RFID Security Tony Arous Vincent Yu.


Recap
Most tags do not use any encryption today.
Of those that do, codes can be cracked within 15 minutes.
Need to provide more reliable and accurate techniques to reduce the security risk.

Questions from Last Time
Do you need to worry about the data storage? Some current tags already have the storage needed for the encryption techniques.
What types of tags can utilize encryption? Both passive and active tags, but power can become a concern in passive tags. Improving accuracy rates will be critical to using passive tags in mainstream applications.

Questions from Last Time
What are the performance characteristics for DES? Standard encryption requires 200-300 ms. DES takes about 1 second.
Are the DES permutation tables unique? Yes.

Questions from Last Time
Does the re-encryption process occur in real time? Yes.
Who funds the scanners in the Banknote Protection Scheme? Unclear, but we presume it is funded by the treasury right now.

Questions from Last Time
Can the visual aspect of the Banknote Scheme be spoofed? Probably, since government agencies have the technology to access tags remotely.

Different Encryption Schemes
Data Encryption Standard (DES): 56-bit key
Triple DES
Advanced Encryption Standard (AES): 128-bit key

Data Encryption Standard
Effectively, DES is only 56-bit encryption; 8 bits are used as parity.
DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key.
Takes 64-bit plain text and outputs 64-bit cipher text.
Normally DES has 16 rounds (repeats 16 times) to produce the cipher text.
As the number of rounds increases, the security increases exponentially.

Reliability of DES
DES code has been cracked through brute force.
For example, supercomputers have resolved codes in 3 days.

Triple DES
Basically the same as DES, but runs it three times.
3 x 64 = 192-bit encryption
Problems: 3 times slower than DES

Reliability of Triple DES
Still acceptable, but since it is based on DES, it will likely be solved.
AES is becoming the standard for all new implementations.

Advanced Encryption Standard
AES is a symmetric key encryption technique which was created to replace DES.
Block size of 128 bits and key size of 128, 192 or 256 bits.
The AES algorithm is based on permutations and substitutions.
Permutations are rearrangements of data, and substitutions replace one unit of data with another.
AES performs permutations and substitutions using several different techniques.

Creating AES keys
4 Step Process
1. SubBytes
2. ShiftRows
3. MixColumns
4. AddRoundKey

AES Encryption SubBytes

AES Encryption ShiftRows

MixColumns MixColumns

AES Encryption AddRoundKey

Banknote Protection Scheme
Protocol being used by European Central Bank in Euro notes.
Advantages:
Block banknote counterfeiting
Track illicit monetary flows by authorized parties (such as airports)
Prohibit tracking by unauthorized parties

Banknote Protection Scheme
Each banknote has a serial number.
Signed by European bank.
When requested, the tag sends the encrypted value of the serial number.
Re-encryption is handled by the merchants.

Banknote Protection Scheme
Re-encryption process requires visual contact with each note.
A specific key is printed on each banknote.
However, law enforcement agencies can access the tag without the key.

Banknote Requirements
Each tag requires an EEPROM of at least 780 bits.
Fortunately, most RFIDs already have about 950 bits of storage available.
Valid instructions: Read, Write, Keyed-Read, Keyed-Write

Banknote Initialization Routine
Select serial number S and compute: ∑ = Sign(SKB, S||den)
Compute access key D, such that: D = h(∑)
Encrypt C with random number r, such that: C = Enc(PKL, ∑||S, r)
Results on tags: C => λ-cell, r => δ-cell
Print onto banknote: S and ∑

Banknote Re-Encryption
Read S and ∑ visually and compute: D = h(∑)
Using D, find C and r.
Verify that: C = Enc(PKL, ∑||S, r)
Choose a new r and keyed-write it into δ.
Compute the new C = Enc(PKL, ∑||S, r) and put it into λ.

Banknote Tracing
Freely obtain C from cell λ.
Decrypt C using SKL and then obtain: Dec(SKL, C) = ∑||S
Check if ∑ is a valid signature.
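
The initialization, re-encryption and tracing routines above, run end to end as an added example that is not part of the original slides. Assumptions: plain ElGamal with caller-supplied r over a toy modulus stands in for Enc/Dec, HMAC-SHA256 stands in for Sign(SKB, ...), and the Tag class, its access rules (λ freely readable, δ and all writes gated by D) and every function name are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters constructed for this example; not secure sizes or choices.
P, G = 2**521 - 1, 3        # Mersenne-prime modulus and base for ElGamal
SIG_LEN = 32                # length of the stand-in signature below

def sign(sk_b, s, den):     # stand-in for Sign(SKB, S||den): HMAC, not a real signature
    return hmac.new(sk_b, s + den, hashlib.sha256).digest()
def h(sigma):               # access key D = h(∑)
    return hashlib.sha256(sigma).digest()
def enc(pk_l, msg, r):      # C = Enc(PKL, ∑||S, r), deterministic for a given r
    return pow(G, r, P), int.from_bytes(msg, "big") * pow(pk_l, r, P) % P
def dec(sk_l, c, n):        # Dec(SKL, C) -> n-byte plaintext
    return (c[1] * pow(c[0], P - 1 - sk_l, P) % P).to_bytes(n, "big")

class Tag:                  # hypothetical tag model: λ is freely readable, the rest needs D
    def __init__(self, c, r, d):
        self.lam, self.delta, self._d = c, r, d
    def _check(self, d):
        if not hmac.compare_digest(d, self._d):
            raise PermissionError("wrong access key")
    def read(self):
        return self.lam
    def keyed_read(self, d):
        self._check(d)
        return self.delta
    def keyed_write(self, d, c, r):
        self._check(d)
        self.lam, self.delta = c, r

def initialize(sk_b, pk_l, s, den):
    sigma = sign(sk_b, s, den)
    r = secrets.randbelow(P - 2) + 1
    return Tag(enc(pk_l, sigma + s, r), r, h(sigma)), sigma   # S and ∑ get printed

def reencrypt(tag, pk_l, s, sigma):     # merchant side, after reading S and ∑ optically
    d = h(sigma)
    if enc(pk_l, sigma + s, tag.keyed_read(d)) != tag.read():
        raise ValueError("tag does not match the printed S and ∑")
    r = secrets.randbelow(P - 2) + 1
    tag.keyed_write(d, enc(pk_l, sigma + s, r), r)

def trace(tag, sk_l, sk_b, den, s_len): # law-enforcement side; needs sk_b only because of HMAC
    try:
        plain = dec(sk_l, tag.read(), SIG_LEN + s_len)
    except OverflowError:               # tampered λ that does not decode to ∑||S
        return None
    sigma, s = plain[:SIG_LEN], plain[SIG_LEN:]
    return s if hmac.compare_digest(sigma, sign(sk_b, s, den)) else None
```

Because r is stored on the tag and Enc is deterministic for a given r, the merchant can recompute C from the printed values and detect a tag whose contents do not belong to the note before re-encrypting it.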

ElGamal Encryption
Messages/information (m) are encrypted with a public key (k): E*(k,m) = (Easym(k, r, h1(r,m)), Esym(h2(r), m))
Esym is a symmetric encryption with the key.
Easym is an asymmetric encryption with the key and a random value.
Primary ElGamal Encryption
h1 and h2 are hash functions.