Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Published byEleanor Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas"— Presentation transcript:

1 Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas http://rfidsecurity.uark.edu 1 This material is based upon work supported by the National Science Foundation under Grant No. DUE-0736741. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF). Copyright © 2008, 2009 by Dale R. Thompson {d.r.thompson@ieee.org}

2 Apply STRIDE* How can you spoof the system? How can you tamper with data? How can you repudiate your actions? How can you cause the system to disclose information (information disclosure) that should be confidential? How can you deny service to authorized users? How can you elevate your privilege? http://rfidsecurity.uark.edu 2 *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

3 Media Interface Layer Threats http://rfidsecurity.uark.edu 3 STRIDE* Category Threat Spoofing Identity - Replay tag responses - Replay reader responses - Relay attack Tampering with data Intercept and modify signal (difficult) Repudiation None Information disclosure Eavesdropping on reader and tag signals Denial of service - Jamming - Shielding - Coupling - Blocker tag Elevation of privilege None *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

4 Which threat seems the most important? http://rfidsecurity.uark.edu 4

5 Media Interface Layer Mitigation http://rfidsecurity.uark.edu 5 STRIDE* Category ThreatMitigation Spoofing Identity - Replay tag responses - Replay reader responses - Relay attack - Authentication - Authentication - Authentication Tampering with data Intercept and modify signal (difficult) Repudiation None Information disclosure Eavesdropping on reader and tag signals - Cryptography Denial of service - Jamming - Shielding - Coupling - Blocker tag Easy to detect Elevation of privilege None *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

6 Gen2 Passwords Access Password: 32-bit password to prevent changing of EPC either temporarily or permanently Kill Password: 32-bit password to prevent killing of the tag Locking – Lock – Unlock – Permanently Lock – Permanently Unlock http://rfidsecurity.uark.edu 6

7 Gen2 Locking Options Read unlocked Read locked – password required to read Write locked – password required to write Read permanently unlocked – Memory can be read and never locked Write permanently unlocked – Password required to write – Memory cannot be locked http://rfidsecurity.uark.edu 7

8 Gen2 Memory sections that can be locked Kill password memory Access password memory EPC memory TID memory User memory Options: Locked, Unlocked, Permanently Locked, or Permanently Unlocked http://rfidsecurity.uark.edu 8

9 Gen2 Cover-Coding Write, Kill, and Access commands use one- time pad to obscure transmitted word from the reader – Reader asks tag for new RN16 – Tag whispers the RN16 to the reader – Reader does a bit-wise exclusive-OR (XOR) of RN16 and 16-bit word to be transmitted – Tag decrypts by doing bit-wise XOR of the received word with the RN16 it sent http://rfidsecurity.uark.edu 9

10 Apply DREAD* What is the damage potential? How easy is the threat to reproduce? How easy is the threat to exploit? Rank the number of affected users that the threat affects. How easy is it for the threat to be discovered? http://rfidsecurity.uark.edu 10 *M. Howard and D. LeBlanc, Writing Secure Code 2nd ed., Redmond, Washington: Microsoft Press, 2003.

11 Contact Information Dale R. Thompson, Ph.D., P.E. Associate Professor Computer Science and Computer Engineering Dept. JBHT – CSCE 504 1 University of Arkansas Fayetteville, Arkansas 72701-1201 Phone: +1 (479) 575-5090 FAX: +1 (479) 575-5339 E-mail: d.r.thompson@ieee.org WWW: http://comp.uark.edu/~drt/ http://rfidsecurity.uark.edu 11

12 Copyright Notice, Acknowledgment, and Liability Release Copyright Notice – This material is Copyright © 2008, 2009 by Dale R. Thompson. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or incorporated in commercial documents without the written permission of the copyright holder. Acknowledgment – These materials were developed through a grant from the National Science Foundation at the University of Arkansas. Any opinions, findings, and recommendations or conclusions expressed in these materials are those of the author(s) and do not necessarily reflect those of the National Science Foundation or the University of Arkansas. Liability Release – The curriculum activities and lessons have been designed to be safe and engaging learning experiences and have been field-tested with university students. However, due to the numerous variables that exist, the author(s) does not assume any liability for the use of this product. These curriculum activities and lessons are provided as is without any express or implied warranty. The user is responsible and liable for following all stated and generally accepted safety guidelines and practices. http://rfidsecurity.uark.edu 12

Download ppt "Lesson Title: Media Interface Threats, Risks, and Mitigation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas"

Similar presentations

Sachin Rawat Crypsis SDL Threat Modeling.

Sachin Rawat Crypsis SDL Threat Modeling.
Lesson Title: RFID Modulation, Encoding, and Data Rates Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: RFID Modulation, Encoding, and Data Rates Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.

Lesson Title: Threat Modeling Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
Lesson Title: Tag Threats, Risks, and Mitigation Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Tag Threats, Risks, and Mitigation Dale R. Thompson and Jia Di Computer Science and Computer Engineering Dept. University of Arkansas
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Nurbek Saparkhojayev and Dale R. Thompson, Ph.D., P.E. Computer Science and Computer Engineering Dept. University of Arkansas Matching Electronic Fingerprints.

Nurbek Saparkhojayev and Dale R. Thompson, Ph.D., P.E. Computer Science and Computer Engineering Dept. University of Arkansas Matching Electronic Fingerprints.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Lesson Title: Threats to and by an RFID system Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Threats to and by an RFID system Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson Title: Electromagnetics and Antenna Overview Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Electromagnetics and Antenna Overview Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Lesson Title: Singulation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This material.

Lesson Title: Singulation Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas 1 This material.
Secure Software Development Chris Herrick 01/29/2007.

Secure Software Development Chris Herrick 01/29/2007.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Lesson Title: Hacking RFID and other RF devices Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Hacking RFID and other RF devices Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

1 Threat Modeling at Symantec OWASP WWW, Irvine, CA, January 28, 2011 Threat Modeling at Symantec Edward Bonver Principal Software Engineer, Symantec Product.

Similar presentations

Ads by Google