Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix Security Symposium 2005 Presented By Himanshu Pagey (For CDA 6938 Class Presentation) How realistic is this Scenario? • Realistic ( I own a TI vehicle immobilizer , I am going to get it changed right after the class). • Sounds good for a paper but really no body can steal my car! • Ohh well ! Can they? • The paper suggest that such threats are well within the realm of practical execution and is applicable to wide variety of applications . • We hope that none of the car thieves are reading this paper. RFID Primer (Souce:Wiki) • Automatic identification method. • Data is retrieved from RFID Tags ( tags as small as 0.15- millimeter by 0.15-m illimeter have been manufactured by hitachi) • Passive tags do not require power source • Active tags require power source • Heavy implementation in supply chain industry. • Well we don’t want to implement unsecure systems. • Unsecured systems is as good as “No System” Questions that the paper answers • How to stage the Attack? (Details) • What resources are needed to stage such an Attack? (Hardware/software/network) • How serious is this threat? ( Wide deployed?) • What are the counter measures ? • Why was the attack possible? • Is Texas Instruments Listening? Attack Details( How?) • Step 1 : Reverse Engineer the Cipher 3 6 4 8 5 10 Black Box Or Oracle DST Easy to reverse engineer the functionality of the black Box Step 1 …. 3 42345 4 98003 5 100000 Black Box Or Oracle DST Difficult to reverse engineer the functionality of the black Box Step 1 … • TI has not published their algorithm or Block Diagram, citing “ security by obscurity” . • Their aim is to figure out the cipher used by the DST by reverse engineering under constraint of minimum resource requirement.( Software packages were not used due to copyright issues). • The authors observed the logical output of the DST by specifying varying inputs. They compared the logical output to the predicted output to determine the behavior of the hardware circuit • The Authors were lucky that the DST cipher (hardware implementation) was easy to decode. Step 1… • Such reverse engineering efforts have been successfully attempted in the past. • For e.g. Bunny Huang Reverse engineered a XBOX to allow it to run Linux. • With the help of block DST block Diagram published in the Dr Kaisers publication and after much trial and error effort the authors were able to extract all the required information. • The required information will be used in later stages to simulate the digital transponder. Step 1… • The authors were able to recover – The key schedule – The routing mechanism – The logical functions computed by the f g and h boxes – The Feistel structure of the DST cipher • Feistel structure of an cipher can be considered as steps of the algorithm ( Order in which various operations are performed) Step 2 Key Cracking • The authors compiled a hardware circuit to crack the key (40 Bit key). • A single circuit was able to crack the 40 bit key in under 21 hours. • To speed up search (under 1 hour for realistic scenarios) the authors assembled 16 such circuits in parallel(<3500$). • The authors were able to find the keys of 5 TI provided tags in under 5 hours to verify the correctness of the algorithm. ( This was a challenge issued by TI) Step 3 Putting it all together Encrypts and sends the response Reader Powers up the DST and sends a command Looks up the secret key based on the serial id broadcast by the DST Sends a response sends a command Strengths of the Paper • Exploits a realistic weakness in a production system. ( Texas Instruments) • They make their results available to TI. • They actually stage on attack on “SpeedPass” System. • They reverse engineer a Hardware circuit by probing the logical output of the circuit. Weakness • The authors probably had enough working knowledge of a cipher implementation to decipher the structure of the hardware circuits, by probing the logical outputs. ( Since RSA produces security hardware components) • A Thief should have enough technical knowledge to register such an attack, hence current 40 bit key Immobilizers still act as deterrent. Suggested Improvement • At the time of publication, TI had plans to ship DST with 128 bit keys. • Can we still register an successful attack with this change? • Was the cipher structure one of the causes of vulnerability? Questions ?
Pages to are hidden for
"Security_Analysis_Himanshu_Pagey"Please download to view full document