Title: Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags
1. Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags
We Can Remember it for You Wholesale
- Nitesh Saxena and Jonathan Voris
- nsaxena_at_poly.edu, jvoris_at_isis.poly.edu
- Polytechnic Institute of New York University
- Department of Computer Science and Engineering
2. The Problem: RFID Random Number Generation
- Most security and privacy solutions for RFID tags require true random number generation (RNG)
  - True randomness: uses physical noise
  - Pseudorandomness: uses a seeded function
- Due to costs, RFID tags are constrained in terms of:
  - Memory
  - Computation
  - Power
  - User interfaces
- What is the best way to perform RNG on RFID tags?
3. Potential Solution: RAM Based RNG
- Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et al. [RFIDSec 07, ToC 09]
- Derives a fingerprint from uninitialized memory
- Fingerprint can be used as:
  - An identifier
  - A source of randomness
- Huge advantage: no new hardware required for RNG
4. Potential Limitations of RAM Based RNG
- Amount of randomness is restricted by amount of unused memory
  - RFID tags don't have much to begin with
  - Other functionalities also utilize RAM
- After a portion of memory has been used for RNG, must wait for it to become uninitialized before using again
  - How often does this occur with standard RFID usage?
- Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols?
5. RFID Overview
- RFID infrastructure consists of:
  - Tags: small transponders
  - Readers: wirelessly query tags
- Tags commonly:
  - Are passive: derive power from reader transmissions
  - Have little memory and computational power
- How can random numbers be generated under these constraints?
6. Intel's WISP Tags
- Wireless Identification and Sensing Platform (WISP) by Intel Research
- First programmable passive RFID tag
- Onboard TI MSP430 microcontroller
- 512 bytes of RAM
- Allowed work with a live RFID tag:
  - Alter functionality
  - Probe memory
7. Using Memory for RNG (1)
- FERNS approach
- RAM cells power up into a stable 0 or 1 state
- Which state depends on physical properties:
  - Large threshold voltage mismatch: reliably enter one state
  - Small mismatch: take on value randomly
- Physical noise of well matched cells supplies entropy
8. Using Memory for RNG (2)
- Desirable RAM cells are randomly distributed
- An extractor is needed to pull them together
- Can use a hash function
- PH Universal Hash Function
- Suitable for low-cost hardware implementation
9. Data Remanence
- Popular belief: data held in RAM is lost as soon as power is removed
- Not accurate! Data takes time to decay
- Brief interval after power loss where data remains intact
- Known as data remanence
- Decay rate varies:
  - Between particular chips
  - With temperature
- What implications does this have on RAM initialization frequency?
Source: Halderman et al. [USENIX 08]
10. RFID Authentication (1)
- RFID tags designed to respond promiscuously to any query
- Tag forging is relatively simple:
  - Query a tag to obtain its data
  - Program a new tag with an identical value
- Cryptography is expensive, so traditional solutions are ill-suited to low cost tags
11. RFID Authentication (2)
- New authentication solutions developed to address tag shortcomings
- HB+ is one of the best known
  - Challenge-response scheme based on HB human authentication protocol
  - Requires only bitwise logic gates and high quality random numbers
- For 80-bit security, either:
  - 80 rounds where tag generates a 224 bit random value
  - Single round where tag generates a 17,920 bit random value
- Can RAM based RNG generate sufficient randomness for protocols like HB+?
12. Experimental Setup
- Used 4 WISP 4.1 tags
- Desktop computer
- TI MSP-FET430 debugging interface
- Impinj Speedway RFID Reader
13. WISP RNG Implementation (1)
- Implemented FERNS on a WISP tag
- Reduced the PH hash input block size from 64 bits to 16 bits
- Reduced output to 37 bits from 133
- Practical consideration: no need for multiple precision data types
- Theoretical benefit: produces slightly more random bits (148 vs 133)
14. WISP RNG Implementation (2)
- Preliminary test:
  - Tag generates a single 37 bit hash from 512 bits of uninitialized RAM
  - Tag transmits hash value to the reader through its EPC ID
- Noticed identical values being transmitted
- Certainly not random!
- Why?
15. WISP Data Remanence (1)
- Broke WISP memory into blocks and sent through EPC ID
- Uninitialized memory was not changing!
- Data was being retained between queries
- Tags derive power from reader transmission
- While continuously polling, tag never loses power
- Memory not reinitialized between queries
16. WISP Data Remanence (2)
- How long is data retained in WISP memory?
- Used data remanence methodology from Halderman et al. [USENIX 08]
- Attached WISP to debugger:
  - Provides power
  - Allows direct reads/writes to tag memory
- Fill WISP memory with a pseudorandom pattern
17. WISP Data Remanence (3)
- Next, detached WISP from debugger
  - Deprives tag of power
- Waited a certain length of time
- Reattached to debugger and read back memory contents
- Decay rate is the Hamming distance between the original pattern and the value read back
- Since pattern was pseudorandom, expected to have equal amount of each bit
- Thus Hamming distance of 50% of pattern length indicates full decay
18. WISP Data Remanence (4)
- Took samples after removing power for 0 to 60 seconds at 5 second intervals
- Tests performed on 4 WISP tags
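
The decay metric from slides 16 to 18, as an added example (not the authors' code): it fills a 512-byte buffer with a pseudorandom pattern, applies an assumed decay model, and scores the read-back by Hamming distance so that 50% of the pattern length reads as full decay. The function names, seeds and the per-bit decay model are assumptions for illustration; the measured WISP curves are not reproduced.

```python
import random

RAM_BYTES = 512  # WISP 4.1 RAM size, from the slides


def make_pattern(seed, nbytes=RAM_BYTES):
    """Pseudorandom fill pattern, standing in for the debugger write."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def hamming_fraction(written, read_back):
    """Fraction of bit positions that differ between the two buffers."""
    if len(written) != len(read_back):
        raise ValueError("buffers must be the same length")
    flipped = sum(bin(a ^ b).count("1") for a, b in zip(written, read_back))
    return flipped / (8 * len(written))


def decay_percent(written, read_back):
    """Scale so that a 50% Hamming distance reads as 100% decay."""
    return min(100.0, 200.0 * hamming_fraction(written, read_back))


def simulate_power_loss(written, p_decay, seed):
    """ASSUMED model: each bit independently falls back, with probability
    p_decay, to a power-up value unrelated to the written pattern."""
    rng = random.Random(seed)
    out = bytearray(written)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < p_decay:
                power_up = rng.getrandbits(1)
                out[i] = (out[i] & ~(1 << bit)) | (power_up << bit)
    return bytes(out)


def sweep(p_values, seed=1):
    """Decay percentage for each assumed per-bit decay probability."""
    pattern = make_pattern(seed)
    return [(p, decay_percent(pattern, simulate_power_loss(pattern, p, seed + 1)))
            for p in p_values]


if __name__ == "__main__":
    for p, pct in sweep([0.0, 0.01, 0.25, 0.5, 1.0]):
        print(f"p_decay={p:4.2f}  Hamming-based decay={pct:5.1f}%")
```

A fully decayed buffer still matches the pattern in about half its bit positions by chance, which is why the score is scaled against 50% rather than 100%.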
19. Remanence Results (1)
20. Remanence Results (2)
21. Remanence Results (3)
- Initial 15 second period of little (< 1%) decay
- 15 seconds of rapid decay
- Slow decay of whatever remained
- Depending on particular tag, WISPs require 25 to 30 seconds without power for complete decay
22. Available Memory on WISPs (1)
- How much uninitialized RAM is available on a WISP?
- At the very least, EPC protocol stack must be in RAM
- Loaded tags with default firmware
- Checked how much space was available for additional data
- 512 - 136 = 376 bytes available
23. Available Memory on WISPs (2)
- 376 bytes is a best case:
  - Not all mandatory aspects of the EPC protocol are implemented
  - Assumes no space occupied by the authentication protocol itself
- Earlier versions (2.0/2.1) of WISP tags have 256 bytes of RAM
  - 112 bytes available for hashing [Czeskis et al., CCS 08]
- 5-10 cent RFID tag projected to have 128 bits max [Juels and Weis, CRYPTO 05]
24. Practicality of RAM Based RNG (1)
- How feasible is it to use RAM Based RNG for RFID authentication protocols?
- Taking HB+ and HB# as examples
- For 80 bit security:
  - Parallel HB+ requires 17,920 random bits
  - HB# requires 512 random bits (but requires more memory itself)
- Estimated 0.103 bits of entropy per byte of RAM [Holcomb et al., RFIDSec 07]
- Based on remanence results, a 30 second wait time is required between reads
25. Practicality of RAM Based RNG (2)
- For WISP 4.1:
  - 309 random bits available
- For HB+:
  - 58 memory hashes required
  - 28.5 minutes of wait time
- For HB#:
  - 2 memory hashes required
  - 30 seconds of wait time
26. Practicality of RAM Based RNG (2)
- For WISP 2.1/2.0:
  - 118 random bits available
- For HB+:
  - 152 memory hashes required
  - 76 minutes of wait time
- For HB#:
  - 5 memory hashes required
  - 2.5 minutes of wait time
27. Effect on RFID Usage Model
- Consider contactless RFID access card usage model:
  - Reader continuously polling
  - User swipes card in front of reader
- Access card would have to be taken out of range of reader to let memory cool down
- Users would have to repeatedly bring card in and out of reader range
- How to tell when you are out of range and for how long?
- Hardware could be used to shut down RAM between RNG uses
  - Would add complexity and cost
  - Would still have to wait
28. Potential Attacks
- If an adversary could continuously supply power, could force tag to reuse RAM values
  - Values would be predictable
  - Undermines protocol security
- If tag was locked down between RAM uses, adversary could DoS tag instead
  - Worse than normal jamming: just issuing queries, not jamming spectrum
29. Conclusion
- Have shown practical shortcomings of RAM based RNG for RFID tags:
  - Memory is in short supply
  - Data remanence leads to longer than expected wait times between RAM uses
- RAM Based randomness is still attractive due to hardware reuse
  - But seems insufficient on its own
- Future work: investigate using sensors as an entropy source