Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix.

Slides:



Advertisements
Similar presentations
Ryan Kagin University of Illinois Fall 2007
Advertisements

Part 4: combinational devices
Gone in 360 Seconds: Hijacking with Hitag2
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Block Ciphers and the Data Encryption Standard
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
FIT3105 Smart card based authentication and identity management Lecture 4.
Security in RFID Presented By… NetSecurity-Spring07
Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1
Risk of Using RFID chips in Passports Oscar Mendez.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
RFID Devices and Cryptography Analysis of the DST40
Technical Issues in Library RFID Privacy David Molnar UC-Berkeley Computer Science.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.
Radio Frequency Identification By Bhagyesh Lodha Vinit Mahedia Vishnu Saran Mitesh Bhawsar.
Security Analysis of a Cryptographically-Enabled RFID Device Authors: Steve Bono Matthew Green Adam Stubblefield Adam Stubblefield Ari Juels Ari Juels.
1 UCR Hardware Security Primitives with focus on PUFs Slide credit: Srini Devedas and others.
CPU Design. Introduction – The CPU must perform three main tasks: Communication with memory – Fetching Instructions – Fetching and storing data Interpretation.
Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that.
Strength of Cryptographic Systems Dr. C F Chong, Dr. K P Chow Department of Computer Science and Information Systems The University of Hong Kong.
Niv Gafni, Yair Offir and Eliav Ben-zaken Information System Engineering Ben Gurion University 1.
1 Lect. 7 : Data Encryption Standard. 2 Data Encryption Standard (DES)  DES - History 1976 – adopted as a federal standard 1977 – official publication.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 2 – Cryptographic.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
TinySec : Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Anil Karamchandani 10/01/2007.
1. Hardware: each component on the microcontroller will need to be tested individually using multi-meters, logic analyzers, and circuit probe analysis.
Chapter 3 Encryption Algorithms & Systems (Part D)
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Cracking the DES Encryption
Design Team : Advisor: Dr. Edwin Project Web Site: Client: Paul
Azam Supervisor : Prof. Raj Jain
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Aquarius Mission Simulation A realistic simulation is essential for mission readiness preparations This requires the ability to produce realistic data,
Reverse Engineering. Reverse engineering is the general process of analyzing a technology specifically to ascertain how it was designed or how it operates.
DES: Data Encryption Standard
CSE SW Metrics and Quality Engineering Copyright © , Dennis J. Frailey, All Rights Reserved CSE8314M37 8/20/2001Slide 1 SMU CSE 8314 /
Technical lssues for the Knowledge Engineering Competition Stefan Edelkamp Jeremy Frank.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Attacking an obfuscated cipher by injecting faults Matthias Jacob Dan Boneh Edward.
CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.
Flavio Garcia University of Birmingham
1 CPCS425: Information Security (Topic 5) Topic 5  Symmetrical Cryptography  Understand the principles of modern symmetric (conventional) cryptography.
Getting Ready for the NOCTI test April 30, Study checklist #1 Analyze Programming Problems and Flowchart Solutions Study Checklist.
Security in Opened versus Closed Systems – The Dance of Boltzmann, Coase and Moore Presented By Chad Frommeyer.
Faculty of technical education, King Mongut’s Institute of Technology North Bangkok 1518, Pibulsongkram Road, Bangsue, Bangkok 10800, Thailand Mr.Phadungsak.
Computer Organization and Machine Language Programming CPTG 245
Microcontroller Evolution
HiTag2 RTLab 이재근.
Overview on Hardware Security
By Theodora Kontogianni
RFID: The Problems of Cloning and Counterfeiting
332:437 Lecture 7 Verilog Hardware Description Language Basics
PART VII Security.
332:437 Lecture 7 Verilog Hardware Description Language Basics
332:437 Lecture 7 Verilog Hardware Description Language Basics
Security Implementation Using Present-Puffin Protocol
Block Ciphers (Crypto 2)
Microcontroller Evolution
Hashing Hash are the auxiliary values that are used in cryptography.
Hash Function Requirements
Advanced Encryption Standard
Presentation transcript:

Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix Security Symposium 2005 Presented By Himanshu Pagey (For CDA 6938 Class Presentation)

How realistic is this Scenario? Realistic ( I own a TI vehicle immobilizer, I am going to get it changed right after the class). Sounds good for a paper but really no body can steal my car! Ohh well ! Can they? The paper suggest that such threats are well within the realm of practical execution and is applicable to wide variety of applications. We hope that none of the car thieves are reading this paper.

RFID Primer (Souce:Wiki) Automatic identification method. Data is retrieved from RFID Tags ( tags as small as millimeter by 0.15-m illimeter have been manufactured by hitachi) Passive tags do not require power source Active tags require power source Heavy implementation in supply chain industry. Well we don’t want to implement unsecure systems. Unsecured systems is as good as “No System”

Questions that the paper answers How to stage the Attack? (Details) What resources are needed to stage such an Attack? (Hardware/software/network) How serious is this threat? ( Wide deployed?) What are the counter measures ? Why was the attack possible? Is Texas Instruments Listening?

Attack Details( How?) Step 1 : Reverse Engineer the Cipher Black Box Or Oracle DST Easy to reverse engineer the functionality of the black Box

Step 1 … Black Box Or Oracle DST Difficult to reverse engineer the functionality of the black Box

Step 1 … TI has not published their algorithm or Block Diagram, citing “ security by obscurity”. Their aim is to figure out the cipher used by the DST by reverse engineering under constraint of minimum resource requirement. ( Software packages were not used due to copyright issues). The authors observed the logical output of the DST by specifying varying inputs. They compared the logical output to the predicted output to determine the behavior of the hardware circuit The Authors were lucky that the DST cipher (hardware implementation) was easy to decode.

Step 1… Such reverse engineering efforts have been successfully attempted in the past. For e.g. Bunny Huang Reverse engineered a XBOX to allow it to run Linux. With the help of block DST block Diagram published in the Dr Kaisers publication and after much trial and error effort the authors were able to extract all the required information. The required information will be used in later stages to simulate the digital transponder.

Step 1… The authors were able to recover – The key schedule – The routing mechanism – The logical functions computed by the f g and h boxes – The Feistel structure of the DST cipher Feistel structure of an cipher can be considered as steps of the algorithm ( Order in which various operations are performed)

Step 2 Key Cracking The authors compiled a hardware circuit to crack the key (40 Bit key). A single circuit was able to crack the 40 bit key in under 21 hours. To speed up search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel(<3500$). The authors were able to find the keys of 5 TI provided tags in under 5 hours to verify the correctness of the algorithm. ( This was a challenge issued by TI)

Step 3 Putting it all together Reader Powers up the DST and sends a command Encrypts and sends the response Looks up the secret key based on the serial id broadcast by the DST sends a command Sends a response

Strengths of the Paper Exploits a realistic weakness in a production system. ( Texas Instruments) They make their results available to TI. They actually stage on attack on “SpeedPass” System. They reverse engineer a Hardware circuit by probing the logical output of the circuit.

Weakness The authors probably had enough working knowledge of a cipher implementation to decipher the structure of the hardware circuits, by probing the logical outputs. ( Since RSA produces security hardware components) A Thief should have enough technical knowledge to register such an attack, hence current 40 bit key Immobilizers still act as deterrent.

Suggested Improvement At the time of publication, TI had plans to ship DST with 128 bit keys. Can we still register an successful attack with this change? Was the cipher structure one of the causes of vulnerability?

Questions ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.