Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1 1 The Johns Hopkins University Information Security Institute Baltimore, MD 21211, USA Ari Juels2 Michael Szydlo2 2 RSA Laboratories Bedford, MA 01730, USA Original Images by Paul Sagona
Overview Introduction Related Work Significance and Implications Reverse Engineering Key Cracking RF Protocol Analysis and Simulation Conclusion First I’m going to give you an introduction, discussing a little about RFID: types, give a brief overview of this project and the authors attack strategy to tackle this problem Talk about some related work, mainly dealing with reverse engineering and key cracking examples. Significance and implications to discuss the implications of performing and presenting such results, as wells as providing example scenarios where events like this could take place. Then I’ll go into their Reverse engineering procedure, lots of details I will also discuss their key cracking methods And lastly I’ll discuss their analysis and simulation, and present their conclusion.
Introduction: RFID Radio-Frequency Identification Identification method for storing and remotely retrieving data using an RF device Mass deployment and global adoption plans have spawned a large amount of attention from the scientific and commercial communities Studies such as this have brought its large-scale usage into question This research has had a broad impact on this technology When people refer to the scrutiny of this some RFID technology, they refer to this paper. Very similar to the harvard group that cracked a voting machine. (and showed how security by obscurity failed again)
Introduction: RFID EPC (Electronic Product Code) Tags Class 1 Generation 2 standard Inexpensive (5 cents/unit) Wal-Mart and the United States Department of Defense have published requirements that their vendors place RFID tags on all shipments [1] “Wireless Barcodes” Limited circuitry, unable to implement any cryptographic primitives One of the top forms of RFID that is receiving a lot of scrutiny are EPCs. Walmart is a huge player, requiring in 2005 that its top 100 vendors to include EPC on products. “…difficulties implementing RFID systems. In practice, the successful read rates currently run only 80%, due to radio wave attenuation caused by the products and packaging. In time it is expected that even small companies will be able to place RFID tags on their outbound shipments.” http://en.wikipedia.org/wiki/RFID
Introduction: RFID EPC (Electronic Product Code) Tags ALN-9540 - "Squiggle™" World Tag: global operation 860 to 960 MHz The EPC Class 1 Gen 2 price/performance benchmark High performance solution for most packaging including products containing metal and water 97mm x 11mm ALN-9529 - "Squiggle®-SQ" Global operation - 860 to 960 MHz Ideal for item level tagging of plastic packaging such as pharmaceutical pill bottles and apparel hang tags Near-field and far-field communication modes 23mmx 23m Alien Technology provides UHF Radio Frequency Identification (RFID) products and services to customers in retail, consumer goods, manufacturing, defense, transportation and logistics, pharmaceuticals and other industries. Organizations use Alien's RFID products and services to improve the effectiveness, efficiency and security of their supply chains, logistics and asset tracking operations. Alien's products include RFID tags, RFID readers and related training and professional services. Alien's patented Fluidic Self Assembly (FSA) technology and related proprietary manufacturing processes are designed to enable the manufacture of high volume, low cost RFID tags. Alien was founded in l994. Alien’s facilities include: its corporate headquarters in Morgan Hill, CA; RFID tag manufacturing facility in Fargo, ND; the Alien RFID Solutions Center in the Dayton, Ohio area, Quatrotec’s offices at the San Francisco International Airport (SFO); and its sales offices in the US, Europe and Asia. Alien is a member of EPCGlobal.
