Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523 5-5728, jdi@uark.edu
Outline RFID Tag Overview Tag Architecture Memory Tag Protocol Managing Tag Populations Threats and Mitigation
RFID Tag Overview
Classification of RFID Tags Class-1: Identity Tags (Normative) Higher-Class Tags (Informative) Class-2: Higher-Functionality Tags Class-3: Semi-Passive Tags Class-4: Active Tags Higher-class tags shall not conflict with the operation of, nor degrade the performance of, Class-1 tags located in the same RF environment.
Classification of RFID Tags (Cont’) Class-1: Identity Tags An electronic product code (EPC) identifier A tag identifier A ‘kill’ function that permanently disables the tag Optional password-protected access control Optional user memory Class-2: Higher-Functionality Tags An extended Tag ID Extended user memory Authenticated access control Optional other features Class-3: Semi-Passive Tags An integral power source Integrated sensing circuitry Class-4: Active Tags Tag-to-tag communications Active communications Ad-hoc networking capabilities *Note that each higher-class tag has its extended features above and beyond those of its immediate predecessor *We focus on Class-1 UHF RFID tags
Review of Reader-Tag Communication A reader transmits information to a tag by modulating an RF signal in the 860 MHz – 960 MHz frequency range. The tag receives both information and operating energy from this RF signal. A reader receives information from a tag by transmitting a continuous-wave RF signal to the tag. The tag responds by modulating the reflection coefficient of its antenna, thereby backscattering an information signal to the reader. Communication is half-duplex, meaning that readers talk and tags listen, or vice versa.
Tag Architecture
Reader-Tag Communication Protocol Overview Physical Layer Tag-identification layer Select Inventory Access
Circuit Block Diagram
Antenna K. V. S. Rao, P. V. Nikitin, S. F. Lam, “Antenna design for UHF RFID tags: a review and a practical application,” IEEE Transactions on Antennas and Propagation, Vol. 53, Issue 12, Dec. 2005
Power Generation and Management Circuit Rectifier Charge Pump Voltage Regulator Reset Circuit
Rectifier Convert alternating current to rectified direct current Half-wave rectification Full-wave rectification
Charge Pump Use capacitors as energy storage elements to create either a higher or lower voltage power source Multi-stage operation It can double, triple, halve, invert, fractionally multiply or scale voltages
Voltage Regulator Maintain a constant voltage level Low Dropout (LDO) regulator – a DC linear voltage regulator which has a very small input-output differential voltage
Reset Circuit Generate reset signal for the whole chip Power-on reset
Demodulator Envelope detector Comparator Ring oscillator Bias generator
Envelope Detector Take a high-frequency signal as input, and provide an output which is the “envelope” of the original signal
Comparator
Ring Oscillator A chain containing an odd number of inverters, with the output of the last inverter fed back to the input of the first inverter
Modulator Phase modulator – represent information as variations in the instantaneous phase of a carrier wave
Memory
Memory Banks Four distinct banks, each with its own address space: Reserved Memory – contains the kill and/or access passwords EPC Memory – contains a CRC-16, Protocol-Control (PC) bits, and the EPC identification code TID Memory – contains an ISO/IEC 15963 allocation class identifier and sufficient information for a reader to identify the custom commands and optional features the tag supports User Memory – user-specific data storage
Logical Memory Map
Memory Access Commands carry a MemBank parameter that selects the bank (00-Reserved, 01-EPC, 10-TID, 11-User) and a word-address parameter that selects a particular 16-bit word within that bank; memory is addressed in 16-bit words Operations in one logical memory bank shall not access memory locations in another bank Readers may lock, permanently lock, unlock, or permanently unlock memory
Tag Protocol
Basic Operations Select – choose a tag population for inventory and access Inventory – identify tags Access – communicate with (reading from and/or writing to) a tag
Sessions and Inventory Flags Four sessions (S0, S1, S2, S3) A tag participates in one and only one session during an inventory round Two or more readers can use sessions to independently inventory a common tag population Tags maintain an independent Inventoried flag for each session, with two values (A/B) At the beginning of each and every inventory round a reader chooses to inventory either A or B tags in one of the four sessions Tags participating in an inventory round in one session shall neither use nor modify the Inventoried flag for a different session All other tag resources are shared among sessions; only the Inventoried flags are per-session After singulating a tag a reader may issue a command that causes the tag to invert its Inventoried flag for that session
Session Diagram
Tag Inventoried Flags (table columns: Power-On Status, Persistence time)
S0 Inventoried flag – power-on status: set to A
S1 Inventoried flag – power-on status: A or B
S2 Inventoried flag – power-on status: A or B
S3 Inventoried flag – power-on status: A or B
Selected flag – SL
Question – since the power-on status of some flags is unknown to the reader, how can a reader inventory all tags in the field?
FSM At a glance
Ready State A “holding state” for energized tags that are neither killed nor currently participating in an inventory round After power-on, a tag remains in Ready until it receives a Query command whose inventoried parameter and sel parameter match its current flag values It then draws a Q-bit number from its RNG, loads it into the slot counter, and transitions to the Arbitrate state if the number is nonzero, or to the Reply state if the number is zero
Arbitrate State A “holding state” for tags that are participating in the current inventory round but whose slot counters hold nonzero values The tag decrements its slot counter every time it receives a QueryRep command whose session parameter matches the session of the inventory round in progress It transitions to the Reply state when its slot counter reaches 0000h A tag that returns to Arbitrate with its slot counter at 0000h decrements it to 7FFFh (wrap-around) on the next QueryRep and remains in Arbitrate
Reply State Tag backscatters an RN16 If tag receives a valid ACK it transitions to the Acknowledged state; otherwise returns to the Arbitrate state
Acknowledged State May transition to any state except Killed state depending on the command Upon receiving a valid ACK containing the correct RN16, the tag re-backscatters its PC, EPC, and CRC-16; otherwise returns to Arbitrate state
Open State A tag in the Acknowledged state whose access password is nonzero shall transition to the Open state upon receiving a Req_RN command, backscattering a new RN16 (the handle) Executes all access commands except Lock May transition to any state except Acknowledged Upon receiving a valid ACK containing the correct handle, the tag re-backscatters its PC, EPC, and CRC-16
Secured State A tag in the Acknowledged state whose access password is zero shall transition to the Secured state upon receiving a Req_RN command, backscattering a new RN16 (the handle) A tag in the Open state whose access password is nonzero shall transition to the Secured state upon receiving a valid Access command sequence Executes all access commands May transition to any state except Open or Acknowledged Upon receiving a valid ACK containing the correct handle, the tag re-backscatters its PC, EPC, and CRC-16
Killed State A tag in either the Open or Secured state shall enter the Killed state upon receiving a Kill command sequence with a valid nonzero kill password and a valid handle Kill permanently disables a tag Upon entering the Killed state a tag shall notify the reader that the kill operation was successful, and shall not respond to a reader thereafter Killed tags shall remain in the Killed state under all circumstances and shall immediately enter the Killed state upon subsequent power-ups A kill operation is not reversible
Random Number Generator and Slot Counter RNG – a random or pseudo-random number generator that produces 16-bit random numbers (RN16) Slot Counter – a 15-bit counter, preloaded with a value between 0 and 2^Q - 1 upon receiving a Query or QueryAdjust command
Managing Tag Populations
Reader/Tag Operation
Selecting Tag Populations Single command – Select Assert/deassert a tag’s SL flag, or set a tag’s Inventoried flag to either A or B in any one of the four sessions Parameters – Target, Action, MemBank, Pointer, Length, Mask, and Truncate By issuing multiple identical Select commands a reader can asymptotically single out all tags matching the selection criteria even though tags may undergo short-term RF fades
Inventorying Tag Populations Several commands – Query, QueryAdjust, QueryRep, ACK, and NAK Query sets a slot-count parameter Q. Tags pick a random value in the range [0, 2^Q - 1] and load it into their slot counter. Tags that pick zero transition to the reply state and reply immediately; the others transition to the arbitrate state and await a QueryAdjust or QueryRep command.
Inventorying Tag Populations (Cont’) Assuming that a single tag replies The tag backscatters an RN16 as it enters reply The reader acknowledges the tag with an ACK containing this same RN16 The acknowledged tag transitions to the acknowledged state, backscattering its PC, EPC, and CRC-16 The reader issues a QueryAdjust or QueryRep, causing the identified tag to invert its inventoried flag and transition to ready, and potentially causing another tag to initiate a query-response dialog with the reader If the tag fails to receive a correct ACK, it returns to arbitrate
Inventorying Tag Populations (Cont’) If multiple tags reply, the reader may still be able to resolve the RN16 of one of them by detecting and resolving the collision at the waveform level, in which case it ACKs that tag. The unresolved tags receive an erroneous RN16 in the ACK and return to arbitrate without backscattering their PC, EPC, and CRC-16
Accessing Individual Tags Several commands – Req_RN, Read, Write, Kill, Lock, Access, BlockWrite, BlockErase A reader accesses a tag that is in the acknowledged state The reader issues a Req_RN to the tag The tag generates and stores a new RN16 (the handle), backscatters the handle, and transitions to open if its access password is nonzero, or to secured if it is zero The reader may now issue further access commands
Accessing Individual Tags (Cont’) The handle is a required parameter of every access command Write, Kill, and Access send a 16-bit word to the tag using link cover-coding (a one-time-pad style XOR) to obscure the word in transit: the reader issues Req_RN; the tag backscatters a new RN16; the reader XORs the 16-bit word with that RN16 and issues the command with the resulting 16-bit ciphertext as its parameter; the tag recovers the word by XORing the received ciphertext with the RN16 it just sent Kill and Access are multi-step procedures: the 32-bit password is sent as two 16-bit halves, each cover-coded with its own RN16 obtained by a separate Req_RN Lock restricts writes to the memory banks and reads/writes of the passwords in Reserved memory
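The Req_RN / cover-coded Write / two-half Access and Kill sequences described above, as an added example that is not part of the original lecture. Both sides are modelled in one toy tag class (constructed for this example; it implements only Req_RN, Write, Access and Kill and starts in the Acknowledged state, with the RN16 check of the first Req_RN omitted), every message is logged, and an eavesdropper function shows the caveat a practitioner needs to know: because the pad (RN16) travels in the clear on the tag-to-reader link, anyone who captures both directions recovers the access and kill passwords by the same XOR. The passwords, RNG seed and the arbitrate-on-failure behaviour are assumptions for illustration.

```python
import random


def cover(word, rn16):
    """Link cover-coding: XOR the 16-bit word with the RN16 the tag just backscattered."""
    return (word & 0xFFFF) ^ rn16


class Gen2Tag:
    """Toy model of a singulated Class-1 Gen2 tag (constructed for this example)."""

    def __init__(self, access_pwd, kill_pwd, rng):
        self.access_pwd, self.kill_pwd = access_pwd, kill_pwd  # 32-bit, Reserved memory
        self.rng = rng                  # stands in for the tag's RNG
        self.state = "acknowledged"     # reader has already ACKed our reply RN16
        self.handle = None              # RN16 returned to the first Req_RN
        self.rn16 = None                # RN16 that covers the next 16-bit word
        self.user_mem = [0] * 4         # four 16-bit words of User memory
        self.halves = []                # password halves received so far

    def req_rn(self, handle=None):
        if self.state == "killed":
            return None                 # killed tags never answer again
        rn = self.rng.randrange(1 << 16)
        if self.state == "acknowledged":
            self.handle = rn            # first Req_RN: the new RN16 becomes the handle
            self.state = "open" if self.access_pwd else "secured"
            return rn
        if handle != self.handle or self.state not in ("open", "secured"):
            return None
        self.rn16 = rn                  # later Req_RNs: fresh RN16 for cover-coding
        return rn

    def _uncover(self, ciphertext, handle):
        if handle != self.handle or self.rn16 is None or self.state not in ("open", "secured"):
            return None
        word, self.rn16 = ciphertext ^ self.rn16, None  # each RN16 covers one word only
        return word

    def write(self, word_ptr, covered_word, handle):
        word = self._uncover(covered_word, handle)
        if word is None:
            return False
        self.user_mem[word_ptr] = word
        return True

    def _password_step(self, covered_half, handle, expected, on_success):
        half = self._uncover(covered_half, handle)
        if half is None:
            return False
        self.halves.append(half)
        if len(self.halves) < 2:
            return True                 # first half accepted; wait for the second
        pwd, self.halves = (self.halves[0] << 16) | self.halves[1], []
        if pwd == expected and expected != 0:
            self.state = on_success
            return True
        self.state = "arbitrate"        # wrong (or zero) password: modelled as end of dialog
        return False

    def access(self, covered_half, handle):
        return self._password_step(covered_half, handle, self.access_pwd, "secured")

    def kill(self, covered_half, handle):
        return self._password_step(covered_half, handle, self.kill_pwd, "killed")


def reader_send_password(tag, handle, password, command, name, channel):
    """Access/Kill sequence: two Req_RN round trips, one cover-coded 16-bit half each.
    `channel` records every message so we can play the eavesdropper afterwards."""
    for half in ((password >> 16) & 0xFFFF, password & 0xFFFF):
        rn16 = tag.req_rn(handle)
        channel.append(("tag->reader", "RN16", rn16))
        ct = cover(half, rn16)
        channel.append(("reader->tag", name, ct))
        if not command(ct, handle):
            return False
    return True


def eavesdrop_password(channel, name):
    """Whoever captured both link directions recovers the password: the pad is the RN16
    the tag sent in the clear.  Returns None if fewer than two halves were observed."""
    rn16, halves = None, []
    for _direction, kind, value in channel:
        if kind == "RN16":
            rn16 = value
        elif kind == name and rn16 is not None:
            halves.append(value ^ rn16)
    return (halves[-2] << 16) | halves[-1] if len(halves) >= 2 else None


def run_session(access_pwd=0x1234ABCD, kill_pwd=0xDEADBEEF, seed=7):
    """Open -> Access -> Secured -> cover-coded Write -> eavesdropper -> Kill."""
    tag, channel = Gen2Tag(access_pwd, kill_pwd, random.Random(seed)), []
    handle = tag.req_rn()               # Acknowledged -> Open (access password != 0)
    out = {"after_req_rn": tag.state}
    out["access_ok"] = reader_send_password(tag, handle, access_pwd, tag.access, "Access", channel)
    out["after_access"] = tag.state
    rn16 = tag.req_rn(handle)           # one Req_RN per cover-coded Write word
    out["write_ok"] = tag.write(2, cover(0xBEEF, rn16), handle)
    out["user_word2"] = tag.user_mem[2]
    out["sniffed_access_pwd"] = eavesdrop_password(channel, "Access")
    out["kill_ok"] = reader_send_password(tag, handle, kill_pwd, tag.kill, "Kill", channel)
    out["sniffed_kill_pwd"] = eavesdrop_password(channel, "Kill")
    out["after_kill"] = tag.state
    out["answers_after_kill"] = tag.req_rn(handle) is not None
    return out


def kill_attempt(kill_pwd_on_tag, pwd_tried, seed=3):
    """State the tag ends in after one Kill sequence (access password 0 -> Secured)."""
    tag = Gen2Tag(0, kill_pwd_on_tag, random.Random(seed))
    handle = tag.req_rn()
    reader_send_password(tag, handle, pwd_tried, tag.kill, "Kill", [])
    return tag.state
```

The reader-to-tag link is far stronger than the tag's backscatter, so cover-coding does defeat an eavesdropper who only hears the forward channel; it does nothing against one close enough to the tag to capture the RN16, which is why the passwords in Reserved memory should be locked and why the eavesdropping mitigations later in the deck matter. Note also that a tag whose kill password is zero never executes Kill.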
Tag Layer Threats and Mitigation Methods Some Slides Borrowed from Kris Tiri, Hwasun Chang, Yossef Oren, and Pankaj Rohatgi
Limitations of Class I Gen 2 RFID Tags Cost Power Wireless communication nature
Attacks for Impersonation Tag Cloning / Counterfeiting Tag Spoofing Relay Attack Replay Attack
Tag Cloning / Counterfeiting An adversary can easily copy the memory content of an authentic tag to create an identical yet cloned tag EPC Class I tags have no mechanism for preventing cloning In many cases, cloned tags are indistinguishable from authentic ones
Tag Spoofing Emulation A variation of tag cloning An adversary uses a custom designed electronic device to imitate, or emulate, the authentic tag The adversary needs to have full access to legitimate communication channel as well as knowledge of the protocols and secrets used in the authentication process
Mitigating Tag Cloning / Counterfeiting / Spoofing Attacks Challenge-response authentication protocol Physical Unclonable Function (PUF) Fragile watermarking Tag Fingerprinting
Relay Attack Man-in-the-middle Close proximity assumption (<~25 feet) This assumption can be utilized by an adversary to “fool” the authentic tag and reader by letting them believe they are communicating with each other directly, while they are actually talking to “the middle man”
Replay Attack Similar to a relay attack, but offline: an adversary captures valid reader-tag communication and replays it at a later time to other readers or tags to impersonate one of the parties
Mitigating Relay Attacks Detect the distance between reader and tag Limit the direction of radio signals
Mitigating Replay Attacks Add timestamps One-time password Incremental sequence numbers Clock synchronization
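An added example (not from the lecture, and not something a Class-1 Gen2 tag can do) of the challenge-response and one-time-password mitigations listed on the cloning and replay slides: a hypothetical tag holding a per-tag HMAC key and a monotonic counter, a reader that checks nonce, MAC and counter freshness, and three attacks run against it (a clone that copied the EPC but not the key, a replay of a captured response, and a replay of that response against a fresh challenge). The key, the EPC value and the HMAC-SHA256 construction are assumptions for illustration.

```python
import hashlib
import hmac
import os


class AuthTag:
    """Hypothetical tag with a per-tag secret key and a monotonic counter (assumed design)."""

    def __init__(self, epc, key):
        self.epc, self.key, self.counter = epc, key, 0

    def respond(self, reader_nonce):
        self.counter += 1                               # never reused: one-time response
        msg = self.epc + reader_nonce + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


class Reader:
    def __init__(self, key_db):
        self.key_db = key_db                            # epc -> [key, highest counter seen]

    def verify(self, epc, nonce, counter, tag_mac):
        entry = self.key_db.get(epc)
        if entry is None:
            return False                                # unknown EPC
        key, last = entry
        if counter <= last:
            return False                                # counter not fresh: replay or stale
        msg = epc + nonce + counter.to_bytes(4, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag_mac):
            return False                                # wrong key (clone) or wrong nonce
        entry[1] = counter                              # commit only after a valid MAC
        return True


def authenticate(reader, tag, nonce=None):
    """One reader-tag round trip; returns (accepted, transcript) so that the transcript can
    later be replayed by an eavesdropper."""
    nonce = os.urandom(8) if nonce is None else nonce
    counter, mac = tag.respond(nonce)
    transcript = (tag.epc, nonce, counter, mac)
    return reader.verify(*transcript), transcript


def demo():
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed test key
    epc = bytes.fromhex("3034257bf7194e4000001a85")           # constructed 96-bit EPC
    genuine = AuthTag(epc, key)
    clone = AuthTag(epc, bytes(16))                 # copied EPC memory, but not the key
    reader = Reader({epc: [key, 0]})
    out = {}
    out["clone"], _ = authenticate(reader, clone, nonce=bytes(8))
    out["genuine"], transcript = authenticate(reader, genuine, nonce=bytes(8))
    out["replay_same_nonce"] = reader.verify(*transcript)       # counter already seen
    epc_, _, counter, mac = transcript
    out["replay_new_nonce"] = reader.verify(epc_, os.urandom(8), counter + 5, mac)  # MAC mismatch
    out["genuine_again"], _ = authenticate(reader, genuine)
    return out
```

The reader nonce is what defeats a replay against a new challenge, and the counter is what defeats a replay of the identical exchange; timestamps and clock synchronisation, also listed on the slide, are impractical for a passive tag because it has no clock and no power between reads.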
Attacks for Information Leakage Unauthorized Tag Reading Covert Channel Eavesdropping Tag Modification Side-Channel Attacks (to be covered later)
Unauthorized Tag Reading An adversary places an illegitimate reader within the proximity of the target tag to access the tag data Tags do not have on/off switches Simple yet effective
Covert Channel Covert channels are unintended or unauthorized communication paths that can be used to transfer information in a manner that violates system security policies It is possible to create covert communication channels through the use of user-defined memory banks on tag
Eavesdropping / Sniffing An adversary uses an electronic device with antenna to listen to the legitimate reader-tag communication and record the messages Reader-to-tag (forward channel) Tag-to-reader (backward channel)
Mitigating Unauthorized Tag Reading / Covert Channel / Eavesdropping Attacks Break the reader-tag communication link when the tag is not being accessed Tag shielding Blocker tag RFID Guardian Apply access control mechanisms to the tag Communication Encryption Kill the tag after use Reduce the availability of the memory resource on tag
Tag Modification An adversary tries to modify the data stored on tag User-writeable memory
Mitigating Tag Modification and Reprogramming Attacks Use read-only tags Adopt efficient coding / cryptographic algorithms to secure the on-tag data Reader authentication
Attacks for Denial-of-Service (DoS) KILL Command Abuse Passive Interference Active Jamming
Kill Command Abuse If an adversary obtains the kill password, he/she can issue unauthorized Kill commands and permanently disable tags Mitigation: Lock or permanently lock the kill password in Reserved memory so that an unauthorized reader can neither read nor rewrite it (a locked password is readable and writeable only from the Secured state; a permanently locked password can never again be read or rewritten)
Passive Interference The RF communication link between reader and tag is susceptible to interference: absorption, reflection (bounce-back), and collision An adversary may use foil-lined bags to shield tags from the EM waves sent by a legitimate reader and so block access
Active Jamming Powered interference An adversary uses an electronic device to send out radio signals to disrupt the reader-tag communication
Mitigating Kill Command Abuse / Passive Interference / Active Jamming Attacks Improve the physical security of the authorized reader-tag communication channel Secure password management
Attacks through Physical Manipulation Physical Tampering Tag Swapping Tag Removal Tag Destruction Tag Reprogramming
Side-Channels Information leakage from implementation Example: safecracker feels tumblers impacting and opens lock without trying each combination Similarly: hacker observes time/power and cracks cipher without trying each key Device in normal operation, no physical harm Covert channel without conspiracy/consent
Side-Channel Attacks in a Nutshell (figure: measurement path on one side, estimation path on the other) Measurement: a device holding the unknown secret key processes known inputs while the attacker records a physical quantity Estimation: the attacker guesses a key fragment K_G (e.g. 8 bits, for which brute force is easy, whereas brute-forcing the 128-bit AES key is impossible), predicts the intermediate value P = S^-1(K_G ⊕ C), and estimates its leakage as E = HmW(P) (Hamming weight) Analysis: compare estimation with measurement and choose the key guess with the best match Caveat: “estimated power = number of changing bits” can be a lousy model
Power Analysis Example Unprotected ASIC AES with 128-bit datapath and key scheduling Measurement: Ipeak (peak supply current) in round 11 Estimation: Hamming distance of 8 internal bits Comparison: correlation Key bits easily found despite algorithmic noise; 128-bit key recovered in under 3 min. (figure: supply-current trace with the ‘start encryption’ signal and the clock cycle of interest marked)
DPA Result Example (figure): differential curves of average power consumption for the correct key guess versus an incorrect key guess
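The estimation-versus-measurement loop of the preceding slides (guess a key fragment, predict P = S^-1(K_G ⊕ C) and E = HmW(P), correlate against the traces, keep the best match) as an added, runnable example that is not part of the original lecture: a correlation power analysis on the last AES round. The “device” is simulated, which is an assumption: each constructed trace is the summed Hamming weight of all sixteen last-round S-box inputs plus Gaussian noise, so the fifteen bytes not under attack play the role of the algorithmic noise the slide mentions. The S-box is built from its GF(2^8) definition; the round key is the FIPS-197 Appendix A round-10 key used only as a test value. What is recovered is the last round key, from which the master key follows by inverting the key schedule (not shown).

```python
import random
from math import sqrt


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box from its definition: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv, base, e = 1, x, 254          # x^254 is x^-1 in GF(2^8); 0 maps to 0
        while e:
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        s = inv
        for i in range(1, 5):             # s = inv XOR rotl(inv,1..4) XOR 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
HW = [bin(v).count("1") for v in range(256)]       # Hamming weight table


def simulate_traces(round_key, n, noise_sd=1.0, seed=0):
    """Constructed measurements.  The last-round S-box input is P_i = S^-1(C_i XOR K_i);
    the simulated device leaks the Hamming weight of all 16 such bytes at once (the 15 bytes
    not under attack are the algorithmic noise) plus Gaussian measurement noise."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        c = bytes(rng.randrange(256) for _ in range(16))
        leak = sum(HW[INV_SBOX[c[i] ^ round_key[i]]] for i in range(16))
        traces.append((c, leak + rng.gauss(0.0, noise_sd)))
    return traces


def cpa_key_byte(traces, i):
    """Rank the 256 guesses K_G for round-key byte i by the Pearson correlation between
    E = HW(S^-1(K_G XOR C_i)) and the measurement.  The prediction depends only on the
    ciphertext byte, so traces are binned by that byte first; the binned sums give exactly
    the per-trace correlation at a fraction of the cost."""
    n = len(traces)
    mean_m = sum(m for _, m in traces) / n
    cnt, dsum = [0] * 256, [0.0] * 256
    for c, m in traces:
        cnt[c[i]] += 1
        dsum[c[i]] += m - mean_m
    s_mm = sum((m - mean_m) ** 2 for _, m in traces)
    corr = []
    for k in range(256):
        h = [HW[INV_SBOX[c ^ k]] for c in range(256)]
        mean_h = sum(cnt[c] * h[c] for c in range(256)) / n
        s_hm = sum(h[c] * dsum[c] for c in range(256))
        s_hh = sum(cnt[c] * (h[c] - mean_h) ** 2 for c in range(256))
        corr.append(s_hm / sqrt(s_hh * s_mm) if s_hh > 0 else 0.0)
    best = max(range(256), key=corr.__getitem__)
    return best, corr


def recover_round_key(traces):
    """Divide and conquer: 16 independent 8-bit searches instead of one 128-bit search."""
    return bytes(cpa_key_byte(traces, i)[0] for i in range(16))


if __name__ == "__main__":
    ROUND10_KEY = bytes.fromhex("d014f9a8c9ee2589e13f0cc8b6630ca6")  # FIPS-197 App. A, round 10
    trs = simulate_traces(ROUND10_KEY, 2000, noise_sd=1.0, seed=42)
    found = recover_round_key(trs)
    print("recovered:", found.hex(), "correct:", found == ROUND10_KEY)
```

With sixteen bytes leaking together the correct guess correlates at only about 0.25, yet it stands out clearly from the wrong guesses once a couple of thousand traces are averaged; that is the “despite algorithmic noise” point of the slide, and also why the lousy-model caveat matters less than one might expect: the S-box nonlinearity makes wrong-key predictions nearly uncorrelated with the measurement.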
EM-attack example (figures): one pair of traces in which the tested bit is 0 in both, and one pair in which the tested bit differs
Side-Channel Attacks Power-based attacks (SPA, DPA, HO-DPA) Timing-based attacks Electromagnetic-based attacks Fault-injection attacks
Remote Power Analysis to RFID Tags Most of the payload of today’s RFID tags is public – that’s what they’re for However, tags still have secrets! Today – EPC tags have secret access and kill passwords Tomorrow – cryptographic keys?
A Closer Look at Backscatter Modulation The current flowing through the tag antenna results in an electromagnetic field Busy tag = more current = stronger field We call this effect parasitic backscatter (figure: reader and tag)
Existence of parasitic backscatter (1) Trace (power vs. time) shows the signal reflected from a Generation 1 tag during a kill command The tag is supposed to be completely silent Is it? Let’s zoom in…
Existence of parasitic backscatter (2) The distinctive saw-tooth pattern is added by the tag to the clean reader signal (figure: reflection from the tag overlaid on the original signal from the reader, power vs. time)
Full power analysis attack from parasitic backscatter The experiment was done with one tag at a fixed location The tag was programmed with kill password “1111 1111”, then “0000 0001” In both cases we tried to kill it with the wrong password “0000 0000”
Extracting one password bit In both cases the tag receives “0000 0000” In the first trace the tag is expecting “1111 1111”; in the second it is expecting “0000 0001”
CMOS Circuit Power Consumption CMOS circuits are built out of transistors, which act as voltage-controlled switches Switching activities at internal circuit nodes cause power and delay
CMOS Circuit Power and Delay Power consumption and timing delay are highly correlated to switching activities
Imbalance of Switching Activities when Processing Different Data
Synchronous Circuit Power Fluctuation Simulation Boolean circuits are vulnerable to side-channel attacks
What can we do about it? Randomize power consumption – add noise to reader/tag Use random initial point Random power management Random code injection De-correlate power consumption from internal data pattern being processed New transistor-level gate designs (SABL, DyCML, SDDL, WDDL, etc.) Current compensation Execute both nominal and complementary data Dual-rail asynchronous logic
Asynchronous Logic No clock High power efficiency Potential speed up Low noise / emission Flexible timing requirement Robust operation
Attempting to Balance Power Fluctuation – Traditional Asynchronous Method NULL Convention Logic (NCL) Multi-rail encoding DATA–NULL cycle Dual-rail encoding (State: Rail 1, Rail 0): NULL: 0, 0; DATA0: 0, 1; DATA1: 1, 0; Invalid: 1, 1 Each DATA token is followed by a NULL, so the number of switching events per cycle is independent of the data pattern
However, Power Fluctuation Still Exists (figure: rail waveforms for DATA1, NULL, DATA1, NULL, DATA1, NULL – Rail 1 toggles every phase while Rail 0 stays at 0) The imbalance of switching activity between the two rails still causes power fluctuation
Balancing the Switching Activities between Two Rails Dual-spacer Dual-rail Delay-insensitive Logic (D3L) Encoding (State: Rail 1, Rail 0): All-zero spacer (AZS): 0, 0; DATA0: 0, 1; DATA1: 1, 0; All-one spacer (AOS): 1, 1 The spacers alternate: DATA1, AZS, DATA0, AOS, DATA1, AZS, …
Data Sequence Examples (Rail 1 / Rail 0 waveforms) AZS DATA1 AOS DATA1 AZS DATA1 AOS DATA1 AZS AZS DATA0 AOS DATA0 AZS DATA0 AOS DATA0 AZS AZS DATA0 AOS DATA1 AZS DATA1 AOS DATA0 AZS In every case the switching activities of the two rails are perfectly balanced
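To make the rail-balance argument of the NCL and D3L slides concrete, here is an added example (not from the lecture) that encodes a bit sequence in both schemes, counts the transitions on each rail, and applies a toy power model in which the two rails have unequal switching cost; the 1.0 versus 1.3 weights are assumed values standing in for the routing and load mismatch between the rails. It reproduces the three claims on the slides: in NCL the total switching count is data-independent but its split between the rails is not, and in D3L the per-rail counts are identical for every data pattern, so even the mismatched-rail power is data-independent.

```python
# Rail values (rail 1, rail 0) for every symbol of the two encodings shown on the slides
NCL = {"NULL": (0, 0), "DATA0": (0, 1), "DATA1": (1, 0)}
D3L = {"AZS": (0, 0), "DATA0": (0, 1), "DATA1": (1, 0), "AOS": (1, 1)}


def ncl_sequence(bits):
    """NCL: every DATA token is followed by the single NULL spacer (DATA-NULL cycle)."""
    seq = ["NULL"]
    for b in bits:
        seq += [f"DATA{b}", "NULL"]
    return seq


def d3l_sequence(bits):
    """D3L: spacers alternate between all-zero (AZS) and all-one (AOS)."""
    seq, spacers = ["AZS"], ("AOS", "AZS")
    for idx, b in enumerate(bits):
        seq += [f"DATA{b}", spacers[idx % 2]]
    return seq


def rail_transitions(seq, encoding):
    """Number of 0->1 / 1->0 events on rail 1 and on rail 0 over the whole sequence."""
    t1 = t0 = 0
    for prev, cur in zip(seq, seq[1:]):
        (p1, p0), (c1, c0) = encoding[prev], encoding[cur]
        t1 += p1 != c1
        t0 += p0 != c0
    return t1, t0


def power(seq, encoding, w1=1.0, w0=1.3):
    """Toy model: each transition costs the switching energy of its rail.  The unequal
    weights (assumed values) stand for the routing/load mismatch between the two rails."""
    t1, t0 = rail_transitions(seq, encoding)
    return w1 * t1 + w0 * t0


def compare(bits):
    """Per-rail switching counts and modelled power for the same data under NCL and D3L."""
    ncl, d3l = ncl_sequence(bits), d3l_sequence(bits)
    return {
        "ncl": (rail_transitions(ncl, NCL), power(ncl, NCL)),
        "d3l": (rail_transitions(d3l, D3L), power(d3l, D3L)),
    }
```

In D3L every AZS, DATA, AOS, DATA, AZS cycle produces exactly two transitions on each rail whatever the two data values are, which is the invariant the waveform slides illustrate; in NCL a run of DATA1 tokens exercises only rail 1, so any physical asymmetry between the rails turns straight into a data-dependent power trace.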
The Flip Side Both NCL and D3L are delay-insensitive and exhibit average-case performance: each computation completes as soon as its data is ready, so processing time depends on the input pattern and the same input pattern always takes the same amount of time to process This significantly facilitates timing-based side-channel attacks Solution – timing randomization using delay elements
Delay Element Used in D3L Circuits
Controlling the Delay Element
Test Vehicle – AES Core
Simulation Setup Three AES Cores – Synchronous, NCL, D3L (two versions) IBM 5AM 0.5μm Process Differential Power Analysis on all three designs Timing Analysis on D3L designs (with and without delay elements) Synopsys Nanosim
DPA Results
Timing Analysis Results