Scheme for RFID Tags and Sensor Nodes

Nov 26, 2013

Institute for Applied Information Processing and Communications (IAIK)


VLSI & Security

1


TU Graz/Computer Science/IAIK/VLSI

2009



VLSI
A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes

March 16-18, 2009, Zurich, Switzerland

Martin Feldhofer

IAIK


Graz University of Technology

Martin.Feldhofer@iaik.tugraz.at

www.iaik.tugraz.at

Yossef Oren

School of Electrical Engineering

Tel-Aviv University

http://www.iaik.tugraz.at

Outline

Motivation

Introduction of WIPR

Requirements for RFID tag hardware

Implementation of WIPR scheme in hardware

Comparison of crypto implementations

Conclusions

Why Security for RFID Systems?


Threats

Counterfeiting


5-7% of world trade


~$600 billion USD a year (ICC 2009)


Privacy violation


Monitoring communication is easy (contactless, broadcast)


How Can Cryptography Help Us?

Encrypted communication


Prevents unauthorized parties from reading data


Prevents tracking by unique identifier


Authentication of reader/tag


Proves identity of party


Prevents cloning of tagged goods

Identification


Claim to be somebody / something

Authentication


Prove the claim (by characteristic, shared knowledge, possession)

Tag-Authentication Protocol

Challenge-response (strong authentication)


Proves knowledge of shared secret key (or private key)


Requires random “challenge”


“Response” depends on challenge and key (encryption result)


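Compatibility with existing standards

[Figure: challenge-response exchange between A and B, both holding key K. A sends the random challenge $r_A$; B answers with $f_K(r_A)$]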

State-of-the-Art in Secure RFID

Symmetric crypto on tags is feasible


Results for an AES-128 hardware module have been shown




Disadvantage of symmetric solutions


Key distribution is difficult

In open systems public-key cryptography is much better


Many untrusted parties (goods and tag manufacturer, tag integrators, warehouses, retailers, customer etc.)

But what about the feasibility on passive RFID tags?

Overview of WIPR Identification Scheme

WIPR stands for Weizmann-IAIK Public-Key for RFID

1024-bit RSA-like public key


80 bits security level

Full probabilistic encryption


Anonymity (encryption of ID)


Authentication (prove knowledge of secret)

Main features


4700 gate equivalents (including memory, full functionality)


600 ms / 14 µA at 100 kHz


Works great with the EPC C1G2 standard


High payload capacity can be used for example in sensor nodes

WIPR in Theory

Rabin’s encryption scheme:


Private key: primes $p$, $q$. Public key: $n = p \cdot q$


Encryption: $C = P^2 \pmod{n}$


Decryption has four possible results (probabilistic)

Low-resource version by Naccache and Shamir


Encryption: $C = P^2 + r \cdot n$, random $r$


Indistinguishable from Rabin’s scheme (if $r$ is appropriately chosen)

Ultra-low-resource version (this work):


Specially-formed $n$ stored within 200 GEs


Long random strings created on-the-fly using “Feistel structure”

Security Features

Secrecy and privacy


ID is kept secret (by encryption)


Tracking is prevented

No private key on tag


Only secret ID


“Crack one - run one” situation

Encryption of arbitrary data


Data of sensor nodes

No tag rewrites or coupons


No fixed number of uses

Reader authentication possible


Secure backward channel is possible

The WIPR Protocol for Authentication

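[Figure: WIPR authentication protocol between reader and tag]

Reader knows: PrivKey $p$, $q$; ID. Generates $r_R$.

Tag knows: PubKey $n$; ID. Generates $r_{T1}$, $r_{T2}$.

Challenge: $r_R$

Response: $(r_R \,\#\, r_{T1} \,\#\, \mathrm{ID})^2 + r_{T2} \cdot n$

Verification of ID by decryption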
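The exchange above, together with the encryption $C = P^2 + r \cdot n$ from "WIPR in Theory", as an added Python example that is not code from the presentation. The two Mersenne primes, the 64-bit field widths, the sample ID and the length chosen for r_T2 are constructed toy assumptions; the scheme itself uses the 1024-bit n described on the slides.

```python
import secrets

# Constructed toy key: two Mersenne primes, both congruent to 3 mod 4.
# Far too small and too structured for real use; WIPR uses a 1024-bit n.
PRIME_P = 2**127 - 1
PRIME_Q = 2**107 - 1
N = PRIME_P * PRIME_Q
FIELD = 64  # assumed width in bits of r_R, r_T1 and ID in this toy layout


def tag_response(n, tag_id, r_r):
    """Tag side: knows only the public n and its secret ID."""
    r_t1 = secrets.randbits(FIELD)                # randomises the plaintext
    r_t2 = secrets.randbits(n.bit_length() + 80)  # assumed length for r_T2
    plain = (r_r << 2 * FIELD) | (r_t1 << FIELD) | tag_id
    return plain * plain + r_t2 * n               # no modular reduction on the tag


def rabin_roots(c, p, q):
    """Reader side: the four square roots of c modulo n = p*q."""
    n = p * q
    c %= n                                        # strips the r_T2 * n term
    root_p = pow(c, (p + 1) // 4, p)              # valid because p = 3 (mod 4)
    root_q = pow(c, (q + 1) // 4, q)
    inv_q, inv_p = pow(q, -1, p), pow(p, -1, q)
    return {(sp * q * inv_q + sq * p * inv_p) % n  # CRT recombination
            for sp in (root_p, p - root_p)
            for sq in (root_q, q - root_q)}


def reader_verify(c, p, q, r_r):
    """Return the tag ID if one root carries this session's challenge, else None."""
    for root in rabin_roots(c, p, q):
        if root >> (2 * FIELD) == r_r:
            return root & ((1 << FIELD) - 1)
    return None


def demo():
    tag_id = 0x00C0FFEE12345678                   # constructed sample ID
    challenge = secrets.randbits(FIELD)
    c1 = tag_response(N, tag_id, challenge)
    c2 = tag_response(N, tag_id, challenge)
    fresh = challenge ^ 1                         # a later session's challenge
    return (reader_verify(c1, PRIME_P, PRIME_Q, challenge),  # ID recovered
            c1 != c2,                             # same tag, different responses
            reader_verify(c1, PRIME_P, PRIME_Q, fresh))      # replay rejected
```

The reader picks the correct one of the four roots by looking for its own challenge in the top field, which is also what makes a recorded response useless against a later challenge.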
But what about the implementation costs?

Secure RFID System Architecture

Hardware Requirements for Passive RFID Tags

Power consumption


Determines operating range (~1m required)


Maximum 25 µW


Below 15 µA (1.5 V) mean current consumption


0.35 µm CMOS: ~15 D-FF @ 1 MHz

Chip area


Die size equals silicon costs (5-20 Cent)


Less than 5000 gate equivalents for security


BUT


Very low data rates (10-200 kbps)


low clock frequency


High number of available clock cycles

[Figure: two panels over the RF field, labelled $V_{dd}$, $I_{IC}$, $I_{Supply}$ and $V_{ddMIN}$]

Low-Power Design

Power dissipation


$P_{\text{Total}} = P_{\text{Static}} + P_{\text{SC}} + P_{\text{Dynamic}}$


$P_{\text{Dynamic}} = C_L \cdot V_{DD}^2 \cdot f$

Design for power reduction


Lowering $V_{DD}$


Use lowest possible clock frequency (<100 kHz)


Clock gating


Avoiding glitching activity (sleep-mode logic)

Optimization goal


Minimize triple ($I_{\text{mean}}$ [µA], Chip area [GE], #Clock cycles)


$P_{\text{Dynamic}} = C_L \cdot V_{DD}^2 \cdot f \cdot p_{sw}$
WIPR Hardware Implementation

[Figure: WIPR datapath block diagram. Blocks: FSM controller, AMBA interface, 25-bit accumulator, 25-bit adder, 8x8-bit multiplier, two multiplexers, Feistel logic (Feistel R_t1a, Feistel R_t1b, Feistel R_t2), 128x8-bit Const, 16x8-bit R_r, ID(i), CRC(i); signals: data in, data out]

Tag calculates $(r_R \,|\, r_{T1} \,|\, \mathrm{ID}) \cdot (r_R \,|\, r_{T1} \,|\, \mathrm{ID}) + r_{T2} \cdot n$


Result is calculated and sent byte by byte beginning at the least significant byte (no need for storing it)
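An added Python sketch (not the authors' hardware description) of how a column-wise multiply-accumulate can emit the response least significant byte first while holding only a small running sum. The 128-byte n follows the slide; the lengths of the plaintext and of r_T2, and all function names, are assumptions.

```python
import secrets


def response_bytes(plain, r_t2, n, stats):
    """Yield plain*plain + r_t2*n byte by byte, least significant byte first.

    Operands are little-endian byte strings. Column k of a product is the sum
    of a[i] * b[k - i]: one operand is read upwards, the other downwards.
    """
    acc = 0                                   # models the accumulator register
    for k in range(max(2 * len(plain), len(r_t2) + len(n))):
        for i in range(max(0, k - len(plain) + 1), min(k, len(plain) - 1) + 1):
            acc += plain[i] * plain[k - i]    # one 8x8-bit multiply-accumulate
        for i in range(max(0, k - len(n) + 1), min(k, len(r_t2) - 1) + 1):
            acc += r_t2[i] * n[k - i]
        stats["peak"] = max(stats["peak"], acc)
        yield acc & 0xFF                      # ready to transmit, never stored
        acc >>= 8                             # carry into the next column
    while acc:                                # flush the final carry
        yield acc & 0xFF
        acc >>= 8


def check(plain, r_t2, n):
    """Compare the streamed bytes with big-integer arithmetic; return (ok, peak)."""
    stats = {"peak": 0}
    streamed = int.from_bytes(bytes(response_bytes(plain, r_t2, n, stats)), "little")
    a, r, m = (int.from_bytes(x, "little") for x in (plain, r_t2, n))
    return streamed == a * a + r * m, stats["peak"]


# Constructed inputs: random 128-byte operands and the all-0xFF worst case.
RANDOM_CASE = check(secrets.token_bytes(128), secrets.token_bytes(128),
                    secrets.token_bytes(128))
WORST_CASE = check(b"\xff" * 128, b"\xff" * 128, b"\xff" * 128)
```

With 128-byte operands the running sum stays below 2^25 even in the all-0xFF case, so it fits the 25-bit accumulator shown in the datapath.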


Implementation of Const $n$


$n$ has special format


Upper half is 0xAAA….AAA


Only 200 GEs to store a 1024-bit constant

[Figure: WIPR datapath block diagram]

$(r_R \,|\, r_{T1} \,|\, \mathrm{ID}) \cdot (r_R \,|\, r_{T1} \,|\, \mathrm{ID}) + r_{T2} \cdot n$

Implementation of Challenge $r_R$

[Figure: WIPR datapath block diagram]


Register-based 8-bit RAM


1000 GEs to store the 128-bit random challenge

$(r_R \,|\, r_{T1} \,|\, \mathrm{ID}) \cdot (r_R \,|\, r_{T1} \,|\, \mathrm{ID}) + r_{T2} \cdot n$

Impl. of Random Strings $r_{T1a}$, $r_{T1b}$ and $r_{T2}$

[Figure: WIPR datapath block diagram]


Random bit strings


Only sequential access


Use reversible stream cipher


Store only short seed values


Use “roll left” and “roll right” function


2700 GEs to store a 2048-bit random of tag

$(r_R \,|\, r_{T1a} \,|\, \mathrm{ID}) \cdot (r_R \,|\, r_{T1b} \,|\, \mathrm{ID}) + r_{T2} \cdot n$

Sequential Memory Access of $r_{T1a}$, $r_{T1b}$ and $r_{T2}$

Rolling Functions

[Figure: two panels, Roll Right and Roll Left. Each shows a State and a One-way Function over the sequence r[i-2], r[i-1], r[i], r[i+1], r[i+2]]

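One way to get a generator that can be stepped in both directions from a short state is a Feistel-style recurrence; the following added Python sketch is an illustration and not the WIPR design. The recurrence, the 8-byte word size, the seed and the truncated SHA-256 stand-in for the one-way function are all assumptions.

```python
import hashlib

WORD = 8  # assumed word size in bytes; the slides do not state one


def one_way(seed, word):
    """Stand-in one-way function: truncated SHA-256 keyed with a short seed."""
    return hashlib.sha256(seed + word).digest()[:WORD]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def roll_right(seed, state):
    """(r[i], r[i+1]) -> (r[i+1], r[i+2]), with r[i+2] = r[i] xor F(r[i+1])."""
    left, right = state
    return right, xor(left, one_way(seed, right))


def roll_left(seed, state):
    """(r[i], r[i+1]) -> (r[i-1], r[i]), with r[i-1] = r[i+1] xor F(r[i])."""
    left, right = state
    return xor(right, one_way(seed, left)), left


def walk(seed, start, steps):
    """Read `steps` words upwards, then the same words downwards.

    Only the two-word state is carried between steps; the lists exist just
    so the caller can compare both passes.
    """
    state, upwards, downwards = start, [], []
    for _ in range(steps):
        upwards.append(state[0])
        state = roll_right(seed, state)
    for _ in range(steps):
        state = roll_left(seed, state)
        downwards.append(state[0])
    return upwards, downwards, state


# Constructed seed and initial state; 32 words of 8 bytes make a 2048-bit string.
SEED = b"constructed-seed"
START = (bytes(WORD), bytes(range(WORD)))
UP, DOWN, END = walk(SEED, START, 32)
```

Because the one-way function is only ever evaluated forwards, rolling left needs no inverse of it, which is what lets a long string be re-read in either direction without storing it.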
Hardware Results

Comparison of Implementations

Algorithm   Type            Chip area [GEs]   I_mean [µA @ 100 kHz, 1.5 V]   # Clock cycles
AES-128     Block cipher    3400              3.0                            1032
SHA-256     Hash            10 868            5.83                           1128
SHA-1       Hash            8120              3.93                           1274
MD5         Hash            8001              3.16                           712
Trivium     Stream cipher   3090              0.68                           (1,603) + 176
Grain       Stream cipher   3360              0.80                           (130) + 104
TEA         Block cipher    2633              3.79                           289
ECC-192     Public key      23 600            13.3                           500 000
WIPR        Public key      4682              14.2                           66 048

Comparison of Different Algorithms

Hardware implementations


Implemented on same platform

[Figure: chart with WIPR labelled]

Compatibility with EPC C1G2 Scheme

[Figure: message sequence involving the Interrogator, in the order shown on the slide]

Query
RN16
ACK(RN16)
[WIPR Version 1]
Challenge(RN16)
Handle
ACKRep(Handle)
[Ciphertext bytes]
ACKRep(Handle)
[Ciphertext bytes]

Conclusions

Strong cryptography required for protection of RFID systems

Design for low power consumption necessary

Symmetric-key crypto is feasible on tags


AES-128 module has been shown

WIPR allows public-key crypto on RFID tags


Uses Rabin encryption scheme


Optimized for low gate count and low power consumption


Contact information


Martin Feldhofer

IAIK


TU Graz

Martin.Feldhofer@iaik.tugraz.at