Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523

Published byEdward Shepherd Modified over 6 years ago

Similar presentations

Presentation on theme: "Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523"— Presentation transcript:

1 Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523
5-5728,

2 Outline RFID Tag Overview Tag Architecture Memory Tag Protocol
Managing Tag Populations Threats and Mitigation

3 RFID Tag Overview

4 Classification of RFID Tags
Class-1: Identity Tags (Normative) Higher-Class Tags (Informative) Class-2: Higher-Functionality Tags Class-3: Semi-Passive Tags Class-4: Active Tags Higher-class tags shall not conflict with the operation of, nor degrade the performance of, Class-1 tags located in the same RF environment.

5 Classification of RFID Tags (Cont’)
Class-1: Identity Tags An electronic product code (EPC) identifier A tag identifier A ‘kill’ function that permanently disable the tag Optional password-protected access control Optional user memory Class-2: Higher-Functionality Tags An extended Tag ID Extended user memory Authenticated access control Optional other features Class-3: Semi-Passive Tags An integral power source Integrated sensing circuitry Class-4: Active Tags Tag-to-tag communications Active communications Ad-hoc networking capabilities *Note that each higher-class tag has its extended features above and beyond its immediate predecessor *We focus on Class-1, UHF RFID Tags

6 Review of Reader-Tag Communication
A reader transmits information to a tag by modulating an RF signal in the 860 MHz – 960 MHz frequency range. The tag receives both information and operating energy from this RF signal. A reader receives information from a tag by transmitting a continuous-wave RF signal to the tag. The tag responds by modulating the reflection coefficient of its antenna, thereby backscattering an information signal to the reader. Communication is half-duplex, meaning that readers talk and tags listen, or vice versa.

7 Tag Architecture

8 Reader-Tag Communication Protocol Overview
Physical Layer Tag-identification layer Select Inventory Access

9 Circuit Block Diagram

10 Antenna K. V. S. Rao, P. V. Niktin, S. F. Lam, “Antenna design for UHF RFID tags: a review and a practical application,” IEEE Transactions on Antenna and Propagation, Vol. 53, Issue 12, Dec. 2005

11 Power Generation and Management Circuit
Rectifier Charge Pump Voltage Regulator Reset Circuit

12 Rectifier Convert alternating current to rectified direct current
Half-wave rectification Full-wave rectification

13 Charge Pump Use capacitors as energy storage elements to create either a higher or lower voltage power source Multi-stage operation It can double, triple, halve, invert, fractionally multiply or scale voltages

14 Voltage Regulator Maintain a constant voltage level
Low Dropout (LDO) regulator – a DC linear voltage regulator which has a very small input-output differential voltage

15 Reset Circuit Generate reset signal for the whole chip Power-on reset

16 Demodulator Envelope detector Comparator Ring oscillator
Bias generator

17 Envelope Detector Take a high-frequency signal as input, and provide an output which is the “envelope” of the original signal

18 Comparator

19 Ring Oscillator A chain containing odd number of inverters, with the output of the last inverter feeds back to the input of the first inverter

20 Modulator Phase modulator – represent information as variations in the instantaneous phase of a carrier wave

21 Memory

22 Memory Banks Four distinct banks, each has its own address space
Reserved Memory – contain kill and/or access passwords EPC Memory – contain a CRC, Protocol-Control (PC) bits, and an identification code TID Memory – contain an ISO/IEC allocation class identifier, and sufficient identifying information User Memory – contain user-specific data storage

23 Logical Memory Map

24 Memory Access Commands have a MemBank parameter to select which bank to access (00-Reserved, 01-EPC, 10-TID, 11-User), and an address parameter to select a particular memory location within the bank Operations in one logical memory bank shall not access memory locations in another bank Readers may lock, permanently lock, unlock, or permanently unlock memory 16-bit word

25 Tag Protocol

26 Basic Operations Select – choose a tag population for inventory and access Inventory – identify tags Access – communicate with (reading from and/or writing to) a tag

27 Sessions and Inventory Flags
Four sessions (S0, S1, S2, S3) Tag participates in one and only one session during an inventory round Two or more readers can use sessions to independently inventory a common tag population Tags maintain an independent Inventoried flag for each session – two value (A/B) At the beginning of each and every inventory round a reader chooses to inventory either A or B tags in one of the four sessions Tags participating in an inventory round in one session shall neither use nor modify the Inventoried flag for a different session All other tag resources are shared among sessions except the Inventoried flags After singulating a tag a reader may issue a command that causes the tag to invert its Inventoried flag for that session

