1. Steve Bono1 Matthew Green1 Adam Stubblefield1 Avi Rubin1
1 The Johns Hopkins University Information Security Institute
Baltimore, MD 21211, USA
Ari Juels2
Michael Szydlo2
2 RSA Laboratories
Bedford, MA 01730, USA
Original Images by Paul Sagona

2. Overview Introduction Related Work Significance and Implications
Reverse Engineering
Key Cracking
RF Protocol Analysis and Simulation
Conclusion
First I’m going to give you an introduction, discussing a little about RFID: types, give a brief overview of this project and the authors attack strategy to tackle this problem
Talk about some related work, mainly dealing with reverse engineering and key cracking examples.
Significance and implications to discuss the implications of performing and presenting such results, as wells as providing example scenarios where events like this could take place.
Then I’ll go into their Reverse engineering procedure, lots of details
I will also discuss their key cracking methods
And lastly I’ll discuss their analysis and simulation, and present their conclusion.

3. Introduction: RFID Radio-Frequency Identification
Identification method for storing and remotely retrieving data using an RF device
Mass deployment and global adoption plans have spawned a large amount of attention from the scientific and commercial communities
Studies such as this have brought its large-scale usage into question
This research has had a broad impact on this technology
When people refer to the scrutiny of this some RFID technology, they refer to this paper. Very similar to the harvard group that cracked a voting machine.
(and showed how security by obscurity failed again)

4. Introduction: RFID EPC (Electronic Product Code) Tags
Class 1 Generation 2 standard
Inexpensive (5 cents/unit)
Wal-Mart and the United States Department of Defense have published requirements that their vendors place RFID tags on all shipments [1]
“Wireless Barcodes”
Limited circuitry, unable to implement any cryptographic primitives
One of the top forms of RFID that is receiving a lot of scrutiny are EPCs. Walmart is a huge player, requiring in 2005 that its top 100 vendors to include EPC on products.
“…difficulties implementing RFID systems. In practice, the successful read rates currently run only 80%, due to radio wave attenuation caused by the products and packaging. In time it is expected that even small companies will be able to place RFID tags on their outbound shipments.”

5. Introduction: RFID EPC (Electronic Product Code) Tags
ALN "Squiggle™"
World Tag: global operation 860 to 960 MHz
The EPC Class 1 Gen 2 price/performance benchmark
High performance solution for most packaging including products containing metal and water
97mm x 11mm
ALN "Squiggle®-SQ"
Global operation to 960 MHz
Ideal for item level tagging of plastic packaging such as pharmaceutical pill bottles and apparel hang tags
Near-field and far-field communication modes
23mmx 23m
Alien Technology provides UHF Radio Frequency Identification (RFID) products and services to customers in retail, consumer goods, manufacturing, defense, transportation and logistics, pharmaceuticals and other industries. Organizations use Alien's RFID products and services to improve the effectiveness, efficiency and security of their supply chains, logistics and asset tracking operations. Alien's products include RFID tags, RFID readers and related training and professional services. Alien's patented Fluidic Self Assembly (FSA) technology and related proprietary manufacturing processes are designed to enable the manufacture of high volume, low cost RFID tags.
Alien was founded in l994. Alien’s facilities include: its corporate headquarters in Morgan Hill, CA; RFID tag manufacturing facility in Fargo, ND; the Alien RFID Solutions Center in the Dayton, Ohio area, Quatrotec’s offices at the San Francisco International Airport (SFO); and its sales offices in the US, Europe and Asia. Alien is a member of EPCGlobal.

