Handling Security Threats to the RFID System of EPC Networks J. Garcia-Alfaro, M. Barbeau, E....

Handling Security Threats to the RFID System of EPC Networks

J. Garcia-Alfaro, M. Barbeau, E. Kranakis

Presenter Gicheol Wang

presented by gcwang

RFID Tags

Radio frequency devices that transmit information (e.g., serial numbers) to compliant readers in a contactless manner

Classified in the literature as: Passive: transmission power is derived from reader Active: energy comes from on-board battery Semi-passive: battery powered chips, but transmission powered by reader

Electronic Product Code (EPC) tags Main kind of low-cost tags in use on today’s RFID supply chain

applications Passive UHF RFID tags EPCglobal inc: Main organization controlling EPC development

204/20/23

presented by gcwang

Sample representation of an EPC number

3

ELECTRONIC PRODUCT CODE

Header Manager number Object class Serial number

RFID Tag

04/20/23

presented by gcwang

Back-end services

Middleware

Readers

Security Problems

Threats to and from front-end components (i.e., tags and readers) Privacy concerns during the receiving of information

Lack of authentication between readers & tags Necessity of a fine grained access control for the interaction of principals

4

Tags

Secure

wired

channel

Insecure

wireless

channel

Security threats

04/20/23

presented by gcwang

Threat Analysis Methodology

5

Possible

Likely

HighModerateLow

Motivation

None

Solvable

Strong Unlikely

Dif

ficu

lty

High Medium Low

Impact

Unlikely

Possible

Likely

Lik

elihood

Minor

Major

Critical

04/20/23

Likelihood and risk function this framework was proposed by ETSI

presented by gcwang

EPC Inventory Protocol

Lack of authentication between readers & tags

- 16-bit random sequences (denoted as RN16) to acknowledge the process

Any compatible reader can obtain the code

- Illicit readers can impersonate legal readers

6

4. Tag ID

1. Query

3. ACK(RN16)

2. RN16

Reader Tag

04/20/23

presented by gcwang

Rogue Scanning

Powering the tag to obtain tag ID- The use of special hardware (e.g., highly sensitive receivers

and high gain antennas) can ease the attack.

7

Reader TagReaderIllicit

Motivation Difficulty Likelihood Impact Risk

High Solvable Possible High Critical

04/20/23

presented by gcwang

Reader TagReaderIllicit

Eavesdropping Reader Channel

Passive observation or recording of the communication- The distance at which an attacker can eavesdrop the signal of an EPC

reader can be much longer than the operating environment of the tag. - Some data items (e.g., 16-bit random sequences) can be eavesdropped at

long distances.

8


High Solvable Possible High Critical

04/20/23

presented by gcwang

Cloning of Tags

Using the codes eavesdropped or scanned, an attacker may successfully clone the tags

9


Moderate Solvable Possible Medium Major

TagReaderIllicit1. TagID 2. write TagID

04/20/23

presented by gcwang

Location Tracking

Adversaries can distinguish any given tag by just getting the EPC

Correlating reader’s position, adversary can trace location of bearers

It can also provide useful data for fingerprinting and profiling

10



Illicit Reader

TagID

04/20/23

presented by gcwang

Tampering of Data (1/3)

Gen2 tags are required to be writable Although this feature can be protected with a 32-bit password,

bypassing the protection is solvable

11

1. Query

2. RN16

3. ACK(RN16)

4. Tag ID

5. Req_RN(RN16)

6. Handle

Reader Tag

04/20/23

presented by gcwang




12

Reader Tag

7. Req_RN(Handle)

8. RN16'

9. Access(PIN31:16 RN16')

10. Handle

11. Req_RN(Handle)

04/20/23

presented by gcwang




13


Moderate Solvable Possible High Critical

12. RN16''

13. Access(PIN15:0 RN16'')

14. Handle

15. Write(membank,wordptr,data, handle)

16. Header, Handle

Reader Tag

04/20/23

presented by gcwang

Denial of Service

Tag data destruction or interference by attacks such as (1) attacks targeting writing or self-destruction routines and (2) use of jamming or strong electromagnetic pulses.

14



TagIllicit Reader

write/kill command

(1) (2) Tag Jamming device

04/20/23

presented by gcwang

Evaluation of Threats (Summary)

15

Threats Motivation Difficulty Likelihood Impact Risk

Eavesdropping,Rogue Scanning High Solvable Possible High Critical

Cloning of Tags,Location Tracking


Tampering of Data Moderate Solvable Possible High Critical

Destruction of Data, Denial of

ServiceModerate Solvable Possible Medium Major

04/20/23

presented by gcwang

How to deal with these threats ?

• Shielding or jamming the signal It may work on some other RFID applications, but not on EPC setups

Third party blockers or guardians Requires the management of new components

Use of lightweight countermeasures, such as: Message Authentication Codes Lock-based Access Control Schemes Random Pseudonyms Threshold Cryptography Physically Unclonable Functions

04/20/23 16

presented by gcwang

Message Authentication Codes

17

Keyed Hash Function

Message Secret

ReaderTag

MAC

{Message, MAC}

Keyed Hash Function

SecretMessage

Output

MAC

?

