RFID Security without Extensive Cryptography

1
RFID Security without Extensive Cryptography

• Sindhu Karthikeyan
• Mikhail Nesterenko
• Kent State University
• SASNNovember 07, 2005

2
RFIDs Current State

• RFIDs allow effective identification of a large
  number of tagged items without physical or visual
  contact.
• RFID systems reduce the time and cost of
  processing tagged items
• adopters
• Wal-Mart stores use RFID tags for tracking and
  maintaining their inventory
• Boeing and Airbus plan to use RFID tags to
  simplify identifying and tracking the airplane
  parts
• Kodak uses RFID to track reusable containers in
  its manufacturing facilities
• libraries use RFID tags to track books
  circulation
• toll booths can automatically collect toll by
  inspecting a tag attached to the windshield of a
  car
• currently crate/palette tagging
• even more effective individual item
  tagging

3
Security Problems of Individual Item Tagging

• major obstacle to individual item tagging
  personal privacy
• intruder can read tags without authorization or
• eavesdrop on reader-tag communication
• novel types of security threats MW04intruder
  may
• track learn the itinerary of tag holder by
  periodically querying tag or eavesdropping on
  communications between tag and reader
• hotlist compile list of items of particular
  interest and then singles out individuals in
  possession of these items
• profile learn what items a particular individual
  has

4
How to Deal with Privacy Threat?

• erase info from tag after scanning
• does not allow repeated use of tag and thus
  limits the utility of the technology
• periodically use secure channels for trust
  establishment or key refresh
• limits use of technology
• blocker tag
• requires the user to carry and manipulate the
  blocker which may not be practical
• use (classic) cryptography
• due to tag resource limits crypto primitives
  (such as encode/ decode, digital sigs, crypto
  hash, quality random numbers) are not available
  tag-side

5
Our Proposal

• secure tag authentication algorithm
• based on matrix multiplication, does not use
  extensive crypto
• modest tag-side storage and computation
  requirements
• can be implemented using currently available RFID
  technology
• secure against
• known-ciphertext attacks
• RFID-specific attacks
• multiple tag sequencing
• extends the algorithm so that the reader can
  concurrently identify multiple tags

6
Outline

• security identification algorithm
• RFID system outline
• algorithm description
• security discussion
• multiple tag sequencing
• resource requirements estimate
• extensions and future work

7
RFID System Overview

• RFID tag a miniature electronic circuit (500
  to 5000 gates) capable of elementary information
  storage, processing and radio communication
• RFID reader device designed to identify the tag
• connected to database containing information
  about tag and tagged item
• tag and reader communicate over radio channel
• intruder - an entity who tries to compromise the
  RFID system
• has complete access to radio channel

tag
radio channel
taggeditem
database
reader

• tag
• stores a limited amount of data
• performs elementary operations such as
  byte-size integer addition and multiplication
• runs a timer

• intruder
• has access to channel
• cannot access memory of reader/tag/database

• reader
• has sizable communication and storage
  facilities

8
Secure Tag Authentication

• tag stores square pp matrices M1 and M2-1,
• reader maintains another two matrices M2 and
  M1-1 of same size
• tag and reader share a key K a vector of size q
  rp
• X KM1 uniquely identifies the tag
• when reader receives X, it can obtain the rest
  of information about tag and tagged item from
  its database
• if reader authentication fails or the reader
  fails to respond before the timeout expires, the
  tag stops further communication until reset

9
Security Discussion

• recovering the multiplicand or multiplier from
  the product of matrix multiplication is
  computationally difficult
• the intruder can not discover the key or the
  matricesused by the tag and the reader
• assume no known plaintext
• cant find tag id
• cant mount hotlisting or profiling attacks
• as the intruder cannot deduce either the key or
  the matrices, he cannot authenticate himself to
  the tag
• any identification session with the intruder is
  aborted
• cant do effective tracking

10
Outline

• security identification algorithm
• RFID system outline
• algorithm description
• security discussion
• multiple tag sequencing
• resource requirements estimate
• extensions and future work

11
Problem Statement Assumptions

• problem
• tags share channel
• dont have channel arbitration capabilities
• assume
• can detect collision
• can send key one bit at a time

12
Proposed Scheme

• augments our tag identification algorithm to
  enable the reader to communicate with multiple
  tags
• phase I run concurrently
• the reader learns the keys of all the tags
  present
• each tag learns its key's position in the order
  (e.g., ascending) of the keys of the tags
  participating in the identification session
• phase II
• the reader broadcasts the messages for the tags
  in the order of their keys
• each tag receives the message sent specifically
  to it and ignores the rest

13
Reader-Side Sequencing

• path from root to leaf tags key
• growth point part of path already learned
• trial discover next bit on path after growth
  point determine if the paths split

a
0
1
collision
b
c
1
1
0
0
collision
d
e
0
0
1
1
0
0
1
1
g
f
h
011
100
101
14
Resource Requirements Estimate

• key size of 8 bytes provides sufficient key space
  for most RFID applications.
• the matrices of 44 bytes provide adequate
  security.
• a few byte-size integer counters are necessary to
  implement multiple tag sequencing.
• during the identification session, the reader and
  the tag exchange a hello-message and two messages
  of 8 and 9 bytes respectively
• the storage requirements of our algorithm are
  modestmost of the chip-space is occupied by the
  byte-multiplier
• the requirements are within the current
  capabilities of RFID tags

15
Extensions and Future Work

• denial of service attack possible
• intruder can block the tags from further
  identification by botching authentication
  sessions
• need protection
• need secure channel to unblock tags and refresh
  tag-side info
• may be time/resource consuming, especially if
  items are hard to access (airplane parts?)
• need effective secure channel or way to avoid
  using it
• possible compromise if intruder can track tag
  over multiple sessions outside radio channel
• additional key to generate longer non-repeating
  keys
• brute-force guessing attack potentially possible
• may need to increase size of matrix/key

16
RFID Security without Extensive Cryptography

• Sindhu KarthikeyanMikhail Nesterenko

thank you
17
Tag-Side Sequencing

• the tag has to participate in trials as well as
  determine its position in the sequence of keys
• to be able to do that, the tag maintains the
  number of growth points in front and behind the
  growth point that leads to its own key.
• the tag keeps track as to which growth point is
  being examined at the current trial.
• if there is a collision the appropriate number of
  growth points is incremented.
• after the entire tree is descended the growth
  points terminate in the concrete keys and the tag
  learns its position in the key sequence.