6. Introduction: RFID Digital Signal Transponder
Manufactured by Texas Instruments
Vehicle immobilizer keys
RFID ID embedded in Key
Condition for enabling Fuel-Injection system
Electronic Payment
Exxon-Mobil SpeedPass™
The main form of wireless RFID device that the authors focus on is the Digital Signal Transponder
More than 150 million vehicle
immobilizer keys shipped with many current
automobiles, including e.g model
Fords [7], use Texas Instruments low-frequency
RFID transponders
RFID transponder embedded
in the ignition key as a condition of enabling
the fuel-injection system of the vehicle. The devices
have been credited with significant reductions
in auto theft rates, as much as 90%
DSTs are used in the Exxon-
Mobil SpeedPassTM system, with more than seven
million cryptographically-enabled keychain tags accepted
at 10,000 locations worldwide [2].
It was originally developed by Verifone. As of 2004, more than seven million individuals possess Speedpass tags, which can be used at approximately 10,000 Exxon, Mobil and Esso gas stations worldwide. At one point, Speedpass was deployed experimentally in fast-food restaurants and supermarkets in select markets. McDonald's alone deployed Speedpass in over 400 Chicagoland restaurants. Additionally, Stop & Shop grocery chain tested Speedpass at their Boston area stores and removed the units in early The test was deemed a failure and McDonald's removed the scanners from all their restaurants in mid Speedpass has also been previously available through a Speedpass Car Tag and Speedpass-enabled Timex watch. [2]
[2].

7. Introduction: RFID Digital Signal Transponder
Consists of microchip and antenna cased in plastic or glass
Passive RFID device
Allows for small design and long life
Contains secret 40-bit Key
Reader initiates connection, DST emits 24-bit identifier (factory-set)
DST authenticates itself via a Challenge-Response protocol

8. Introduction: RFID
Digital Signal Transponder: Challenge-Response protocol
Reader initiates protocol with 40-bit challenge
DST encrypts challenge using its key and truncates resulting cyphertext to return a 24-bit response
“It is thus the secrecy of the key that ultimately protects the DST against cloning and simulation”

9. Introduction: ATTACK!
Able to break system by recovering secret key after collecting two challenge-response pairs
With arbitrary challenge, able to find key in less than an hour using array of 16 FPGAs
Pairs derived from predetermined-challenges (chosen-plaintext) can be cracked in minutes due to a time-space trade-off
Authors Successfully attacked the
Texas Instruments DST system. able to recover
the secret cryptographic key from a target DST device
after harvesting just two challenge-response pairs.
A field-programmable gate array is a
semiconductor device containing programmable logic components called "logic blocks", and programmable interconnects
Chosen-response attack will appear in future work
Hellman. A cryptanalytic time-memory
trade-off.
What does this mean for DTS’s????

10. Introduction: ATTACK!
Team showed that with cheap commodity hardware, an attacker could break the DTS system
Recover key by actively scanning at short range for fraction of a second (skimming)
With FPGA, attacker can simulate target after capturing multiple transcripts

11. Introduction: ATTACK! To validate:
Team found key from their purchased SpeedPass™ and simulated the DTS to successfully make a purchase at an Exxon-Mobil Station
Team found cryptographic key from DST ignition key, and was able to start a vehicle
Essentially hot-wiring the car.
Purpose:
To show again, that “security by obscurity” is ineffective for large-scale cryptographic systems.
And to provide security community with guidance for requirements for secure RFID systems.
Not to bring down the entire speedpass netowrk.

12. Introduction: ATTACK! Phase 1: Reverse Engineering
After obtaining rough schematic of the block cipher for the challenge response, they were able to determine all details of the cipher
Required experimental observation of inputs and outputs

13. Introduction: ATTACK! Phase 2: Key Cracking
Assembled array of 16 FPGA’s working in parallel
Able to crack arbitrary challenge in less than an hour
Also assembled FPGA for time-space trade-off [12]
Hellman. A cryptanalytic time-memory
trade-off.
12] HELLMAN, M. A cryptanalytic time-memory
trade-off. IEEE Transactions on Information Theory
26, 4 (July 1980), 410–416.

