Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security, TU Graz/Computer Science/IAIK/VLSI/SCA. Leuven, BCRYPT Workshop. Side-Channel and Fault Attacks on RFID. Michael Hutter, Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology. BCRYPT RFID Security Workshop 2010.
Presentation Outline: Side Channel Analysis on RFID (Measurement Setups, Attacks, Results); Fault Attacks on RFID (Measurement Setups, Attacks, Results); Conclusions
A typical SCA Setup…
SCA on RFID? No resistor; No trigger; Low power; Strong reader field
Practical Solutions: electromagnetic measurements; Trigger on RFID communication; Use analog amplifiers; Apply pre-processing techniques; Apply reader-signal cancelation techniques
Reader-Signal Cancelation Techniques: Frequency Selective Measurements (Picture: R&S®)
Reader-Signal Cancelation Techniques: Frequency Selective Measurements; Helmholtz Arrangement (Picture: R&S®)
Reader-Signal Cancelation Techniques: Frequency Selective Measurements; Helmholtz Arrangement; Phase-Shifted Signal Subtraction (Picture: R&S®; figure label: Shift x°)
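Added example, not part of the original slides: a digital simulation of phase-shifted signal subtraction, showing why the strong reader field hides the tag's signal and how sensitive the cancelation is to the shift angle. The sample rate, amplitudes, the 37° carrier phase and the square-wave "tag activity" are constructed assumptions; the slides do not describe their setup in this detail.

```python
import math

SPP = 16           # samples per carrier period (constructed value)
N = SPP * 256      # 256 whole carrier periods

def synth_trace(amp=1.0, phase_deg=37.0, leak_amp=1e-3):
    """Constructed probe signal: strong reader carrier plus weak tag activity."""
    trace = []
    for n in range(N):
        carrier = amp * math.sin(2 * math.pi * n / SPP + math.radians(phase_deg))
        leak = leak_amp if (n // 256) % 2 == 0 else -leak_amp  # slow square wave
        trace.append(carrier + leak)
    return trace

def estimate_carrier(trace):
    """Quadrature projection at the carrier frequency -> (amplitude, phase in degrees)."""
    k = 2 / len(trace)
    i = k * sum(x * math.sin(2 * math.pi * n / SPP) for n, x in enumerate(trace))
    q = k * sum(x * math.cos(2 * math.pi * n / SPP) for n, x in enumerate(trace))
    return math.hypot(i, q), math.degrees(math.atan2(q, i))

def subtract_shifted(trace, amp, shift_deg):
    """Subtract a reference carrier shifted by shift_deg from the trace."""
    return [x - amp * math.sin(2 * math.pi * n / SPP + math.radians(shift_deg))
            for n, x in enumerate(trace)]

def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))

def demo():
    trace = synth_trace()
    amp, phase = estimate_carrier(trace)
    matched = subtract_shifted(trace, amp, phase)           # correct shift
    off_by_one = subtract_shifted(trace, amp, phase + 1.0)  # 1 degree mismatch
    return {"amp": amp, "phase_deg": phase, "rms_raw": rms(trace),
            "rms_matched": rms(matched), "rms_off_by_1deg": rms(off_by_one)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value:.6f}")
```

With a matched shift the residual is the weak tag-side signal alone; a 1° error leaves a carrier remnant more than ten times larger than that signal.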
Another Solution… Contact-based Power Analysis
SCA Results: ISO C Gen2 UHF tag; ISO HF tag
Interesting Observation… The power consumption rises earlier for certain input values, because many RFID tags process data serially. This can be exploited in timing attacks.
How to perform Fault Attacks on RFID?
Solutions: EM Fault Injections
Solutions: EM Fault Injections; Antenna Tearing
Solutions: EM Fault Injections; Antenna Tearing; Optical Inductions
Another Solution… Contact-based Fault Injection Setup
[Figure; label: sweep]
Fault Analysis Results: Faults cause the tags to write faulty values into the memory; The value can be influenced by the adversary; Optical Fault Inductions allow unnoticed writing of faulty values
Conclusion: EM as well as power-analysis attacks pose a serious threat in security-enabled RFID applications; Fault attacks can be used to write faulty values into the tag's memory without detection
Michael Hutter, IAIK – Graz University of Technology. Side-Channel and Fault Attacks on RFID