Techniques on Cryptographic-Enabled HF

cribabsurdΗλεκτρονική - Συσκευές

27 Νοε 2013 (πριν από 3 χρόνια και 10 μήνες)

152 εμφανίσεις

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

1


TU Graz/Computer Science/IAIK/VLSI



Institute for Applied Information Processing and Communications (IAIK)

Graz University of Technology

VLSI



Thomas Plos

Evaluation of Side
-
Channel Preprocessing
Techniques on Cryptographic
-
Enabled HF
and UHF RFID
-
Tag Prototypes

Thomas Plos, Michael Hutter, Martin Feldhofer


Workshop on RFID Security 2008

09.
-

11.07.2008, Budapest, Hungary

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

2


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Outline


Motivation


Prevalent countermeasures


Hiding in time dimension


Attacking techniques on hiding


Arguments for using FFT


Conducted attacks


Tag prototypes


Measurement setup


Results


Conclusion


http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

3


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Motivation (1)



> 1 billion RFID tags


sold in 2006



Movement towards


“internet of things”



Current low
-
cost tags cannot prevent fake products



Enhanced functionality opens field for new applications


Sensors


Actuators



Weakest link of the system determines security


crypto on tags

RFID tags
(
in billions
)
1
billion
2017
2015
2010
2006
100
500
Year
© IDTechEx Ltd
http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

4


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Motivation (2)


It was long believed that strong crypto is unfeasible on
passive RFID tags



Meanwhile great effort to bring standardized crypto on
low
-
cost tags



Secure algorithm



獥捵牥s業灬i浥湴慴楯n



Side
-
channel analysis (SCA) exploits implementation
weaknesses



Protection via
countermeasures necessary

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

5


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Prevalent Countermeasures


Make power consumption independent of intermediate
values


Principally two ‘types’ of countermeasures:


Hiding


In time dimension:


random insertion of dummy cycles


shuffling


In amplitude dimension:


increase noise


reduce signal


Masking


Boolean masking (e.g.

)


Arithmetic masking (e.g. +, *)

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

6


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Hiding in Time Dimension


Highly
suitable

for
low
-
resource devices

like RFID
tags


Mainly effects control logic


Cost efficient in terms of hardware


Time

is
not

a
critical

parameter in RFID due to
rather low data rates in protocols


Using the example of AES:






D
D
AES
Time
Encryption
1
Encryption
2
Encryption
3
AES
AES
D
D
D
D
b
1
AES state
b
1
b
2
b
3
b
4
b
5
b
6
b
7
b
8
b
9
b
10
b
11
b
12
b
13
b
14
b
15
b
16
Encryption
1
Encryption
2
Encryption
3
b
1
b
2
b
3
b
4
b
5
b
6
b
7
b
8
b
9
...
b
5
b
6
b
7
b
8
b
9
b
10
b
11
b
12
b
4
...
b
13
b
14
b
15
b
16
b
1
b
2
b
3
b
4
...
b
11
Dummy operations

Byte shuffling

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

7


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Attacking Techniques on Hiding


Filtering (amplitude dimension)


Attenuation of disturbing signals


Requires knowledge of wanted signal/disturbing signal


Integration techniques (time dimension)


Summing up “specific points” defined by a
comb

or a
window


Requires knowledge of “specific points”


Identification of parameters

for
filtering/integration techniques could be
challenging


Can FFT help us?

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

8


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Arguments for Using FFT


FFT

is
time
-
shift invariant


Efficiency of randomization is diminished


Influence of misaligned traces during measurements is reduced


Filtering

of disturbing signals
not necessary

(e.g. carrier signal of RFID
reader)















D
ifferential
F
requency
A
nalysis (
DFA
) first mentioned by C. Gebotys
(CHES 2005)

Time domain
Time domain
Frequency
domain
FFT
Time domain
Frequency
domain
Filtering
Integrating
Aligning
DPA
/
DEMA
DFA
FFT
http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

9


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Conducted Attacks


Analysis of RFID devices (HF and UHF)


Current low
-
cost RFID tags do not contain
strong crypto + randomization


Using self
-
made tag prototypes


Integration of 128
-
bit AES with randomization


Comparing DEMA with DFA


Disturbing carrier signal:

DEMA + filtering


vs.

DFA


Disturbing carrier signal + randomization of AES:



DEMA + filtering + windowing

vs.

DFA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

10


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Tag Prototypes


HF tag prototype


13.56MHz


ISO14443
-
A


Semi passive





UHF tag prototype


868MHz


ISO18000
-
6C


Semi passive


http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

11


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Measurement Setup













RFID
reader
Analog
front end
PC
μ
C
Reader
control
Tag prototype
Digital
-
storage
oscilloscope
EM
probe
EM signal
Trigger
Oscilloscope
control
http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

12


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Results (1)


HF tag prototype


Disturbing 13.56 MHz carrier signal











DEMA + filtering




DFA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

13


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Results (2)


UHF tag prototype


Disturbing 868 MHz carrier signal











DEMA + filtering




DFA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

14


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Results (3)


HF tag prototype


Disturbing 13.56 MHz carrier signal + randomization of
AES enabled








DEMA + filtering + windowing



DFA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

15


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Results (4)


UHF tag prototype


Disturbing 868 MHz carrier signal + randomization of
AES enabled








DEMA + filtering + windowing



DFA

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

16


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Conclusion


Evaluation of SCA pre
-
processing techniques
on RFID devices using hiding in time domain


HF and UHF RFID
-
tag prototypes implementing
128
-
bit AES with randomization


DEMA + filtering (+windowing) vs. DFA


All attacks successful




DFA

offers
good results

without further

knowledge

about implementation




Hiding

alone as
countermeasure

for RFID
tags
not sufficient

http://www.iaik.tugraz.at

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

17


TU Graz/Computer Science/IAIK/VLSI



VLSI

Thomas Plos

Side-Channel Analysis Lab
http://www.iaik.tugraz.at/research/sca
-
lab

Thomas.Plos@iaik.tugraz.at

Michael.Hutter@iaik.tugraz.at

Martin.Feldhofer@iaik.tugraz.at