14. Introduction: ATTACK! Phase 3: Simulation
Given the key and serial number for a DST device, they were able to simulate its output
Simulation in software radio
Required careful analysis of the DST reader output

15. Related Work
Classic Black-box example: Duplicating the Purple encipher machine to reconstruct the Japanese Foreign Officer cipher during second World War
Reverse-engineering of RC4 cipher as well as A5/1 and A5/2 ciphers in GSM phones
No published black-box reverse-engineering of recent ciphers; developed custom techniques
machine without ever having physical access to one [13].
There are a number of well known contemporary examples
of the reverse-engineering of proprietary cryptographic
algorithms. For example, the RC4 cipher, formerly
protected as a trade secret by RSA Data Security
Inc., was publicly leaked in 1994 as the result of what
was believed to be reverse-engineering of software implementations
[4]. The A5/1 and A5/2 ciphers, employed
for confidentiality in GSM phones, were likewise publicly
disclosed as a result of reverse engineering. The
exact method of reverse-engineering has not been disclosed,
although the source was purportedly “an actual
GSM phone” [6].
There are also numerous

16. Related Work Key Recovery more well known
FPGA scheme similar to Deep Crack for recovering DES keys
Chosen-challenge pairs uses time-space tradeoff as Hellman describes in his work
Authors also use “distinguished point” enhancement of Rivest

17. Significance and Implications
Purpose is not to undermine the SpeedPass™ network, nor to allow easier theft of vehicles
Exxon-Mobil has several layers of security, including fraud detection
Largest threat to SpeedPass™ is attacker simulating multiply DSTs (suspicious use disables it)
network has on-line fraud detection mechanisms
loosely analogous to those employed for traditional
credit-card transaction processing. Thus an attacker
that simulates a target DST cannot do so with
complete impunity; suspicious usage patterns may result
in flagging and disabling of a SpeedPassTM device
in the network.

18. Significance and Implications
Serious threat to Vehicles
Renders vehicle as vulnerable as one without the immobilizer
Significant decline in auto-thefts is attributed to the immobilizers
Up to 90% decrease. If criminals get there hands on this that’ll change significantly
Over 1 mill boosts a year.

19. Significance and Implications
Effective Attack Range
Two different methods for capturing signals from DST: Active Scanning and Passive Eavesdropping
Active Scanning: attacker brings their own reader within range of DST (up to several inches) for only a few seconds
This type of attack could allow for an attacker to harvest two chosen-challenge transcripts and perform look-ups on Hellman tables on the cracking device
From the standpoint of an attacker, active scanning
has the advantage of permitting a chosen-challenge attack.
Hence this type of attack permits the use of precomputed
Hellman tables as touched on above. In principle,
therefore, it would be possible for an attacker with
appropriate engineering expertise to construct a completely
self-contained cloning device about the size of
an Apple iPod. When passed in close proximity to a target
DST, this device would harvest two chosen-challenge
transcripts, perform a lookup in an on-board set of precomputed
Hellman tables in the course of a minute or so,
and then simulate the target DST. We estimate that the
cost of constructing such a device would be on the order
of several hundred dollars.

20. Significance and Implications
Effective Attack Range
Two different methods for capturing signals from DST: Active Scanning and Passive Eavesdropping
Passive Eavesdropping : an attacker listens to legitimate communication between DST and reader during authentic session
Range depends on the ability to intercept signal from DST
Range not found in this study
From the standpoint of an attacker, active scanning
has the advantage of permitting a chosen-challenge attack.
Hence this type of attack permits the use of precomputed
Hellman tables as touched on above. In principle,
therefore, it would be possible for an attacker with
appropriate engineering expertise to construct a completely
self-contained cloning device about the size of
an Apple iPod. When passed in close proximity to a target
DST, this device would harvest two chosen-challenge
transcripts, perform a lookup in an on-board set of precomputed
Hellman tables in the course of a minute or so,
and then simulate the target DST. We estimate that the
cost of constructing such a device would be on the order
of several hundred dollars.
It is worth
noting purported U.S. Department of Homeland Security
reports, however, of successful eavesdropping of this
kind on Mhz tags at a distance of some tens of
feet [24]. The DST, as we explain below, operates at
134 kHz. Signals at this considerably lower frequency
penetrate obstacles more effectively, which may facilitate
eavesdropping. On the other hand, larger antennas
are required for effective signal interception.
Lower freq have a longer wavelength

