RFID Technology and Threat Modeling
Presented by: Neeraj Chaudhry
University of Arkansas
Presentation layout
• Introduction of RFID
• Application of RFID
• RFID System
• Classification of RFID tags
• RFID frequencies
• RFID in terms of EPC
  – EPC code format
  – Communication Link
    • Inductive Coupling
    • Backscatter Coupling
  – Encoding and modulation
  – Anti-collision Protocols
    • Tag Anti-collision Protocol
    • Reader Anti-collision protocol
Presentation Layout
• Standardization (EPCglobal and ISO)
• Comparison of EPC and UPC
• EPC tags
• EPCglobal UHF class 0 tag
  – Reader to tag Link
  – Reader to tag symbols
  – Tag to reader Link
  – Binary tree Scanning Anti-collision Protocol
• EPCglobal UHF class 1 Gen. 1
• EPCglobal UHF class 1 Gen. 2
• EPCglobal Network
• RFID Threats based on STRIDE model
  – Spoofing Identity
  – Tampering data
  – Repudiation
  – Information disclosure
  – Denial of service
  – Elevation of Privilege
What is RFID?
• Stands for Radio Frequency Identification
• Uses radio waves for identification
• New frontier in the field of information technology
• One of the automatic identification technologies
• Provides unique identification of an object
Applications
• Mobil Speedpass systems
• Automobile immobilizer systems
• Fast-lane and E-ZPass road toll systems
• Animal identification
• Secure entry cards
• Humans
• Supply chain management
RFID System
• Tags consist of an antenna and a microchip
• Readers consist of a transmitter, a receiver, and one or more antennas
• Management system
• Communication protocol
• Computer networks
RFID system
[Figure: RFID System. Tags exchange a request and response with the reader; the reader connects over the Internet to the management system, an ONS server and a PML server.]
RFID Tag
• A tag is a device used to transmit information, such as a serial number, to the reader in a contactless manner
• Classified as:
  – Passive
  – Active
  – Semi-passive
Classification of Passive and Active tags

Characteristics                 | Passive RFID tag                                    | Active RFID tag
Power source                    | Provided by a reader                                | Inbuilt
Availability of power           | Within the field of the reader                      | Continuous
Signal strength (reader to tag) | High                                                | Low
Signal strength (tag to reader) | Low                                                 | High
Communication range             | < 3 meters                                          | > 100 meters
Tag reads                       | < 20 moving tags @ 3 mph in a few seconds           | > 1000 moving tags @ 100 mph in 1 sec
Memory                          | 128 bytes                                           | 128 Kbytes
Applicability in supply chain   | Applicable where tagged items' movement is constrained | Applicable where tagged items' movement is variable and unconstrained
RFID Reader
• Also known as an interrogator
• Can be handheld or stationary
• Consists of:
  – Transmitter
  – Receiver
  – Antenna
  – Microprocessor
  – Memory
  – Controller or firmware
  – Communication channels
  – Power
Communication Link
• Inductive Coupling
• Backscatter Coupling
Modulation
• The process of changing the characteristics of radio waves to encode data and transmit it to the other end
• The technique used depends on power consumption, reliability and available bandwidth:
  – Amplitude Shift Keying (ASK)
  – Frequency Shift Keying (FSK)
  – Phase Shift Keying (PSK)
Encoding
[Figure: waveforms for the binary digits 0 1 0 0 1 1 0 1 0 0 1 0 under NRZ, RZ, Manchester, PWM, PPM, Miller and FM0 encoding.]
Anti-Collision Protocol
• Tag anti-collision protocols
  – Aloha/Slotted Aloha
  – Deterministic binary tree walking
  – Query tree walking
• Reader anti-collision protocols
  – TDM/FDM
RFID Frequency range

Frequency band        | Description
< 135 kHz             | Low frequency
6.765 – 6.795 MHz     | Medium frequency
7.4 – 8.8 MHz         | Medium frequency
13.553 – 13.567 MHz   | Medium frequency
26.957 – 27.283 MHz   | Medium frequency
433 MHz               | UHF
868 – 870 MHz         | UHF
902 – 928 MHz         | UHF
2.4 – 2.483 GHz       | SHF
5.725 – 5.875 GHz     | SHF
Standardization
• ISO
  – 18000–1: Generic air interfaces for globally accepted frequencies
  – 18000–2: Air interface for 135 kHz
  – 18000–3: Air interface for 13.56 MHz
  – 18000–4: Air interface for 2.45 GHz
  – 18000–5: Air interface for 5.8 GHz
  – 18000–6: Air interface for 860 MHz to 930 MHz
  – 18000–7: Air interface at 433.92 MHz
• EPCglobal
  – UHF Class-0
  – UHF Class-1 Generation-1 (Class-1 Gen-1)
  – UHF Class-1 Generation-2 (Class-1 Gen-2)
Electronic Product Code Global (EPCglobal) Network
• The EPCglobal Network consists of five components:
  – Electronic Product Code (EPC) number
  – ID system (tags and readers)
  – EPC middleware
  – Discovery Service (ONS)
  – Information service
Electronic Product Code (EPC)

EPC codes

Layout          | Version | EPC Manager | Object Class | Serial Number
64 Bit Type I   | 2 bit   | 21 bit      | 17 bit       | 24 bit
64 Bit Type II  | 2 bit   | 15 bit      | 13 bit       | 34 bit
64 Bit Type III | 2 bit   | 26 bit      | 13 bit       | 23 bit
96 Bit          | 8 bit   | 28 bit      | 24 bit       | 36 bit
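As an added example (not code from the slides), the following packs and unpacks EPC numbers using the four field layouts in the table above; the field widths come from the table, while the sample values are constructed and do not identify any real EPC Manager or product.

```python
# Added example (not from the slides): pack and unpack EPC numbers using the
# four field layouts in the table above. Widths come from the table; sample
# values are constructed and do not identify a real EPC Manager or product.

# layout -> field widths in bits, in order: Version, EPC Manager,
# Object Class, Serial Number
EPC_LAYOUTS = {
    "64-bit Type I": (2, 21, 17, 24),
    "64-bit Type II": (2, 15, 13, 34),
    "64-bit Type III": (2, 26, 13, 23),
    "96-bit": (8, 28, 24, 36),
}
FIELDS = ("version", "manager", "object_class", "serial")


def pack_epc(layout, version, manager, object_class, serial):
    """Pack the four fields into one integer, most significant field first.
    Raises ValueError if a value does not fit its field width."""
    code = 0
    values = (version, manager, object_class, serial)
    for name, width, value in zip(FIELDS, EPC_LAYOUTS[layout], values):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        code = (code << width) | value
    return code


def unpack_epc(layout, code):
    """Split an integer EPC back into its named fields."""
    widths = EPC_LAYOUTS[layout]
    if not 0 <= code < (1 << sum(widths)):
        raise ValueError(f"code does not fit in {sum(widths)} bits")
    fields = {}
    for name, width in reversed(list(zip(FIELDS, widths))):  # low field first
        fields[name] = code & ((1 << width) - 1)
        code >>= width
    return fields


def epc_hex(layout, code):
    """Zero-padded hex string covering the layout's full width."""
    return f"{code:0{sum(EPC_LAYOUTS[layout]) // 4}x}"


if __name__ == "__main__":
    # constructed sample values
    code = pack_epc("96-bit", 0x30, 0xABCDEF, 0x123456, 0xDEADBEEF)
    print(epc_hex("96-bit", code))   # 300abcdef1234560deadbeef
    print(unpack_epc("96-bit", code))
```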
Comparison of EPC and UPC (Barcodes)
• Both are forms of automatic identification technology
• UPC requires line of sight and manual scanning, whereas EPC does not
• UPC requires an optical reader, whereas an EPC reader reads via radio waves
• EPC tags possess memory and can be written to, while UPC cannot
EPC Tag Classes
• Class 0: Passive; read only
• Class 1: Passive; read only, write once
• Class 2: Passive; 65 KB read-write
• Class 3: Semi-passive
• Class 4: Active; built-in battery
• Class 5: Active; communicates with other class 5 tags and devices; 65 KB read-write with built-in battery
EPCglobal UHF Class-0 Tag
• Describes the physical-layer reader-to-tag link, the tag-to-reader link and the data-link anti-collision protocol
• The reader-to-tag link uses a 100% or 20% modulated amplitude-modulated (AM) carrier signal
• Uses a binary tree anti-collision protocol
Class-0 Reader-to-Tag Symbols
[Figure: waveforms of the three Class-0 reader-to-tag symbols BINARY 0, BINARY 1 and NULL.]
Binary tree anti-collision protocol for Class-0
[Figure: binary tree for Class-0 anti-collision. The reader descends from the root one bit (0 or 1) at a time, reaching the 4-bit leaves 0000 through 1111.]
EPCglobal UHF Class-1 Gen-1
• Employs the same modulation and encoding techniques as UHF Class-0
• Uses the query tree walking anti-collision protocol
  – The reader queries with a group of bits; matching tags respond with an 8-bit response during one of eight time slots.
[Figure: eight time slots for tag responses, SLOT 000 through SLOT 111.]
Query Tree Protocol for Class-1 Gen-1 and first step of Gen-2
[Figure: query tree with reader queries numbered 1 to 6 over the prefixes 0, 1, 00, 01, 100, 010 and 011; nodes are marked NO COLLISION, COLLISION and IDENTIFIED.]
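As an added example (not code from the slides), the following simulates the query tree walking of the Class-1 Gen-1 slide; the Class-0 binary tree slide descends its tree by the same collision-driven rule, so one simulation serves both. The reader sends a bit-string prefix, every tag whose ID starts with it answers, and the reader can only tell silence, a single reply or a collision apart. Tag IDs are constructed 4-bit strings.

```python
# Added example (not from the slides): query tree walking as the Class-1 Gen-1
# slide describes it. The reader sends a bit-string prefix; every tag whose ID
# starts with it answers, and the reader can only tell silence, a single reply
# or a collision apart. On a collision it re-queries with the prefix extended
# by 0 and by 1. Tag IDs below are constructed 4-bit strings.


def query(tags, prefix):
    """Simulated air interface: IDs of the tags that match the prefix."""
    return [t for t in tags if t.startswith(prefix)]


def query_tree_walk(tags, id_bits):
    """Singulate every tag. Returns (identified IDs, transcript of
    (prefix, outcome) pairs) with outcomes as on the slide:
    'none', 'identified' or 'collision'."""
    identified, transcript = [], []
    stack = [""]  # prefixes still to query; begin with the empty prefix
    while stack:
        prefix = stack.pop()
        replies = query(tags, prefix)
        if not replies:
            transcript.append((prefix, "none"))
        elif len(replies) == 1:
            transcript.append((prefix, "identified"))
            identified.append(replies[0])
        elif len(prefix) < id_bits:
            transcript.append((prefix, "collision"))
            stack.append(prefix + "1")   # pushed first, so the 0 branch
            stack.append(prefix + "0")   # is explored next (depth first)
        else:
            # two tags carry the same full ID: tree walking cannot separate them
            transcript.append((prefix, "duplicate-id"))
    return identified, transcript


if __name__ == "__main__":
    sample = ["0010", "0011", "0100", "1001"]   # constructed population
    ids, log = query_tree_walk(sample, 4)
    for prefix, outcome in log:
        print(f"query {prefix!r:7} -> {outcome}")
    print("identified:", ids, "in", len(log), "queries")
```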
EPCglobal UHF Class-1 Gen-2
• Uses one of ASK, FSK or PSK modulation with PWM encoding, referred to as the pulse-interval encoding (PIE) format.
• The reader chooses the encoding format for the tag-to-reader link:
  – FM0
  – Miller
• Uses an Aloha-based random anti-collision protocol called the Q protocol
Q Protocol anti-collision protocol
• The reader cycles through the select, inventory and access phases to manage the tag population.
• The select phase is used to single out a particular tag population, like the query tree protocol.
• The inventory phase identifies individual tags using the Q protocol, which is a slotted Aloha-based protocol.
• The reader creates slots; all tags backscatter at the beginning of a slot.
• The query contains the parameter Q and a session number.
• Tags belonging to the requested session pick a random number in the range [0, 2^Q - 1].
• Tags that pick zero backscatter a 16-bit random number.
• The remaining tags decrease their slot number on the reader's command and backscatter when it reaches zero.
• The reader acknowledges by sending back the 16-bit random number.
• The chosen tag then backscatters its EPC.
• In this way the reader queries multiple tags in a session and can vary the parameter Q, which is in the range [0, 15].
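As an added example (not code from the slides), the following is a simplified simulation of the inventory round just described: tags draw a slot counter in [0, 2^Q - 1], a lone tag in a slot backscatters a 16-bit random number, the reader acknowledges with it and the tag answers with its EPC, while colliding tags wait for the next round. The EPC strings and seed are constructed, and the rule for adjusting Q between rounds is an assumed heuristic, not the standard's exact algorithm.

```python
# Added example (not from the slides): simplified Q-protocol inventory.
# Each tag draws a slot in [0, 2^Q - 1]; a lone tag in a slot backscatters a
# 16-bit random number (RN16), the reader ACKs with it and the tag answers
# with its EPC. Colliding tags retry in the next round with Q adjusted.
# EPCs and seed are constructed; the Q adjustment rule is an assumption.
import random


def inventory_round(tags, q, rng):
    """One Q-protocol round; returns (EPCs read, collided slots, empty slots)."""
    slots = {}
    for epc in tags:                       # every tag picks its slot
        slots.setdefault(rng.randrange(1 << q), []).append(epc)
    read, collided, empty = [], 0, 0
    for slot in range(1 << q):             # reader steps through 2^Q slots
        answering = slots.get(slot, [])
        if not answering:
            empty += 1
        elif len(answering) > 1:
            collided += 1                  # RN16s collide; reader cannot ACK
        else:
            rn16 = rng.getrandbits(16)     # lone tag backscatters its RN16
            ack = rn16                     # reader ACKs with the RN16 it heard
            if ack == rn16:                # tag answers only to its own RN16
                read.append(answering[0])  # tag backscatters its EPC
    return read, collided, empty


def inventory(tags, q=4, seed=1, max_rounds=100):
    """Repeat rounds until every tag is read; returns (EPCs, rounds, final Q).
    Q goes up after a collision-heavy round, down after an empty-heavy one,
    and stays within the [0, 15] range given on the slide."""
    rng = random.Random(seed)
    remaining, found, rounds = list(tags), [], 0
    while remaining and rounds < max_rounds:
        rounds += 1
        got, collided, empty = inventory_round(remaining, q, rng)
        found += got
        remaining = [t for t in remaining if t not in got]
        if collided > empty:
            q = min(15, q + 1)
        elif empty > collided:
            q = max(0, q - 1)
    return found, rounds, q


if __name__ == "__main__":
    sample = [f"EPC-{i:02d}" for i in range(8)]   # constructed tag population
    print(inventory(sample))
```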
RFID Threats Categorized with STRIDE
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Spoofing Threats
• A competitor or thief performs an unauthorized inventory.
• An attacker determines what organization is assigned an EPC number by posing as an authorized ONS user.
• An attacker determines the complete information about an object by posing as an authorized user of the database referenced by ONS.
• An attacker poses as an ONS server.
Tampering with Data Threats
• An attacker modifies the EPC of a read/write tag.
• An attacker adds a tag to an object.
• An attacker physically removes or destroys a tag.
• An attacker erases a tag.
• An attacker “kills” a tag.
• An attacker switches a high-priced item’s EPC number with a lower-priced item’s EPC number.
• An attacker reorders the data on a tag.
• An attacker modifies the return signal from the tag to the reader.
• An attacker poses as an ONS server and responds with an incorrect URL to an ONS query from a manager.
• An attacker modifies, adds, deletes, or reorders data in a database.
Repudiation Threats
• A retailer denies receiving a certain pallet, case, or item.
• The owner of the EPC number denies having information about the item to which the tag is attached.
Information Disclosure Threats
• An unauthorized inventory of a store by scanning RFID EPC tags with a reader to determine the types and quantities of items. A thief could query a warehouse, truck, or store to help locate high-priced items.
• A thief could create a duplicate RFID tag with the same EPC number and return a forged item for an unauthorized refund.
• A fixed reader at any retail counter could identify the tags carried by a person and show similar products on a nearby screen to provide individualized marketing.
• A mugger marks a potential victim by querying the tags in the possession of an individual to determine if they are carrying valuable or wanted items.
• An attacker blackmails an individual for having certain merchandise in their possession.
Denial of Service Threats
• A shoplifter carries a blocker tag that disrupts reader communication to conceal the stolen item. An attacker can simulate many RFID tags simultaneously, causing the anti-collision protocol to perform singulation on a large number of tags and making the system unavailable for authorized use.
• An attacker disables all RFID EPC tags in a store or warehouse, disrupting business operations and causing a loss of revenue.
• An attacker destroys or damages a tag so that it will not respond to a query from a reader.
• An attacker sends a special “kill” command to the tag, if the tag supports it, to disable it.
• An attacker shields the tag from being read with a Faraday cage.
• An attacker with a powerful reader jams the reader by creating a more powerful return signal.
• An attacker performs a traditional Internet denial-of-service attack against the servers gathering EPC numbers from the readers.
• An attacker performs a traditional Internet denial-of-service attack against ONS.
• An attacker sends URL queries to a database, causing it to perform database queries and therefore denying access to authorized users.
Elevation of Privilege Threats
• A user who logs on to the database to look up a product’s information can become an attacker by raising his/her status in the information system from user to root server administrator and writing or adding malicious data into the system.
Contact Information
NEERAJ CHAUDHRY
705 West Putman Street, Apt # R-2, Fayetteville, AR-72701
Email: nchaudh@uark.edu
Phone: (479) 599-9107

Dale R. Thompson, P.E., Ph.D.
Department of Computer Science and Computer Engineering
University of Arkansas
311 Engineering Hall
Fayetteville, Arkansas 72701
Phone: +1 (479) 575-5090
FAX: +1 (479) 575-5339
E-mail: d.r.thompson@ieee.org
WWW: http://csce.uark.edu/~drt/