• Tags & readers share a secret that allows the verification of the integrity and authenticity of exchanged messages

04/20/23

presented by gcwang

• Simplified Scheme:– Readers and tags share a common secret – When a tag receives a proof ownership of the secret (e.g., a hash of it), it locks itself

when interrogated, it only answers with this pseudo ID– Tag unlocks itself when it receives the secret

Lock-based Access Control Schemes

hash(secret)

Reader Tag

secret

Reader Tag

(1)

(2)

04/20/23 18

presented by gcwang

Random Pseudonyms

19

• Tags storing a pseudonym, or a list of pseudonyms, instead of the real object or tag identifier (i.e., EPC number)

• To handle the location tracking threat, pseudonyms must be generated at random and they must change frequently

• Authorized readers must know how to match the pseudonyms to the real tag identifiers

04/20/23

presented by gcwang

Threshold Cryptography

Exploit the natural movement of tag populations on the supply chain to distribute secrets and enforce privacy

20

T1

…

k out of n tags can reconstruct the secret

…T2 Tk Tn

Secret

Secret04/20/23

Secret Sharing

presented by gcwang

Physically Unclonable Functions (1/2)

21

• Originated from optical mechanisms for generating unique secrets in the form of physical variations

• E.g.:

Light Binary output

04/20/23

presented by gcwang

Physically Unclonable Functions (2/2)

22

• Promising for the implementation of challenge-response protocols in low-cost EPC tags.

• Optical designs have been improved towards new schemes exploiting other physical random variations - Delays of wires and logic gates of integrated circuits

- SRAM startup values as origin of randomness

• Can be used to handle the authentication threat, as well as the cloning and location tracking threats

04/20/23

presented by gcwang2323年 4月 20日

Secret Sharing(I)

Motivation of Secret SharingMy colleagues and I accidentally discovered a mapthat would lead us to a treasure island. We agreed to start the trip together tomorrow. The problem is who possesses the map until the start time

They don’t really trust one anotherNow, They can happily go home


Secret Sharing(II)

Problem of Secret Sharing in above example, if someone who has the part of the

map burns his(hers) intentionally they never go to the treasure island

(n, t) Secret Sharing = threshold cryptography greater than or equal to t parties can recover original s less than t parties have no information about s

You have never imagine

I’m a spy.I’ll destroy my

key.


Secret Sharing(III)

Design of (n,t) secret sharing generate a polynomial f(x)=ax(t-1) + bx(t-2) … + cx + M (mod

p) a prime ‘p’ which is larger than the number of shares required ‘t’ is the number of shares necessary to reconstruct the secret ‘a’, …, ‘c’ are random secret coefficients which are discarded

once the data has been distributed ‘M’ is the secret to be distributed

evaluate f(x) at x=1, x=2, …, x=n distribute the resulting f(1), f(2), …, f(n) values as the

shared data any ‘t’ shares can be used to create the same polynomial

f(x) a linear algebra(Lagrange Interpolation) can be used to solve

for M


Secret Sharing(IV)

Example of (n,t) secret sharing generate a polynomial ax2 + bx + M (mod p) Assumption

a (5,3) threshold scheme is employed M=5, a=4, b=6, and p=13

f(x) = 4x2 + 6x + 5 (mod 13) f(1) = 4+6+5 (mod 13)=2, f(2)=16+12+5 (mod 13)=7, f(3)=7,

f(4)=2, f(5)=5 {x, f(x)} is distributed to any five nodes

any node which gets three of these shares(for example share 1, 3, 5) can acquire the original polynomial through the following equation.

13) (mod 8

25487

)35)(15(

)3)(1(5

)53)(13(

)5)(1(7

)51)(31(

)5)(3(2)(

2

3

xxxxxxxx

xP


Secret Sharing(V)

Lagrange interpolation We can compute the lagrange interpolation polynomial

using four points , , , as the following

5 13) (mod 51)13mod( 8

25-M

,13) (mod 6b

,4 13) (mod 56 13) (mod 8

7 a

13) (mod 8

25487)(

2

3

-

xxxP


An Example of secret sharing

(3,2) threshold signature K/k

m

s1

s2

s3

c

server 1

server 2

server 3

PS(m, s1)

PS(m, s3)

<m>k

m : messagePS : partial signatureEx) PS(m, s1) is a partial signature of m via share s1 c : combiner<m>k : fully signature of m signed by private key

Secret Sharing(VI)

Return

Handling Security Threats to the RFID System of EPC Networks J. Garcia-Alfaro, M. Barbeau, E....

Documents

Transcript of Handling Security Threats to the RFID System of EPC Networks J. Garcia-Alfaro, M. Barbeau, E....