28 Session Diagram

29 Tag Inventoried Flags Power-On Status
Persistence time S0 Inventoried flag – set to A S1 Inventoried flag – set to A or B S2 Inventoried flag – set to A or B S3 Inventoried flag – set to A or B Question – since the power-on status of some flags are unknown by the reader, how can a reader inventory all tags in the field? Selected flag – SL

30 FSM At a glance

31 Ready State A “holding state” for energized tags that are neither killed nor currently participating in an inventory round After power-on, tag maintains in Ready state until it receives a Query command whose inventoried parameter and sel parameter match its current flag values It will then draw a Q-bit number from RNG, load it into the slot counter, and transition to the Arbitrate state if the number is nonzero, or to the Reply state if the number is zero

32 Arbitrate State A “holding state” for tags that are participating in the current inventory round but whose slot counters hold nonzero values Decrement its slot counter every time it receives a QueryRep command whose session parameter matches the session for the inventory round currently in progress Transition to the Reply state when its slot counter reaches 0000h If tag returns to Arbitrate state with slot counter as 0000, upon next QueryRep the tag decrements it to 7FFFh, and remains in Arbitrate state

33 Reply State Tag backscatters an RN16
If tag receives a valid ACK it transitions to the Acknowledged state; otherwise returns to the Arbitrate state

34 Acknowledged State May transition to any state except Killed state depending on the command Upon receiving a valid ACK containing the correct RN16, the tag re-backscatters its PC, EPC, and CRC-16; otherwise returns to Arbitrate state

35 Open State A tag in the Acknowledged state whose access password is nonzero shall transition to Open state upon receiving a Req_RN command, backscattering a new RN16 (handle) Execute all access commands except Lock May transition to any state except Acknowledged state Upon receiving a valid ACK containing the correct handle, the tag re-backscatters it PC, EPC, and CRC-16

36 Secured State A tag in the Acknowledged state whose access password is zero shall transition to the Secured state upon receiving a Req_RN command, backscattering a new RN16 (handle) A tag in the Open state whose access password is nonzero shall transition to Secured state upon receiving a valid Access command sequence Execute all access commands May transition to any state except Open or Acknowledged Upon receiving a valid ACK containing the correct handle, the tag re-backscatters it PC, EPC, and CRC-16

37 Killed State A tag in either the Open or Secured states shall enter the Kill state upon receiving a Kill command sequence with a valid nonzero kill password and valid handle Kill permanently disables a tag Upon entering the Killed state a tag shall notify the reader that the kill operation was successful, and shall not respond to a reader thereafter Killed tags shall remain in the Killed state under all circumstances and shall immediately enter Killed state upon subsequent power-ups A kill operation is not reversible

38 Random Number Generator and Slot Counter
RNG – random or pseudo-random number generator generates 16-bit random number RN16 Slot Counter – a 15-bit counter, preload a value between 0 and 2Q-1 upon receiving a Query or QueryAdjust command

39 Managing Tag Populations

40 Reader/Tag Operation

41 Selecting Tag Populations
Single command – Select Assert/deassert a tag’s SL flag, or set a tag’s Inventoried flag to either A or B in any one of the four sessions Parameters – Target, Action, MemBank, Pointer, Length, Mask, and Truncate By issuing multiple identical Select commands a reader can asymptotically single out all tags matching the selection criteria even though tags may undergo short-term RF fades

42 Inventorying Tag Populations
Several commands – Query, QueryAdjust, QueryRep, ACK, and NAK Query sets a slot-count parameter Q. Tags pick a random value in the range of [0, 2Q-1], and load the value into their slot counter. Tags that pick a zero transition to the reply state and reply immediately; others transition to the arbitrate state and await a QueryAdjust or QueryRep command.

43 Inventorying Tag Populations (Cont’)
Assuming that a single tag replies The tag backscatters an RN16 as it enters reply The reader acknowledges the tag with an ACK containing this same RN16 The acknowledged tag transitions to the acknowledged state, backscattering its PC, EPC, and CRC-16 The reader issues a QueryAdjust or QueryRep, causing the identified tag to invert its inventoried flag and transition to ready, and potentially causing another tag to initiate a query-response dialog with the reader If the tag fails to receive a correct ACK, it returns to arbitrate

44 Inventorying Tag Populations (Cont’)
If multiple tags reply, the reader, by detecting the resolving collisions at the waveform level, can resolve an RN16 from one of the tags, the reader can ACK the resolved tag. Unresolved tags receive erroneous RN16s and return to arbitrate without backscattering their PC, EPC, and CRC-16