Introduction: RFID Digital Signal Transponder Manufactured by Texas Instruments Vehicle immobilizer keys RFID ID embedded in Key Condition for enabling Fuel-Injection system Electronic Payment Exxon-Mobil SpeedPass™ The main form of wireless RFID device that the authors focus on is the Digital Signal Transponder More than 150 million vehicle immobilizer keys shipped with many current automobiles, including e.g. 2005 model Fords [7], use Texas Instruments low-frequency RFID transponders RFID transponder embedded in the ignition key as a condition of enabling the fuel-injection system of the vehicle. The devices have been credited with significant reductions in auto theft rates, as much as 90% DSTs are used in the Exxon- Mobil SpeedPassTM system, with more than seven million cryptographically-enabled keychain tags accepted at 10,000 locations worldwide [2]. It was originally developed by Verifone. As of 2004, more than seven million individuals possess Speedpass tags, which can be used at approximately 10,000 Exxon, Mobil and Esso gas stations worldwide. At one point, Speedpass was deployed experimentally in fast-food restaurants and supermarkets in select markets. McDonald's alone deployed Speedpass in over 400 Chicagoland restaurants. Additionally, Stop & Shop grocery chain tested Speedpass at their Boston area stores and removed the units in early 2005. The test was deemed a failure and McDonald's removed the scanners from all their restaurants in mid 2004. Speedpass has also been previously available through a Speedpass Car Tag and Speedpass-enabled Timex watch. [2] [2]. http://en.wikipedia.org/wiki/Exxon-Mobil_Speedpass
Introduction: RFID Digital Signal Transponder Consists of microchip and antenna cased in plastic or glass Passive RFID device Allows for small design and long life Contains secret 40-bit Key Reader initiates connection, DST emits 24-bit identifier (factory-set) DST authenticates itself via a Challenge-Response protocol
Introduction: RFID Digital Signal Transponder: Challenge-Response protocol Reader initiates protocol with 40-bit challenge DST encrypts challenge using its key and truncates resulting cyphertext to return a 24-bit response “It is thus the secrecy of the key that ultimately protects the DST against cloning and simulation”
Introduction: ATTACK! Able to break system by recovering secret key after collecting two challenge-response pairs With arbitrary challenge, able to find key in less than an hour using array of 16 FPGAs Pairs derived from predetermined-challenges (chosen-plaintext) can be cracked in minutes due to a time-space trade-off Authors Successfully attacked the Texas Instruments DST system. able to recover the secret cryptographic key from a target DST device after harvesting just two challenge-response pairs. A field-programmable gate array is a semiconductor device containing programmable logic components called "logic blocks", and programmable interconnects http://en.wikipedia.org/wiki/Field-programmable_gate_array Chosen-response attack will appear in future work Hellman. A cryptanalytic time-memory trade-off. What does this mean for DTS’s????
Introduction: ATTACK! Team showed that with cheap commodity hardware, an attacker could break the DTS system Recover key by actively scanning at short range for fraction of a second (skimming) With FPGA, attacker can simulate target after capturing multiple transcripts
Introduction: ATTACK! To validate: Team found key from their purchased SpeedPass™ and simulated the DTS to successfully make a purchase at an Exxon-Mobil Station Team found cryptographic key from DST ignition key, and was able to start a vehicle Essentially hot-wiring the car. Purpose: To show again, that “security by obscurity” is ineffective for large-scale cryptographic systems. And to provide security community with guidance for requirements for secure RFID systems. Not to bring down the entire speedpass netowrk.
Introduction: ATTACK! Phase 1: Reverse Engineering After obtaining rough schematic of the block cipher for the challenge response, they were able to determine all details of the cipher Required experimental observation of inputs and outputs
Introduction: ATTACK! Phase 2: Key Cracking Assembled array of 16 FPGA’s working in parallel Able to crack arbitrary challenge in less than an hour Also assembled FPGA for time-space trade-off [12] Hellman. A cryptanalytic time-memory trade-off. 12] HELLMAN, M. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26, 4 (July 1980), 410–416.
Introduction: ATTACK! Phase 3: Simulation Given the key and serial number for a DST device, they were able to simulate its output Simulation in software radio Required careful analysis of the DST reader output
Related Work Classic Black-box example: Duplicating the Purple encipher machine to reconstruct the Japanese Foreign Officer cipher during second World War Reverse-engineering of RC4 cipher as well as A5/1 and A5/2 ciphers in GSM phones No published black-box reverse-engineering of recent ciphers; developed custom techniques machine without ever having physical access to one [13]. There are a number of well known contemporary examples of the reverse-engineering of proprietary cryptographic algorithms. For example, the RC4 cipher, formerly protected as a trade secret by RSA Data Security Inc., was publicly leaked in 1994 as the result of what was believed to be reverse-engineering of software implementations [4]. The A5/1 and A5/2 ciphers, employed for confidentiality in GSM phones, were likewise publicly disclosed as a result of reverse engineering. The exact method of reverse-engineering has not been disclosed, although the source was purportedly “an actual GSM phone” [6]. There are also numerous
Related Work Key Recovery more well known FPGA scheme similar to Deep Crack for recovering DES keys Chosen-challenge pairs uses time-space tradeoff as Hellman describes in his work Authors also use “distinguished point” enhancement of Rivest
Significance and Implications Purpose is not to undermine the SpeedPass™ network, nor to allow easier theft of vehicles Exxon-Mobil has several layers of security, including fraud detection Largest threat to SpeedPass™ is attacker simulating multiply DSTs (suspicious use disables it) network has on-line fraud detection mechanisms loosely analogous to those employed for traditional credit-card transaction processing. Thus an attacker that simulates a target DST cannot do so with complete impunity; suspicious usage patterns may result in flagging and disabling of a SpeedPassTM device in the network.
