An age of RFID is coming … But security and privacy?
Inscrypt’08 – RFID Authentication
4
4
Passive RFIDT
ag• The reader has a powerful antenna and a power supply• The reader surrounds itself with an electromagnetic
field• The tag is illuminated by the field, providing it with
power
Reader
Inscrypt’08 – RFID Authentication
5
5
ReaderTag Data Exchange
Tag
• The reader sends commands to the tag via pulse amplitude modulation
• The tag sends responses to the reader via backscatter modulation
Reader
Inscrypt’08 – RFID Authentication
6
Project Summary - why should it be done?RFID Security & Privacy Issues• RFID tags have many technical limitations:
– Limited power consumption (vs. energy consumption of battery powered devices) ~ 10µA average
– Limited area consumption (less problem with evolving Smart Card technologies) < 1mm²
– Limited execution time (set by batch tag reading protocol)– Limited backward channel (initiated by reader only)– Limited memory access (hundreds bits to few kBytes and
slow)– No physical protection possible
• Cryptography is not applicable immediately.– Worst case assumption is not always true for RFID– Weakened adversarial model is typically assumed for RFID
• In RFID, there are many security solutions.– E.g., shielding, killing, tearing, blocking, proxy, policies,
obfuscation, etc. for different scenarios.
Inscrypt’08 – RFID Authentication
7
Project Summary - why should it be done?RFID Security & Privacy Issues• Typically, RFID security means Authentication
and Privacy.
– Authentication:• Tag/reader authentication:
– Both tag and reader need to prove their claimed identities.• Product authentication:
– The secure binding of the tag and product need to be guaranteed.
– Privacy: • Anonymity:
– The identity information of a person of event is not disclosed by reading a tag.
• Untraceability: – The itinerary of a person or a series of events can not be
tracked by reading a tag.
Inscrypt’08 – RFID Authentication
8
Project Summary - why should it be done?Countermeasures• Physical Protection
– Private tag-to-reader channel; e.g., Clipped tag (IBM), Faraday Cage, Shielding…
– Physical tag removal or destruction.– WORM; e.g., ISO/IEC 15963 defines a unique Tag ID.
• Access Control– EPC Gen2 Access and Kill passwords.– ID obfuscation or pseudonym
• Cryptographic Measures– Lightweight primitives (e.g., Present-80, Grain, Trivium, etc.)– Lightweight authentication schemes (e.g., HB family)
• Active Device– Blocker tag– REP, RFIDguardian
Inscrypt’08 – RFID Authentication
9
Project Summary - what will be doneOutline Introduction on RFID, and its security & privacy issues
Introduction on hash-based RFID authentication protocols
The Hash chain family of protocols and weaknesses Okhubo – Hash chain Henrici – Triggered hash chain Lim-Li – CRTH, FRTH
The TRAP family of protocols and weaknesses Dimitriou – CR Tsudik – YA-TRAP Burmester – YA-TRAP+, O-TRAP Conti – RIPP-FS
The Tree family of protocols and weaknesses Molnar – TBPA Lu – SPA
Remarks…
Inscrypt’08 – RFID Authentication
10
Project Summary - what will be doneResearch literature• Solutions that used classic cryptographic primitives
– PRNGs alone, (Juels; Piramuthu; Tsudik; Chatmon; Duc; Molnar)– Hashs alone, (Engberg; Avoine; Dimitriou; Yang; Weis; Henrici; Choi)– PRNGs and hashs, (Gao; Rhee; Lee;)– PRNGs and Symmetric crypto, (Molnar; Dimitriou; Bailey; Dominikus)
• In 2002, Sarma et al. first proposed to use hash functions– Hash lock, by Rivest et al. (03)– Randomized hash lock, by Weis et al. (03)
– Hash chain, by Okhubo et al. (RFIDsec’03)– Hash-based ID variation, by Henrici et al. (Percom’04)– Triggered hash chain, by Henrici et al. (Percom’08)– CRTH, FRTH, By Lim and Li (ICPADS’08)
– YA-TRAP, by Tsudik et al. (PercomW’06)– YA-TRAP+, O-TRAP (O-FRAP, O-FRAKE), by Burmester et al. (06)– RIPP-FS, by Conti et al. (PercomW’07)
– Hash tree, by Molnar et al. (SAC’05)– Dynamic hash tree, by Lu et al. (Percom’07)
Inscrypt’08 – RFID Authentication
11
Project Summary - what will be doneRFID Authentication Characteristics
• There are some fundamental characteristics that distinguish RFID authentication from general purpose authentication:
– Lightweightness, Many RFID platforms can only implement symmetric key crypto techniques.
– Anonymity, General purpose authentication protocols may not support anonymity. For RFID applications, anonymity is essential, because rogue readers can easily track them.
– Availability, RFID devices are subject to attacks by rogue readers in which they may assume a state from which they may no longer be able to authenticate themselves.
