Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFID Devices and Cryptography Analysis of the DST40

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "RFID Devices and Cryptography Analysis of the DST40"— Presentation transcript:

1 RFID Devices and Cryptography Analysis of the DST40
A review of the article: Bono, S.C., et al, Security Analysis of a Cryptographically-Enabled RFID Device. In P. McDaniel, ed., USENIX Security '05, pp Dennis Galvin Practical Aspects of Modern Cryptography 07-Mar-2006

2 DST40 Texas Instruments Cryptographically Secured RFID system
TI spec sheet photo Texas Instruments Cryptographically Secured RFID system DST :: Digital Signature Transponder 40-bit key Used in a number of applications Exxon Mobil SpeedPass(TM) Automotive Immobilizers 2005 Ford Some European Mfgrs – 2005

3 Sample TI DST40 Based Immobilizer System from:

4 Sample TI DST40 Based Immobilizer System from:

5 Breaking the DST40 Reverse engineer the cipher Build a key cracker
Build the whole system – proof is in the pudding What's the big deal? Black box Use DST as oracle

6 Reverse engineering the cipher
Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.:

7 Reverse engineering the cipher
What's missing? Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.:

8 Reverse engineering the cipher
What's missing? Routing Networks Key Scheduling Alg f-box internals g-box internals h-box internals Theory vs practice Kaiser, U. Universal immobilizer crypto engine. In Fourth Conference on the Advanced Encryption Standard (AES) (2004). Guest Presentation.:

9 Build the key cracker High end Intel based PC (3.4 GHz)

10 Build the key cracker High end Intel based PC (3.4 GHz) Hardware based
Xilinx FPGA parallelize operations put 32 cores down on an FPGA each core does full encryption in 200 clock cycles 100 Mhz clock now can search whole 40-bit keyspace in 21 hrs on average only need to search half of the space

11 Build the key cracker High end Intel based PC (3.4 GHz) Hardware based
Xilinx FPGA parallelize operations put 32 cores down on an FPGA each core does full encryption in 200 clock cycles 100 Mhz clock now can search whole 40-bit keyspace in 21 hrs on average only need to search half of the space Parallelize again put 16 FPGA's to the task 512 cores Cracked 5 DSTs from TI in less than 2 hrs.

12 Build the key cracker High end Intel based PC (3.4 GHz) Hardware based
Xilinx FPGA parallelize operations put 32 cores down on an FPGA each core does full encryption in 200 clock cycles 100 Mhz clock now can search whole 40-bit keyspace in 21 hrs on average only need to search half of the space Parallelize again put 16 FPGA's to the task 512 cores Cracked 5 DSTs from TI in less than 2 hrs. Hellman Time-Memory Tradeoff (future work)

13 Putting it all together: RF Protocol
Easiest Piece of the puzzle Build the device to actively interrogate DST Antenna from TI's development kit 12-bit DAC/ADC board capable of 1 Mhz From this can actively interrogate responses to known challenges, feed back into the key cracker

14 Putting it all together: RF Protocol
Easiest Piece of the puzzle Build the device to actively interrogate DST Antenna from TI's development kit 12-bit DAC/ADC board capable of 1 Mhz From this can actively interrogate responses to known challenges, feed back into the key cracker Build the device to simulate a DST Use the same physical setup as above Now can take information from the active attack plus the cracked keys and use it Start the car Buy gas

15 What happenned What went wrong? 40 bits too weak Security by Obscurity
LFSR, only 80-bits state

16 What happenned What went wrong? How to fix 40 bits too weak
Security by Obscurity LFSR, only 80-bits state How to fix Use bigger key Don't use LFSR SHA1, maybe even SHA256

17 Implications Other Crypto enabled applications of RFID
RFID Scheduled for Passports Possible use in Identity cards Medical Insurance Cards Hospital Bracelets?

18 Web sites: http://rfid-analysis.org/ (authors' web site)
(Texas Instr.)

Download ppt "RFID Devices and Cryptography Analysis of the DST40"

Similar presentations

Authentication Protocols Security Computer Science Tripos part 2 Ross Anderson.

Authentication Protocols Security Computer Science Tripos part 2 Ross Anderson.
Gone in 360 Seconds: Hijacking with Hitag2

Gone in 360 Seconds: Hijacking with Hitag2
14. Aug. 2013 Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.

14. Aug Towards Practical Lattice-Based Public-Key Encryption on Reconfigurable Hardware SAC 2013, Burnaby, Canada Thomas Pöppelmann and Tim Güneysu.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CryptoBlaze: 8-Bit Security Microcontroller. Quick Start Training Agenda What is CryptoBlaze? KryptoKit GF(2 m ) Multiplier Customize CryptoBlaze Attacks.

CryptoBlaze: 8-Bit Security Microcontroller. Quick Start Training Agenda What is CryptoBlaze? KryptoKit GF(2 m ) Multiplier Customize CryptoBlaze Attacks.
The Hardware Security Module. Agenda MAHOhard members To give background Project details Design and implementation.

The Hardware Security Module. Agenda MAHOhard members To give background Project details Design and implementation.
Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
Cryptanalysis on FPGA Based Hardware

Cryptanalysis on FPGA Based Hardware
Cryptography and Authentication Lab ECE4112 Group4 Joel Davis Scott Allen Quinn.

Cryptography and Authentication Lab ECE4112 Group4 Joel Davis Scott Allen Quinn.
Ruhr University Bochum Cryptography in Heavily Constraint Environments Christof Paar EUROBITS Center for IT Security COmmunication SecuritY (COSY) Group.

Ruhr University Bochum Cryptography in Heavily Constraint Environments Christof Paar EUROBITS Center for IT Security COmmunication SecuritY (COSY) Group.
Problem 1 3/10/2011Practical Aspects of Modern Cryptography.

Problem 1 3/10/2011Practical Aspects of Modern Cryptography.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Announcements: Get your ch 1-2 quiz if you haven’t. Get your ch 1-2 quiz if you haven’t. Grading change: Grading change: Homeworks are mixed programming.

Announcements: Get your ch 1-2 quiz if you haven’t. Get your ch 1-2 quiz if you haven’t. Grading change: Grading change: Homeworks are mixed programming.
Cryptography Basic (cont)

Cryptography Basic (cont)
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1

Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1
CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.
FIT5037 Advanced Network Security --- Modern Computing and Security --- Lecture 1.

FIT5037 Advanced Network Security --- Modern Computing and Security --- Lecture 1.
VHDL AES 128 Encryption/Decryption

VHDL AES 128 Encryption/Decryption
CS470, A.SelcukIntroduction1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIntroduction1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Similar presentations

Ads by Google