Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix.

Published byHugh Cunningham Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix."— Presentation transcript:

1 Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix Security Symposium 2005 Presented By Himanshu Pagey (For CDA 6938 Class Presentation)

2

3 How realistic is this Scenario? Realistic ( I own a TI vehicle immobilizer, I am going to get it changed right after the class). Sounds good for a paper but really no body can steal my car! Ohh well ! Can they? The paper suggest that such threats are well within the realm of practical execution and is applicable to wide variety of applications. We hope that none of the car thieves are reading this paper.

4 RFID Primer (Souce:Wiki) Automatic identification method. Data is retrieved from RFID Tags ( tags as small as 0.15- millimeter by 0.15-m illimeter have been manufactured by hitachi) Passive tags do not require power source Active tags require power source Heavy implementation in supply chain industry. Well we don’t want to implement unsecure systems. Unsecured systems is as good as “No System”

5 Questions that the paper answers How to stage the Attack? (Details) What resources are needed to stage such an Attack? (Hardware/software/network) How serious is this threat? ( Wide deployed?) What are the counter measures ? Why was the attack possible? Is Texas Instruments Listening?

6 Attack Details( How?) Step 1 : Reverse Engineer the Cipher 3 6 4 8 5 10 Black Box Or Oracle DST Easy to reverse engineer the functionality of the black Box

7 Step 1 …. 342345 498003 5100000 Black Box Or Oracle DST Difficult to reverse engineer the functionality of the black Box

8 Step 1 … TI has not published their algorithm or Block Diagram, citing “ security by obscurity”. Their aim is to figure out the cipher used by the DST by reverse engineering under constraint of minimum resource requirement. ( Software packages were not used due to copyright issues). The authors observed the logical output of the DST by specifying varying inputs. They compared the logical output to the predicted output to determine the behavior of the hardware circuit The Authors were lucky that the DST cipher (hardware implementation) was easy to decode.

9 Step 1… Such reverse engineering efforts have been successfully attempted in the past. For e.g. Bunny Huang Reverse engineered a XBOX to allow it to run Linux. With the help of block DST block Diagram published in the Dr Kaisers publication and after much trial and error effort the authors were able to extract all the required information. The required information will be used in later stages to simulate the digital transponder.

10

11 Step 1… The authors were able to recover – The key schedule – The routing mechanism – The logical functions computed by the f g and h boxes – The Feistel structure of the DST cipher Feistel structure of an cipher can be considered as steps of the algorithm ( Order in which various operations are performed)

12 Step 2 Key Cracking The authors compiled a hardware circuit to crack the key (40 Bit key). A single circuit was able to crack the 40 bit key in under 21 hours. To speed up search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel(<3500$). The authors were able to find the keys of 5 TI provided tags in under 5 hours to verify the correctness of the algorithm. ( This was a challenge issued by TI)

13 Step 3 Putting it all together Reader Powers up the DST and sends a command Encrypts and sends the response Looks up the secret key based on the serial id broadcast by the DST sends a command Sends a response

14 Strengths of the Paper Exploits a realistic weakness in a production system. ( Texas Instruments) They make their results available to TI. They actually stage on attack on “SpeedPass” System. They reverse engineer a Hardware circuit by probing the logical output of the circuit.

15 Weakness The authors probably had enough working knowledge of a cipher implementation to decipher the structure of the hardware circuits, by probing the logical outputs. ( Since RSA produces security hardware components) A Thief should have enough technical knowledge to register such an attack, hence current 40 bit key Immobilizers still act as deterrent.

16 Suggested Improvement At the time of publication, TI had plans to ship DST with 128 bit keys. Can we still register an successful attack with this change? Was the cipher structure one of the causes of vulnerability?

17 Questions ?

Download ppt "Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix."

Similar presentations

Ryan Kagin University of Illinois Fall 2007

Ryan Kagin University of Illinois Fall 2007
Part 4: combinational devices

Part 4: combinational devices
Gone in 360 Seconds: Hijacking with Hitag2

Gone in 360 Seconds: Hijacking with Hitag2
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.

Low Cost Attack on Tamper Resistant Devices Ross Anderson, Markus Kuhn Songpol Manoonpong.
Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.

Differential Power Analysis of Smartcards How secure is your private information? Author: Ryan Junee Supervisor: Matt Barrie.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Security in RFID Presented By… NetSecurity-Spring07

Security in RFID Presented By… NetSecurity-Spring07
Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1

Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1
Risk of Using RFID chips in Passports Oscar Mendez.

Risk of Using RFID chips in Passports Oscar Mendez.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
RFID Devices and Cryptography Analysis of the DST40

RFID Devices and Cryptography Analysis of the DST40
Technical Issues in Library RFID Privacy David Molnar UC-Berkeley Computer Science.

Technical Issues in Library RFID Privacy David Molnar UC-Berkeley Computer Science.
Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.

Lecture 3: Cryptographic Tools modified from slides of Lawrie Brown.
© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.

© Neeraj Suri EU-NSF ICT March 2006 DEWSNet Dependable Embedded Wired/Wireless Networks MUET Jamshoro Computer Security: Principles and Practice Slides.

Similar presentations

Ads by Google