Significance and Implications Serious threat to Vehicles Renders vehicle as vulnerable as one without the immobilizer Significant decline in auto-thefts is attributed to the immobilizers Up to 90% decrease. If criminals get there hands on this that’ll change significantly Over 1 mill boosts a year.
Significance and Implications Effective Attack Range Two different methods for capturing signals from DST: Active Scanning and Passive Eavesdropping Active Scanning: attacker brings their own reader within range of DST (up to several inches) for only a few seconds This type of attack could allow for an attacker to harvest two chosen-challenge transcripts and perform look-ups on Hellman tables on the cracking device From the standpoint of an attacker, active scanning has the advantage of permitting a chosen-challenge attack. Hence this type of attack permits the use of precomputed Hellman tables as touched on above. In principle, therefore, it would be possible for an attacker with appropriate engineering expertise to construct a completely self-contained cloning device about the size of an Apple iPod. When passed in close proximity to a target DST, this device would harvest two chosen-challenge transcripts, perform a lookup in an on-board set of precomputed Hellman tables in the course of a minute or so, and then simulate the target DST. We estimate that the cost of constructing such a device would be on the order of several hundred dollars.
Significance and Implications Effective Attack Range Two different methods for capturing signals from DST: Active Scanning and Passive Eavesdropping Passive Eavesdropping : an attacker listens to legitimate communication between DST and reader during authentic session Range depends on the ability to intercept signal from DST Range not found in this study From the standpoint of an attacker, active scanning has the advantage of permitting a chosen-challenge attack. Hence this type of attack permits the use of precomputed Hellman tables as touched on above. In principle, therefore, it would be possible for an attacker with appropriate engineering expertise to construct a completely self-contained cloning device about the size of an Apple iPod. When passed in close proximity to a target DST, this device would harvest two chosen-challenge transcripts, perform a lookup in an on-board set of precomputed Hellman tables in the course of a minute or so, and then simulate the target DST. We estimate that the cost of constructing such a device would be on the order of several hundred dollars. It is worth noting purported U.S. Department of Homeland Security reports, however, of successful eavesdropping of this kind on 13.56 Mhz tags at a distance of some tens of feet [24]. The DST, as we explain below, operates at 134 kHz. Signals at this considerably lower frequency penetrate obstacles more effectively, which may facilitate eavesdropping. On the other hand, larger antennas are required for effective signal interception. Lower freq have a longer wavelength
Significance and Implications Example Attack Scenarios Example 1: Auto theft via eavesdropping Eve owns can with necessary equipment Parks close enough to target to eavesdrop Observe two successful session, Eve can extract key at her convenience using FPGA Eve returns to steal vehicle by picking door lock, disabling immobilizer with found, and hot-wiring ignition
Significance and Implications Example Attack Scenarios Example 2: Auto theft via active attack Eve gets access to valet key storage to scan immobilizer keys of patrons Record registration numbers (to get owner info) Eve then can simulate devices and steal the vehicles from owner’s home Why not just steal the keys then?
