1. Security Analysis of a Cryptographically-Enabled RFID Device Authors: Steve Bono Matthew Green Adam Stubblefield Adam Stubblefield Ari Juels Ari Juels Avi Rubin Michael Szydlo Avi Rubin Michael Szydlo Publisher: Usenix Security Symposium 2005 Presented by: Chowdhury, Abu Rahat Chowdhury, Abu Rahat

2. Today’s Outline The Authors and the Main Theme Recap, DST & Objective Attack Range, Scenarios & three step Process the authors used Reverse Engineering Key Cracking Simulation Comments.

3. Adam Stubblefield Assistant Research Professor Johns Hopkins University Steve Bono Grad Student/ Musician ????? Johns Hopkins University Matthew D. Green PhD Student - Johns Hopkins University The Authors Dr. Ari Juels Chief Scientist Director, RSA Laboratories Michael Szydlo Senior Software Developer. Akamai, Cambridge Aviel D. Rubin Professor Johns Hopkins University

4. The Main Theme This paper describes the success in defeating the security of an RFID device known as a Digital Signature Transponder (DST) which is produced by Texas Instrument. The paper concludes that the cryptographic protection afforded by the DST device is relatively weak.

5. The Authors – Headlined Students crack the Code

6. Today’s Outline The Authors and the Main Theme Recap, DST & ObjectiveRecap, DST & Objective Attack Range, Scenarios & Three step Process the authors used Reverse Engineering Key Cracking Simulation Comments.

7. Recap RFID Various technologies are used to track and automatically ID people, products, and other objects – Barcodes – Optical Character Recognition (OCR) – Biometrics Voice recognition and ID systems Voice recognition and ID systems Fingerprint ID systems Fingerprint ID systems – Smart cards – Memory cards – Microprocessor cards Tracking Technologies and Automatic ID Systems

8. RFID: What is it ? RFID combines many of the features of several of these technologies – Like barcodes, RFID is used to identify and track objects – RFID also can be used like smart cards, memory card, and microprocessor cards to store information and provide interactive data processing

9. Current Technology

10. Market & Application Key Industry Drivers Leading Us Toward RFID Industrial Products Logistics/ Trans. Retail Products Retail Products Consumer Products Homeland Security Other Service

11. Review DST Sophisticated RFID devices can offer cryptographic functionality Digital Signature Transponder (DST) is such a device Manufactured by Texas Instruments

12. Application of DST Vehicle Immobilizers 150 million immobilizer keys use RFID150 million immobilizer keys use RFID Older keys use fixed-code transponders with no cryptographic securityOlder keys use fixed-code transponders with no cryptographic security Newer model use DSTNewer model use DST Electronic Payment Exxon-Mobil SpeedPass systemExxon-Mobil SpeedPass system Seven million cryptographically-enabled keychain tags accepted at 10k locations worldwideSeven million cryptographically-enabled keychain tags accepted at 10k locations worldwide

13. Characteristics of a DST DST emits a 24-bit, factory set ID DST emits a 24-bit, factory set ID Then authentication process starts Then authentication process starts Reader sends a 40-bit challenge Reader sends a 40-bit challenge Small microchip and antenna coil with no onboard power source Contains a secret 40-bit cryptographic key that is field- programmable via RF command Interaction with a reader:

14. Objective Several attacking steps were accomplished using inexpensive off-the- shelf equipment, and with minimal RF expertise. Manufactured by Texas Instruments, DST (and variant) devices help secure millions of SpeedPass payment transponders and automobile ignition keys.

15. Questions that the paper answers How to stage the Attack? (Details) What resources are needed to stage such an Attack? (Hardware/software/network) How serious is this threat? What are the counter measures ? Why was the attack possible? Is Texas Instruments Listening?

16. The Big Picture

17. Source : Pagey

18. Today’s Outline The Authors and the Main ThemeThe Authors and the Main Theme Recap, DST & ObjectiveRecap, DST & Objective Attack Range, Scenarios & Three step Process the authors usedAttack Range, Scenarios & Three step Process the authors used Reverse Engineering Key Cracking Simulation Comments.Comments.

