1
Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems
Eun Young Choi, Dong Hoon Lee, Jong In Lim, Computer Standards & Interfaces, Vol. 31, No. 6, pp. 1124-1130, November 2009.
2
Outline
• Environment
  – EPCglobal
  – RFID
    • Frequency of the RFID
    • Energy of the RFID
    • Classification of RFID Tag
  – Ultra-Lightweight
• Related work
  – The protocol
  – Security analysis
• On the Security of SASI
3
EPCglobal
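• The EPCglobal system is a system based on EAN/UCC coding
• A non-profit organization founded by the Uniform Code Council (UCC) and European Article Number (EAN) took over the work of the Auto-ID Center. It is responsible for the development and management of the Electronic Product Code (EPC), with the goal of making the EPC a global standard
  – Registration of EPCs
  – Management and maintenance of EPC coding and the EPC network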
4
RFID
• Reader
• Tag
• Backend database
[Figure: Tags, Reader, Backend server]
5
The frequency of RFID
• Low Frequency
  – 125KHz-134KHz
  – Short distance
  – Campus card, animal monitoring, product tracking
• High Frequency
  – 13.56MHz
  – Large data delivery
  – Door control
• Ultra High Frequency
  – 860MHz-960MHz (Microwave 2.45GHz-5.4GHz)
  – Long distance, high price
  – Monitor of the car, ETC
6
The energy of RFID
• Active
  – A battery inside the tag; the tag actively transmits radio waves
  – Long distance
• Passive
  – No battery; it needs energy from the reader
  – Short distance
• Semi-passive
  – A battery inside the tag, but it does not actively transmit radio waves to the reader
7
The classifications of RFID Tag
• Class 0
  – Read only, range 10m
  – The electronic product code (EPC) is set on the chip and is not modified
• Class 1
  – Write once, read many times, range 10m
  – Wal-Mart
• Class 2
  – Read and write many times, range 10m
  – Adopts product code, large volume of data
• Class 3
  – Similar to Class 2, but includes a sensor, range 30m
• Class 4
  – A battery, active, range 100m
8
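Class 1 Generation 2
• Approved by ISO in 2006 and incorporated into the ISO/IEC 18000-6C standard, which standardized the development of RFID technology worldwide
• Wal-Mart began using Gen2 tags in 2006, and all goods newly entering Wal-Mart's distribution network must carry a Gen2 tag. Many new suppliers have now decided to support Gen2, so manufacturers can build on a unified standard and take full advantage of the interoperability of tags, chips, printers and encoders

| Property | Value |
|---|---|
| Frequency | 860-960MHz |
| Power source | Passive |
| Memory capacity | 32-1k bits |
| Circuitry for security functions | 250-4K gates; standard cryptographic functions are not supported |
| Read range | Up to 3 meters |
| Physical attacks | Cannot resist |
| Resistance to passive attacks | Yes |
| Resistance to active attacks | No |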
9
Requirement of Class-1 Generation-2 RFID
• Tag anonymity
• Tracking
• Forward security
• Denial of Service
• Man-in-the-middle attack
• De-synchronization attack
• Mutual authentication
10
Karthikeyan et al.’s scheme
• $M_1 M_1^{-1} = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$
11
The weaknesses of Karthikeyan et al.’s scheme
• Cannot resist the DoS attack
  – The tag does not authenticate Z, so an attacker can replace Z with a random $Z^*$, $K^* = M_2^{-1} Z^*$
  – The legitimate reader and the tag cannot authenticate each other
• Replay attack
  – If an attacker can replace Z with an old $Z_{old}$, $K_{old} = M_2^{-1} Z_{old}$
  – Replay $Y_{old}$
• Individual tracing
  – Record the transmitted data from the above-mentioned attacks
12
Duc et al.’s scheme
13
The weaknesses of Duc et al.’s scheme
• Cannot resist the DoS attack
  – If “end session” is intercepted, it will be out of synchronization
• Cannot detect the disguise of tag
  – If “end session” is intercepted, the server will hold the old key
  – The counterfeit tag can replay the old data (M1, r, C)
• Cannot provide forward secrecy
  – Suppose a tag is compromised and the attacker gets the (EPC, PIN, Ki) of the tag
  – M1♁M2=CRC(EPC♁r)♁CRC(EPC∥PIN∥r), using the compromised values (EPC, PIN, Ki) and r
  – The past communications of a compromised tag can be traced
14
Chien et al.’s scheme
15
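Choi et al.’s scheme
[Figure: Tags, Reader, Backend server]

Backend server:

| Index | Encrypted EPC (Ci) | EPC | Key | KillPW | AccessPW |
|---|---|---|---|---|---|
| … | … | … | … | … | … |
| I(Ci) | EKi(EPCi∥T_SNi) | EPCi | Ki | PW_Killi | PW_Accessi |
| … | … | … | … | … | … |

Tags: User, T_SNi, I(Ci), PW_Killi, PW_Accessi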
16
[Protocol diagram: Tags, Reader, Backend server]
(1) Issue a Query [message: Query]
(2) Generate RT32; compute M1=RT32♁PW_Killi [message: M1]
(3) Acknowledge Tag ACK(M1)
(4) If valid M1, respond with I(Ci), CRC16 [message: EPCi, I(Ci), CRC16]
(5) Forwards M=(EPCi, I(Ci), CRC16) [message: M]
(6) Search I(Ci), finds info PW_Killi, PW_Accessi [message: PW_Killi, PW_Accessi]
(7) Generate RR32; compute M2=RR32♁PW_Accessi [message: M1, M2]
(8) If valid M1, pass handle [message: handle]
Tags: User, T_SNi, I(Ci), PW_Killi, PW_Accessi
Backend server: I(Ci), EPCi, EKi(EPCi∥T_SNi), Ki, PW_Killi, PW_Accessi
17
[Protocol diagram, continued: Tags, Reader, Backend server]
(9) Generate M3, M4 [message: M4, Read(TID)]
    M3=f(RR32♁RT32)
    M4=M3♁PW_Accessi
(10) Compute M3’, M5, M6 [message: M6]
    M3’=f(RR32♁RT32)
    PW_Accessi=M3’♁M4
    M5=f(M3’)
    M6=M5♁T_SNi
(11) Compute M5’=f(M3); extract T_SNi from M6 [message: T_SNi]
(12) Verify T_SNi as computing DKi(EPCi∥T_SNi) [message: handle]
18
Authentication Analysis
• Information leakage
  – Only the ciphertext EPCi, I(Ci), CRC16
  – An attacker can obtain I(Ci) in step 4, but cannot compute EKi(EPCi∥T_SNi)
• Cloning attack
  – T_SN is stored in the memory of a tag
• Password disclosure
  – The kill password in M1 is XORed with RT32
  – The access password in M2 and M4 is XORed with RR32 and f(RR32♁RT32)
19
The weaknesses of Choi et al.’s scheme
• Replay attack
  – M1=RT32♁PW_Killi
  – M2=RR32♁PW_Accessi
• Tracking
  – EPCi, I(Ci), CRC16
• Forward security
  – Suppose a tag is compromised and the attacker gets the (User, T_SNi, I(Ci), PW_Killi, PW_Accessi) of the tag
  – M1=RT32♁PW_Killi and M2=RR32♁PW_Accessi, using the compromised values (User, T_SNi, I(Ci), PW_Killi, PW_Accessi)
• De-synchronization attack
20
[Protocol diagram: Tags, Reader, Backend server]
(1) Issue a Query [message: Query]
(2) Generate RT32; compute M1=RT32♁PW_Killi [message: M1♁K1]
(3) Acknowledge Tag ACK(M1♁K1)
(4) If valid M1, respond with I(Ci), CRC16 [message: I(Ci), CRC16]
(5) Forwards M=(I(Ci), CRC16) [message: M]
(6) Search I(Ci), finds info PW_Killi, PW_Accessi [message: PW_Killi, PW_Accessi]
(7) Generate RR32; compute M2=RR32♁PW_Accessi [message: M1♁K1, M2♁K2]
(8) If valid M1, pass handle [message: handle]

M1 = RT32♁PW_Killi
M1* = RT32*♁PW_Killi
M1♁M1* = RT32♁PW_Killi♁RT32*♁PW_Killi
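The cancellation above and the forward-security weakness listed for Choi et al.'s scheme, worked through on the original (unmodified) steps (2)-(10); this Python example is added here and is not from the slides or the paper. Assumptions: the slides do not define f, so SHA-256 truncated to 32 bits stands in for it; RT32 and RR32 are read as the tag's and the reader's 32-bit nonces; all secrets are constructed sample values.

```python
import hashlib
import secrets

def f(x: int) -> int:
    # Assumption: the slides do not define f; SHA-256 truncated to 32 bits stands in.
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big")

def run_session(pw_kill: int, pw_access: int, t_sn: int):
    """Steps (2)-(10) of Choi et al.'s scheme as listed on the slides.

    Returns (recorded, nonces): the values sent over the air, and the secret
    (RT32, RR32) pair, kept only so the results can be checked."""
    rt32 = secrets.randbits(32)      # step (2), assumed to be the tag's nonce
    rr32 = secrets.randbits(32)      # step (7), assumed to be the reader's nonce
    m3 = f(rr32 ^ rt32)              # step (9)
    recorded = {
        "M1": rt32 ^ pw_kill,        # step (2)
        "M2": rr32 ^ pw_access,      # step (7)
        "M4": m3 ^ pw_access,        # step (9)
        "M6": f(m3) ^ t_sn,          # step (10): M6 = M5 xor T_SN with M5 = f(M3)
    }
    return recorded, (rt32, rr32)

def password_cancels(rec_a, rec_b, nonces_a, nonces_b) -> bool:
    """M1 xor M1* equals RT32 xor RT32*: PW_Kill drops out of the XOR."""
    return (rec_a["M1"] ^ rec_b["M1"]) == (nonces_a[0] ^ nonces_b[0])

def unwrap_recorded_session(rec, pw_kill: int, pw_access: int):
    """Forward-security check: given passwords read from a compromised tag,
    strip the XOR masks from an earlier recorded session."""
    rt32 = rec["M1"] ^ pw_kill
    rr32 = rec["M2"] ^ pw_access
    m3 = f(rr32 ^ rt32)
    belongs_to_tag = (m3 ^ pw_access) == rec["M4"]   # transcript matches this tag
    t_sn = rec["M6"] ^ f(m3)
    return rt32, rr32, t_sn, belongs_to_tag

# Constructed sample secrets (not from the slides).
PW_KILL, PW_ACCESS, T_SN = 0x1234ABCD, 0x0BADF00D, 0xCAFE0001

if __name__ == "__main__":
    old, old_nonces = run_session(PW_KILL, PW_ACCESS, T_SN)
    new, new_nonces = run_session(PW_KILL, PW_ACCESS, T_SN)
    print("PW_Kill cancels:", password_cancels(old, new, old_nonces, new_nonces))
    print("old session unwrapped:", unwrap_recorded_session(old, PW_KILL, PW_ACCESS))
```

Because the passwords are static and only XOR-masked by per-session nonces, every earlier transcript of the tag opens once the passwords are known, which is the forward-security entry in the weakness list.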
21
[Protocol diagram, continued: Tags, Reader, Backend server]
(9) Generate M3, M4 [message: M4, Read(TID)]
    M3=f(RR32♁K1♁RT32♁K2)
    M4=M3♁PW_Accessi
(10) Compute M3’, M5, M6 [message: M6]
    M3’=f(RR32♁RT32♁K1♁K2)
    PW_Accessi=M3’♁M4
    M5=f(M3’)
    M6=M5♁T_SNi
(11) Compute M5’=f(M3); extract T_SNi from M6 [message: T_SNi]
(12) Verify T_SNi as computing DKi(Ci) [message: handle]
22
Summary

| | Karthikeyan et al.’s scheme | Duc et al.’s scheme | Chien et al.’s scheme | Choi et al.’s scheme |
|---|---|---|---|---|
| Tag anonymity | O | O | X | O |
| Tracking | X | O | X | X |
| Replay attack | X | X | O | X |
| Forward security | O | X | X | X |
| Denial of Service | X | X | O | O |
| Man-in-the-middle attack | O | O | O | O |
| De-synchronization attack | X | X | X | X |
| Mutual authentication | X | O | O | O |
23
Our protocol
[Protocol diagram: Tags, Reader, Backend server]
(1) Issue a Query [message: Query, RR32]
(2) Generate RT32; compute M1=RT32♁I(Ci)♁RR32 [message: M1]
(3) Acknowledge Tag ACK(M1♁K1)
(4) If valid M1, respond with I(Ci), CRC16 [message: I(Ci), CRC16]
(5) Forwards M=(I(Ci), CRC16) [message: M]
(6) Search I(Ci), finds info PW_Killi, PW_Accessi [message: PW_Killi, PW_Accessi]
(7) Generate RR32; compute M2=RR32♁PW_Accessi [message: M1, M2]
(8) If valid M1, pass handle [message: handle]

M1 = RT32♁PW_Killi
M1* = RT32*♁PW_Killi
M1♁M1* = RT32♁PW_Killi♁RT32*♁PW_Killi
24
Our protocol
[Protocol diagram, continued: Tags, Reader, Backend server]
(9) Generate M3, M4 [message: M4, Read(TID)]
    M3=f(RR32♁K1♁RT32♁K2)
    M4=M3♁PW_Accessi
(10) Compute M3’, M5, M6 [message: M6]
    M3’=f(RR32♁RT32♁K1♁K2)
    PW_Accessi=M3’♁M4
    M5=f(M3’)
    M6=M5♁T_SNi
(11) Compute M5’=f(M3); extract T_SNi from M6 [message: T_SNi]
(12) Verify T_SNi as computing DKi(Ci) [message: handle]
25
Thanks