1. RFID: The Problems of Cloning and Counterfeiting
Ari Juels
RSA Laboratories
19 October 2005

2. RFID devices take many forms

3. “RFID” really denotes a spectrum of devices
Automobile
ignition key
Mobile phone
Toll payment
plaque
Basic
“smart
label”

4. “Smart label” RFID tag Passive device – receives power from reader
Range of up to several meters
Simply calls out (unique) name and static data
“74AB8”
“5F8KJ3”
“Evian bottle
# ”

5. Capabilities of “smart label” RFID tag
Little memory
Static 96-bit+ identifier in current ultra-cheap tags
Hundreds of bits soon
Little computational power
Several thousand gates (mostly for basic functionality)
No real cryptographic functions possible
Pricing pressure may keep it this way for a while, i.e., Moore’s Law will have delayed impact

6. The grand vision: EPC (Electronic Product Code) tags
Barcode
EPC tag
Fast, automated
scanning
Line-of-sight
Radio contact
Provides pointer
to database entry
for every object,
i.e., unique,
detailed history
Specifies object type
Uniquely specifies object

7. Impending explosion in (EPC) RFID use
EPCglobal
Joint venture of UCC and EAN
Wal-Mart, Procter & Gamble, DoD, etc.
Recently ratified new EPC-tag standard (Class 1 Gen 2)
Pallet and case tagging first
Item-level retail tagging, automated tills, seem years away
Estimated costs
2008: $0.05 per tag; hundreds of dollars per reader (?)
Beyond: $0.01 per tag; several dollars per reader (?)

8. Other forms of RFID
Automobile immobilizers
Payment devices
Currency?

9. Other forms of RFID
“Not Really Mad”
Tracking cattle
Passports

10. Other forms of RFID Medical compliance RFID readers in mobile handsets
Showtimes:
16.00, 19.00

11. The privacy problem Mr. Jones in 2015 Bad readers, good tags Wig
model #4456 (cheap polyester)
Das Kapital and Communist-party handbook
1500 Euros
in wallet
Serial numbers:
597387,389473…
30 items
of lingerie
Replacement hip
medical part #459382

12. The authentication problem
Good readers, bad tags
Mr. Jones’s car!
Mr. Jones in 2015
Counterfeit!
Replacement hip
medical part #459382
Counterfeit!
1500 Euros
in wallet
Serial numbers:
597387,389473…
Mad-cow
hamburger
lunch

13. RFID and sensors will underpin critical infrastructure
Authentication therefore has many facets:
Physical security
Consumer goods and pharmaceuticals safety
Transaction security
Brand value
…but it’s getting short shrift
I’ll talk about three different projects on RFID authentication

14. The Digital Signature Transponder (DST)
Joint work with S. Bono, M. Green, A. Stubblefield, A. Rubin, and M. Szydlo
USENIX Security ‘05

15. The Digital Signature Transponder (DST)
“I’m tag #123” f
40-bit challenge C
Car #123
24-bit response R = fK(C)
(simplified)
Helps secure tens of millions of automobiles
Philips claims more than 90% reduction in car theft thanks to RFID! (TI did at one point.)
Also used in millions of payment transponders

16. The Digital Signature Transponder (DST)
“I’m tag #123” f
40-bit challenge C
Car #123
24-bit response R = fK(C)
(simplified)
The key K is only 40 bits in length!

17. The Digital Signature Transponder (DST)
“I’m tag #123” f
40-bit challenge C
Car #123
24-bit response R = fK(C)
(simplified)
Our aim: Demonstrate security vulnerability
by cloning real DSTs

18. The Digital Signature Transponder (DST)
“I’m tag #123” f
40-bit challenge C
Car #123
24-bit response R = fK(C) f
(simplified)
But what is the cryptographic function f ???

