RFID Security Tony Arous Vincent Yu
Recap Current RFID protocols can be cracked very quickly As little as 15 minutes Need to authenticate readers to block insecure use
Questions from Last Time Are the devices going to be active (battery-powered) or passive? We plan on using passive tags in order to keep the functionality and ease of use factors. Does the encryption change the power consumption? No, power is a concern when working with long-range applications.
Questions from Last Time How will you build on existing systems and change devices that are out there? Upgraded firmware on the individual tags will be needed. Some tags will require full hardware replacement. Will you experiment/simulate the real RFID tags? Hopefully, yes. Under the time constraints, offering suggestions to the existing protocols will be more realistic.
Different Encryption Schemes Data Encryption Standard (DES) 56-bit key Triple DES Advanced Encryption Standard (AES) 128 bit key
Data Encryption Standard Effectively DES is only a 56-bit encryption 8-bits are used as parity. DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key. Takes 64-bit plain text and outputs 64-bit cipher text. Normally DES has 16 rounds (repeats 16 times) to produce the cipher text. As the number of rounds increase, the security increases exponentially.
How a DES Key is Made
The DES Sub-key 1. Start with round (R) 1 and go to 16 2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half). 3. Rotate L and R left by the number of bits specified in the table above. 4. Join L and R together to get the new K. 5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on. 6. Repeat the procedure until 16 subkeys K[1]-K[16] have been determined.
Problems with DES As computers become more powerful, brute force methods to crack DES encryption became easier. A new encryption method was needed to secure information
Triple DES Basically the same as DES, but runs it three times 3x64 = 192-bit encryption Problems: 3 times slower than DES
Advanced Encryption Standard AES is a symmetric key encryption technique which was created to replace DES Block size of 128-bits and key size of 128, 192 or 256-bits. The AES algorithm is based on permutations and substitutions. Permutations are rearrangements of data, and substitutions replace one unit of data with another. AES performs permutations and substitutions using several different techniques.
Creating AES keys 4 Step Process 1. SubBytes 2. ShiftRows 3. MixColumns 4. AddRoundKey
AES Encryption SubBytes
AES Encryption ShiftRows
MixColumns MixColumns
AES Encryption AddRoundKey
Juels-Pappu Banknote Protection Scheme Protocol being used by European Central Bank in Euro notes Advantages: Block banknote counterfeiting Track illicit monetary flows by authorized parties (such as airports) Prohibit tracking by unauthorized parties
J-P BP Scheme Each banknote has serial number Signed by European bank Used for anti-counterfeiting When requested, the tag sends the encrypted value of the serial number and not the number itself “Periodic probabilistic” re-encryptions of the serial number take place by the merchants
J-P BP Scheme Re-encryption process requires visual contact with each note A specific key is printed on each banknote However, law enforcement agencies can access the tag without the key
J-P BP Scheme Requirements Each tag requires an EEPROM of at least 780 bits Fortunately, most RFIDs already have about 950 bits of storage available Valid instructions: Read Write Keyed-Read Keyed-Write Not widespread today
J-P BP Scheme Initialization Routine Select serial number S and compute: ∑=Sign(SKB,S||den) Compute access key D, such that: D = h(∑) Encrypt C with random number r, such that: C = Enc(PKL, ∑||S,r) Results on tags: C=> λ-cell, r=> δ-cell Print onto banknote: S and ∑
J-P BP Scheme Re-Encryption Read S and ∑ visually and compute: D = h(∑) Using D, find C and r. Verify that: C = Enc(PKL, ∑||S,r) Choose a new r and keyed-write it into δ. Compute the new C = Enc(PKL, ∑||S,r) and put it into λ.
J-P BP Scheme Tracing Freely obtain C from cell λ Decrypt C using SKL and then obtain: Dec(SKL,C) = ∑||S Check if ∑ is a valid signature
ElGamal Encryption Messages/information (m) are encrypted with a public key (k): E*(k,m)=(Easym(k,r,h1(r,m)),Esym(h2(r),m)) Esym is a symmetric encryption with the key. Easym is an asymmetric encryption with the key and a random value. Primary ElGamal Encryption h1 and h2 are hash functions.
Problems Re-encryption is critical to the success of this technique The actions is sparked by an external entity, not the tag itself Therefore, invalid re-encryptions can easily take place
Problems Use of a pre-determined access-key (the serial number) is useful for requiring visual access At the same time, it causes problems with tracing the tag
Next Time… Our final recommendations Backward-compatibility issues Merging a protocol scheme with a sophisticated encryption technique Backward-compatibility issues