Public-Key Cryptography for RFID Tags

Size: px

Start display at page:

Download "Public-Key Cryptography for RFID Tags"

Dina Gallagher
5 years ago
Views:

1 Public-Key Cryptography for RFID Tags L. Batina 1, T. Kerins 2, N. Mentens 1, Pim Tuyls 2, Ingrid Verbauwhede 1 1 Katholieke Universiteit Leuven, ESAT/COSIC, Belgium 2 Philips Research Laboratories, Eindhoven, The Netherlands Workshop on RFID Security July 13 th, 2006

2 Public-Key Cryptography for RFID Tags L. Batina 1, J. Guajardo 2, T. Kerins 2, N. Mentens 1, Pim Tuyls 2, Ingrid Verbauwhede 1 1 Katholieke Universiteit Leuven, ESAT/COSIC, Belgium 2 Philips Research Laboratories, Eindhoven, The Netherlands Workshop on RFID Security July 13 th, 2006

3 Public-Key Cryptography for RFID Tags L. Batina 1, J. Guajardo 2, T. Kerins 2, N. Mentens 1, Pim Tuyls 2, Ingrid Verbauwhede 1 1 Katholieke Universiteit Leuven, ESAT/COSIC, Belgium 2 Philips Research Laboratories, Eindhoven, The Netherlands Workshop on RFID Security July 13 th, 2006

4 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 2

5 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 2

The Counterfeiting Problem: Good readers, bad tags Prescription Drug Lot Number 459382 Here s Mr.

6 The Counterfeiting Problem: Good readers, bad tags Prescription Drug Lot Number Here s Mr. Jones in Euros in wallet Serial numbers: , * From a presentation by Ari Juels,

7 The Counterfeiting Problem: Good readers, bad tags Counterfeit! Prescription Drug Lot Number Here s Mr. Jones in Euros in wallet Serial numbers: , * From a presentation by Ari Juels,

8 The Counterfeiting Problem: Good readers, bad tags Counterfeit! Prescription Drug Lot Number Here s Mr. Jones in 2020 Counterfeit! 1500 Euros in wallet Serial numbers: , * From a presentation by Ari Juels,

9 The Counterfeiting Problem: Good readers, bad tags Counterfeit! Prescription Drug Lot Number Here s Mr. Jones in 2020 Mad-cow hamburger lunch Counterfeit! 1500 Euros in wallet Serial numbers: , * From a presentation by Ari Juels,

10 Counterfeiting of Goods $250 Billion/Yr Revenue losses Pay-TV: $1.5 Billion/Yr Spare Parts: $3 Billion/Yr Electronic Companies (Cisco, HP, Nortel, 3Com): $100 Billion/Yr Harms People: Murder by Medicine [Nature] National Security Damaged Brand [Source: Pira International Ltd 2005, IEEE Spectrum, May 2006 ] 4

11 Case Study: Pharmaceuticals [White Paper: Securing the Pharmaceutical Supply Chain ] 5

12 Case Study: Pharmaceuticals China: 40% drugs is fake! [White Paper: Securing the Pharmaceutical Supply Chain ] 5

13 Case Study: Pharmaceuticals Colombia: 40% drugs is fake! [White Paper: Securing the Pharmaceutical Supply Chain ] 5

14 Case Study: Pharmaceuticals Vietnam: 33% anti-malaria drugs are fake! [White Paper: Securing the Pharmaceutical Supply Chain ] 5

15 Case Study: Pharmaceuticals Nigeria: 50% of drugs is counterfeit! [White Paper: Securing the Pharmaceutical Supply Chain ] 5

16 Case Study: Pharmaceuticals US customs: 10% of intercepted medicine is fake! [White Paper: Securing the Pharmaceutical Supply Chain ] 5

17 Relevant? 6

18 Relevant? 6

19 Relevant? 6

20 RFID Security (Authentication) Problems 1. Cloning of tags (counterfeiting threat) 2. Corporate espionage (easy for competitors to gather supply-chain data) 3. Competitive marketing threat (competitors might gain information from data stored in RFID tags) 7

21 Idea: make RFID-tags suitable for anti-counterfeiting Embed an RFID-tag into product or package RFID tag gets secret information on which it can be authenticated Requirement: Withstand a cloning attack Produce a new Tag (chip) containing the original secret authentication information Reader can then not distinguish a cloned ftom an authentic chip 8

22 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 9

23 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 9

24 Authentication Options - PUFs Derive strings from a complex physical system that is inherently uncloneable (e.g. a large number (10 10 ) of randomly distributed particles). PUF = Physical Unclonable Function Easy to evaluate (by probing the physical system) Inherently tamper resistant Manufacturer not-reproducible PUFs can be used as a source of a large amount of unclonable secret key material Unclonable: Hard to make a physical clone Hard to make a mathematical model that simulates the behaviour of the physical structure 10

