RFID: Secure or Not? Paper Presented for Masters Data Communications course U. Politécnica de P.R. P.R. - Dr J. Sola Sloan Winter 2012 Ricardo Robles, Xavier Solá, Josué Acevedo, Marcos Avilés
Ricardo Robles Robles Webanointed Weba nointed Systems Consultants twitter: @rickyreys B.B.A. Management Info Systems, Universidad Interamericana de P.R.(1993) B.S. Computer Engineering, Universidad Politécnica de P.R. (2009) Current M.Eng. Computer Engineering student, Universidad Politécnica de P.R. Health, Insurance, Vehicles, Manufacturing, Legal, Retail Industries Recent years interest in Computer Security Infragard Member (FBI civilian association)
What is RFID RFID (Radio Frequency Identification) is a technology technology,, which uses radio waves to automatically identify objects. The most practical use is to attach unique RFID tags with the purpose of identifying the object with the tag. The Readers connected with a database systems communicate with RFID tags embedded in objects gather the information. The earliest predecessor of the RFID concept is believed to be a Soviet spy gadget that retransmitted incident radio waves with audio information. One of the earliest applications of RF transponders was the Friend-or-Foe (IFF: Identification, Friend or Foe) air- craft identification system that was used by the Royal Air Force during World War War II to distinguish between enemy and Allied aircraft.
RFID There is a standard that define the RFID system of communication model. The standard is called ISO/IEC1800 and it consists of three (3) layers: Physical Layer (Tag) – consist of embedded antenna & integrated circuit. Correspondence Layer (Reader) – Interrogate the tag when in Range.
Application Layer (Interface) (Interface) - essentially a type of software that acts as an interface between the hardware layers, and the software application.
RFID RFID TAGS
RFID Readers
RFID RFID Structure
RFID RFID USE Electronic Product Code (EPC) Animal Tracking Device Highway Toll System Time Measurement in Sport Events Supply Chain Management (Walmart) ( Walmart)
RFID
RFID
RFID
RFID ATTACKS
RFID Major Threats are: Individual privacy threats, data security threats, and security attack threats. Eavesdropping – An attacker monitors unsecured wi-fi communication & obtains information transmitted by the TAG. Spoofing - The attacker imitates the original labeling of a Tag replacing it for a FAKE one. i.e., to buy an item at a lower price. (Nobody here has done that)
RFID Masquerade of Service – Attacks are realized to avoid /bypass Security Systems. Relay Attack – Attacker is like a Man in the Middle, uses devices devices to deceive /intercept the radio signal or modify it. i.e., modifies TAG Stored info Buffer Overflow – Attacker sends same block of Data to Overflow a Buffer in the middleware. Major Threat & Serious Big Security Problem in RFID. i.e., Used to exploit Stored Data or Code on a TAG. Malicious Code Injection – Attacker uses TAG memory space to propagate Malicious Code or a Virus/Worm.
RFID Side-Channel Attacks - timing information; power consumption and electromagnetic leaks are acquired during physical implementation Timing Attack – Where they both take a step between sending & receiving. To avoid this, this, an artificial tine delay is inserted in the backend Server. Encryption Algorithm Exploring Attack - Time consuming and deadly attack, uses high-end equipment to analyze tags and wifi authentication entity & obtain its encryption algorithm.
RFID
RFID COUNTERMEAUSERS 1. Have assurance of the trust of the backend server and that it is physically secured. 2. Share a private key between Server and each Tag. Tag. 3. Having RFID responses appear to an attacker as random, uniformly distributed. 4. Values of Server challenges and Tag Tag responses must be unpredictable (cryptographically) pseudo-random.
RFID PROTOCOLS As we know the RFID have limited memory space which makes encryption and authentication traditional technology such as RSA, MD5, SHA-1, SHA-2 cannot be used. Therefore the design of security protocols safely and effectively, and inexpensively remains a difficult issue.
RFID Two Main Categories: 1. Physical Approach 2. Encryption Mechanism & Protocols There are 2 direction in which the developers of authentication protocols have been focus on: the design of security protocols with lower cost as the lightweight security protocol with reasonable security functionality, and in the design of security protocols to make the security functionality as strong as possible, regardless of the cost.
RFID M2 AP Protocol – Minimalist Mutual Authentication Protocol, Based on XOR, OR, AND, and Sum Of Modulo. To To hold Security a Secret key Update has been introduced. SASI Protocol – It is called Chien’s Protocol, ultra lightweight scheme, it has three share secret key k1 and 2 random number n1, n2. n2. The Secret Key & Random Number update each time.
RFID Other Protocols with Strong Functionality, Functionality, but higher Cost: Hopper and Blum (HB), HB+, HB++ protocols protocol s as a family, which has used LPN (algorithm) to provide stronger security functionality, and Digital Library RFID protocol which employs a pre-sharing secret mechanism. EAPMR Protocol - The idea of this protocol is to give every legal reader a unique identifier RID. For messages send out by tag, reader must subjoin a data segment containing its RID to them.
RFID RIPTA-DA Protocol - employs a stochastic dynamic multi-key mechanism to encrypt the information and introduces the noise disturbance technology. XTEA Based Authentication Protocol – eXtended Tiny Encryption Algorithm, This authentication protocol uses a cipher to encrypt the message and processes how those messages are handled.
RFID
RFID FINALLY The RFID systems has much vulnerabilities that could be exploited and causes serious harms like data loss, data medication, money loss, identity theft and interception of communications. On the other hand, wide spread of RFID use keeps increasing in almost every form you can imagine.
RFID
RFID
RFID
RFID FINITO
[email protected] [email protected] Twitter: @rickyreys