RFID Security and Privacy Part 2: security example Zoom in: Authentication • Should be mutual – reader should recognise tags – tag should recognise readers • EMAP: Efficient Mutual Authentication Protocol for Low-cost RFID Tags. – proposed by P. Peris-Lopez, J. C. HernandezCastro, J. M. Estevez-Tapiador, and A. Ribagorda, November 2006. EMAP model DB Identification ID (m bits) IDS1 Key1 … … Updated after each session Key (4m bits) = K1||K2||K3||K4 Pseudonym IDS (m bits) IDSn Keyn || concatenation EMAP protocol Tag Reader Database hello IDS IDS K1||K2||K3||K4 Random n1,n2 A = IDS K1 n1 A||B||C D = IDS K4 n2 B = (IDS K2) n1 C = IDS K3 n2 Check D. Update IDS and K1...K4 Check AB. Infer n1,n2 D||E E = (IDS n1 n2) ID K1 K2 K3 K4 Update IDS and K1...K4 Update … • IDS’ = IDS n2 K1. • K1’ = K1 n2 (ID1/2 || F(K4) || F(K3)) – ID1/2 – first m/2 bits of ID – F(X) – parity function • Divide X in m/4 4-bit blocks • Compute a parity bit for each block • K2’ = K2 n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3 n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4 n1 (F(K3) || F(K1) || ID2/2) EMAP is efficient • Tag memory: – Rewritable memory: 4m bits (keys) + m (IDS) – ROM: m bits (ID) – Very reasonable for m = 96… • Operations: – tag does cheap processing: ,,, || – random number generation – reader only! – no expensive operations (e.g hash function, multiplication) Further advantages of EMAP • tag anonymity – the same ID but different messages! • forward security – knowledge of K1...K4 does not reveal updated key Li and Deng: EMAP is vulnerable "Vulnerability Analysis of EMAPAn Efficient RFID Mutual Authentication Protocol " April 2007 Attack 1: Desynchronisation Tag Intruder Reader hello j s.t. IDS(j) = 0 hello IDS IDS random n1,n2 A||B||C Toggle j in C D||E Update IDS and the key Toggle j in D' and E' A||B||C' infer n2' instead of n2 wrong D'||E' Update IDS and the key n2' = n2 ej Attack 1: Reader accepts D • expected: D = (IDS K4) n2 • received: ( (IDS K4) n2’ ) ej – i.e. (IDS K4) n2 ej ej =D Attack 1: received E is correct • expected: E = (IDS n1 n2) ID K1 K2 K3 K4 • received: (IDS n1 n2’) ID K1 K2 K3 K4 ej • compare: IDS n1 n2 vs. – look at jth bit: IDS(j) = 0 (IDS n1 n2)(j) = n2(j) (IDS n1 n2’) ej Attack 1: Tag update • IDS’ = IDS n2 K1. • K1’ = K1 n2 (ID1/2 || F(K4) || F(K3)) • K2’ = K2 n2 (F(K1) || F(K4) || ID2/2) • K3’ = K3 n1 (ID1/2 || F(K4) || F(K2)) • K4’ = K4 n1 (F(K3) || F(K1) || ID2/2) Desynchronisation on IDS, K1 and K2 You can also attack n1 rather than n2 or both (see the paper) What kind of problem has been demonstrated? A. Ethical issues B. Illicit tracking of the tags C. Skimming D. Tag cloning E. Cross-contamination F. Tag killing G. Invasive attack / side channel attack H. Jamming Countermeasure: Error-correcting codes? • Can report/correct a number of 1-0 errors – can detect the attack as presented above • BUT – the attack can be generalised to replace (n1,n2) by (n1’,n2’) toggling multiple bits simultaneously… – … and fooling the error-correcting codes! Murphy’s Law Just when you think things cannot get any worse, they will. Attack 2 Full disclosure attack Run EMAP (a number of times) and discover ID and all the keys! Want to know more? Read the paper