– Forward security, RFID devices may be discarded, are easily captured, and may be highly vulnerable to side channel attacks on the stored keys. It is important to guarantee the privacy of past sessions if key is compromised.
Inscrypt’08 – RFID Authentication
12
Project Summary - what will be doneRFID Authentication Properties
• Besides the characteristics, in RFID authentications, we ensure some major security properties:
– Session Unlinkability: Any two protocol sessions involving the same tag can not be linked.
– Tag Authenticity: The authenticity of a tag is verified to prevent an adversary from impersonating the tag.
– Reader Authenticity: A reader needs to be authenticated before it can be allowed to access confidential data on tags.
– Desynchronization Resilience: An adversary is not able to bring an inconsistent state to the tag and its backend database.
Inscrypt’08 – RFID Authentication
13
Project Summary - what will be doneSecurity modelByzantine threat model
– All entities (tags, readers, back-end server) including the adversary (the attackers) have polynomial bounded resources.
– The adversary controls the delivery schedule of all communication channels, and may eavesdrop into, or modify their contents.
– The adversary may also instantiate new communication channels and directly interact with honest parties.
– However, the reader-server channels are assumed to be secure.
In this paper, we classify 4 levels of adversaries:
– Level 1 (Passive attack): Ability to perform passive eavesdropping over legitimate protocol sessions.
– Level 2 (Active attack with protocol participation): Ability to communicate with a legitimate tag or reader by following the steps specified under the protocol and to replay messages.
– Level 3 (Active attack with protocol disruption): Ability to actively corrupt, block or inject (replace) messages exchanged during a protocol session between a legitimate tag and an authorized reader.
– Level 4 (Active attack with secret compromise): Ability to capture a legitimate tag and extract its secrets through physical and side channel attacks.
Inscrypt’08 – RFID Authentication
14
Project Summary - what will be doneOutline Introduction on RFID, and its security & privacy issues
Introduction on hash-based RFID authentication protocols
The Hash chain family of protocols and weaknesses Okhubo – Hash chain Henrici – Triggered hash chain Lim – CRTH, FRTH
The TRAP family of protocols and weaknesses Dimitriou – CR Tsudik – YA-TRAP Burmester – YA-TRAP+, O-TRAP Conti – RIPP-FS
The Tree family of protocols and weaknesses Molnar – TBPA Lu – SPA
Remarks…
Inscrypt’08 – RFID Authentication
16
Project Summary - what will be doneOSK: Hash Chain• Process
• Elegant approach (simple, forward secure, etc.), but:
• Problems: – no synchronization between tag and “backend”– does not provide authentication (mimicking
possible)
• Protocol cannot be used in practice
Inscrypt’08 – RFID Authentication
17
Project Summary - what will be doneHenrici: Hash-based ID Variation
• Process
Inscrypt’08 – RFID Authentication
18
Project Summary - what will be doneHenrici: Hash-based ID Variation
• Based on a message exchange• Keep two database records for each tag to cope with
message loss• Hash values are used for mutual authentication and
ensuring message integrity• Transaction counter “t” prevents replay attacks and
helps in synchronization between tag and backend• Transmitting differences between transaction counters
prevents the latter to be abused for recognition and tracking
• New identifier is not transmitted in clear; instead, calculate new identifier using old internal identifier and transmitted random number
Inscrypt’08 – RFID Authentication
19
Project Summary - what will be doneHenrici: Triggered hash chain
Inscrypt’08 – RFID Authentication
20
Project Summary - what will be doneHenrici: Triggered hash chain
• Process
Inscrypt’08 – RFID Authentication
21
Project Summary - what will be doneHenrici: Triggered hash chain• Relation to Hash Chains
– Self-refreshment of internal tag identifier– Simple and elegant
• Relation to Hash-based ID Variation– Message exchange– Two database records for each tag in backend– Authentication by running protocol twice
• But improvements:– No transaction counter “hacks” (like in Hash-
based ID Variation)– No need to stay online (like in Hash-based ID
Variation)– No synchronization problems (like in Hash
Chains)
Inscrypt’08 – RFID Authentication
22
Project Summary - what will be doneCRTH (Lim et al.)• Challenge-Response Triggered Hash
Inscrypt’08 – RFID Authentication
23
Project Summary - what will be doneFRTH (Lim et al.)• Forward-Rolling Triggered Hash
Inscrypt’08 – RFID Authentication
24
Project Summary - what will be doneComparison (security)All 5 protocols support:
– Tag anonymity– Forward security
Level 3attacker
Tag authenticit
y
Reader authenticity
Session unlinkabilit
y
Desynchronization
Resilience
Hash chain x x xHash ID x x
Triggered Hash
x x CRTH x FRTH
Inscrypt’08 – RFID Authentication
25
Project Summary - what will be doneOutline Introduction on RFID, and its security & privacy issues
Introduction on hash-based RFID authentication protocols
The Hash chain family of protocols and weaknesses Okhubo – Hash chain Henrici – Triggered hash chain Lim – CRTH, FRTH
The TRAP family of protocols and weaknesses Dimitriou – CR Tsudik – YA-TRAP Burmester – YA-TRAP+, O-TRAP Conti – RIPP-FS
The Tree family of protocols and weaknesses Molnar – TBPA Lu – SPA
Remarks…
Inscrypt’08 – RFID Authentication
26
Project Summary - what will be doneCR protocols• Typical Challenge-Response RFID protocol
Pass 1: the Reader sends a challenge that may include a timestamp, a random nonce, or other information.
