Lesson Title: Tag Threats, Risks, and Mitigation
Dale R. Thompson and Jia Di
Computer Science and Computer Engineering Dept.
University of Arkansas
http://rfidsecurity.uark.edu
This material is based upon work supported by the National Science Foundation under Grant No. DUE-0736741.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).
Copyright © 2008, 2009 by Dale R. Thompson {[email protected]} and Jia Di {[email protected]}
Tag Threats
STRIDE category and threat:
• Spoofing identity
– Tag counterfeiting/cloning
– Tag emulation
• Tampering with data
– Add, modify, rearrange or delete data
• Repudiation
– None
• Information disclosure
– Probing tag
– Side-channel attacks
– Tracking
– Tracing
• Denial of service
– Shielding
– Coupling
• Elevation of privilege
– None
Counterfeiting Mitigation
• Tag authentication
– Store secrets on the tag that can be verified
– Secret keys, symmetric key and public key cryptography
• Physical unclonable functions (PUFs)
• Electronic fingerprint (E-Fingerprint)
Physical Unclonable Function (PUF)
• A function that can be read but not copied
– One is logic that has multiple race conditions
• PUF added to a tag
• General steps
– Enrollment
  • Responses to several challenges are recorded. The responses are unique to this PUF
– Verification
  • Challenge PUF and determine if correct response
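The enrollment and verification steps above, as an added example that is not part of the original slides. It assumes a software stand-in for the PUF (a hash of a hidden per-device seed plus random bit flips), a Hamming-distance tolerance for noisy responses, and single-use challenge/response pairs; all class and function names are hypothetical.

```python
import hashlib
import random

RESP_BITS = 64

class SimulatedPUF:
    """Software stand-in (assumption): real PUFs get this from silicon variation."""
    def __init__(self, device_seed: bytes, noise=0.02, rng_seed=0):
        self._seed, self._noise = device_seed, noise
        self._rng = random.Random(rng_seed)  # models measurement noise

    def respond(self, challenge: bytes) -> int:
        ideal = int.from_bytes(hashlib.sha256(self._seed + challenge).digest()[:8], "big")
        flips = sum(1 << i for i in range(RESP_BITS) if self._rng.random() < self._noise)
        return ideal ^ flips

class Verifier:
    def __init__(self, max_distance=12):
        self._crps = {}            # tag_id -> unused (challenge, response) pairs
        self._max = max_distance   # tolerated bit errors (assumed threshold)

    def enroll(self, tag_id, puf, n_pairs=8, rng_seed=1):
        """Enrollment: record responses to several challenges in a trusted setting."""
        rng = random.Random(rng_seed)  # repeatable demo; use a CSPRNG in practice
        challenges = [rng.getrandbits(64).to_bytes(8, "big") for _ in range(n_pairs)]
        self._crps[tag_id] = [(c, puf.respond(c)) for c in challenges]

    def verify(self, tag_id, puf) -> bool:
        """Verification: challenge the PUF and compare with the recorded response."""
        pairs = self._crps.get(tag_id)
        if not pairs:
            return False  # unknown tag, or every enrolled pair already used
        challenge, expected = pairs.pop()  # single use: an overheard reply is useless later
        distance = bin(expected ^ puf.respond(challenge)).count("1")
        return distance <= self._max

def demo():
    genuine = SimulatedPUF(b"constructed-device-A")
    clone = SimulatedPUF(b"constructed-device-B", rng_seed=7)  # same design, other chip
    verifier = Verifier()
    verifier.enroll("tag-001", genuine, n_pairs=3)
    return (verifier.verify("tag-001", genuine),   # True
            verifier.verify("tag-001", clone),     # False
            verifier.verify("tag-001", genuine),   # True
            verifier.verify("tag-001", genuine))   # False: pairs exhausted

if __name__ == "__main__":
    print(demo())
```

The last result shows an operational cost of single-use pairs: a tag that is verified more often than it was enrolled for must be re-enrolled.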
E-Fingerprint Approach
• Identification becomes a function of what the device “is” instead of a secret it “knows.”
[Figure: Minimum power response at multiple frequencies (MPRMF) for five same-model tags from the same roll]
Tampering with Data Mitigation in Gen-2
• Lock: make memory unreadable and unchangeable unless 32-bit password is provided
• Permalock: make memory unchangeable
• Tag identification (TID) memory: encodes chip manufacturer and model. Some have suggested putting a serial number in TID memory that cannot be changed to identify tag.
Side-Channel Attacks (Information Disclosure threat)
• Secret information is leaked through an unexpected channel (side-channel)
• Safecracker listens to tumblers to open safe
• Attackers measure power and timing differences of tag to determine secret key
– Circuits may use different amount of power when processing a data-1 or data-0
– A circuit’s timing delays may be different for data-1 or data-0.
Side-Channel Attacks
• Power-based attacks (SPA, DPA, HO-DPA)
• Timing-based attacks
• Electromagnetic-based attacks
• Fault-injection attacks
CMOS Circuit Power and Delay
$P = C_L V_{DD}^2$
$t = R_{on} C_L$
Power consumption and timing delay are highly correlated to switching activities
Synchronous Circuit Power Fluctuation Simulation
[Figure: bar charts (a) and (b); horizontal-axis categories 0x0, 1x1, 2x2, 3x3, 4x4 and 00, 01, 10, 11; vertical axes in percent]
Boolean circuits are vulnerable to side-channel attacks
Power Side-Channel Mitigation
• Randomize power consumption – add noise to reader/tag
– Use random initial point
– Random power management
– Random code injection
• De-correlate power consumption from internal data pattern being processed
– New transistor-level gate designs (SABL, DyCML, SDDL, WDDL, etc.)
– Current compensation
– Execute both nominal and complementary data
– Dual-rail asynchronous logic
Balancing the Switching Activities between Two Rails
• Dual-spacer Dual-rail Delay-insensitive Logic (D3L)

State            Rail 1  Rail 0
All-zero spacer  0       0
DATA 0           0       1
DATA 1           1       0
All-one spacer   1       1

[Figure: Rail 1 and Rail 0 waveforms for the sequence AZS, DATA1, AOS, DATA0, AZS, DATA1; Data #1, Data #2 and Data #3 are separated by alternating all-zero and all-one spacers]
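An added example (not from the original slides) that counts rail transitions for the encoding table above, comparing a single Boolean wire, a dual-rail scheme that always returns to the all-zero spacer (assumed here to be how NCL behaves), and D3L's alternating spacers. The function names and the rail-level toggle model are assumptions of this sketch; real power draw also depends on gate loads and internal nodes.

```python
# Rail encodings from the table above, as (Rail 1, Rail 0)
AZS, AOS = (0, 0), (1, 1)
DATA = {0: (0, 1), 1: (1, 0)}

def toggles(states):
    """Count transitions on each rail over a state sequence: (Rail 1, Rail 0)."""
    counts = [0, 0]
    for prev, cur in zip(states, states[1:]):
        for rail in (0, 1):
            counts[rail] += prev[rail] != cur[rail]
    return tuple(counts)

def single_rail_toggles(bits):
    """Boolean single-wire baseline: the wire switches only when the bit changes."""
    return sum(a != b for a, b in zip(bits, bits[1:]))

def ncl_sequence(bits):
    """Assumed NCL behaviour: every data word returns to the all-zero spacer."""
    seq = [AZS]
    for b in bits:
        seq += [DATA[b], AZS]
    return seq

def d3l_sequence(bits):
    """D3L: all-zero and all-one spacers alternate between data words."""
    seq = [AZS]
    for i, b in enumerate(bits):
        seq += [DATA[b], AOS if i % 2 == 0 else AZS]
    return seq

def profile(bits):
    """Switching counts that an observer could correlate with power draw."""
    return {
        "single_rail": single_rail_toggles(bits),
        "ncl": toggles(ncl_sequence(bits)),
        "d3l": toggles(d3l_sequence(bits)),
    }

if __name__ == "__main__":
    for word in ([0, 0, 0, 0], [1, 1, 1, 1], [1, 0, 1, 0]):  # constructed inputs
        print(word, profile(word))
```

With the all-zero spacer alone, all switching lands on whichever rail encodes the data value, so any load mismatch between the rails makes the data visible; with alternating spacers each rail switches exactly once per data word whatever the data is.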
D3L vs NCL Simulations
[Figure: three bar charts comparing NCL and D3L; horizontal-axis categories 0x0, 1x1, 2x2, 3x3, 4x4 in the first chart and 00, 01, 10, 11 in the other two; vertical axes in percent]
Contact Information
Dale R. Thompson, Ph.D., P.E.
Associate Professor
Computer Science and Computer Engineering Dept.
JBHT – CSCE 504
1 University of Arkansas
Fayetteville, Arkansas 72701-1201
Phone: +1 (479) 575-5090
FAX: +1 (479) 575-5339
E-mail: [email protected]
http://comp.uark.edu/~drt/
Copyright Notice, Acknowledgment, and Liability Release
• Copyright Notice
– This material is Copyright © 2008, 2009 by Dale R. Thompson and Jia Di. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or incorporated in commercial documents without the written permission of the copyright holder.
• Acknowledgment
– These materials were developed through a grant from the National Science Foundation at the University of Arkansas. Any opinions, findings, and recommendations or conclusions expressed in these materials are those of the author(s) and do not necessarily reflect those of the National Science Foundation or the University of Arkansas.
• Liability Release
– The curriculum activities and lessons have been designed to be safe and engaging learning experiences and have been field-tested with university students. However, due to the numerous variables that exist, the author(s) does not assume any liability for the use of this product. These curriculum activities and lessons are provided as is without any express or implied warranty. The user is responsible and liable for following all stated and generally accepted safety guidelines and practices.