Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Slides:

Advertisements

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Advertisements

Lesson Title: RFID Modulation, Encoding, and Data Rates Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Bridging the gap between software developers and auditors.

Lesson Title: Tag Threats, Risks, and Mitigation Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Nurbek Saparkhojayev and Dale R. Thompson, Ph.D., P.E. Computer Science and Computer Engineering Dept. University of Arkansas Matching Electronic Fingerprints.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Threats to and by an RFID system Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Lesson Title: Electromagnetics and Antenna Overview Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Singulation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This material.

Secure Software Development Chris Herrick 01/29/2007.

Storage Security and Management: Security Framework

Lesson Title: Hacking RFID and other RF devices Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

Lesson Title: History of RFID Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Fast Fourier Transform Overview Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: RFID Frequency Bands Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

1 Presented by July-2013, IIM Indore. 2  RFID = Radio Frequency IDentification.  RFID is ADC (Automated Data Collection) technology that:-  uses radio-frequency.

CSE 403 Lecture 14 Safety and Security Requirements.

MIXNET for Radio Frequency Identification Jaanus Uudmae, Harshitha Sunkara, Dale R. Thompson, Sean Bruce, and Jayamadhuri.

Lesson Title: Introduction to RFID Applications Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

SEC835 Practical aspects of security implementation Part 1.

1 RFID Technology and Threat Modeling Presented by: Neeraj Chaudhry University of Arkansas.

Lesson Title: Privacy Overview Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: RFID Stakeholders Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1.

Broadening Expertise in Critical Infrastructure Protection Mobile Devices Module Funded through NSF Grant Award # DUE Any opinions, findings, conclusions.

Lesson Title: EPCglobal and ISO/IEC Item Management Standards Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

1 RFID Technical Tutorial and Threat Modeling Presented by: Neeraj Chaudhry University of Arkansas.

What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent.

Lesson Title: Types of RFID Tags Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1.

Lesson Title: Guidelines for Securing RFID Systems Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Chapter 1 COMPUTER AND NETWORK SECURITY PRINCIPLES.

Lesson Title: EPCglobal Gen2 Tag Finite State Machine Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas.

Practical Threat Modeling for Software Architects & System Developers

Lesson Title: Social Implications of RFID Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Module 2: Designing Network Security

What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.

Lesson Title: FCC Rules for ISM Band Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

CSE 403, Software Engineering Lecture 6

Computer Science, Software Engineering & Robotics Workshop, FGCU, April 27-28, 2012 RFID Security Nicholas Alteen Computer Science Program Florida Gulf.

Computers and Security by Calder Jones. What is Computer Security Computer Security is the protection of computing systems and the data that they store.

Chapter 1: Security Governance Through Principles and Policies

Lesson Title: ThingNet Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This material.

Lesson Title: Tag Architecture Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Animal Identification Standards Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Threat Modeling: Employing the 5 Ws Security Series, December 13, 2013 Jeff Minelli Penn State ITS

Lesson Title: RFID Nominal Read Range in Far Field Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Training Arkansas Computing Teachers (TACT)

Off-line Risk Assessment of Cloud Service Provider

Information and Network Security

Discussion and Conclusion

Which Management Frames Need Protection?

Lesson Title: Reader Architecture and Antenna Configurations

Title of Poster Site Visit 2017 Introduction Results

Title of session For Event Plus Presenters 12/5/2018.

Copyright © 2008 by Dale R. Thompson Dale R. Thompson

CS 465 Terminology Slides by Kent Seamons Last Updated: Sep 7, 2017.

Copyright Gupta Consulting, LLC.

Title of Poster Site Visit 2018 Introduction Results

Vulnerability Reporting Process

This material is based upon work supported by the National Science Foundation under Grant #XXXXXX. Any opinions, findings, and conclusions or recommendations.

Lesson Title: Regulations Affecting RFID

Presentation transcript:

Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This material is based upon work supported by the National Science Foundation under Grant No. DUE Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF). Copyright © 2008, 2009 by Dale R. Thompson

Apply STRIDE* How can you spoof the system? How can you tamper with data? How can you repudiate your actions? How can you cause the system to disclose information (information disclosure) that should be confidential? How can you deny service to authorized users? How can you elevate your privilege? 2 *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

Media Interface Layer Threats 3 STRIDE* Category Threat Spoofing Identity - Replay tag responses - Replay reader responses - Relay attack Tampering with data Intercept and modify signal (difficult) Repudiation None Information disclosure Eavesdropping on reader and tag signals Denial of service - Jamming - Shielding - Coupling - Blocker tag Elevation of privilege None *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

Which threat seems the most important? 4

Media Interface Layer Mitigation 5 STRIDE* Category ThreatMitigation Spoofing Identity - Replay tag responses - Replay reader responses - Relay attack - Authentication - Authentication - Authentication Tampering with data Intercept and modify signal (difficult) Repudiation None Information disclosure Eavesdropping on reader and tag signals - Cryptography Denial of service - Jamming - Shielding - Coupling - Blocker tag Easy to detect Elevation of privilege None *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

Gen2 Passwords Access Password: 32-bit password to prevent changing of EPC either temporarily or permanently Kill Password: 32-bit password to prevent killing of the tag Locking – Lock – Unlock – Permanently Lock – Permanently Unlock 6

Gen2 Locking Options Read unlocked Read locked – password required to read Write locked – password required to write Read permanently unlocked – Memory can be read and never locked Write permanently unlocked – Password required to write – Memory cannot be locked 7

Gen2 Memory sections that can be locked Kill password memory Access password memory EPC memory TID memory User memory Options: Locked, Unlocked, Permanently Locked, or Permanently Unlocked 8

Gen2 Cover-Coding Write, Kill, and Access commands use one- time pad to obscure transmitted word from the reader – Reader asks tag for new RN16 – Tag whispers the RN16 to the reader – Reader does a bit-wise exclusive-OR (XOR) of RN16 and 16-bit word to be transmitted – Tag decrypts by doing bit-wise XOR of the received word with the RN16 it sent 9

Apply DREAD* What is the damage potential? How easy is the threat to reproduce? How easy is the threat to exploit? Rank the number of affected users that the threat affects. How easy is it for the threat to be discovered? 10 *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

Contact Information Dale R. Thompson, Ph.D., P.E. Associate Professor Computer Science and Computer Engineering Dept. JBHT – CSCE University of Arkansas Fayetteville, Arkansas Phone: +1 (479) FAX: +1 (479) WWW:

Copyright Notice, Acknowledgment, and Liability Release Copyright Notice – This material is Copyright © 2008, 2009 by Dale R. Thompson. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or incorporated in commercial documents without the written permission of the copyright holder. Acknowledgment – These materials were developed through a grant from the National Science Foundation at the University of Arkansas. Any opinions, findings, and recommendations or conclusions expressed in these materials are those of the author(s) and do not necessarily reflect those of the National Science Foundation or the University of Arkansas. Liability Release – The curriculum activities and lessons have been designed to be safe and engaging learning experiences and have been field-tested with university students. However, due to the numerous variables that exist, the author(s) does not assume any liability for the use of this product. These curriculum activities and lessons are provided as is without any express or implied warranty. The user is responsible and liable for following all stated and generally accepted safety guidelines and practices. 12