Secure UHF Tags with Strong Cryptography Development of ISO/IEC Compatible Secure RFID Tags and Presentation of First Results

Similar documents
Technological foundation

Encrypted Data Deduplication in Cloud Storage

Applications of The Montgomery Exponent

E-commerce security: SSL/TLS, SET and others. 4.1

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Card Specification Amendment A March 2004

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

A Novel Approach to RFID Authentication: The Vera M4H Unclonable RFID IC

The PASSERINE Public Key Encryption and Authentication Mechanism

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

TABLE OF CONTENTS CHAPTER NO. TITLE PAGE NO.

Security IP-Cores. AES Encryption & decryption RSA Public Key Crypto System H-MAC SHA1 Authentication & Hashing. l e a d i n g t h e w a y

A practical integrated device for lowoverhead, secure communications.

Kurose & Ross, Chapters (5 th ed.)

Secure Internet Connectivity with the Internet Smart Card

NFC FOR CONSUMABLES AND ACCESSORIES

ACOS 3 Contact Card. Functional Specification. Subject to change without prior notice

Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems

Security in NFC Readers

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems

Security & Chip Card ICs SLE 55R04. Intelligent 770 Byte EEPROM with Contactless Interface complying to ISO/IEC Type A and Security Logic

Security Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets

Key Exchange. Secure Software Systems

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

T Cryptography and Data Security

ECMA-409. NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM. 2 nd Edition / June Reference number ECMA-123:2009

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

Cryptography and Network Security Chapter 12. Message Authentication. Message Security Requirements. Public Key Message Encryption

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Security Policy for. DAL C3 2 Applet Suite on Axalto Cyberflex Access 64Kv1 Smart Card Chip. FIPS Level 2. Version 1.03 January 31, 2005

The Application of Elliptic Curves Cryptography in Embedded Systems

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

NIST Cryptographic Toolkit

Entrust IdentityGuard PIV Credential FIPS Cryptographic Module Security Policy Version: 1.0 Date: January 24, 2013

A Look Inside Today's Embedded RFID. Chris Diorio CTO, Impinj Inc.

ID-One PIV (Type A) FIPS Security Policy. (PIV Applet Suite on ID-One Cosmo V7-n) Public Version

Cryptographic Algorithm Validation Program:

Applied Cryptography and Computer Security CSE 664 Spring 2018

Public-key encipherment concept

Channel Coding and Cryptography Part II: Introduction to Cryptography

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Information technology Security techniques Cryptographic algorithms and security mechanisms conformance testing

Public Key Algorithms

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Changes to SP (SP ) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division

Expert 3.2

Analysis, demands, and properties of pseudorandom number generators

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

Inside the World of Cryptographic Algorithm Validation Testing. Sharon Keller CAVP Program Manager NIST ICMC, May 2016

MultiApp ID V2.1 Platform FIPS Cryptographic Module Security Policy

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Efficient RFID authentication scheme for supply chain applications

What did we talk about last time? Public key cryptography A little number theory

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

Anonymous Ticketing for NFC-enabled Mobile Phones

Mifare Classic Operations with TRF79xxA NFC/RFID Transceivers. S2 Microcontroller Division NFC/RFID Applications Team 02/2014

Security Policy. nshield F3 10+, nshield F3 500+, nshield F , nshield F for nshield Connect+,

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

borzoi Manual Dragongate Technologies Ltd.

Oberthur ID-One Cosmo 64 v5.4 D. FIPS Level 3. Security Policy. Public Version. Version 1.0. May 22, 2007

Canon MFP Security Chip. ISO/IEC Security Policy

Overview. SSL Cryptography Overview CHAPTER 1

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

RAIM: Redundant Array of Independent Motes

IDPrime MD 830-revB FIPS Cryptographic Module Non-Proprietary Security Policy Level 3

Refresher: Applied Cryptography

International Journal of Scientific & Engineering Research, Volume 4, Issue 4, April ISSN

Implementation of an RFID Key Management System for DASH7

Security. Communication security. System Security

NXP Semiconductors JCOP 3 SecID P60 OSA FIPS Cryptographic Module Non Proprietary Security Policy

CSE 127: Computer Security Cryptography. Kirill Levchenko

Security in ECE Systems

Waspmote Encryption Libraries. Programming guide

Security Mechanism of Electronic Passports. Petr ŠTURC Coesys Research and Development

Encryption. INST 346, Section 0201 April 3, 2018

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Security of Biometric Passports ECE 646 Fall Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada

SETECS OneCARD PIV II Java Card Applet. on Gemalto GemCombi'Xpresso R4 E72K PK card

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

QUANTUM SAFE PKI TRANSITIONS

Uses of Cryptography

UNC20C01R 1Kbyte EEPROM Contactless Card IC

Biometric Passport from a Security Perspective

Pretty Good Privacy (PGP

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Lecture III : Communication Security Mechanisms

Winter 2011 Josh Benaloh Brian LaMacchia

Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space

Automotive Security An Overview of Standardization in AUTOSAR

Transcription:

Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th, 2013

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 2

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 3

Inductive and radiative RFID Systems February 19th, 2013 Slide 4

Secure UHF RFID Cryptographic protection of UHF RFID systems facilitates novel applications thanks to its long operating range Today: RF 13,56 MHz: Smart Card OS / 10 cm UHF 868 MHz: Non-secure memory / 10 m Secure UHF RFID: Cryptographic security with same operating range technological leap µcontroller with SCOS full flexibility in the choice of authentication protocols AES efficiently implemented in hardware Security HF 13.56 SCOS Power consumption X 50 Secure UHF Technology UHF memory Reading range February 19th, 2013 Slide 5

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 6

The Rabin-Montgomery Crypto Suite Based on the asymmetric cryptosystem by Michael O. Rabin (1979) Augmented by a method from Peter Montgomery (1985) to avoid the division of long numbers in modular arithmetic Allows cost and energy efficient implementation by combining the Rabin and Montgomery algorithms Allows non-traceable and confidential identification and authentication Does not require a private (secret) key to be stored in a tag the tag performs only efficient public key operations Time consuming private key operations need only be performed by the interrogator Can be combined with symmetric mutual authentication, based on AES February 19th, 2013 Slide 7

How the RAMON Tag Authentication Works RAMON is a public key protocol, using four different keys: A A An public key K E, used for encryption. This is the only key stored on the tag private key(-set) K D, used for decryption This key is only stored in a secure memory in the interrogator optional key set K s, K V,used to validate a signed UID As the data length might exceed the buffer capacity of tag or interrogator, response messages are chained First response chunk is delivered while ongoing encryption produces more data consecutively Optimised transaction time February 19th, 2013 Slide 8

Information Flow with RAMON Tag Authentication 6 store 1 System Integrator Generate {K D, K E } Tag IDs, K E 5 2 (Signed) Tag IDs, (K V ) 3 Tag Issuer Generate {K S, K V } Sign Tag IDs with K S 4 store Secure Storage List of (signed) Tag IDs Signature verification key (public) K V Secure Storage RAMON decryption key (private) K D RAMON Encryption key (public) K E 7 (Signed) Tag ID, K E List of (signed) Tag IDs RAMON encryption key (public) K E Signature verification key (public) K V Signature generation key (private) K S verify User Memory 10 Interrogator RAMON Optional steps and components are indicated with a dashed line. 8 Tag 7 store / retrieve 9 (Signed) Tag ID RAMON Encryption key (public) K E n Step n of the information flow February 19th, 2013 Slide 9

Basics: Rabin Cryptosystem The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the factorization problem. Message M Encryption: C = M modn Cipher text C: Reader Tag 2 Public key n n = p * q equal size, Secret key p, q p, q: primes, almost p q 3 (mod 4) Decryption: m m p q = = p+1 4 C mod p = C q+1 4 C mod q = C mod p mod q One root r, s is our Message M y p p + y q q =1 + r = ( y p p mq + yq q m p ) mod n r = n r + s = ( y p p mq yq q m p ) mod n s = n s February 19th, 2013 Slide 10

Basics: Montgomery Modular Multiplication The Montgomery approach allows a much more efficient calculation of the cipher text C in the tag. C Encryption: = Message M Cipher text C*: Reader Tag C C R mod n Conversion: = ( M ) R mod n Rabin Decryption (previous slide) R * 2 1 2 1 = M R mod n n = p * q p, q: primes, almost * Public key n equal size, Secret key p, q p q 3 (mod 4) Residue R is a power of 2 and R 2 k > n. In other words, R is at least the next power of 2 which is larger than n. bl nd n = 1 mod 2 ;1 nd < d; nd d 2 February 19th, 2013 Slide 11

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 12

RAMON Protocol Steps Tag Identification Only Interrogator Tag Generate RND challenge CH Decrypt [Validate Signature of UID] * CH R Generate RND number RN Generate Response R (1) Tag Identification Tag identified or even authenticated Stop here, if only tag identification is required *: signature validation is an optional step February 19th, 2013 Slide 13

Detailed data flow for tag only authentication Interrogator {Database, K D, K V } {(signed)uid, K E } Tag Generate RND challenge CH Decrypt P = DEC (KD,R) CH, RN, UID Validate Signature of UID CH R Generate RND number RN Generate Response R R = ENC (K E,MIX(CH,RN,UID)) February 19th, 2013 Slide 14

Detailed Protocol Step 1: Interrogator send challenge Step 1: The interrogator challenge is delivered to the tag. The tag immediately starts with the cryptographic calculation and answers with the length of the response data which will be calculated. Interrogator Tag Command RFU CSI Length Message RN-16 CRC-16 11010010 2 00' xx EBV Interrogator Challenge step 1 xx xx Command Step 1 AuthMethod Step RFU Interrogator Challenge 11 2 01 2 0000 2 CH [127:0] Response Step 1 Header Length Response RN-16 CRC-16 0 EBV Response data length xx xx AuthMethod Step RFU Response data length 11 2 10 2 0000 2 (Total Nr. of Bytes) Start Calculaton February 19th, 2013 Slide 15