Significance and Implications Example Attack Scenarios Example 3: SpeedPassTM theft via active attack Eve brings reader and short-range antenna on subway Harvests challenge-response pairs and serials from SpeedPass™ devices Eve can recover crypto keys at her convenience Uses key in software radio to purchase gasoline
Significance and Implications Fixes Underlying protocols should be based on publicly scrutinized standards with sufficient key length, such as the Advanced Encryption Algorithm Problems: Cost to make capable devices would significantly increase Backwards compatibility (significant cost to refit/recall existing devices)
Significance and Implications Fixes Faraday shielding provides a partial solution Users can encase DSTs in adequate shielding like aluminum foil to reflect radio while not in use Protects against active scanning, but not eavesdropping Possible shielding around reader to defend against eavesdropping inconvenient, and would probably prove an unworkable imposition on most users
Reverse Engineering The only substantive technical information we were able to locate on DST40 was a rough schematic available in a presentation by Dr. Ulrich Kaiser, which was published on the Internet [14], and in a published conference paper [11] coauthored by Dr. Kaiser with Texas Instruments employees. We show the schematic here in Figure 1
Reverse Engineering Authors found schematic by Dr. Kaiser and TI in a presentation Functional components were clear, but critical details of logic and interconnects were not Certain features in schematic were wrong Chose “black-box” approach by examining logical outputs Authors Purchased TI Series 2000 – LF RFID Evaluation Kit and DST devices
Reverse Engineering DST 40 is essentially a feedback shift register During each round, inputs from challenge register and key register pass through collection of logical units These units produce an output that is put back into the challenge register
Reverse Engineering Single round as all units is referred to as F. F has three logical layers: First layer: represented as f1 to f16 (f-boxes) The second layer is represented as f17 to f20, referred to as g-boxes, which are four functional units that takes the outputs of set of four f-boxes as inputs The third layer is a single unit, f21, in which takes in the outputs of the g-boxes, called the h-box, returns the output of the full function F The full collection of units operating in a single round (operating on a single set of inputs with no feed back) is referred to as F. F has three logical layers: First layer: represented as f1 to f16 (f-boxes) in the figure, these 16 functional units take a small number of bits from the key reg. and the challenge reg. Each f-box either takes 3 key bits and 2 challenge bits or 2 key bits and 3 challenge bits Two special f-boxes take only 2 bits from each reg. as an input The second layer is represented as f17 to f20, referred to as g-boxes, which are four functional units that takes the outputs of set of four f-boxes as inputs The authors refer to these units as a g-box The third layer is a single unit, f21, in which takes in the outputs of the g-boxes This last unit, the h-box, returns the output of the full function F
Reverse Engineering There are two main technical details missing from the schematic: Does not describe the logical operations of the f, g, and h-boxes Does not describe the routing array for the mapping of key and challenge bits to the f-boxes In other words, there is no indication of which bits in the challenge and key registers are input to which fboxes
Reverse Engineering Obtaining a Single-Round Output Since the contents of the f-boxes and critical routing was unknown, the authors could not directly verify if their DSTs followed the Kaiser schematic Required to treat evaluation DST as a “Black-box” From the schematic, the authors noted that the only round dependence is in the key scheduler used the string of ‘0’ bits for their starting experiments Obtaining a Single-Round Output From the figure, if a string of ‘0’ bits were entered, they would remain unchanged in the key register throughout the execution The authors used the string of ‘0’ bits for their starting experiments, since it is possible to see each step of the algorithm independent of the round
Reverse Engineering Obtaining a Single-Round Output After each cycle, there were only small changes to contents of the challenge register: Each was shifted right one bit The output of the h-box was inserted into the left-most bit position Challenge/Response two possible sequences, either: C0 = 0|C or C1 = 1|C, where | denotes concatenation after the first cycle, h-box output assumes challenge register is either C0 or C1 after first cycle See paper for a little more detail Based on our observation above, after a single cycle, the challenge register in the DST contains one of two possible sequences, either C0 = 0|C or C1 = 1|C, where | denotes concatenation. Therefore, recovering the output of the h-box can be reduced to a determination of whether the challenge register assumes the value C0 or C1 after the first cycle.