21. Significance and Implications
Example Attack Scenarios
Example 1: Auto theft via eavesdropping
Eve owns can with necessary equipment
Parks close enough to target to eavesdrop
Observe two successful session, Eve can extract key at her convenience using FPGA
Eve returns to steal vehicle by picking door lock, disabling immobilizer with found, and hot-wiring ignition

22. Significance and Implications
Example Attack Scenarios
Example 2: Auto theft via active attack
Eve gets access to valet key storage to scan immobilizer keys of patrons
Record registration numbers (to get owner info)
Eve then can simulate devices and steal the vehicles from owner’s home
Why not just steal the keys then?

23. Significance and Implications
Example Attack Scenarios
Example 3: SpeedPassTM theft via active attack
Eve brings reader and short-range antenna on subway
Harvests challenge-response pairs and serials from SpeedPass™ devices
Eve can recover crypto keys at her convenience
Uses key in software radio to purchase gasoline

24. Significance and Implications
Fixes
Underlying protocols should be based on publicly scrutinized standards with sufficient key length, such as the Advanced Encryption Algorithm
Problems:
Cost to make capable devices would significantly increase
Backwards compatibility (significant cost to refit/recall existing devices)

25. Significance and Implications
Fixes
Faraday shielding provides a partial solution
Users can encase DSTs in adequate shielding like aluminum foil to reflect radio while not in use
Protects against active scanning, but not eavesdropping
Possible shielding around reader to defend against eavesdropping
inconvenient, and would
probably prove an unworkable imposition on most users

26. Reverse Engineering The only
substantive technical information we were able to locate
on DST40 was a rough schematic available in a presentation
by Dr. Ulrich Kaiser, which was published on the Internet
[14], and in a published conference paper [11] coauthored
by Dr. Kaiser with Texas Instruments employees.
We show the schematic here in Figure 1

27. Reverse Engineering
Authors found schematic by Dr. Kaiser and TI in a presentation
Functional components were clear, but critical details of logic and interconnects were not
Certain features in schematic were wrong
Chose “black-box” approach by examining logical outputs
Authors Purchased TI Series 2000 – LF RFID Evaluation Kit and DST devices

28. Reverse Engineering DST 40 is essentially a feedback shift register
During each round, inputs from challenge register and key register pass through collection of logical units
These units produce an output that is put back into the challenge register

29. Reverse Engineering
Single round as all units is referred to as F. F has three logical layers:
First layer: represented as f1 to f16 (f-boxes)
The second layer is represented as f17 to f20, referred to as g-boxes, which are four functional units that takes the outputs of set of four f-boxes as inputs
The third layer is a single unit, f21, in which takes in the outputs of the g-boxes, called the h-box, returns the output of the full function F
The full collection of units operating in a single round (operating on a single set of inputs with no feed back) is referred to as F. F has three logical layers:
First layer: represented as f1 to f16 (f-boxes) in the figure, these 16 functional units take a small number of bits from the key reg. and the challenge reg.
Each f-box either takes 3 key bits and 2 challenge bits or 2 key bits and 3 challenge bits
Two special f-boxes take only 2 bits from each reg. as an input
The second layer is represented as f17 to f20, referred to as g-boxes, which are four functional units that takes the outputs of set of four f-boxes as inputs
The authors refer to these units as a g-box
The third layer is a single unit, f21, in which takes in the outputs of the g-boxes
This last unit, the h-box, returns the output of the full function F