19. Black-box cryptanalysis
key K f? C
R = fK(C)
Programmable DST

20. Not implemented this way!
Texas Instruments DST40 cipher (not original schematic)
???
Challenge register
Routing Network
??? f1 f2 f3 f4 f5 f6 f7 f8 f9
f10
f11
f12
f13
f14
f15
f16
f17
f21
f18
f19
f20
Routing Network
Key register
Not implemented this way!
400 clocks / 3 cycles

21. Not implemented this way!f1 f2 f3 f4 f5 f6 f7 f8 f9
f10
f11
f12
f13
f14
f15
f16
Routing Network
f17
f18
f19
f20
f21
Challenge register
Key register
400 clocks / 3 cycles
Texas Instruments DST40 cipher (not original schematic)
???
Not implemented this way!
f17
f18
f19
f20
f21

22. Black-box cryptanalysis

23. One internal wire
Case A

24. Or two internal wires?
Case B

25. Black-box cryptanalysis1 1

27. 2 possible values
4 possible values
Case A
Case B

28. Same principle applies to more complex structures…
f17
f21
f18
f19
f20

29. Same principle applies to more complex structures…

30. Consider two particular input wires…

31. Or do two inputs go to same box?
Case A

32. Do two inputs go to different boxes?
Case B

33. One internal wire
Two internal wires
Case A
Case B

34. Not implemented this way!
???
??? f
Not implemented this way!

35. The full cloning process
Skimming
Key cracking
Simulation

36. The full cloning process
Step 1: Skimming
Step 1: Skimming
Obtain responses
r1,r2
to two challenges,
c1, c2
Takes only
1/4 second!

37. The full cloning process
Step 2: Key cracking C
Find secret key k such that
r1=fk(c1)
and
r2 = fk(c2)
(30 mins. on 16-way parallel cracker;
Faster with Hellman table)

38. The full cloning process
Step 3: Simulation
Simulate radio protocols with computation of fk

39. “Human” authentication for RFID tags
Joint work with Steve Weis
Crypto ‘05

40. RFID tags are a little like people≈
Very limited memory for numbers
Very limited ability for arithmetic computation

41. Hopper-Blum (HB) Human Identification Protocol

42. Hopper-Blum (HB) Human Identification Protocol
Challenge A
Response f(X,A)
Secret X

43. Hopper-Blum (HB) Human Identification Protocol
Challenge A
R = (X • A) + Nη
modular dot product
noise w.p. η
Secret X

44. HB Protocol
Example, mod 10
(0, 4, 7)
R = 5 7
X = (3,2,1)

45. Learning Parity in the presence of Noise (LPN)
Given multiple rounds of protocol, find X (or other equally good secret)
Given q challenge-response pairs (A1,R1)…(Aq,Rq) ,, find X’ such that Ri = X’ • Ai on at most ηq instances, for constant η > 0
Binary values
Note that noise is critical!
LPN is NP-hard – even within approx. of 2
Theoretical and empirical evidence of average-case hardness
Poly. adversarial advantage in HB protocol → LPN

46. Problem: Not secure against
HB Protocol C R X X
Problem: Not secure against
active adversaries!

47. HB+ Protocol C D
(D • Y) Nη
R = (C • X)
X,Y
X,Y

48. HB+ Protocol D
(D • Y) Nη
X,Y
X,Y

49. HB+ Protocol C D X,Y X,Y R = (C • X) (D • Y) + + Nη Intuition:
Add extra HB protocol with prover-generated challenge
Adversary effectively cannot choose challenge here

50. In the paper
Most of paper elaborates security reduction from HB+ to LPN
Implementation of algorithm seems very practical – just linear number of ANDs and XORs and a little noise!
Looks like EPC might be amenable, but…

51. Further work Security reduction is concrete, but very loose
What concrete security parameters – key length and communications complexity – yield adequate security?
Limited model: “We win if counterfeiter detected”
Assume counterfeiter aims to duplicate tag without alerting verifier, i.e., detection model
Appropriate for centralized verifier (with DoS controls), e.g., prox cards, casino chips, etc.
Gilbert, Robshaw, and Sibert demonstrate man-in-the-middle attack in stronger prevention model
Can HB techniques be extended to prevention model?