Reverse Engineering Obtaining a Single-Round Output Tests failed, indicating that the DST40 differs from the Kaiser cipher Authors found that testing next-state challenge response values succeeded when they modeled the h-box output as two bits Authors then questioned elements of the schematic including number of rounds and key update schedule
Reverse Engineering Obtaining a Single-Round Output Since the authors were able to recover the output of F on a single iteration, they were able to observe the entirety of each round of a cipher execution by repeatedly guessing the next state of challenge register They established that the encryption took over 200 cycles and the DST gets its response from the right-most 24 bits of the challenge register
Reverse Engineering Recovering the Key Schedule Using the ‘0’ bit key would restrict ability to experiment with algorithm internals They required the ability to observe single-round outputs based on different values in the challenge and key registers Using a non-zero key makes the algorithm round dependent Needed to provide black-box with equivalent next key register state
Reverse Engineering Recovering the Key Schedule By following the diagram, the authors assumed new key bits were computed by exclusive-or of several bits of the key every few seconds They determined the key is updated every three cycles (beginning with the second cycle) Let ki denote the ith bit in the key register beginning with 0 The key update is defined by: k0 = k39 k37 k20 k18 Using this model in place of the ‘0’ bit key, they were able to simulate steps for any key By querying The black box, they determined that the key is updated every three cycles, beginning with the second cycle – not the first, as suggested by the Kaiser diagram. also determined that while four bits are indeed exclusive-ored together, they are not the bits shown in the dia-gram
Reverse Engineering Recovering the Key Schedule Previously only had to guess each possibility for a 2-bit output of single round For a non-zero key, need to guess six successive bits (three bit-pairs) of output for the h-box at the same time, since the key schedule only repeats every 3 cycles This meant testing 64 possible candidate challenge-response states To test, they set the k’ corresponding to the key-register state after 6 cycles applied to k DST can process 6-8 challenges per second, so this test requires a minimum of 8 seconds or so. It is thus significantly more time-consuming than previous tests, although it returns the output of three execution cycles, rather than one.
Reverse Engineering Uncovering the Feistel Structure of DST40 To measure the effect, the authors generated a random key and challenge, and determined the output of F For each of the 40 challenge bits, they determined whether F changed upon flipping a bit Repeated 150 times
Reverse Engineering Uncovering the Feistel Structure of DST40 Let ci denote the ith bit of the challenge register, starting with 0. The first notable feature of our graph is the effect of bits c38 and c39 of the challenge register. While the other key and challenge bits have limited influence on the output of a single round, these two bit always affect the output of the h-box. Further experimentation revealed that the two bits affect the first and second bit of the two-bit round output respectively. This indicated that the cycle output derived from the exclusive-or of these bits with the output of the F function.
Reverse Engineering Uncovering the Feistel Structure of DST40 The XOR of bits c38 and c39 showed that the algorithm was an invertible permutation and it is a form of Unbalanced Feistel Network The authors speculate that the round function was chosen so that collisions would not multiply and responses would have uniform distribution
Reverse Engineering Recovering the Bit Routing Networks Next step was to recover internal routing network of bits Assumption that the h-box (f21) was the only box with a 2-bit output Structure of Kaiser cipher shows that h gets a single bit from each of the g-boxes and returns one or four possible outputs After identifying the general structure of the cipher, our next step was to uncover the internal routing network of bits, i.e., which bits act as inputs to each of the f-boxes, as well as the boolean functions computed by each fbox. The structure of the Kaiser cipher is such that h receives a single input bit from each of the g-boxes, and produces one or four possible output values. This fact lays the groundwork for identifying which bits of the challenge and key are routed to each of the g-boxes Recovering the Bit Routing Networks Allows the identification of which bits of the challenge and key are routed to each g-box Altering a single input bit of h can at most generate two distinct outputs Altering the output of only one g-box can never cause h to output more than two values (altering the output of more than one can produce up to 4 distinct values)
Reverse Engineering Recovering the Bit Routing Networks Using this observation, the authors devised a test to see which groups of input bits of the challenge and key are routed to each of four g-boxes Test requires many repetitions since two test bits could be routed to different g-boxes, and different value outputs still produce two or fewer distinct outputs The routing network was arranged in a regular pattern, and after uncovering most of the bits dealing with g1 and the authors were able to infer and validate the remainder of g-boxes If at any time these four bit combinations produce more than two different outputs, then they cannot possibly be routed through the same g-box. It should be noted that this test of g-box membership produces false positives. In particular, it is very possible (and indeed common) that for two test bits that are not routed to the same g-box, and for a given set of fixed bits, different value assignments to the test bits still produce two or fewer distinct outputs from the h-box. Therefore this test requires many repetitions with different sets of fixed bits. We employed this test first so as to exclude all bits that are not in the same g-box as bit 0 of the challenge. After excluding 60 such bits, we discovered all of the bits that are routed to g1. We repeated the test for the remaining g-boxes, ignoring bits previously associated with a g box so as to decrease the search space. To our benefit, the routing network of bits that go through each g-box is arranged in a rather regular pattern, and it was not necessary to perform an exhaustive search. After uncovering most of the bits related to g1, we were able to infer and then quickly verify the remainder of the g-boxes. Recovering the Bit Routing Networks More in-depth task for determining the challenge and key register bits that serve as each f-box input Let B = {b1 . . . b5} be a set of challenge and key-register bits Let B denote all other bits registers The output of the cipher will show an invariant if B is the set of input bits to a single f-box
Reverse Engineering Recovering the Bit Routing Networks An f-box uses a fixed boolean function z on five bit inputs Suppose that B is the set of inputs to this f-box: Then let’s define A0 to be the set of value assignments to the bits in B such that z(b1 . . . b5) = 0 Also, define A1 analogously for z(b1 . . . b5) = 1 Notice that for a fixed setting of B, the output of h will be invariant for the setting of B to any value in A0. Likewise, for a fixed value assignment to B, the output of h will be invariant for any setting of B to a value in A1.