30. Reverse Engineering
There are two main technical details missing from the schematic:
Does not describe the logical operations of the f, g, and h-boxes
Does not describe the routing array for the mapping of key and challenge bits to the f-boxes
In other
words, there is no indication of which bits in the
challenge and key registers are input to which fboxes

31. Reverse Engineering Obtaining a Single-Round Output
Since the contents of the f-boxes and critical routing was unknown, the authors could not directly verify if their DSTs followed the Kaiser schematic
Required to treat evaluation DST as a “Black-box”
From the schematic, the authors noted that the only round dependence is in the key scheduler
used the string of ‘0’ bits for their starting experiments
Obtaining a Single-Round Output
From the figure, if a string of ‘0’ bits were entered, they would remain unchanged in the key register throughout the execution
The authors used the string of ‘0’ bits for their starting experiments, since it is possible to see each step of the algorithm independent of the round

32. Reverse Engineering Obtaining a Single-Round Output
After each cycle, there were only small changes to contents of the challenge register:
Each was shifted right one bit
The output of the h-box was inserted into the left-most bit position
Challenge/Response
two possible sequences, either: C0 = 0|C or C1 = 1|C, where | denotes concatenation
after the first cycle, h-box output assumes challenge register is either C0 or C1 after first cycle
See paper for a little more detail
Based on our observation
above, after a single cycle, the challenge register in
the DST contains one of two possible sequences, either
C0 = 0|C or C1 = 1|C, where | denotes concatenation.
Therefore, recovering the output of the h-box can
be reduced to a determination of whether the challenge
register assumes the value C0 or C1 after the first cycle.

33. Reverse Engineering Obtaining a Single-Round Output
Tests failed, indicating that the DST40 differs from the Kaiser cipher
Authors found that testing next-state challenge response values succeeded when they modeled the h-box output as two bits
Authors then questioned elements of the schematic including number of rounds and key update schedule

34. Reverse Engineering Obtaining a Single-Round Output
Since the authors were able to recover the output of F on a single iteration, they were able to observe the entirety of each round of a cipher execution by repeatedly guessing the next state of challenge register
They established that the encryption took over 200 cycles and the DST gets its response from the right-most 24 bits of the challenge register

35. Reverse Engineering Recovering the Key Schedule
Using the ‘0’ bit key would restrict ability to experiment with algorithm internals
They required the ability to observe single-round outputs based on different values in the challenge and key registers
Using a non-zero key makes the algorithm round dependent
Needed to provide black-box with equivalent next key register state

36. Reverse Engineering Recovering the Key Schedule
By following the diagram, the authors assumed new key bits were computed by exclusive-or of several bits of the key every few seconds
They determined the key is updated every three cycles (beginning with the second cycle)
Let ki denote the ith bit in the key register beginning with 0
The key update is defined by: k0 = k k k k18
Using this model in place of the ‘0’ bit key, they were able to simulate steps for any key
By querying
The black box, they determined that the key is updated every
three cycles, beginning with the second cycle – not
the first, as suggested by the Kaiser diagram.
also
determined that while four bits are indeed exclusive-ored
together, they are not the bits shown in the dia-gram

37. Reverse Engineering Recovering the Key Schedule
Previously only had to guess each possibility for a 2-bit output of single round
For a non-zero key, need to guess six successive bits (three bit-pairs) of output for the h-box at the same time, since the key schedule only repeats every 3 cycles
This meant testing 64 possible candidate challenge-response states
To test, they set the k’ corresponding to the key-register state after 6 cycles applied to k
DST can
process 6-8 challenges per second, so this test requires a
minimum of 8 seconds or so. It is thus significantly more
time-consuming than previous tests, although it returns
the output of three execution cycles, rather than one.

