RFID Security and Privacy Part 2: security example

Zoom in: Authentication Should be mutual –reader should recognise tags –tag should recognise readers EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags. –proposed by P. Peris-Lopez, J. C. Hernandez- Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.

EMAP model IDS 1 Key 1 …… IDS n Key n Updated after each session Identification ID (m bits) Key (4m bits) = K 1 ||K 2 ||K 3 ||K 4 Pseudonym IDS (m bits) || concatenation DB

EMAP protocol Reader Tag hello IDS Database IDS K 1 ||K 2 ||K 3 ||K 4 Random n 1,n 2 A||B||C A = IDS  K 1  n 1 B = (IDS  K 2 )  n 1 C = IDS  K 3  n 2 Check A  B. Infer n 1,n 2 D||E D = IDS  K 4  n 2 E = (IDS  n 1  n 2 )  ID  K 1  K 2  K 3  K 4 Update IDS and K 1...K 4 Check D. Update IDS and K 1...K 4

Update … IDS’ = IDS  n 2  K 1. K 1 ’ = K 1  n 2  (ID 1/2 || F(K 4 ) || F(K 3 )) –ID 1/2 – first m/2 bits of ID –F(X) – parity function Divide X in m/4 4-bit blocks Compute a parity bit for each block K 2 ’ = K 2  n 2  (F(K 1 ) || F(K 4 ) || ID 2/2 ) K 3 ’ = K 3  n 1  (ID 1/2 || F(K 4 ) || F(K 2 )) K 4 ’ = K 4  n 1  (F(K 3 ) || F(K 1 ) || ID 2/2 )

EMAP is efficient Tag memory: –Rewritable memory: 4m bits (keys) + m (IDS) –ROM: m bits (ID) –Very reasonable for m = 96… Operations: –tag does cheap processing: , , , || –random number generation – reader only! –no expensive operations (e.g hash function, multiplication)

Further advantages of EMAP tag anonymity –the same ID but different messages! forward security –knowledge of K 1...K 4 does not reveal updated key

Li and Deng: EMAP is vulnerable "Vulnerability Analysis of EMAP- An Efficient RFID Mutual Authentication Protocol " April 2007

Attack 1: Desynchronisation Tag hello IDS A||B||C' infer n 2 ' instead of n 2 wrong D'||E' Update IDS and the key Reader random n 1,n 2 Update IDS and the key Intruder hello IDS j s.t. IDS(j) = 0 A||B||C Toggle j in C D||E Toggle j in D' and E' n 2 ' = n 2  e j

expected: D = (IDS  K 4 )  n 2 received: ( (IDS  K 4 )  n 2 ’ )  e j –i.e. (IDS  K 4 )  n 2  e j  e j = D Attack 1: Reader accepts D

expected: E = (IDS  n 1  n 2 )  ID  K 1  K 2  K 3  K 4 received: (IDS  n 1  n 2 ’)  ID  K 1  K 2  K 3  K 4  e j compare: IDS  n 1  n 2 vs. (IDS  n 1  n 2 ’)  e j –look at j th bit: IDS(j) = 0  (IDS  n 1  n 2 )(j) = n 2 (j) Attack 1: received E is correct

Attack 1: Tag update IDS’ = IDS  n 2  K 1. K 1 ’ = K 1  n 2  (ID 1/2 || F(K 4 ) || F(K 3 )) K 2 ’ = K 2  n 2  (F(K 1 ) || F(K 4 ) || ID 2/2 ) K 3 ’ = K 3  n 1  (ID 1/2 || F(K 4 ) || F(K 2 )) K 4 ’ = K 4  n 1  (F(K 3 ) || F(K 1 ) || ID 2/2 )  Desynchronisation on IDS, K 1 and K 2  You can also attack n 1 rather than n 2 or both (see the paper)

What kind of problem has been demonstrated? A.Ethical issues B.Illicit tracking of the tags C.Skimming D.Tag cloning E.Cross-contamination F.Tag killing G.Invasive attack / side channel attack H.Jamming

Countermeasure: Error-correcting codes? Can report/correct a number of 1-0 errors –can detect the attack as presented above BUT –the attack can be generalised to replace (n 1,n 2 ) by (n 1 ’,n 2 ’) toggling multiple bits simultaneously… –… and fooling the error-correcting codes!

Murphy’s Law Just when you think things cannot get any worse, they will.

Attack 2 Full disclosure attack Run EMAP (a number of times) and discover ID and all the keys! Want to know more? Read the paper