Securing RFID Systems by Detecting Tag Cloning: Synchronized Secrets Approach
Mikko Lehtonen, Daniel Ostojic, Alexander Ilic, Florian Michahelles
Institute of Technology Management (ITEM), University of St. Gallen (HSG)
Department of Management, Technology, and Economics (D-MTEC), ETH Zurich
Nara, Japan / May 13th, 2009
© ETH / HSG. Synchronized Secrets / Mikko Lehtonen et al. / May 2009
Slide 2
Agenda
§ Introduction
§ Synchronized secrets
§ Level of security
§ Implementation
§ Conclusions
Slide 3
Radio frequency identification (RFID) in a nutshell
Source: Floerkemeier/Lampe
§ RFID tags are the “leaves” of pervasive systems
§ EPCglobal vision: replace barcodes with 5¢ tags
– Open-loop, industry-wide networks
– Security comes only afterwards
§ Frequencies – 13.56 MHz, 862–956 MHz, 2.45 GHz
§ Reach – up to 7 m
§ Tag energy – passive
§ Applications – visibility for the supply chain
Slide 4
Many RFID applications need security…
§ Access control
§ Ticketing
§ Anti-counterfeiting
§ Mobile payment
§ Supply chain security
Slide 5
… but low-cost tags are not secure against copying
§ Low-cost RFID tags will be deployed in billions
§ Only very few resources (transistors, electric power) for security
§ E.g. EPC Class 1 Gen 2 tags
– EPC = Electronic Product Code (64 bits / 96 bits)
– PWD = Access password (32 bits)
– TID = Transponder ID (32 bits / 64 bits)
[Figure: tag memory layout and copying attacks. Tag A: EPC 500.001.001 (rewritable memory), TID 111.222.333 (read-only memory), PWD 632.267.796. Tag B: EPC 500.001.723, TID 111.222.333, PWD 632.267.796. Attack paths shown per field: skimming (EPC), eavesdropping / brute force (PWD), “Reprogramming?” (TID), impersonation device. Outcome: a copied tag carrying EPC 500.001.001.]
Slide 6
Security is a process
Prevention (cost to break) | Detection (detection rate) | Response (expected fine)
RFID security, prevention: § TID, ACCESS § Low-cost crypto [1] (XOR, hash, PRNG) § Strong crypto [2] (AES, ECC) § Physical Unclonable Function [3] (PUF)
RFID security, detection: § White lists / black lists § Intrusion detection [4] § Track and trace checks [5]
Best practices, response: § Confiscation / seizures § Prosecution § Ending business relationships
Slide 8
Detecting tag cloning with synchronized secrets
§ Alarm = a tag cloning attack has occurred
– But: an alarm does not mean that the tag which raised it is the cloned one
§ Minimalist tag hardware requirements: 32 bits of EEPROM
§ Pinpoints the time window of cloning
§ Same principle proposed for ownership transfer [6] and access control [7]
[Figure: protocol overview. Tag: ID 111.222.333 (read-only), S = 509 (rewritable memory). The reader sends (ID, S) to the backend system. Backend table (ID, S, Time): 111.222.333 / 928 / t2; 111.222.333 / 509 / t3; … The backend checks “509 match?” and returns S (new), which is written to the tag’s rewritable memory.]
Slide 9
Example: Anti-counterfeiting
[Figure: supply chain Manufacturer → Wholesaler → Distributor → Hospital, every scan checked by the backend. Genuine tag (ID) starts with secret 509: scan “509 = 509 OK”, new secret 012; next scan “012 = 012 OK”, new secret 677. Tag copying attack: a counterfeit tag (ID, secret 012) is produced by a counterfeit manufacturer. When the counterfeit is scanned at the hospital, the backend expects 677 but reads 012 → ALARM → Investigation.]
Slide 10
Vulnerabilities and countermeasures
Vulnerability: Adversary guesses the synchronized secret
Countermeasure: Use long enough synchronized secrets (e.g. 32 bits, guessing probability 2 × 10^-9)
Vulnerability: Adversary impersonates the backend or performs a man-in-the-middle attack between reader and backend
Countermeasure: Use strong mutual reader-to-backend authentication (trusted readers, PKI)
Vulnerability: Adversary spoofs genuine tags (denial of service)
Countermeasure: Hold the readers in a secure environment
Vulnerability: Adversary tampers with the tag memory (denial of service)
Countermeasure: Permalock ID numbers, protect the synchronized secret with the ACCESS password
Slide 12
Level of security
§ Security ~ detection of cloned tags = function(scan rate, attack delay)
– Prevention rate = Probability(Case 1)
– Detection rate = Probability(Case 1 OR Case 2)
[Figure: three timelines, each starting with the cloning attack (A).]
Case 1: Cloned tag raises an alarm
Case 2: Genuine tag raises an alarm
Case 3: No alarm
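The following is an added example, not the authors' code, that puts the protocol of the "Detecting tag cloning" slide, the anti-counterfeiting walk-through and Case 1 / Case 2 of this slide into running Python. The secret values 509, 012 and 677 come from the slides; the class and function names, the backend's history table and the time stamps t = 0 … 3 are constructed for the example. The backend keeps the full (time, secret) history per ID so that an alarm can also report the window in which the copy must have been made.

```python
"""Synchronized secrets: clone detection through a short, rotating secret."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SECRET_BITS = 32  # the slides need only 32 bits of rewritable EEPROM per tag


@dataclass
class Tag:
    tag_id: str   # permalocked identifier (EPC/TID), cannot be rewritten
    secret: int   # synchronized secret S in rewritable memory

    def clone(self) -> "Tag":
        """An attacker skims the tag and copies its whole memory image."""
        return Tag(self.tag_id, self.secret)


@dataclass
class ScanResult:
    ok: bool
    # On an alarm: (t_issued, t_superseded) = the two scans between which the
    # stale secret was valid, i.e. the time window in which cloning happened.
    window: Optional[Tuple[int, int]] = None


class Backend:
    def __init__(self, rng: Optional[Callable[[], int]] = None):
        self._rng = rng or (lambda: secrets.randbelow(1 << SECRET_BITS))
        self._current: Dict[str, int] = {}                      # id -> S
        self._history: Dict[str, List[Tuple[int, int]]] = {}   # id -> [(t, S)]

    def enrol(self, tag: Tag, t: int) -> None:
        """Issue the first secret when the tag is commissioned."""
        tag.secret = self._rng()
        self._current[tag.tag_id] = tag.secret
        self._history[tag.tag_id] = [(t, tag.secret)]

    def scan(self, tag: Tag, t: int) -> ScanResult:
        """Reader forwards (ID, S); backend compares, then rotates S or alarms."""
        hist = self._history.get(tag.tag_id, [])
        if not hist or tag.secret != self._current[tag.tag_id]:
            # Stale secret: another tag with this ID was scanned after this
            # one received S. Find when S was issued and when it was replaced.
            idx = next((i for i, (_, s) in enumerate(hist) if s == tag.secret), None)
            window = None
            if idx is not None and idx + 1 < len(hist):
                window = (hist[idx][0], hist[idx + 1][0])
            return ScanResult(ok=False, window=window)
        new_secret = self._rng()
        tag.secret = new_secret             # written to the tag over the air
        self._current[tag.tag_id] = new_secret
        hist.append((t, new_secret))
        return ScanResult(ok=True)


def anti_counterfeiting_scenario() -> ScanResult:
    """Slide walk-through: the genuine tag passes manufacturer and wholesaler,
    a copy taken in between is presented at the hospital (Case 1)."""
    issued = iter([509, 12, 677])          # deterministic secrets for the demo
    backend = Backend(rng=lambda: next(issued))
    genuine = Tag("ID", 0)
    backend.enrol(genuine, t=0)            # leaves the factory with S = 509
    assert backend.scan(genuine, t=1).ok   # manufacturer: 509 = 509 OK, new S = 012
    counterfeit = genuine.clone()          # tag copying attack while S = 012
    assert backend.scan(genuine, t=2).ok   # wholesaler: 012 = 012 OK, new S = 677
    return backend.scan(counterfeit, t=3)  # hospital: 012 != 677 -> ALARM


def clone_scanned_first() -> Tuple[bool, bool]:
    """Case 2: the clone is read before the genuine tag, so the clone passes
    and the genuine tag raises the alarm. The alarm still proves that a
    cloning attack happened, but not which of the two tags is the copy."""
    backend = Backend()                    # real 32-bit random secrets
    genuine = Tag("ID", 0)
    backend.enrol(genuine, t=0)
    clone = genuine.clone()
    clone_ok = backend.scan(clone, t=1).ok
    genuine_ok = backend.scan(genuine, t=2).ok
    return clone_ok, genuine_ok            # (True, False)


if __name__ == "__main__":
    print(anti_counterfeiting_scenario())  # ok=False, window=(1, 2)
    print(clone_scanned_first())           # (True, False)
```

The reported window (1, 2) is exactly what the slide calls pinpointing the time window of cloning: secret 012 was issued at scan 1 and replaced at scan 2, so the copy was taken between those two scans. Case 3 (no alarm) is simply the run in which neither tag is ever scanned again, which is why the slides tie the level of security to the scan rate.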
Slide 13
Mathematical model of the level of security
Analytical solution for the prevention rate
Notation: $\Theta$ = rescanning probability; $T_{attack}$ = attack delay (cloning to impersonation); $T_{update}$ = time between scans.
$$\Pr(\text{Case 1}) = \Theta \cdot \Pr\!\left(\tfrac{T_{update}}{2} - T_{attack} < 0\right)$$
Assuming normally distributed variables, $T_{update} \sim N(\mu_{update}, \sigma_{update}^2)$ and $T_{attack} \sim N(\mu_{attack}, \sigma_{attack}^2)$:
$$\Pr(\text{Case 1}) = \Theta \cdot \Pr(Z < 0), \quad \text{where } Z \sim N\!\left(\tfrac{\mu_{update}}{2} - \mu_{attack},\ \tfrac{\sigma_{update}^2}{4} + \sigma_{attack}^2\right)$$
[Figure: illustration of the analytical solution, $\Pr(\text{Case 1})$ plotted over $\Theta$ and $\mu_{update} - \mu_{attack}$ (extracted parameter labels: $\sigma_{update}^2 = \sigma_{attack}^2 = 2$, $\mu$ values in the range 0…10); annotated regions “Attacker is slow” and “Genuine tag always rescanned”.]
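An added example, not the authors' code, that evaluates the analytical model on this slide, $\Pr(\text{Case 1}) = \Theta \cdot \Pr(Z < 0)$ with $Z \sim N(\mu_{update}/2 - \mu_{attack},\ \sigma_{update}^2/4 + \sigma_{attack}^2)$, in plain Python (the normal CDF is written with `math.erf`, so no SciPy is needed). The Monte Carlo cross-check and the parameter values in `security_landscape` are constructed for the example and are not on the slide.

```python
"""Prevention rate of synchronized secrets: closed form and simulation."""
import math
import random


def normal_cdf(x: float, mu: float, sigma: float) -> float:
    """Phi((x - mu) / sigma) via the error function."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def pr_case1(theta: float, mu_update: float, sigma_update: float,
             mu_attack: float, sigma_attack: float) -> float:
    """Closed-form prevention rate: Theta * Pr(Z < 0)."""
    mu_z = mu_update / 2.0 - mu_attack                       # mean of Z
    sigma_z = math.sqrt(sigma_update ** 2 / 4.0 + sigma_attack ** 2)  # std of Z
    return theta * normal_cdf(0.0, mu_z, sigma_z)


def pr_case1_monte_carlo(theta: float, mu_update: float, sigma_update: float,
                         mu_attack: float, sigma_attack: float,
                         n: int = 200_000, seed: int = 1) -> float:
    """Simulate n cloning attacks directly from the model's assumptions and
    count the ones that end as Case 1 (clone is scanned after the rescan)."""
    rng = random.Random(seed)
    case1 = 0
    for _ in range(n):
        if rng.random() >= theta:      # genuine tag never rescanned: no Case 1
            continue
        t_update = rng.gauss(mu_update, sigma_update)   # time to the next scan
        t_attack = rng.gauss(mu_attack, sigma_attack)   # cloning-to-use delay
        if t_update / 2.0 - t_attack < 0:               # clone used too late
            case1 += 1
    return case1 / n


def security_landscape():
    """The two regimes annotated on the slide (constructed parameter values):
    a slow attacker (large mu_attack) drives Pr(Case 1) up to Theta, and a
    genuine tag that is always rescanned (Theta = 1) removes the Theta factor,
    leaving only the race between rescan and attack delay."""
    slow_attacker = pr_case1(theta=0.9, mu_update=4, sigma_update=1,
                             mu_attack=100, sigma_attack=5)
    always_rescanned = pr_case1(theta=1.0, mu_update=4, sigma_update=2,
                                mu_attack=2, sigma_attack=1)
    return slow_attacker, always_rescanned


if __name__ == "__main__":
    # mu_z = 4/2 - 2 = 0, so Pr(Z < 0) = 1/2 and the result is 0.8 * 0.5 = 0.4
    print(pr_case1(0.8, 4, 2, 2, 1))
    print(pr_case1_monte_carlo(0.8, 4, 2, 2, 1))   # close to 0.4
    print(security_landscape())                    # (0.9, 0.5)
```

Reading the closed form: $\Theta$ caps the prevention rate, because a clone can only be caught as Case 1 if the genuine tag is rescanned at all; within that cap the rate is the probability that the attacker's delay exceeds the time until the genuine tag's next scan, which is what the conclusions mean by "a high scan rate provides a high level of security".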
Slide 14
Evaluation in an RFID access control application [8]
[Figure: probability (same tag is scanned again) against time after last scan / hour, with the resulting prevention rate Pr(Case 1).]
Benchmark: Deckard [4] – 63% detection rate (@ 4% false alarm rate)
Slide 15
Quantitative evaluation in an RFID access control application
Assumptions: A1: 10,000 tags scanned, 10 of which are cloned. A2: Each alarm leads to a manual verification.
Method | Parameters | # Cloned tags prevented | # Cloned tags detected | # Manual verifications
Synchronized secrets (2h attack delay) [8] | Prevention rate 41%, Detection rate 99.15% | 4 | 10 | 10
Synchronized secrets (24h attack delay) [8] | Prevention rate 72%, Detection rate 99.15% | 7 | 10 | 10
Benchmark (Mirowski et al. 2007) [4, 8] | Hit rate 46.3%, False alarm rate 2.5% | 5 | 5 | 256
Benchmark (Mirowski et al. 2007) [4, 8] | Hit rate 63.0%, False alarm rate 3.7% | 6 | 6 | 375
Slide 17
Implementation on off-the-shelf RFID hardware
§ Standard low-cost RFID: EPC Gen2 tag, antenna, CAEN A828EU UHF reader, plus a backend web server with a MySQL database
Slide 18
Time measurements
§ The protocol increases a tag’s processing time by 180% (309 ms → 864 ms)
Slide 20
Conclusions
§ Detection-based security method applicable to RFID tags used in today’s supply chains
§ Implemented on off-the-shelf hardware, analyzed with a mathematical model and by benchmarking
§ A high scan rate provides a high level of security
§ Disadvantage: a possible delay before alarms; advantage: a small number of manual checks
§ Can be applied where tags are repeatedly scanned, but companies need a consensus on a common backend
Slide 21
You’re welcome to participate!
Securing Supply Chain with Auto-ID: Lessons Learned from the SToP Project
27.5.2009, Zürich, Switzerland, www.SToPproject.eu/Conference
Slide 22
Thank you for your attention!
Securing RFID Systems by Detecting Tag Cloning: Synchronized Secrets Approach
Mikko Lehtonen, ETH Zurich, Information Management. Phone: +41 44 632 8624, Fax: +41 44 632 1045, E-Mail: [email protected]
References
[1] Juels, A.: Minimalist cryptography for low-cost RFID tags. In: Blundo, C., Cimato, S. (eds.) International Conference on Security in Communication Networks SCN 2004. LNCS, vol. 3352, pp. 149–164, Springer, Heidelberg (2004)
[2] Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I.: An Elliptic Curve Processor Suitable for RFID Tags. Cryptology ePrint Archive, Report 2006/227 (2006)
[3] Devadas, S., Suh, E., Paral, S., Sowell, R., Ziola, T., Khandelwal, V.: Design and Implementation of PUF-Based "Unclonable" RFID ICs for Anti-Counterfeiting and Security Applications. In: IEEE International Conference on RFID 2008, pp. 58–64 (2008)
[4] Mirowski, L., Hartnett, J.: Deckard: A System to Detect Change of RFID Tag Ownership. International Journal of Computer Science and Network Security, 7(7) (2007)
[5] Lehtonen, M., Michahelles, F., Fleisch, E.: How to Detect Cloned Tags in a Reliable Way from Incomplete RFID Traces. In: IEEE RFID 2009 Conference, Orlando, Florida, April 2009
[6] Ilic, A., Michahelles, F., Fleisch, E.: The Dual Ownership Model: Using Organizational Relationships for Access Control in Safety Supply Chains. In: IEEE International Symposium on Ubisafe Computing (2007)
[7] Grummt, E., Ackermann, R.: Proof of Possession: Using RFID for Large-scale Authorization Management. In: Mühlhäuser, M., Ferscha, A., Aitenbichler, E. (eds.) Constructing Ambient Intelligence, AmI'07 Workshops Proceedings. Communications in Computer and Information Science, pp. 174–182 (2008)
[8] Mirowski, L., Hartnett, J., Williams, R., Gray, T.: A RFID Proximity Card Data Set. Tech. Report, University of Tasmania (2008)