Network Security - IT653 Deepti Agrawal KReSIT, IIT Bombay RFID SECURITY
What is RFID? Radio-Frequency Identification. Tag: antenna and chip. Holds a small amount of unique data – a serial number or other unique attribute of the item. The data can be read from a distance – no contact or even line of sight necessary.
How Does RFID Work?
Tags (transponders): attached to objects, call out their (unique) name and/or static data on a special radio frequency.
Reader (transceiver): reads data off the tags without direct contact. Radio signal (contactless); range: from 3-5 inches to 3 yards.
Database: matches tag IDs to physical objects (in the figure, 02.3DFEX4.78AF51 is EasyToll card #816).
RFID Tag Power Sources. Passive (this is what is mostly used now): tags are inactive until the reader’s interrogation signal “wakes” them up; cheap, but short range only. Semi-passive: on-board battery, but cannot initiate communication; can serve as sensors, collect information from environment (for example, “smart dust” for military applications); more expensive, longer range. Active: on-board battery, can initiate communication.
The capabilities of a basic RFID tag. Little memory: static 64-to-128-bit identifier in current ultra-cheap generation. Little computational power: a few thousand gates; static keys for read/write permission. Not enough resources to support public- or symmetric-key cryptography: cannot support modular arithmetic (RSA, DSS), elliptic curves, DES, AES; hash functions barely feasible; recent progress on putting AES on RFID tag.
RFID is the Barcode of the Future. Fast, automated scanning (object doesn’t have to leave pocket, shelf or container). Line-of-sight reading: reader must be looking at the barcode. Reading by radio contact: reader can be anywhere within range. “Write Capabilities”: products carry updated info as they move through the supply chain. Static data: no cryptographic operations possible. Specifies object type, e.g., “I am a pack of Juicy Fruit”. Specifies unique object id, e.g., “I am a pack of Juicy Fruit #86715-A”; can look up this object in the database.
Commercial Applications of RFID: physical-access cards; inventory control (Gillette Mach3 razor blades, pet tracking); logistics and supply-chain management (track a product from manufacturing through shipping to the retail shelf); gas station and highway toll payment; libraries; Euro banknotes.
The consumer privacy problem
…and the tracking problem (figure label: wig serial #A817TS8). Mr. Jones pays with a credit card; his RFID tags now linked to his identity; determines level of customer service. Think of car dealerships using drivers’ licenses to run credit checks… Mr. Jones attends a political rally; law enforcement scans his RFID tags. Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID.
Risks. Personal privacy: I’ll furtively scan your briefcase and learn how much cash you are carrying and which prescription medications you are taking… Corporate espionage: privacy is not just a consumer issue; track your competitor’s inventory. Skimming: read your tag and make my own. In February, JHU-RSA Labs team skimmed and cloned Texas Instruments’ RFID device used in car anti-theft protection and SpeedPass gas station tokens.
Blocking Unwanted Scanning. FARADAY CAGE: container made of foil or metal mesh, impenetrable by radio signals of certain frequencies. Invitation to shoplifters. Maybe works for a wallet, but huge hassle in general – locomotion difficult.
Blocking Unwanted Scanning (Contd.). “KILL” tag after purchase: special command permanently de-activates tag after the product is purchased. RFID tags are much too useful in “live” state… Disables many futuristic applications.
Futuristic Applications. Tagged products: clothing, appliances, CDs, etc. tagged for store returns and locatable in house. “Smart” appliances: refrigerators that automatically create shopping lists and tell you when milk expires; closets that tell you what clothes you have available, and search the Web for advice on current styles, etc.; washing machines that detect improper wash cycle. “Smart” print: airline tickets that indicate your location in the airport; business cards. Recycling: plastics that sort themselves. Consumers will not want their tags “killed,” but should still have a right to privacy!
Blocking Unwanted Scanning (Contd.). The “BLOCKER TAG”: blocker simulates all (billions of) possible tag serial numbers!! 1, 2, 3, …, 2023 pairs of sneakers and… (reading fails)…
How does blocker tag work?
When the reader sends a signal, more than one RFID tag may respond: this is a collision. Reader cannot accurately read information from more than one tag at a time. Example: every tagged item in a supermarket cart responds to the cashier’s RFID reader.
“Tree-walking” protocol for identifying tags recursively asks question: “What is your next bit?”
Blocker tag always says both ‘0’ and ‘1’! Guarantees collision no matter what tags are present. To talk to a tag, reader must traverse every tree path. With 128-bit IDs, reader must try 2^128 values – infeasible!
To prevent illegitimate blocking, make blocker tag selective (block only certain ID ranges). E.g., blocker tag blocks all IDs with first bit=1. Items on supermarket shelves have first bit=0. Can’t block tags on unpurchased items (anti-shoplifting). After purchase, flip first bit on the tag from 0 to 1.
“Tree-walking” anti-collision protocol for RFID tags. [Figure: binary tree of ID prefixes; depth 2: 00, 01, 10, 11; leaves: 000, 001, 010, 011, 100, 101, 110, 111]
Example: Supermarket Cart (tree of 3-bit IDs 000, 001, 010, 011, 100, 101, 110, 111)
1. Prefix=“empty”: Next=0 and Next=1. Collision! Continue with prefix=0 and prefix=1.
1a. Prefix=0: Next=0. No collision; continue with prefix=00.
1b. Prefix=1: Next=1. No collision; continue with prefix=11.
2. Prefix=00: Next=1. No collision.
3. ID=001: talk to tag 001.
2. Prefix=11: Next=1 and Next=0. Collision!
3a. ID=110: talk to tag 110.
3b. ID=111: talk to tag 111.
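The tree walk and the selective blocker described on the slides above, as an added simulation (not part of the original slides). The function names, the 3-bit default and the sample tag IDs are assumptions made for this example; the blocker "zone" is the ID prefix it protects.

```python
def heard_bits(prefix, tags, blocker_zone=None):
    """Set of 'next bit' answers the reader hears after broadcasting prefix."""
    heard = {t[len(prefix)] for t in tags if t.startswith(prefix)}
    if blocker_zone is not None:
        if prefix.startswith(blocker_zone):
            heard |= {"0", "1"}                   # inside the zone: say both bits
        elif blocker_zone.startswith(prefix):
            heard.add(blocker_zone[len(prefix)])  # outside: only the path to the zone
    return heard

def tree_walk(tags, blocker_zone=None, id_bits=3):
    """Depth-first singulation.

    Returns (IDs the reader believes are present, number of queries sent).
    blocker_zone="" models a full blocker, "1" the selective blocker that
    covers every ID whose first bit is 1, None means no blocker.
    """
    found, queries, stack = [], 0, [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == id_bits:
            found.append(prefix)                  # leaf: reader can address this ID
            continue
        queries += 1
        # Two answers mean a collision: the reader must explore both subtrees.
        for bit in sorted(heard_bits(prefix, tags, blocker_zone), reverse=True):
            stack.append(prefix + bit)
    return found, queries

def phantom_ids(blocker_zone, id_bits):
    """How many IDs the reader must enumerate inside a blocked zone."""
    return 2 ** (id_bits - len(blocker_zone))

cart = ["001", "110", "111"]                      # constructed: the slide's cart
print(tree_walk(cart))                            # plain walk finds the three tags
print(tree_walk(cart, blocker_zone="1"))          # 110/111 hidden among 100..111
print(phantom_ids("1", 128))                      # cost of the zone with 128-bit IDs
```

With the selective blocker, the shelf-side tag 001 is still singulated, while the purchased tags 110 and 111 become indistinguishable from the simulated IDs 100 and 101.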
Pseudonym rotation. Set of pseudonyms known only by trusted verifier. Pseudonyms stored on tag; limited storage means at most, e.g., 10 pseudonyms. Tag cycles through pseudonyms (figure: “74AB8” = “MMW91”?).
Hash Locks [Rivest, Weis, Sharma, Engels]
Goal: authenticate reader to the RFID tag
RFID tag: stores metaID=hash(key)
Reader: stores key; hash(key) for any tag; unique key for each tag
1. Reader -> RFID tag: “Who are you?”
2. RFID tag -> Reader: metaID
3. Reader -> RFID tag: key
4. RFID tag: compute hash(key) and compare with stored metaID
5. RFID tag -> Reader: “My real ID is…”
Why is this not a perfect solution?
Analysis of Hash Locks. Relatively cheap to implement: tag has to store hash implementation and metaID. Security based on weak collision-resistance of hash function; metaID looks random. Problem: tag always responds with the same value. Attacker can track the same tag from place to place even if he cannot learn its real ID.
Randomized Hash Locks [Weis et al.]
Goal: authenticate reader to the RFID tag
RFID tag: stores its own IDk
Reader: stores all IDs: ID1, …, IDn
1. Reader -> RFID tag: “Who are you?”
2. RFID tag: generate random R
3. RFID tag -> Reader: R, hash(R,IDk)
4. Reader: compute hash(R,IDi) for every known IDi and compare
5. Reader -> RFID tag: “You must be IDk”
Analysis of Randomized Hash Locks. Tag must store hash implementation and pseudo-random number generator. Secure against tracking because tag response is different each time. Reader must perform brute-force ID search: effectively, reader must stage a mini-dictionary attack to unlock the tag. Alternative: use a block cipher; need a very efficient implementation of AES.
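Both hash-lock exchanges from the slides above, side by side, as an added example that is not part of the original slides. SHA-256 and the 16-byte R are assumptions (the slides name no hash function or nonce size), and all class and function names and sample IDs are constructed for illustration.

```python
import hashlib
import hmac
import os

def h(*parts):
    # SHA-256 stands in for the tag's hash function (assumption).
    return hashlib.sha256(b"".join(parts)).digest()

class HashLockTag:
    def __init__(self, key, real_id):
        self.meta_id, self.real_id = h(key), real_id   # tag stores metaID=hash(key)
    def who_are_you(self):
        return self.meta_id                             # identical on every read
    def unlock(self, key):
        ok = hmac.compare_digest(h(key), self.meta_id)
        return self.real_id if ok else None             # "My real ID is..."

class RandomizedTag:
    def __init__(self, tag_id):
        self.tag_id = tag_id                            # tag stores its own ID_k
    def who_are_you(self):
        r = os.urandom(16)                              # fresh random R per query
        return r, h(r, self.tag_id)

def reader_unlock(tag, key_db):
    """Hash lock: reader looks up the key for the metaID it hears."""
    key = key_db.get(tag.who_are_you())
    return tag.unlock(key) if key is not None else None

def reader_identify(response, known_ids):
    """Randomized hash lock: try hash(R, ID_i) for every known ID_i."""
    r, digest = response
    for tries, candidate in enumerate(known_ids, start=1):
        if hmac.compare_digest(h(r, candidate), digest):
            return candidate, tries
    return None, len(known_ids)

def linkable(observations):
    """True if an eavesdropper sees the same tag response more than once."""
    return len(set(observations)) < len(observations)
```

`linkable` is true for repeated reads of a `HashLockTag` and false for a `RandomizedTag`, while `reader_identify` reports how many hashes the reader's search cost, which grows linearly with the number of known IDs.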
External re-encryption approach. Suggested for RFID-embedded banknotes privacy protection. Banknote tag serial numbers are encrypted with a law enforcement public key. Periodic re-encryption to reduce the linkability of different appearances of a given tag. Resources limited on tag, so re-encryption done by external agents, usually the reader.
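An added sketch of re-encryption by an external agent, not taken from the original slides. ElGamal is used here as an assumption (the slides name no cryptosystem) because its ciphertexts can be re-randomized with the public key alone; the modulus, generator and sample serial are toy values constructed for the example.

```python
import secrets

# Toy group parameters (constructed for illustration, not for real use).
P = 2**127 - 1          # a Mersenne prime
G = 3

def _rand_exp():
    return secrets.randbelow(P - 2) + 1            # exponent in [1, P-2]

def keygen():
    priv = _rand_exp()                             # held by law enforcement only
    return priv, pow(G, priv, P)                   # (private key, public key)

def encrypt(pub, serial):
    """Ciphertext written to the tag: (g^r, serial * pub^r)."""
    r = _rand_exp()
    return pow(G, r, P), (serial * pow(pub, r, P)) % P

def reencrypt(pub, ct):
    """External agent (e.g. the reader) re-randomizes the tag's ciphertext.

    Needs only the public key and never learns the serial number.
    """
    a, b = ct
    s = _rand_exp()
    return (a * pow(G, s, P)) % P, (b * pow(pub, s, P)) % P

def decrypt(priv, ct):
    a, b = ct
    return (b * pow(a, P - 1 - priv, P)) % P       # b / a^priv mod P

def appearances(pub, serial, rounds):
    """Values an observer reads off one tag across `rounds` re-encryptions."""
    ct = encrypt(pub, serial)
    seen = [ct]
    for _ in range(rounds):
        ct = reencrypt(pub, ct)
        seen.append(ct)
    return seen

priv, pub = keygen()
serial = int.from_bytes(b"SN-CONSTRUCTED", "big")  # constructed sample serial
reads = appearances(pub, serial, rounds=3)
print(len(set(reads)), "distinct tag values;",
      all(decrypt(priv, ct) == serial for ct in reads))
```

Every value read off the tag differs from the previous one, yet each decrypts to the same serial number under the private key.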
References
The material covered in the slides has been taken from:
RFID Security and Privacy: http://www.google.co.in/url?sa=U&start=1&q=http://www.cs.utexas.edu/~shmat/courses/cs378_spring05/&e=9797
RFID: Security and Privacy for Five-Cent Computers: http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/five_cent/RFID_five%20cent.ppt
Questions ?