38. Reverse Engineering Uncovering the Feistel Structure of DST40
To measure the effect, the authors generated a random key and challenge, and determined the output of F
For each of the 40 challenge bits, they determined whether F changed upon flipping a bit
Repeated 150 times

39. Reverse Engineering Uncovering the Feistel Structure of DST40
Let ci denote the ith bit of the challenge register, starting
with 0. The first notable feature of our graph is the
effect of bits c38 and c39 of the challenge register. While
the other key and challenge bits have limited influence
on the output of a single round, these two bit always affect
the output of the h-box. Further experimentation revealed
that the two bits affect the first and second bit of
the two-bit round output respectively. This indicated that
the cycle output derived from the exclusive-or of these
bits with the output of the F function.

40. Reverse Engineering Uncovering the Feistel Structure of DST40
The XOR of bits c38 and c39 showed that the algorithm was an invertible permutation and it is a form of Unbalanced Feistel Network
The authors speculate that the round function was chosen so that collisions would not multiply and responses would have uniform distribution

41. Reverse Engineering Recovering the Bit Routing Networks
Next step was to recover internal routing network of bits
Assumption that the h-box (f21) was the only box with a 2-bit output
Structure of Kaiser cipher shows that h gets a single bit from each of the g-boxes and returns one or four possible outputs
After identifying the general structure of the cipher, our
next step was to uncover the internal routing network of
bits, i.e., which bits act as inputs to each of the f-boxes,
as well as the boolean functions computed by each fbox.
The structure of the Kaiser cipher is such that h receives
a single input bit from each of the g-boxes, and
produces one or four possible output values. This fact
lays the groundwork for identifying which bits of the
challenge and key are routed to each of the g-boxes
Recovering the Bit Routing Networks
Allows the identification of which bits of the challenge and key are routed to each g-box
Altering a single input bit of h can at most generate two distinct outputs
Altering the output of only one g-box can never cause h to output more than two values (altering the output of more than one can produce up to 4 distinct values)

42. Reverse Engineering Recovering the Bit Routing Networks
Using this observation, the authors devised a test to see which groups of input bits of the challenge and key are routed to each of four g-boxes
Test requires many repetitions since two test bits could be routed to different g-boxes, and different value outputs still produce two or fewer distinct outputs
The routing network was arranged in a regular pattern, and after uncovering most of the bits dealing with g1 and the authors were able to infer and validate the remainder of g-boxes
If at any time these four bit
combinations produce more than two different outputs,
then they cannot possibly be routed through the same
g-box. It should be noted that this test of g-box membership
produces false positives. In particular, it is very
possible (and indeed common) that for two test bits that
are not routed to the same g-box, and for a given set of
fixed bits, different value assignments to the test bits still
produce two or fewer distinct outputs from the h-box.
Therefore this test requires many repetitions with different
sets of fixed bits.
We employed this test first so as to exclude all bits that
are not in the same g-box as bit 0 of the challenge. After
excluding 60 such bits, we discovered all of the bits
that are routed to g1. We repeated the test for the remaining
g-boxes, ignoring bits previously associated with a g
box so as to decrease the search space. To our benefit,
the routing network of bits that go through each g-box is
arranged in a rather regular pattern, and it was not necessary
to perform an exhaustive search. After uncovering
most of the bits related to g1, we were able to infer and
then quickly verify the remainder of the g-boxes.
Recovering the Bit Routing Networks
More in-depth task for determining the challenge and key register bits that serve as each f-box input
Let B = {b b5} be a set of challenge and key-register bits
Let B denote all other bits registers
The output of the cipher will show an invariant if B is the set of input bits to a single f-box

43. Reverse Engineering Recovering the Bit Routing Networks
An f-box uses a fixed boolean function z on five bit inputs
Suppose that B is the set of inputs to this f-box:
Then let’s define A0 to be the set of value assignments to the bits in B such that z(b b5) = 0
Also, define A1 analogously for z(b b5) = 1
Notice that for a fixed setting of B, the output of h will be invariant for the setting of B to any value in A0.
Likewise, for a fixed value assignment to B, the output of h will be invariant for any setting of B to a value in A1.

