RFID Security and Privacy Part 2: security example.


1 RFID Security and Privacy Part 2: security example

2 Zoom in: Authentication
Should be mutual
– reader should recognise tags
– tag should recognise readers
EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags.
– proposed by P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006.

3 EMAP model
DB: IDS_1, Key_1, ……, IDS_n, Key_n
Updated after each session
Identification ID (m bits)
Key (4m bits) = K_1||K_2||K_3||K_4
Pseudonym IDS (m bits)
||: concatenation

4 EMAP protocol
Reader, Tag
hello
IDS
Database: IDS, K_1||K_2||K_3||K_4
Random n_1, n_2
A||B||C
A = IDS  K_1  n_1
B = (IDS  K_2)  n_1
C = IDS  K_3  n_2
Check A  B. Infer n_1, n_2
D||E
D = IDS  K_4  n_2
E = (IDS  n_1  n_2)  ID  K_1  K_2  K_3  K_4
Update IDS and K_1...K_4
Check D. Update IDS and K_1...K_4

5 Update …
IDS’ = IDS  n_2  K_1
K_1’ = K_1  n_2  (ID_1/2 || F(K_4) || F(K_3))
– ID_1/2 – first m/2 bits of ID
– F(X) – parity function
   Divide X in m/4 4-bit blocks
   Compute a parity bit for each block
K_2’ = K_2  n_2  (F(K_1) || F(K_4) || ID_2/2)
K_3’ = K_3  n_1  (ID_1/2 || F(K_4) || F(K_2))
K_4’ = K_4  n_1  (F(K_3) || F(K_1) || ID_2/2)

6 EMAP is efficient
Tag memory:
– Rewritable memory: 4m bits (keys) + m (IDS)
– ROM: m bits (ID)
– Very reasonable for m = 96…
Operations:
– tag does cheap processing: , , , ||
– random number generation – reader only!
– no expensive operations (e.g. hash function, multiplication)

7 Further advantages of EMAP
tag anonymity
– the same ID but different messages!
forward security
– knowledge of K_1...K_4 does not reveal updated key

8 Li and Deng: EMAP is vulnerable
"Vulnerability Analysis of EMAP - An Efficient RFID Mutual Authentication Protocol", April 2007

9 Attack 1: Desynchronisation
Tag:
– hello
– IDS
– A||B||C'
– infer n_2' instead of n_2
– wrong D'||E'
– Update IDS and the key
Reader:
– random n_1, n_2
– Update IDS and the key
Intruder:
– hello
– IDS
– j s.t. IDS(j) = 0
– A||B||C
– Toggle j in C
– D||E
– Toggle j in D' and E'
n_2' = n_2  e_j

10 Attack 1: Reader accepts D
expected: D = (IDS  K_4)  n_2
received: ((IDS  K_4)  n_2’)  e_j
– i.e. (IDS  K_4)  n_2  e_j  e_j = D

11 Attack 1: received E is correct
expected: E = (IDS  n_1  n_2)  ID  K_1  K_2  K_3  K_4
received: (IDS  n_1  n_2’)  ID  K_1  K_2  K_3  K_4  e_j
compare: IDS  n_1  n_2 vs. (IDS  n_1  n_2’)  e_j
– look at j-th bit: IDS(j) = 0  (IDS  n_1  n_2)(j) = n_2(j)

12 Attack 1: Tag update
IDS’ = IDS  n_2  K_1
K_1’ = K_1  n_2  (ID_1/2 || F(K_4) || F(K_3))
K_2’ = K_2  n_2  (F(K_1) || F(K_4) || ID_2/2)
K_3’ = K_3  n_1  (ID_1/2 || F(K_4) || F(K_2))
K_4’ = K_4  n_1  (F(K_3) || F(K_1) || ID_2/2)
Desynchronisation on IDS, K_1 and K_2
You can also attack n_1 rather than n_2 or both (see the paper)
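The EMAP session and Attack 1 from the slides above, replayed in Python as an added example (not code from the presentation or from either paper). The transcript no longer shows the bitwise operators, so the XOR/OR/AND placement follows the published EMAP specification and is an assumption relative to this page; function names are hypothetical and the sample values are constructed from a fixed seed.

```python
# Added example; ^ (XOR), | (OR), & (AND) placement assumed from the published EMAP spec.
import random

M = 96                                   # m, as on the "EMAP is efficient" slide
H, Q = M // 2, M // 4

def F(x):
    """Parity function: one parity bit per 4-bit block of x (m/4 bits out)."""
    return sum((bin((x >> 4 * i) & 0xF).count("1") & 1) << i for i in range(Q))

def update(ids, k, n1, n2, ident):
    """Update slide: returns (IDS', [K1', K2', K3', K4'])."""
    (k1, k2, k3, k4), hi, lo = k, ident >> H, ident & ((1 << H) - 1)
    left = lambda a, b: (hi << H) | (F(a) << Q) | F(b)          # ID1/2 || F(a) || F(b)
    right = lambda a, b: (F(a) << (H + Q)) | (F(b) << H) | lo   # F(a) || F(b) || ID2/2
    return ids ^ n2 ^ k1, [k1 ^ n2 ^ left(k4, k3), k2 ^ n2 ^ right(k1, k4),
                           k3 ^ n1 ^ left(k4, k2), k4 ^ n1 ^ right(k3, k1)]

def reader_messages(ids, k, n1, n2):
    """A, B, C as sent by the reader."""
    return ids ^ k[0] ^ n1, (ids | k[1]) ^ n1, ids ^ k[2] ^ n2

def expected_d_e(ids, k, ident, n1, n2):
    """D, E for given nonces; the tag sends them, the reader recomputes them."""
    return ((ids & k[3]) ^ n2,
            ((ids & n1) | n2) ^ ident ^ k[0] ^ k[1] ^ k[2] ^ k[3])

def tag_session(ids, k, ident, a, b, c):
    """Tag side: infer n1, check A against B, infer n2, answer D||E and update."""
    n1 = a ^ ids ^ k[0]
    if (ids | k[1]) ^ n1 != b:
        return None                                  # reader not authenticated
    n2 = c ^ ids ^ k[2]
    return expected_d_e(ids, k, ident, n1, n2), update(ids, k, n1, n2, ident)

def desync_demo(seed=1):
    """Replays Attack 1 on constructed values; returns (accepted, tag, reader)."""
    rng = random.Random(seed)                        # constructed sample data
    ident, ids, n1, n2, *k = (rng.getrandbits(M) for _ in range(8))
    ej = 1 << next(i for i in range(M) if not ids >> i & 1)   # j with IDS(j) = 0
    a, b, c = reader_messages(ids, k, n1, n2)
    (d, e), tag_state = tag_session(ids, k, ident, a, b, c ^ ej)  # C' reaches the tag
    accepted = (d ^ ej, e ^ ej) == expected_d_e(ids, k, ident, n1, n2)
    return accepted, tag_state, update(ids, k, n1, n2, ident)

if __name__ == "__main__":
    ok, (t_ids, t_k), (r_ids, r_k) = desync_demo()
    print("reader accepts:", ok)
    print("IDS, K1..K4 in sync:", [t_ids == r_ids] + [x == y for x, y in zip(t_k, r_k)])
```

The reader accepts the exchange, yet the tag's and the database's copies of IDS, K1 and K2 each differ in exactly bit j while K3 and K4 still match.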

13 What kind of problem has been demonstrated?
A. Ethical issues
B. Illicit tracking of the tags
C. Skimming
D. Tag cloning
E. Cross-contamination
F. Tag killing
G. Invasive attack / side channel attack
H. Jamming

14 Countermeasure: Error-correcting codes?
Can report/correct a number of 1-0 errors
– can detect the attack as presented above
BUT
– the attack can be generalised to replace (n_1, n_2) by (n_1’, n_2’) toggling multiple bits simultaneously…
– … and fooling the error-correcting codes!

15 Murphy’s Law
Just when you think things cannot get any worse, they will.

16 Attack 2
Full disclosure attack
Run EMAP (a number of times) and discover ID and all the keys!
Want to know more? Read the paper