Reverse Engineering Recovering the Bit Routing Networks Using the invariant, the authors performed tests to exclude combinations of bits that can’t be inputs the same f-box Next step was to Iterate over all 32 value assignments to B and record the output pattern from F They then repeated the experiment over B If no invariant like described, the B cannot consist of inputs to a single f-box Test repeated until excluded all possible inputs except for correct ones On first inspection, it would appear as though there is a large number of possible sets of input bits to any given f-box. In fact, though, we can narrow the pool of candidate sets thanks to two observations: (1) The set of inputs to a single f-box must also serve as inputs (at one remove) to the same g-box; and (2) For any f-box, three input bits come from the challenge register and two from the key register (or vice versa). By working with inputs corresponding to a single g-box and by searching in particular for the f-box that includes bit 0 of the chall enge register, we started with a search space of size only 19 2 × 20 + 19 1 3 = 54150. Moreover, once we identified the inputs to one f-box, each subsequent fbox corresponding to the same g-box had far fewer combinations of input bits to test. Furthermore, again to our benefit, the f-box inputs in DST40 are ordered in a very regular manner. In particular, given the structure of inputs associated with one gbox, we were readily able to infer those for the remaining g-boxes.
Reverse Engineering Building Logical Tables for the f, g, and h-boxes Once the corresponding bits to each f-box were identified, the authors constructed tables to represent logical functions computed by all the boxes To calculate the f-box tables, they simply iterated through 32 possible input value for the set B that corresponds to the f-box To calculate a given g-box, four corresponding f-boxes and iterated over all 24 = 16 combinations of their output values It’s essentially the same method to construct the h-box table; though the h-box outputs two bits instead of one See Appendix A for the full DST40 algorithm description.
Key Cracking The DST40 Keycracker First implemented in software To slow for a keycracker Software could only compute less than 200,000 encryptions per second on 3.4 GHz Pentium Time would take more than 2 weeks for a 10 node cluster Decided to implement the keycracker in hardware We also wished to test our implementation against actual fielded tags in SpeedPassTM tokens and automobile ignition keys. The cryptographic keys in these devices are immutable once locked at the factory. Without knowing the key on a fielded tag, we had no way to determine whether the algorithm used by such tags was as hypothesized. Therefore, recovering an actual key became necessary.
Key Cracking The DST40 Keycracker Each node consisted of a single Xilinx XC3S1000 FPGA 32 cores per FPGA Since DST40 outputs 24 bits per 40 bit challenge, at least two challenge/response pairs are needed to determine a unique key Clock on board was fixed to 100 MHz, allowing for 16 million keys per second Entire 40 bit key-space can be exhausted in less than 21 hours
Key Cracking The DST40 Keycracker Single FPGA board was enough to verify testing Cracker recoverd key from SpeedPass™ in under 11 hours Bought a total 16 evaluation boards to get a significantly reduced crack time Cracked 5 TI DST tags and recovered all keys in less than 2 hours
Key Cracking The Hellman Time-Space Tradeoff As described, Software key cracker uses Hellman tables Estimates suggest a 99+% success rate Requires 10 GB of storage Should finish in under one minute on fast PC Table construction requires a large amount of pre-computation At the time of writing of this paper, we are in the process of table building and hope soon to report results of this work.