Pass 2: the Tag responds by evaluating a function f (k; c; ) on the challenge. Its input may include a value r that may embed a nonce, and an identifier or a
(mutable) pseudonym for tag recognition.
Reader RFID tag
Stores secret for each tag
Stores secret
c
f(k, c, …)
Inscrypt’08 – RFID Authentication
28
Project Summary - what will be doneYA-TRAP
Server (K, Table(K,r)) Tag (HK , ttag)
S activates the tag with tsys tsys
If tsys < ttag or tsys > tmax,
send r. Else send HK(tsys)
h = HK(tsys)
ttag tsys
• YA-TRAP [Tsudik] Assumptions: Reader shares a secret with each tag Reader has database with entry <hash(secret, time), secret> for each tag
Inscrypt’08 – RFID Authentication
29
Project Summary - what will be doneYA-TRAP
• YA-TRAP [Tsudik]
– Reader looks up hash in database to get secret– Issue: time must only increase
• Drawback:– DoS attack; bogus reader sends t’sys = tmax
– Future time attack; bogus reader sends t’sys, i < tsys
Inscrypt’08 – RFID Authentication
30
Project Summary - what will be doneYA-TRAP+
• YA-TRAP+ [Chatmon]
Inscrypt’08 – RFID Authentication
31
Project Summary - what will be doneO-TRAP• Optimistic Trivial RFID Authentication Protocol
Server (K, Table(K,r)) Tag (HK , rtag)
S updates rsys at regular periods rsys
rtag , h = HK(rsys,rtag)
rtag HK(rtag)
If (K,rtag) Table(K,r) & h=HK(rsys,rtag),
Or K K : h=HK(rsys,rtag) accept
update Table(K,r): rtag HK(rtag)
Else reject
Inscrypt’08 – RFID Authentication
32
Project Summary - what will be doneO-TRAP
• When the adversary is not active, the server gets the key of the tag from the look-up Table(K,r).
• Otherwise the value of rK stored in the table may be out-of-sync with the value of the tag.
• In this case the server must search exhaustively by hashing the pairs (rsys, rtag) for each key value.
nKKK
n
rrrstrings
KKKkeys
...
...
21
21
Table(Table(K,rK,r) )
Inscrypt’08 – RFID Authentication
33
Project Summary - what will be doneRIPP-FS
RIPP-FS [Conti]• Lamport hash
value to authenticate the reader.
Drawback:• Replay attack• Infinite hash chain
Inscrypt’08 – RFID Authentication
34
Project Summary - what will be doneComparison (security)All 5 protocols support:
– Tag anonymity– Session unlinkability (except Dimitriou’s CR protocol)
Level 3/4 attacker
Tag authenticity
Reader authenticity
Forward security
Deynchronization
Resilience
CR xYA-TRAP x x x xYA-TRAP+ x x *O-TRAP x x *RIPP-FS x
Inscrypt’08 – RFID Authentication
35
Project Summary - what will be doneOutline Introduction on RFID, and its security & privacy issues
Introduction on hash-based RFID authentication protocols
The Hash chain family of protocols and weaknesses Okhubo – Hash chain Henrici – Triggered hash chain Lim – CRTH, FRTH
The TRAP family of protocols and weaknesses Dimitriou – CR Tsudik – YA-TRAP Burmester – YA-TRAP+, O-TRAP Conti – RIPP-FS
The Tree family of protocols and weaknesses Molnar – TBPA Lu – SPA
Remarks…
Inscrypt’08 – RFID Authentication
38
Project Summary - what will be doneComparison (security)
All 2 protocols support:– Tag anonymity– Tag authenticity– Reader authenticity
Level 3attacker
Forward security
Session unlinkabilit
y
Desynchronization
Resilience
TBPA x SPA x x
Inscrypt’08 – RFID Authentication
42
Project Summary - why should it be done?Remarks…• We have reviewed a class of hash based authentication
protocols.
• Note that hash functions can be implemented using lightweight block ciphers, which can be implemented more efficiently.
• Can we design an elegant protocol fulfilling all properties in RFID context?
• RFID will be deployed “unawarely” anywhere in our daily life, new threats are to be addressed and defended with “balanced” security & privacy solutions.
• We have no backyard but to prevent the unforeseen threats beforehand.
Thank you!