52. Addressing Cloning of EPC Tags
WiSe ‘05

53. Inevitable reliance on EPC tags for anti-counterfeiting
Drug tracing / anti-counterfeiting
Made in
Canada
EPC (Class-1 Gen-2) is easy to countefeit: It’s basically just a wireless barcode!
Tight tracking is useful per se in combating counterfeiting, e.g., via duplicate detection
But integrity of tag is needed where data coordination is loose
What can we do today to prevent cloning of EPC tags?
We can use the “kill” feature!

54. “morituri te salutamus”
The kill function
“Kill” + 32-bit PIN K’
K = K’
“morituri te salutamus”
Kill PIN K
Only mandatory EPC security feature is for privacy!
Idea: Cause tags on consumer items to self-destruct before they leave shop

55. The kill function
“Kill” + 32-bit PIN K’
K ≠ K’
Bad PIN; [Reset]
Kill PIN K
“Kill” authenticates reader, but not very useful for tag authentication since it kills tags!

56. K ≠ K’ Low signal strength “Kill” + 32-bit PIN K’ Bad PIN; [Reset]
Kill PIN K

57. Good PIN; insufficient power!
Low signal strength
“Kill” + 32-bit PIN K’
K = K’
Good PIN; insufficient power!
Kill PIN K
Tag achieves accept/reject function for PINs:
“Good PIN” is accept
“Bad PIN” is reject

58. How to authenticate a tag with low signal strength
“Kill” + PIN K
“Kill” + random PIN K’
Kill PIN K
If tag accepts K and rejects K’, then tag is good; otherwise bad
Counterfeit EPC tag will fail with high probability
“Intelligent” counterfeit tag succeeds with probability at most ½!
(Can boost detection probability with more bogus PINs, but expensive)

59. Implementing this Scheme
Calibrating signal strength from reader would be hard
Manufacturer can exchange privacy kill feature for authentication kill feature
Just set tag power threshold required for “kill” very high
Tag always thinks signal strength is too low
Still complies with EPC standard, which does not specify power threshold
Does not comply with conformance specifications
Prob. ½ detection not high for individual clone, but very high for broad supply chain
A little like scheme for detecting fraudulent ballots
Shortcomings:
Vulnerable to short-range eavesdropping
Limited execution on untrusted readers
But much better than no authentication!

60. Conclusions

61. Moral 1: Standard crypto modeling fails for cheap RFID
Welcome to Hell
IT Department

62. Welcome to Hell IT Department
A cheap RFID tag cannot survive here… but worst case often isn’t reality for RFID
Welcome to Hell
IT Department

63. We need new primitives and flexible modeling
Low-cost tags will probably not be able to do full-blown crypto for some time
Moore’s Law opposed by pricing pressure…
Crypto community should not take black and white view, e.g., abandon crypto-challenged tags to wolves (EPC Class-1 type)
We need new primitives:
E.g., can we build good PRFs with really low gate count, e.g., hundreds of gates?
And new modeling:
What special characteristics do RFID tags present to attackers?
E.g., physical and radio layers
What security properties can we sacrifice in the real world?
Learning to cut the right corners…

64. Moral 2
“We have not received one reported incident of fraud in the eight years [the DST] has been used by consumers and we are confident the systems remain secure.”
- Texas Instruments, 10 February 2005
1980: Not one reported incident of a computer virus in the wild
1999: Not one reported incident of a major DDoS attack on the Internet
“This year TI will begin ramping [up] production of its 128-bit encrypted RFID chips first introduced in early 2003…”

65. Moral 2
“We have not received one reported incident of fraud in the eight years [the DST] has been used by consumers and we are confident the systems remain secure.”
- Texas Instruments, 10 February 2005
1980: Not one reported incident of a computer virus in the wild
1999: Not one reported incident of a multi-pronged DDoS attack on the Internet
“This year TI will begin ramping [up] production of its 128-bit encrypted RFID chips first introduced in early 2003…”
RFID is a new critical infrastructure in the making
We should learn from the history of the Internet, where phishing, spam, etc. are crippling e-commerce
Security community must promote and address security in RFID systems before problems become costly and pervasive

66. To learn more Primers and current RFID news: RSA Labs RFID Web site:
RSA Labs RFID Web site:
(unofficial)
JHU/RSA RFID Web site:
New survey (and all papers described here) at