45 Accessing Individual Tags
Several commands – Req_RN, Read, Write, Kill, Lock, Access, BlockWrite, BlockErase A reader accesses a tag in acknowledged state The reader issues a Req_RN to the tag The tag generates and stores a new RN16 (handle), backscatters the handle, and transitions the open if its access password is nonzero, or to secured if zero The reader may now issue further access commands

46 Accessing Individual Tags (Cont’)
Handle is an important parameter to access a tag Write, Kill, and Access commands send a 16-bit word to the tag using one-time-pad based link cover-coding to obscure the word being transmitted The reader issues Req_RN. Tag responds by backscattering a new RN16. The reader then generate a 16-bit ciphertext string comprising a bit-wise XOR of the 16-bit word to be transmitted with the new RN16, and issues the command with this ciphertext string as parameter The tag decrypts the received ciphertext string by performing a bit-wise XOR of the received 16-bit ciphertext string with the original RN16 Multi-step procedure – Kill, issuing an access password Memory lock

47 Tag Layer Threats and Mitigation Methods
Some Slides Borrowed from Kris Tiri, Hwasun Chang, Yossef Oren, and Pankaj Rohatgi

48 Limitations of Class I Gen 2 RFID Tags
Cost Power Wireless communication nature

49 Attacks for Impersonation
Tag Cloning / Counterfeiting Tag Spoofing Relay Attack Replay Attack

50 Tag Cloning / Counterfeiting
An adversary can easily copy the memory content of an authentic tag to create an identical yet cloned tag EPC Class I tags have no mechanism for preventing cloning In many cases, cloned tags are indistinguishable from authentic ones

51 Tag Spoofing Emulation A variation of tag cloning
An adversary uses a custom designed electronic device to imitate, or emulate, the authentic tag The adversary needs to have full access to legitimate communication channel as well as knowledge of the protocols and secrets used in the authentication process

52 Mitigating Tag Cloning / Counterfeiting / Spoofing Attacks
Challenge-response authentication protocol Physical Unclonable Function (PUF) Fragile watermarking Tag Fingerprinting

53 Relay Attack Man-in-the-middle
Close proximity assumption (<~25 feet) This assumption can be utilized by an adversary to “fool” the authentic tag and reader by letting them believe they are communicating with each other directly, while they are actually talking to “the middle man”

54 Replay Attack Similar to relay attack
An adversary may use the captured valid reader-tag communication data at a later time to other readers or tags for impersonation

55 Mitigating Relay Attacks
Detect the distance between reader and tag Limit the direction of radio signals

56 Mitigating Replay Attacks
Add timestamps One-time password Incremental sequence numbers Clock synchronization

57 Attacks for Information Leakage
Unauthorized Tag Reading Covert Channel Eavesdropping Tag Modification Side-Channel Attacks (to be covered later)

58 Unauthorized Tag Reading
An adversary places an illegitimate reader within the proximity of the target tag to access the tag data Tags do not have on/off switches Simple yet effective

59 Covert Channel Covert channels are unintended or unauthorized communication paths that can be used to transfer information in a manner that violates system security policies It is possible to create covert communication channels through the use of user-defined memory banks on tag

60 Eavesdropping / Sniffing
An adversary uses an electronic device with antenna to listen to the legitimate reader-tag communication and record the messages Reader-to-tag (forward channel) Tag-to-reader (backward channel)

61 Mitigating Unauthorized Tag Reading / Covert Channel / Eavesdropping Attacks
Break the reader-tag communication link when the tag is not being accessed Tag shielding Blocker tag RFID Guardian Apply access control mechanisms to the tag Communication Encryption Kill the tag after use Reduce the availability of the memory resource on tag

62 Tag Modification An adversary tries to modify the data stored on tag
User-writeable memory

63 Mitigating Tag Modification and Reprogramming Attacks
Use read-only tags Adopt efficient coding / cryptographic algorithms to secure the on-tag data Reader authentication

64 Attacks for Denial-of-Service (DoS)
KILL Command Abuse Passive Interference Active Jamming

65 Kill Command Abuse If an adversary obtains the password for the Kill command, he/she can use it to issue unauthorized Kill commands Lock Permanent Lock

66 Passive Interference The RF communication link between reader and tag is susceptible to interferences Absorption Bound back Collision An adversary may use foil-lined bags to shield tags from EM waves sent from a legitimate reader to block the access