19. Effective Attack Range DSTs are designed for short range scanning, only few centimeters DSTs can respond to as many as 8 queries/sec Active scanning –Attacker brings her own reader within scanning range of the victim –Permits a chosen-challenge attack Passive eavesdropping –Eavesdrop on the communication between the victim and a legitimate reader

20. Example Attack Scenarios Auto theft via eavesdroppingAuto theft via eavesdropping –Own a van with eavesdropping equipment –Park near victim’s car and wait to capture key to reader transmissions –Make a key based on data collected Auto theft via active attackAuto theft via active attack –Suborn/bribe a valet at a parking facility to scan immobilizer keys while parking their cars SpeedPass theft via active attackSpeedPass theft via active attack –Carry a reader and a short-range antenna and scan nearby passengers in a subway

21. Attack process Reverse engineering –Experimental observation of responses output by the device –Aim was to get a schematic if the block cipher used in the challenge-response protocol Key cracking –Recover a key in under an hour Simulation –Given the key, a simulator for the RF output was constructed so as to spoof readers

22. Reverse Engineering Where to start? –Can purchase TI software (but license agreements issue) –Only Information – rough schematic by Dr. Ulrich Kaiser Black-box testing (to uncover the DST technique) –With a TI 2000 LF RFID kit –Remember, DST is field-programmable!

23. The Rough Schematic

24. Reverse Engineering They observed the logical output of the DST by specifying varying inputs and predicted output of the hardware circuit TI has not published their algorithm or Block Diagram, citing “ security by obscurity”. The authors’ aim was to figure out the cipher used by the DST by reverse engineering under constraint of minimum resource requirement. (Software packages were not used due to copyright issues).

25. Such reverse engineering efforts have been successfully attempted in the past. For e.g. Bunny Huang Reverse engineered a XBOX to allow it to run Linux. With the help of block DST block Diagram published in the Dr Kaisers publication and after much trial and error effort the authors were able to extract all the required information. Reverse Engineering

26. Key Cracking The authors compiled a hardware circuit to crack the key (40 Bit key). A single circuit was able to crack the 40 bit key in under 21 hours. To speed up search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel(<3500$).

27. Simulation

28. Conclusion It describe the success of defeating the security of an RFID device The authors hope that future cryptographic RFID system designers will embrace a critical lesson preached by the scientific community

29. Today’s Outline The Authors and the Main Theme Recap, DST & Objective Attack Range, Scenarios & Three step Process the authors used Reverse Engineering Key Cracking Simulation CommentsComments

30. Strengths Exploits a realistic weakness in a production system. (Texas Instruments) They make their results available to TI. They actually stage on attack on “SpeedPass” System.

31. Weaknesses The authors probably had enough working knowledge of a cipher implementation to decipher the structure of the hardware A Thief should have enough technical knowledge to register such an attack, hence current 40 bit key Immobilizers still act as deterrent

32. Suggestion Adequate key-length of the underlying DST40 cipher At the time of publication, TI had plans to ship DST with 128 bit keys Can we still register an successful attack with this change?

33. Reference & Back up Slide

34. References Security Analysis of a Cryptographically-Enabled RFID Device – Usenix Security '05 Paper http://usenix.org/events/sec05/tech/bono.html Automotive immobilizer anti-theft systems experience rapid growth in 1999, 1 June 1999. Texas Instruments Press Release. Available at http://www.ti.com/tiris/docs/news/news releases/ 90s/rel06- 01-99.shtml. Figure by Dr. Ulrich Kaiser, Texas Instruments Deutschland Google, Wikipedia,

35. Extra: The full DST protocol Reader transmits a challenge to the transponder consisting of a 8-bit opcode and 40-bit challenge The transponder encrypts the challenge using the secret 40-bit key it shares with the reader The transponder replies to the reader with its 24- bit serial number, the 24 least significant bits of encryption’s result and a 16-bit CRC –16-bit reverse CRC-CCITT initialized with a secret 16-bit value

36. Extra: Simulating a DST device PC equipped with a DAC board (digital-to-analog converter) Input and output of DAC board connected to an antenna tuned at 134 KHz Steps: –Analyze the A/D conversions received by the DAC board –Decode the AM signal containing the challenge sent from the reader –Perform an encryption of this challenge using the recovered secret DST key –Code the FM-FSK signal representing the correct response –Output this FM-FSK signal to the DAC board

37. Extra: Immobilizer

38. 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 0 1 1 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 0 1 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 0 1 1 0 1 1 0 1 1 1 0 1 1 0 1 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 01 01111110111111101010111111100111111111 0101010 0101010 0101010 0101010 0101010 0101010 0101010 0101010 Thank You