RFID Security without Extensive Cryptography Sindhu Karthikeyan Mikhail Nesterenko Kent State University SASN November 07, 2005

211/7/2005 SASN RFIDs: Current State RFIDs allow effective identification of a large number of tagged items without physical or visual contact. RFID systems reduce the time and cost of processing tagged items adopters:  Wal-Mart stores use RFID tags for tracking and maintaining their inventory  Boeing and Airbus plan to use RFID tags to simplify identifying and tracking the airplane parts  Kodak uses RFID to track reusable containers in its manufacturing facilities  libraries use RFID tags to track books circulation  toll booths can automatically collect toll by inspecting a tag attached to the windshield of a car currently: crate/palette tagging even more effective: individual item tagging

311/7/2005 SASN Security Problems of Individual Item Tagging major obstacle to individual item tagging: personal privacy  intruder can read tags without authorization or  eavesdrop on reader-tag communication novel types of security threats [MW04] intruder may  track: learn the itinerary of tag holder by periodically querying tag or eavesdropping on communications between tag and reader  hotlist: compile list of items of particular interest and then singles out individuals in possession of these items  profile: learn what items a particular individual has

411/7/2005 SASN How to Deal with Privacy Threat? erase info from tag after scanning  does not allow repeated use of tag and thus limits the utility of the technology periodically use secure channels for trust establishment or key refresh  limits use of technology blocker tag  requires the user to carry and manipulate the blocker which may not be practical use (classic) cryptography  due to tag resource limits crypto primitives (such as encode/ decode, digital sigs, crypto hash, quality random numbers) are not available tag-side

511/7/2005 SASN Our Proposal secure tag authentication algorithm based on matrix multiplication, does not use extensive crypto  modest tag-side storage and computation requirements  can be implemented using currently available RFID technology secure against  known-ciphertext attacks  RFID-specific attacks multiple tag sequencing  extends the algorithm so that the reader can concurrently identify multiple tags

611/7/2005 SASN Outline security identification algorithm  RFID system outline  algorithm description  security discussion multiple tag sequencing resource requirements estimate extensions and future work

711/7/2005 SASN tagged item RFID System Overview RFID tag – a miniature electronic circuit (500 to 5000 gates) capable of elementary information storage, processing and radio communication RFID reader – device designed to identify the tag  connected to database containing information about tag and tagged item tag and reader communicate over radio channel intruder - an entity who tries to compromise the RFID system  has complete access to radio channel radio channel database intruder has access to channel cannot access memory of reader/tag/database tag stores a limited amount of data performs elementary operations such as byte-size integer addition and multiplication runs a timer reader has sizable communication and storage facilities tag reader

811/7/2005 SASN Secure Tag Authentication tag stores square p×p matrices: M 1 and M 2 -1, reader maintains another two matrices: M 2 and M 1 -1 of same size tag and reader share a key K – a vector of size q = rp X= KM 1 uniquely identifies the tag when reader receives X, it can obtain the rest of information about tag and tagged item from its database if reader authentication fails or the reader fails to respond before the timeout expires, the tag stops further communication until reset readertag identify tag by matching X hello start timer X compute X ← KM 1 K, M 1, M 2 -1 K, M 1 -1, M 2 phase I Y, Z verify YM 2 -1 = (K 1  K 2  …  K r ), get fresh key K ← ZM 2 -1 stop timer phase II pick K new, compute Y← (K 1  K 2  …  K r ) M 2 Z← K new M 2

911/7/2005 SASN Security Discussion recovering the multiplicand or multiplier from the product of matrix multiplication is computationally difficult  the intruder can not discover the key or the matrices used by the tag and the reader  assume no known plaintext  can’t find tag id  can’t mount hotlisting or profiling attacks  as the intruder cannot deduce either the key or the matrices, he cannot authenticate himself to the tag:  any identification session with the intruder is aborted  can’t do effective tracking

1011/7/2005 SASN Outline security identification algorithm  RFID system outline  algorithm description  security discussion multiple tag sequencing resource requirements estimate extensions and future work

1111/7/2005 SASN Problem Statement & Assumptions problem  tags share channel  don’t have channel arbitration capabilities assume  can detect collision  can send key one bit at a time

1211/7/2005 SASN Proposed Scheme augments our tag identification algorithm to enable the reader to communicate with multiple tags phase I run concurrently  the reader learns the keys of all the tags present  each tag learns its key's position in the order (e.g., ascending) of the keys of the tags participating in the identification session phase II  the reader broadcasts the messages for the tags in the order of their keys  each tag receives the message sent specifically to it and ignores the rest

1311/7/2005 SASN a 0 b d f 011 c e h g path from root to leaf – tag’s key growth point – part of path already learned trial – discover next bit on path after growth point & determine if the paths split collision Reader-Side Sequencing

1411/7/2005 SASN Resource Requirements Estimate key size of 8 bytes provides sufficient key space for most RFID applications. the matrices of 4×4 bytes provide adequate security. a few byte-size integer counters are necessary to implement multiple tag sequencing. during the identification session, the reader and the tag exchange a hello- message and two messages of 8 and 9 bytes respectively the storage requirements of our algorithm are modest most of the chip-space is occupied by the byte-multiplier the requirements are within the current capabilities of RFID tags

1511/7/2005 SASN Extensions and Future Work denial of service attack possible  intruder can block the tags from further identification by botching authentication sessions  need protection need secure channel to unblock tags and refresh tag-side info  may be time/resource consuming, especially if items are hard to access (airplane parts?)  need effective secure channel or way to avoid using it possible compromise if intruder can track tag over multiple sessions outside radio channel  additional key to generate longer non-repeating keys brute-force guessing attack potentially possible  may need to increase size of matrix/key

RFID Security without Extensive Cryptography Sindhu Karthikeyan Mikhail Nesterenko thank you

1711/7/2005 SASN Tag-Side Sequencing the tag has to participate in trials as well as determine its position in the sequence of keys to be able to do that, the tag maintains the number of growth points in front and behind the growth point that leads to its own key. the tag keeps track as to which growth point is being examined at the current trial. if there is a collision the appropriate number of growth points is incremented. after the entire tree is descended the growth points terminate in the concrete keys and the tag learns its position in the key sequence.