44. Reverse Engineering Recovering the Bit Routing Networks
Using the invariant, the authors performed tests to exclude combinations of bits that can’t be inputs the same f-box
Next step was to Iterate over all 32 value assignments to B and record the output pattern from F
They then repeated the experiment over B
If no invariant like described, the B cannot consist of inputs to a single f-box
Test repeated until excluded all possible inputs except for correct ones
On first inspection, it would appear as though there
is a large number of possible sets of input bits to any
given f-box. In fact, though, we can narrow the pool
of candidate sets thanks to two observations: (1) The set
of inputs to a single f-box must also serve as inputs (at
one remove) to the same g-box; and (2) For any f-box,
three input bits come from the challenge register and two
from the key register (or vice versa). By working with
inputs corresponding to a single g-box and by searching
in particular for the f-box that includes bit 0 of the chall
enge register, we started with a search space of size only 19 2 × 20 + 19 1 3
= Moreover, once we
identified the inputs to one f-box, each subsequent fbox
corresponding to the same g-box had far fewer combinations
of input bits to test.
Furthermore, again to our benefit, the f-box inputs in
DST40 are ordered in a very regular manner. In particular,
given the structure of inputs associated with one gbox,
we were readily able to infer those for the remaining
g-boxes.

45. Reverse Engineering Building Logical Tables for the f, g, and h-boxes
Once the corresponding bits to each f-box were identified, the authors constructed tables to represent logical functions computed by all the boxes
To calculate the f-box tables, they simply iterated through 32 possible input value for the set B that corresponds to the f-box
To calculate a given g-box, four corresponding f-boxes and iterated over all 24 = 16 combinations of their output values
It’s essentially the same method to construct the h-box table; though the h-box outputs two bits instead of one
See Appendix A for the full DST40 algorithm description.

46. Key Cracking The DST40 Keycracker First implemented in software
To slow for a keycracker
Software could only compute less than 200,000 encryptions per second on 3.4 GHz Pentium
Time would take more than 2 weeks for a 10 node cluster
Decided to implement the keycracker in hardware
We also wished to test our implementation against actual
fielded tags in SpeedPassTM tokens and automobile
ignition keys. The cryptographic keys in these devices
are immutable once locked at the factory. Without knowing
the key on a fielded tag, we had no way to determine
whether the algorithm used by such tags was as hypothesized.
Therefore, recovering an actual key became necessary.

47. Key Cracking The DST40 Keycracker
Each node consisted of a single Xilinx XC3S1000 FPGA
32 cores per FPGA
Since DST40 outputs 24 bits per 40 bit challenge, at least two challenge/response pairs are needed to determine a unique key
Clock on board was fixed to 100 MHz, allowing for 16 million keys per second
Entire 40 bit key-space can be exhausted in less than 21 hours

48. Key Cracking The DST40 Keycracker
Single FPGA board was enough to verify testing
Cracker recoverd key from SpeedPass™ in under 11 hours
Bought a total 16 evaluation boards to get a significantly reduced crack time
Cracked 5 TI DST tags and recovered all keys in less than 2 hours

49. Key Cracking The Hellman Time-Space Tradeoff
As described, Software key cracker uses Hellman tables
Estimates suggest a 99+% success rate
Requires 10 GB of storage
Should finish in under one minute on fast PC
Table construction requires a large amount of pre-computation
At the
time of writing of this paper, we are in the process of table
building and hope soon to report results of this work.