Detailed Protocol Step 2: Retrieve calculation results Interrogator Tag Step 2: The interrogator retrieves the remaining fragments by chaining. Once the interrogator has retrieved the entire record, it is able to authenticate the tag. Command RFU CSI Length Message RN-16 CRC -16 11010010 2 00' xx EBV Retrieve Response xx xx Command Step 2 AuthMethod Step RFU 11 2 01 2 0000 2 Header Length Response RN -16 CRC -16 0 EBV Response data length xx xx Response Step 2 AuthMethod Step RFU Response data fragment Remaining 11 2 10 2 0000 2 Part from result (Nr. of Bytes) Command RFU CSI Length Message RN-16 CRC-16 11010010 2 00' xx EBV Retrieve Response xx xx Command Step 3 AuthMethod Step RFU 11 2 01 2 0000 2 Header Length Response RN -16 CRC- 16 0 EBV Response data length xx xx Response Step 3 AuthMethod Step RFU Response data fragment Remaining 11 2 10 2 0000 2 Last part from result 00 ' ResponseData Part1 ResponseData Part2 Calculation finished February 19th, 2013 Slide 16

Detailed Protocol steps for tag only authentication In Step 1, the interrogator challenge is delivered to the tag. This message is used to request the tag to perform authentication. In Step 2, the interrogator retrieves the remaining fragments by chaining further Authenticate commands and responses. Once the interrogator has fetched the entire authentication record it is able to authenticate the tag. Power - up & ~ killed Tag state transitions acc to ISO/IEC 18000-63. Authenticate ( Step 1 ) Finished Init Authenticate ( Step 1 ) TAM 1.1 Authenticate ( Step 2 ) TAM 1.2 Authenticate ( Step 2 ) TAM 1.3 Error Finished or Error Any other command Mutual authentication February 19th, 2013 Slide 17

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 18

RAMON protocol steps Algorithms Used Interrogator Tag Algorithm State Generate RND challenge CH Decrypt Validate Signature of UID CH I R T Generate RND number RN Generate Response R Rabin Montgomery (RAMON) (1) Tag Identification Generate challenge CH Generate cryptogram Verify tag cryptogram If successful: Generate Session Keys, Initialise SSC C I C T Decrypt and verify cryptogram Generate Session Keys, Initialise SSC If successful: Generate tag cryptogram AES (FIPS197) AES CBC-Mode (SP800-38A) CMAC (SP800-38B) KDF (SP800-108) (2) Mutual Authentication Secure Channel established Secure Channel established AES (FIPS197) CMAC (SP800-38B) (3) SC February 19th, 2013 Slide 19

Detailed Protocol Steps for Mutual Authentication Mutual authentication can be performed only after the tag has been successfully identified. Secure communication is possible only after successful mutual authentication that involves generation of the required session keys. While in the state SC, the tag is able to process Secure communication commands. SecureComm from Tag Authentication Error TAM1.3 Authenticate (AuthMethod 1, Step 1) MAM1.1 Authenticate (AuthMethod 1, Step 2) Authenticate (AuthMethod 1, Step 1) Init State non secure command SC Error Finished MAM1.2 Authenticate (AuthMethod 1, Step 2) February 19th, 2013 Slide 20

RAMON Keys Used Key Usage Length in bits Remark K ENC Shared secret encryption key 128 Optional K MAC S ENC Shared secret message authentication key Session encryption key 128 128 Optional Dynamic Session Keys S MAC Session message authentication key 128 Dynamic K E K D K V Public key for encryption stored on tag Private decryption key stored on interrogator Public signature (ECDSA) verification key stored on interrogator 1024 n 1024 n 320 n Mandatory Mandatory Optional Tag Identification keys February 19th, 2013 Slide 21

Agenda Motivation for Secure UHF Tags The Rabin-Montgomery Cryptosystem Message Flow Protocol Extension with Mutual Authentication Proof-Of-Concept Implementation February 19th, 2013 Slide 22

FPGA Layout for a Proof-of-Concept Commercial RFID reader connected to PC Externally powered FPGA Evaluation Board Existing non-secure tag as (analogue-only) radio front end, AFE Re-implemented ISO 18000-63 state machine and tag memory Soft-core microcontroller, MSP430X-compatible Hardware multiplier and AES coprocessor February 19th, 2013 Slide 23

A Closer Look to the Actual Demonstrator The available UHF tag evaluation board facilitated the design of the demonstrator by providing digital baseband access to the modulator / demodulator: February 19th, 2013 Slide 24

Some Results MSP430 clock rate 1.25 MHz corresponds well to 1.28 MHz subcarrier RAMON calculation only: 134 ms RAMON including transmission: 330 ms Improve messaging concept ISO/IEC 29167 will define standard command set February 19th, 2013 Slide 25

Thank You for Your Attention Walter Hinz Giesecke & Devrient GmbH Prinzregentenstrasse 159 D-81677 München email: Walter.Hinz@gi-de.com February 19th, 2013 Slide 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback