RFID
Security and Privacy
Part 2: security example
Zoom in: Authentication
• Should be mutual
– reader should recognise tags
– tag should recognise readers
• EMAP:
Efficient Mutual Authentication Protocol
for Low-cost RFID Tags.
– proposed by P. Peris-Lopez, J. C. HernandezCastro, J. M. Estevez-Tapiador, and A. Ribagorda,
November 2006.
EMAP model
DB
Identification ID (m bits)
IDS1 Key1
…
…
Updated after
each session
Key (4m bits) = K1||K2||K3||K4
Pseudonym IDS (m bits)
IDSn Keyn
|| concatenation
EMAP protocol
Tag
Reader
Database
hello
IDS
IDS
K1||K2||K3||K4
Random n1,n2
A = IDS  K1  n1
A||B||C
D = IDS  K4  n2
B = (IDS  K2)  n1
C = IDS  K3  n2
Check D.
Update IDS
and K1...K4
Check AB.
Infer n1,n2
D||E
E = (IDS  n1  n2) 
ID  K1  K2  K3  K4
Update IDS
and K1...K4
Update …
• IDS’ = IDS  n2  K1.
• K1’ = K1  n2  (ID1/2 || F(K4) || F(K3))
– ID1/2 – first m/2 bits of ID
– F(X) – parity function
• Divide X in m/4 4-bit blocks
• Compute a parity bit for each block
• K2’ = K2  n2  (F(K1) || F(K4) || ID2/2)
• K3’ = K3  n1  (ID1/2 || F(K4) || F(K2))
• K4’ = K4  n1  (F(K3) || F(K1) || ID2/2)
EMAP is efficient
• Tag memory:
– Rewritable memory: 4m bits (keys) + m (IDS)
– ROM: m bits (ID)
– Very reasonable for m = 96…
• Operations:
– tag does cheap processing: ,,, ||
– random number generation – reader only!
– no expensive operations
(e.g hash function, multiplication)
Further advantages of EMAP
• tag anonymity
– the same ID but different messages!
• forward security
– knowledge of K1...K4 does not reveal updated key
Li and Deng:
EMAP is vulnerable
"Vulnerability Analysis of EMAPAn Efficient RFID Mutual Authentication Protocol "
April 2007
Attack 1: Desynchronisation
Tag
Intruder
Reader
hello
j s.t. IDS(j) = 0
hello
IDS
IDS
random n1,n2
A||B||C Toggle j in C
D||E
Update IDS
and the key
Toggle j in D'
and E'
A||B||C'
infer n2'
instead of n2
wrong D'||E'
Update IDS
and the key
n2' =
n2  ej
Attack 1: Reader accepts D
• expected: D = (IDS  K4)  n2
• received: ( (IDS  K4)  n2’ )  ej
– i.e. (IDS  K4)  n2  ej  ej
=D
Attack 1: received E is correct
• expected: E = (IDS  n1  n2)
 ID  K1  K2  K3  K4
• received: (IDS  n1  n2’)
 ID  K1  K2  K3  K4  ej
• compare: IDS  n1  n2 vs.
– look at jth bit: IDS(j) = 0
 (IDS  n1  n2)(j) = n2(j)
(IDS  n1  n2’)  ej
Attack 1: Tag update
• IDS’ = IDS  n2  K1.
• K1’ = K1  n2  (ID1/2 || F(K4) || F(K3))
• K2’ = K2  n2  (F(K1) || F(K4) || ID2/2)
• K3’ = K3  n1  (ID1/2 || F(K4) || F(K2))
• K4’ = K4  n1  (F(K3) || F(K1) || ID2/2)
 Desynchronisation on IDS, K1 and K2
 You can also attack n1 rather than n2 or both
(see the paper)
What kind of problem has been demonstrated?
A. Ethical issues
B. Illicit tracking of the tags
C. Skimming
D. Tag cloning
E. Cross-contamination
F. Tag killing
G. Invasive attack / side channel attack
H. Jamming
Countermeasure:
Error-correcting codes?
• Can report/correct a number of 1-0 errors
– can detect the attack as presented above
• BUT
– the attack can be generalised to replace (n1,n2) by
(n1’,n2’) toggling multiple bits simultaneously…
– … and fooling the error-correcting codes!
Murphy’s Law
Just when you think things
cannot get any worse,
they will.
Attack 2
Full disclosure attack
Run EMAP (a number of times) and discover ID
and all the keys!
Want to know more? Read the paper