25 Authentication Options with PUFs Online verification Requires to be connected permanently to DB Large number of Challenge-Response Pairs Off-line verification (Tuyls and Batina, CT-RSA 2006) Physical protection Unforgeable/uncloneable structures embedded in the product (its package) Derive a fingerprint from the structure and print it on the product Cryptographic Protection Digital signatures: prevents tampering with the fingerprints and auxiliary data Secure Identification Protocols 11

26 Authentication Options with PUFs Online verification Requires to be connected permanently to DB Large number of Challenge-Response Pairs Off-line verification (Tuyls and Batina, CT-RSA 2006) Physical protection Unforgeable/uncloneable structures embedded in the product (its package) Derive a fingerprint from the structure and print it on the product Cryptographic Protection Digital signatures: prevents tampering with the fingerprints and auxiliary data Secure Identification Protocols 11

27 Authentication Options Question: Can we perform ECC on RFID Tags? Cost? Options: ECDSA Signature one point multiplication + hash Identification Protocols: Schnorr or Okamoto one or two point multiplications 12

28 Secure Identification Protocols Set-up: an elliptic curve E(GF(2 m )) a point P of order n and a commitment Z = ap to the secret a 13

29 Secure Identification Protocols Set-up: an elliptic curve E(GF(2 m )) a point P of order n and a commitment Z = ap to the secret a Protocol Anatomy Prover witness challenge response Verifier 13

30 Schnorr Identification Protocol Tag (a) 2. Choose r [ 1, n 1] 1. request 3. Compute X = rp 4. X 6. c 7. Compute y = ac + r mod n R Reader (Z=aP) 5. Choose challenge t 2 r 2 < n 7. y 8. If yp ez = X = rp (ac + r) P c(ap) = X accept Else reject 14

31 Contents Motivation PK Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 15

32 Contents Motivation PK Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 15

33 Parameter Choice (field operations) Fields of characteristic two Choose non-standard fields E(F q ) < F k F 2 n, choose k and n such that < F q < Optimize for area not performance 16

34 Parameter Choice (EC operations) Use Montgomery representation Use Lopez-Dahab projective coordinates Minimize number of registers Use only x-coordinate of point during protocol 17

35 Contents Motivation PK Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 18

36 Contents Motivation PK Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 18

37 A Word About Security Composite Fields Security of EC with 130-bit long operands Security is a trade-off (how much are you willing to spend to get my key?) Lenstra (2004) cost-based analysis At the current state of knowledge, only large organizations with large budgets could break it. 19

38 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 20

39 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 20

40 EC Processor Architecture 21

41 ALU Architecture 22

42 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 23

43 Contents Motivation Authentication Options Parameter Choice A Word About Security EC Processor Architecture Results Conclusions 23

44 Area-Time Product of Various Implementations AT factor (k=6) , D=2, w 139, D=2, w 134, D=4, w 142, D=4, w 134, D=3, w 131, D=2, wo 142, D=3, w 134, D=4, wo 134, D=2, w 131, D=1, w 139, D=2, wo 142, D=2, w 142, D=4, wo Implementation Type 134, D=3, wo 139, D=1, w 142, D=3, wo 134, D=2, wo 131, D=1, wo 134, D=1, w 142, D=2, wo 139, D=1, wo 134, D=1, wo 24

45 Area for RAM Cell = 2 equivalent gates Area as function of field and digitsize (k=2) , D=1, wo 134, D=2, wo 134, D=1, w 134, D=3, wo 134, D=2, w 142, D=2, wo 134, D=4, wo 134, D=3, w 142, D=3, wo 142, D=2, w 142, D=3, w 134, D=4, w 142, D=4, wo 142, D=4, w 131, D=1, wo 139, D=1, wo 131, D=1, w 131, D=2, wo 139, D=1, w 139, D=2, wo 131, D=2, w 139, D=2, w

46 Preliminary Results Source Östurk et al. CHES 2004 Field size (bits) 166 (F p ) Area (gates) Technology (µm) 0.13 Frequency 20 MHz Performance (msec) 31.9 Gaubatz et al. PerSec (F p ) KHz Wolkerstorfer CRASH (F p and ) F 2 m MHz 6.67 Ours 2006 (Schnorr) F 2 m 131 ( ) KHz 480 Ours 2006 (Okamoto) 131 ( ) F 2 m KHz

47 Conclusions ECC suitable for certain RFID applications More research on low cost protocols and low cost implementations See also paper in eprint Archive 27

48 Errata Research Research On page 72, line 4 of 2 nd paragraph, change second 9 to 15 28

Public-Key Cryptography for RFID-Tags

Public-Key Cryptography for RFID-Tags L. Batina 1,J.Guajardo 2,T.Kerins 2,N.Mentens 1,P.Tuyls 2, and I. Verbauwhede 1 1 Katholieke Universiteit Leuven, ESAT/COSIC, Belgium {Lejla.Batina,Nele.Mentens,Ingrid.Verbauwhede}@esat.kuleuven.be