RF Protocol Analysis and Simulation A reader in the DST system transmits power to the transponder at a 15-to-50 ms electromagnetic pulse at 134.2 kHz Once powered, transponder can perform session tasks Reader transmits as a sequence of amplitude-modulated bits Once transponder has received and processed a command, it discharges its power while transmitting response Once the transponder has fully received and processed a command, it discharges its stored power, while transmitting its response using frequency modulated frequency shift keying (FM-FSK). It communicates a bit via 16 RF cycles, specifying a ‘0’ or ‘1’ bit by transmitting at 134.2 kHz or 123.2 kHz respectively.5 A preamble of ‘0’ bits followed by a start byte (7E hex) indicates the start of a transmission and allows the reader to synchronize
RF Protocol Analysis and Simulation Sniffing the Protocol The team configured a portable PC with a digital-to-analog board Designed to send and receive desired analog signals The authors wrote routines for modulation and demodulation to produce the signals produced by the reader and FM-FSK signals produced from the transponder Using this equipment can allow for successful eavesdropping or actively participate by emulating either reader or transponder
RF Protocol Analysis and Simulation Putting Together the Pieces: the Full DST Protocol First, the reader transmits a challenge request to the transponder Consists of an 8-bit opcode followed by the 40-bit challenge (opcode specifies type of request being made) The transponder encrypts the challenge using the shared secret 40-bit key The least significant 24 bits in the transponder challenge register consitutes a 24-bit Signature
RF Protocol Analysis and Simulation Putting Together the Pieces: the Full DST Protocol The transponder then responds Replies with 24-bit serial number, 24-bit signature, and a keyed 16-bit CRC of the transmitted data Using the shared encryption key and secret CRC start value, the reader can then verify The CRC is intended to add extra security as well as provide error checking Using the shared encryption key (which it may look up based on the transponder serial number) and secret CRC start value, the reader can verify that the signature is correct. The CRC appended to each transmission is intended to be an additional security measure as well as an error checking device. The DST protocol specification defines this as a 16-bit reverse CRC-CCITT that is initialized with a secret 16-bit start value. However, this feature provides no such security. A single interaction with a DST allows for the recovery of a transmission and accompanying keyed CRC. As this secret start value is shared among all DSTs, it is only a matter of trying the 216 possible start values and computing the CRC of the data returned to uncover the secret start value. The computational time required for this is less than a second. Therefore, the security of authentication in this system depends on the supposition that the 40-bit secret key contained in a valid transponder is available only to the transponder and to valid readers, and that only knowledge of this shared secret allows the correct generation of
RF Protocol Analysis and Simulation Putting Together the Pieces: the Full DST Protocol The stated aim of DST was to make it resistant to: Signature-guessing attacks Dictionary attacks Attacks using known challenge-response pairs Cryptanalytic attacks Exhaustive key search The system architects specified as a design criterion that having access to a transponder or reader for short periods of time should not lead to recovery of the secret key [11]. Their stated aim was to make the DST system resistant to signature-guessing attacks, dictionary attacks using known challenge-response pairs, cryptanalytic attacks, and exhaustive key search – even for an attacker with full knowledge of the encryption algorithm
RF Protocol Analysis and Simulation Simulating a DST Device The authors software performs the following: It analyzes the A/D conversions received from the DAC board Decodes the AM signal containing the challenge sent from the reader Performs an encryption of this challenge using the recovered secret DST key Codes the FM-FSK signal representing the correct response Outputs this FM-FSK signal to the DAC board
Conclusion The weakness of DST40 cipher demonstrated by the authors is primarily due to an insufficient key-length Further cryptanalysis may reveal weaknesses in the cipher Systems with the strongest security are generally standard cryptographic algorithms with adequate key lengths
Questions? Currently the most effective protections against this attack rely on user vigilance, e.g., protecting transponder keys, auditing Speedpass invoices for fraud, and optionally using a metallic shield (such as aluminum foil) to prevent unauthorized scanning of DST tags. This vulnerability has also spawned the creation of the RSA Blocker Tag and RFID Blocking Wallets.
References [1]. http://en.wikipedia.org/wiki/RFID [2]. http://en.wikipedia.org/wiki/Digital_Signature_Transponder