Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes

1
Evaluation of Side-Channel Preprocessing
Techniques on Cryptographic-Enabled HF and UHF
RFID-Tag Prototypes

• Thomas Plos, Michael Hutter, Martin Feldhofer
• Workshop on RFID Security 2008
• 09. - 11.07.2008, Budapest, Hungary

2
Outline

• Motivation
• Prevalent countermeasures
• Hiding in time dimension
• Attacking techniques on hiding
• Arguments for using FFT
• Conducted attacks
• Tag prototypes
• Measurement setup
• Results
• Conclusion

3
Motivation (1)

• gt 1 billion RFID tags
• sold in 2006
• Movement towards
• internet of things
• Current low-cost tags cannot prevent fake
  products
• Enhanced functionality opens field for new
  applications
• Sensors
• Actuators
• Weakest link of the system determines security ?
  crypto on tags

4
Motivation (2)

• It was long believed that strong crypto is
  unfeasible on passive RFID tags
• Meanwhile great effort to bring standardized
  crypto on low-cost tags
• Secure algorithm ? secure implementation
• Side-channel analysis (SCA) exploits
  implementation weaknesses
• Protection via countermeasures necessary

5
Prevalent Countermeasures

• Make power consumption independent of
  intermediate values
• Principally two types of countermeasures
• Hiding
• In time dimension
• random insertion of dummy cycles
• shuffling
• In amplitude dimension
• increase noise
• reduce signal
• Masking
• Boolean masking (e.g. ?)
• Arithmetic masking (e.g. , )

6
Hiding in Time Dimension

• Highly suitable for low-resource devices like
  RFID tags
• Mainly effects control logic
• Cost efficient in terms of hardware
• Time is not a critical parameter in RFID due to
  rather low data rates in protocols
• Using the example of AES

Dummy operations
Byte shuffling
7
Attacking Techniques on Hiding

• Filtering (amplitude dimension)
• Attenuation of disturbing signals
• Requires knowledge of wanted signal/disturbing
  signal
• Integration techniques (time dimension)
• Summing up specific points defined by a comb or
  a window
• Requires knowledge of specific points
• Identification of parameters for
  filtering/integration techniques could be
  challenging
• Can FFT help us?

8
Arguments for Using FFT

• FFT is time-shift invariant
• Efficiency of randomization is diminished
• Influence of misaligned traces during
  measurements is reduced
• Filtering of disturbing signals not necessary
  (e.g. carrier signal of RFID reader)
• Differential Frequency Analysis (DFA) first
  mentioned by C. Gebotys (CHES 2005)

9
Conducted Attacks

• Analysis of RFID devices (HF and UHF)
• Current low-cost RFID tags do not contain strong
  crypto randomization
• Using self-made tag prototypes
• Integration of 128-bit AES with randomization
• Comparing DEMA with DFA
• Disturbing carrier signal
• DEMA filtering vs. DFA
• Disturbing carrier signal randomization of AES
• DEMA filtering windowing vs. DFA

10
Tag Prototypes

• HF tag prototype
• 13.56MHz
• ISO14443-A
• Semi passive
• UHF tag prototype
• 868MHz
• ISO18000-6C
• Semi passive

11
Measurement Setup
12
Results (1)

• HF tag prototype
• Disturbing 13.56 MHz carrier signal
• DEMA filtering DFA

13
Results (2)

• UHF tag prototype
• Disturbing 868 MHz carrier signal
• DEMA filtering DFA

14
Results (3)

• HF tag prototype
• Disturbing 13.56 MHz carrier signal
  randomization of AES enabled
• DEMA filtering windowing DFA

15
Results (4)

• UHF tag prototype
• Disturbing 868 MHz carrier signal randomization
  of AES enabled
• DEMA filtering windowing DFA

16
Conclusion

• Evaluation of SCA pre-processing techniques on
  RFID devices using hiding in time domain
• HF and UHF RFID-tag prototypes implementing
  128-bit AES with randomization
• DEMA filtering (windowing) vs. DFA
• All attacks successful
• ? DFA offers good results without further
  knowledge about implementation
• ? Hiding alone as countermeasure for RFID tags
  not sufficient

17
Thomas.Plos_at_iaik.tugraz.at Michael.Hutter_at_iaik.tug
raz.at Martin.Feldhofer_at_iaik.tugraz.at
http//www.iaik.tugraz.at/research/sca-lab