Security_Analysis_Himanshu_Pagey by junxinglj


									Security Analysis of a Cryptographically-
          Enabled RFID Device
 Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels,
                      Avi Rubin,
                    Michael Szydlo

            Usenix Security Symposium 2005

                      Presented By
                    Himanshu Pagey
            (For CDA 6938 Class Presentation)
    How realistic is this Scenario?
• Realistic ( I own a TI vehicle immobilizer , I am
  going to get it changed right after the class).
• Sounds good for a paper but really no body
  can steal my car!
• Ohh well ! Can they?
• The paper suggest that such threats are well
  within the realm of practical execution and is
  applicable to wide variety of applications .
• We hope that none of the car thieves are
  reading this paper. 
           RFID Primer (Souce:Wiki)
• Automatic identification method.
• Data is retrieved from RFID Tags ( tags as small as 0.15-
    millimeter by 0.15-m illimeter have been manufactured by hitachi)
• Passive tags do not require power source
• Active tags require power source
• Heavy implementation in supply chain industry.
• Well we don’t want to implement unsecure
• Unsecured systems is as good as “No System”
Questions that the paper answers
• How to stage the Attack? (Details)
• What resources are needed to stage such an
  Attack? (Hardware/software/network)
• How serious is this threat? ( Wide deployed?)
• What are the counter measures ?
• Why was the attack possible?
• Is Texas Instruments Listening?
             Attack Details( How?)
• Step 1 : Reverse Engineer the Cipher

                3                                       6
     4                                                            8
     5                                                            10

                             Black Box Or Oracle

         Easy to reverse engineer the functionality of the black Box
                      Step 1 ….

3                                                           42345
4                                                           98003
5                                                           100000

                        Black Box Or Oracle

    Difficult to reverse engineer the functionality of the black Box
                         Step 1 …
• TI has not published their algorithm or Block
  Diagram, citing “ security by obscurity” .
• Their aim is to figure out the cipher used by the
  DST by reverse engineering under constraint of
  minimum resource requirement.( Software packages
  were not used due to copyright issues).
• The authors observed the logical output of the
  DST by specifying varying inputs. They compared
  the logical output to the predicted output to
  determine the behavior of the hardware circuit
• The Authors were lucky that the DST cipher
  (hardware implementation) was easy to decode.
                  Step 1…
• Such reverse engineering efforts have been
  successfully attempted in the past.
• For e.g. Bunny Huang Reverse engineered a
  XBOX to allow it to run Linux.
• With the help of block DST block Diagram
  published in the Dr Kaisers publication and
  after much trial and error effort the authors
  were able to extract all the required
• The required information will be used in later
  stages to simulate the digital transponder.
                    Step 1…
• The authors were able to recover
  – The key schedule
  – The routing mechanism
  – The logical functions computed by the f g and h
  – The Feistel structure of the DST cipher
• Feistel structure of an cipher can be
  considered as steps of the algorithm ( Order in
  which various operations are performed)
           Step 2 Key Cracking
• The authors compiled a hardware circuit to
  crack the key (40 Bit key).
• A single circuit was able to crack the 40 bit key
  in under 21 hours.
• To speed up search (under 1 hour for realistic
  scenarios) the authors assembled 16 such
  circuits in parallel(<3500$).
• The authors were able to find the keys of 5 TI
  provided tags in under 5 hours to verify the
  correctness of the algorithm. ( This was a
  challenge issued by TI)
          Step 3 Putting it all together
                         Encrypts and sends the response

          Reader              Powers up the DST
                              and sends a command
Looks up the secret key
based on the serial id
broadcast by the DST Sends a response

           sends a command
        Strengths of the Paper
• Exploits a realistic weakness in a production
  system. ( Texas Instruments)
• They make their results available to TI.
• They actually stage on attack on “SpeedPass”
• They reverse engineer a Hardware circuit by
  probing the logical output of the circuit.
• The authors probably had enough working
  knowledge of a cipher implementation to
  decipher the structure of the hardware
  circuits, by probing the logical outputs. ( Since
  RSA produces security hardware components)
• A Thief should have enough technical
  knowledge to register such an attack, hence
  current 40 bit key Immobilizers still act as
  deterrent. 
       Suggested Improvement
• At the time of publication, TI had plans to ship
  DST with 128 bit keys.
• Can we still register an successful attack with
  this change?
• Was the cipher structure one of the causes of
Questions ?

To top