67 Active Jamming Powered interference
An adversary uses an electronic device to send out radio signals to disrupt the reader-tag communication

68 Mitigating Kill Command Abuse / Passive Interference / Active Jamming Attacks
Improve the physical security of the authorized reader-tag communication channel Secure password management

69 Attacks through Physical Manipulation
Physical Tampering Tag Swapping Tag Removal Tag Destruction Tag Reprogramming

70 Side-Channels Information leakage from implementation
Example: safecracker feels tumblers impacting and opens lock without trying each combination Similarly: hacker observes time/power and cracks cipher without trying each key Device in normal operation, no physical harm Covert channel without conspiracy/consent

71 Side-Channel Attacks in a Nutshell
e.g. estimated power = number of changing bits can be lousy model AES: 128-bit secret key brute force impossible P = S-1(KGC) E = HmW(P) estimation device key fragment guess unknown secret key input measurement model analysis P = S-1(KGC) E = HmW(P) compare both and choose key guess with best match e.g. guess 8 bits brute force easy

72 Power Analysis Example
Unprotected ASIC AES with 128-bit datapath, key scheduling Measurement: Ipeak in round 11 Estimation: HamDistance of 8 internal bits Comparison: correlation Key bits easily found despite algorithmic noise 128-bit key under 3 min. ‘start encryption’-signal clock cycle of interest supply current

73 With Incorrect Key Guess
DPA Result Example Average Power Consumption Power Consumption Differential Curve With Correct Key Guess With Incorrect Key Guess

74 EM-attack example: TESTED BIT = 0 IN BOTH TRACES

75 EM-attack example: TESTED BIT DIFFERENT
O

76 Side-Channel Attacks Power-based attacks (SPA, DPA, HO-DPA)
Timing-based attacks Electromagnetic-based attacks Fault-injection attacks

77 Remote Power Analysis to RFID Tags
Most of the payload of today’s RFID tags is public – that’s what they’re for However, tags still have secrets! Today – EPC tags have secret access and kill passwords Tomorrow – cryptographic keys?

78 A Closer Look at Backscatter Modulation
The current flowing through the tag antenna results in an electromagnetic field Busy tag = More current = stronger field We call this effect parasitic backscatter Reader Tag

79 Existence of parasitic backscatter (1)
Trace shows the signal reflected from a Generation 1 tag during a kill command Tag is supposed to be completely silent Is it? Let’s zoom in… Power Time 79

80 Existence of parasitic backscatter (2)
The distinctive saw-tooth pattern is added by the tag to the clean reader signal Reflection from tag Original signal from reader Power Time 80

81 Full power analysis attack from parasitic backscatter
Experiment was done with one tag at a fixed location Tag was programmed with kill password “ ”, then “ ” In both cases we tried to kill it with the wrong password “ ” 81 81

82 Extracting one password bit
In both cases, tag gets “ ” Here, the tag is expecting “ ” Here, it is expecting “ ” 82

83 CMOS Circuit Power Consumption
CMOS circuits are built out of transistors, which act as voltage-controlled switches Switching activities at internal circuit nodes cause power and delay

84 CMOS Circuit Power and Delay
Power consumption and timing delay are highly correlated to switching activities

85 Imbalance of Switching Activities among Processing Different Data

86 Synchronous Circuit Power Fluctuation Simulation
Boolean circuits are vulnerable to side-channel attacks

87 What can we do about it? Randomize power consumption – add noise to reader/tag Use random initial point Random power management Random code injection De-correlate power consumption from internal data pattern being processed New transistor-level gate designs (SABL, DyCML, SDDL, WDDL, etc.) Current compensation Execute both nominal and complementary data Dual-rail asynchronous logic

88 Asynchronous Logic No clock High power efficiency Potential speed up
Low noise / emission Flexible timing requirement Robust operation

89 Attempting to Balance Power Fluctuation – Traditional Asynchronous Method
NULL Convention Logic (NCL) Multi-rail encoding DATA-NULL cycle State Rail 1 Rail 0 NULL DATA 0 1 DATA 1 Invalid Rail 1 Rail 0 1 N N 1 N Number of switching is independent of data pattern

90 However, Power Fluctuation Still Exists
Rail 1 Rail 0 1 N 1 N 1 N Rail 1 Rail 0 N N N Imbalance of switching activities between the two rails still cause power fluctuation