50. RF Protocol Analysis and Simulation
A reader in the DST system transmits power to the transponder at a 15-to-50 ms electromagnetic pulse at kHz
Once powered, transponder can perform session tasks
Reader transmits as a sequence of amplitude-modulated bits
Once transponder has received and processed a command, it discharges its power while transmitting response
Once the transponder has fully received and processed
a command, it discharges its stored power, while
transmitting its response using frequency modulated frequency
shift keying (FM-FSK). It communicates a bit via
16 RF cycles, specifying a ‘0’ or ‘1’ bit by transmitting at
134.2 kHz or kHz respectively.5 A preamble of ‘0’
bits followed by a start byte (7E hex) indicates the start
of a transmission and allows the reader to synchronize

51. RF Protocol Analysis and Simulation
Sniffing the Protocol
The team configured a portable PC with a digital-to-analog board
Designed to send and receive desired analog signals
The authors wrote routines for modulation and demodulation to produce the signals produced by the reader and FM-FSK signals produced from the transponder
Using this equipment can allow for successful eavesdropping or actively participate by emulating either reader or transponder

52. RF Protocol Analysis and Simulation
Putting Together the Pieces: the Full DST Protocol
First, the reader transmits a challenge request to the transponder
Consists of an 8-bit opcode followed by the 40-bit challenge (opcode specifies type of request being made)
The transponder encrypts the challenge using the shared secret 40-bit key
The least significant 24 bits in the transponder challenge register consitutes a 24-bit Signature

53. RF Protocol Analysis and Simulation
Putting Together the Pieces: the Full DST Protocol
The transponder then responds
Replies with 24-bit serial number, 24-bit signature, and a keyed 16-bit CRC of the transmitted data
Using the shared encryption key and secret CRC start value, the reader can then verify
The CRC is intended to add extra security as well as provide error checking
Using the shared encryption key
(which it may look up based on the transponder serial
number) and secret CRC start value, the reader can verify
that the signature is correct.
The CRC appended to each transmission is intended
to be an additional security measure as well as an error
checking device. The DST protocol specification
defines this as a 16-bit reverse CRC-CCITT that is initialized
with a secret 16-bit start value. However, this
feature provides no such security. A single interaction
with a DST allows for the recovery of a transmission and
accompanying keyed CRC. As this secret start value is
shared among all DSTs, it is only a matter of trying the
216 possible start values and computing the CRC of the
data returned to uncover the secret start value. The computational
time required for this is less than a second.
Therefore, the security of authentication in this system
depends on the supposition that the 40-bit secret key
contained in a valid transponder is available only to the
transponder and to valid readers, and that only knowledge
of this shared secret allows the correct generation of

54. RF Protocol Analysis and Simulation
Putting Together the Pieces: the Full DST Protocol
The stated aim of DST was to make it resistant to:
Signature-guessing attacks
Dictionary attacks
Attacks using known challenge-response pairs
Cryptanalytic attacks
Exhaustive key search
The system architects specified as a design
criterion that having access to a transponder or reader for
short periods of time should not lead to recovery of the
secret key [11]. Their stated aim was to make the DST
system resistant to signature-guessing attacks, dictionary
attacks using known challenge-response pairs, cryptanalytic
attacks, and exhaustive key search – even for an
attacker with full knowledge of the encryption algorithm

55. RF Protocol Analysis and Simulation
Simulating a DST Device
The authors software performs the following:
It analyzes the A/D conversions received from the DAC board
Decodes the AM signal containing the challenge sent from the reader
Performs an encryption of this challenge using the recovered secret DST key
Codes the FM-FSK signal representing the correct response
Outputs this FM-FSK signal to the DAC board

56. Conclusion
The weakness of DST40 cipher demonstrated by the authors is primarily due to an insufficient key-length
Further cryptanalysis may reveal weaknesses in the cipher
Systems with the strongest security are generally standard cryptographic algorithms with adequate key lengths

57. Questions?
Currently the most effective protections against this attack rely on user vigilance, e.g., protecting transponder keys, auditing Speedpass invoices for fraud, and optionally using a metallic shield (such as aluminum foil) to prevent unauthorized scanning of DST tags. This vulnerability has also spawned the creation of the RSA Blocker Tag and RFID Blocking Wallets.

58. References [1]. http://en.wikipedia.org/wiki/RFID
[2].