91 Balancing the Switching Activities between Two Rails
Dual-spacer Dual-rail Delay-insensitive Logic (D3L) State Rail 1 Rail 0 All-zero spacer DATA 0 1 DATA 1 All-one spacer Rail 1 Rail 0 DATA1 AZS DATA0 AOS DATA1 AZS

92 Data Sequence Examples
Rail 1 Rail 0 AZS DATA1 AOS DATA1 AZS DATA1 AOS DATA1 AZS Rail 1 Rail 0 AZS DATA0 AOS DATA0 AZS DATA0 AOS DATA0 AZS Rail 1 Rail 0 AZS DATA0 AOS DATA1 AZS DATA1 AOS DATA0 AZS Switching activities between two rails are perfectly balanced

93 The Flip Side Both NCL and D3L exhibit average case performance, i.e., the same input pattern always takes the same amount of time to process Significantly facilitate timing-based side-channel attacks Solution – timing randomization using delay elements

94 Delay Element Used in D3L Circuits

95 Controlling the Delay Element

96 Test Vehicle – AES Core

97 Simulation Setup Three AES Cores – Synchronous, NCL, D3L (two versions) IBM 5AM 0.5μm Process Differential Power Analysis on all three designs Timing Analysis on D3L designs (with and without delay elements) Synopsys Nanosim

98 DPA Results

99 Timing Analysis Results

Download ppt "Tag Layer CSCE 4013 RFID INFOSEC Instructor: Dr. Jia Di JBHT 523"

Similar presentations

Lesson Title: Tag Threats, Risks, and Mitigation Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Tag Threats, Risks, and Mitigation Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.
1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.

1 Remote Power Analysis of RFID Tags Joint work with Adi Shamir yossi.oren[at]weizmann.ac.il 28/Aug/06.
Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu

Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu
EPC Radio Frequency Identify Protocols Class1 Generation-2 UHF RFID 860 MHZ – 960 MHZ EPCglobal.

EPC Radio Frequency Identify Protocols Class1 Generation-2 UHF RFID 860 MHZ – 960 MHZ EPCglobal.
1 EPCglobal Training Suite. 2 Introduction Tag Protocol - UHF Class 1 Gen 2 Ultra High Frequency (UHF) Generation 2 (Generation 1 is deprecated) Class.

1 EPCglobal Training Suite. 2 Introduction Tag Protocol - UHF Class 1 Gen 2 Ultra High Frequency (UHF) Generation 2 (Generation 1 is deprecated) Class.
Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.

Chip tag A radio-frequency identification system uses tags readers send a signal to the tag and read its response RFID tags can be either passive active.
Radio Frequency Identification By Bhagyesh Lodha Vinit Mahedia Vishnu Saran Mitesh Bhawsar.

Radio Frequency Identification By Bhagyesh Lodha Vinit Mahedia Vishnu Saran Mitesh Bhawsar.
Phase-Locked Loop Design S emiconducto r S imulation L aboratory Phase-locked loops: Building blocks in receivers and other communication electronics Main.

Phase-Locked Loop Design S emiconducto r S imulation L aboratory Phase-locked loops: Building blocks in receivers and other communication electronics Main.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.

Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?

Encryption Questions answered in this lecture: How does encryption provide privacy? How does encryption provide authentication? What is public key encryption?
Physical-layer Identification of UHF RFID Tags Authors: Davide Zanetti, Boris Danev and Srdjan Capkun Presented by Zhitao Yang 1.

Physical-layer Identification of UHF RFID Tags Authors: Davide Zanetti, Boris Danev and Srdjan Capkun Presented by Zhitao Yang 1.
A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.

A paper by: Paul Kocher, Joshua Jaffe, and Benjamin Jun Presentation by: Michelle Dickson.
Azam Supervisor : Prof. Raj Jain

Azam Supervisor : Prof. Raj Jain
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.

DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.

Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Strategic Innovation Management Prof. Marc Gruber January 27, 2011.

Strategic Innovation Management Prof. Marc Gruber January 27, 2011.
Wireless LAN Requirements (1) Same as any LAN – High capacity, short distances, full connectivity, broadcast capability Throughput: – efficient use wireless.

Wireless LAN Requirements (1) Same as any LAN – High capacity, short distances, full connectivity, broadcast capability Throughput: – efficient use wireless.
Radio Equipment. Review: On the Transmitter Side The purpose of radio communications is to transfer information from one point to another. The information.

Radio Equipment. Review: On the Transmitter Side The purpose of radio communications is to transfer information from one point to another. The information.

Similar presentations

Ads by Google