  • Example of “other functionalities:” EPC protocol itself
  • Tags also lack user interfaces from which to derive entropy (i.e., as done with keystroke on traditional machines running Linux)
  • Data takes time to decay due to electrical components
  • Transcript

    • 1. We Can Remember it for You Wholesale: Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags
      • Nitesh Saxena and Jonathan Voris
      • Polytechnic Institute of New York University, Department of Computer Science and Engineering
    • 2. The Problem: RFID Random Number Generation
      • Most security and privacy solutions for RFID tags require true random number generation (RNG)
        • True randomness: Uses physical noise
        • Pseudorandomness: Uses a seeded function
      • Due to costs, RFID tags are constrained in terms of:
        • Memory
        • Computation
        • Power
        • User interfaces
      • What is the best way to perform RNG on RFID tags?
    • 3. Potential Solution: RAM Based RNG
      • Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et al. [RFIDSec ‘07][ToC ‘09]
      • Derives a fingerprint from uninitialized memory
      • Fingerprint can be used as:
        • An identifier
        • A source of randomness
      • Huge advantage: No new hardware required for RNG
    • 4. Potential Limitations of RAM Based RNG
      • Amount of randomness is restricted by amount of unused memory
        • RFID tags don’t have much to begin with
        • Other functionalities also utilize RAM
      • After a portion of memory has been used for RNG, must wait for it to become uninitialized before using again
        • How often does this occur with standard RFID usage?
      • Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols?
    • 5. RFID Overview
      • RFID infrastructure consists of:
        • Tags – small transponders
        • Readers – wirelessly query tags
      • Tags commonly:
        • Are passive – derive power from reader transmissions
        • Have little memory and computational power
      • For research, utilized Wireless Identification and Sensing Platform (WISP) by Intel Research
        • First programmable passive tag
        • Allowed work with a live RFID device
    • 6. Using Memory for RNG
      • FERNS approach
      • RAM cells power up into a stable ‘0’ or ‘1’ state
      • Which state depends on physical properties
        • Large threshold voltage mismatch: reliably enter one state
        • Small mismatch: take on value randomly
      • Physical noise of well matched cells supplies entropy
    • 7. Data Remanence
      • Popular belief: data held in RAM is lost as soon as power is removed
        • Not accurate! Data takes time to decay
      • Brief interval after power loss where data remains intact
        • Known as data remanence
      • Decay rate varies:
        • Between particular chips
        • With temperature
      • What implications does this have on RAM initialization frequency?
      Source: Halderman et al. [USENIX ‘08]
    • 8. RFID Authentication (1)
      • RFID tags designed to respond promiscuously to any query
      • Tag forging is relatively simple:
        • Query a tag to obtain its data
        • Program a new tag with an identical value
      • Cryptography is expensive, so traditional solutions are ill-suited to low cost tags
    • 9. RFID Authentication (2)
      • New authentication solutions developed to address tag shortcomings
        • HB+ is one of the best known
      • Requires only bitwise logic gates and high quality random numbers
        • For 80-bit security, either:
          • 80 rounds where tag generates a 224 bit random value
          • Single round where tag generates a 17,920 bit random value
      • Can RAM based RNG generate sufficient randomness for protocols like HB+?
    • 10. WISP RNG Implementation
      • Implemented FERNS on a WISP tag
      • Preliminary test:
        • Tag generates a single 37 bit hash from 512 bits of uninitialized RAM
        • Tag transmits hash value to the reader through its EPC ID
      • Noticed identical values being transmitted
        • Certainly not random!
        • Why?
    • 11. WISP Data Remanence (1)
      • Broke WISP memory into blocks and sent through EPC ID
      • Uninitialized memory was not changing!
      • Data was being retained between queries
        • Tags derive power from reader transmission
        • While continuously polling, tag never loses power
        • Memory not reinitialized between queries
    • 12. WISP Data Remanence (2)
      • How long is data retained in WISP memory?
      • Used data remanence methodology from Halderman et al. [USENIX ‘08]
      • Attached WISP to debugger
        • Provides power
        • Allows direct reads/writes to tag memory
      • Fill WISP memory with a pseudorandom pattern
    • 13. WISP Data Remanence (3)
      • Next, detached WISP from debugger
        • Deprives tag of power
      • Waited a certain length of time
      • Reattached to debugger and read back memory contents
      • Decay rate is the Hamming distance between the original pattern and the value read back
        • Since pattern was pseudorandom, expected to have equal amount of each bit
        • Thus Hamming distance of 50% pattern length indicates full decay
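The decay metric from slides 12 and 13, as an added example that is not code from the presentation: it scores a read-back memory image against the written pattern and shows why a Hamming distance of 50% means full decay. The bit-loss model, the function names, the seed and the 512-byte image size are assumptions constructed for illustration.

```python
import random

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length memory images."""
    if len(a) != len(b):
        raise ValueError("memory images must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def decay_percent(written: bytes, read_back: bytes) -> float:
    """Decay on the slides' scale: a Hamming distance of 50% of the
    pattern length is full decay (100%); identical images are 0%."""
    flipped = hamming_distance(written, read_back) / (8 * len(written))
    return min(flipped / 0.5, 1.0) * 100.0

def simulate_read_back(written, power_up, lost_fraction, rng):
    """Constructed model (an assumption, not WISP measurements): each bit
    loses its stored value with probability lost_fraction and reverts to
    that cell's power-up state."""
    out = bytearray(written)
    for i in range(len(written)):
        for bit in range(8):
            if rng.random() < lost_fraction:
                mask = 1 << bit
                out[i] = (out[i] & ~mask) | (power_up[i] & mask)
    return bytes(out)

def run_experiment(seed=1, size=512):
    """Write a pseudorandom pattern, 'remove power', read back, score."""
    rng = random.Random(seed)
    written = bytes(rng.getrandbits(8) for _ in range(size))
    # Power-up state is independent of the pattern, so a cell that has
    # lost its value still matches the pattern about half of the time.
    power_up = bytes(rng.getrandbits(8) for _ in range(size))
    results = {}
    for lost in (0.0, 0.5, 1.0):
        read_back = simulate_read_back(written, power_up, lost, rng)
        results[lost] = decay_percent(written, read_back)
    return results

if __name__ == "__main__":
    for lost, decay in run_experiment().items():
        print(f"cells lost: {lost:4.0%}  measured decay: {decay:5.1f}%")
```
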
    • 14. Remanence Results
    • 15. Remanence Results (3)
      • Initial 15 second period of little (< 1%) decay
      • 15 seconds of rapid decay
      • Slow decay of whatever remained
      • Depending on particular tag, WISPs require 25 to 30 seconds without power for complete decay
    • 16. Available Memory on WISPs
      • How much uninitialized RAM is available on a WISP?
        • At the very least, EPC protocol stack must be in RAM
      • Loaded tags with default firmware
      • Checked how much space was available for additional data
        • 512 – 136 = 376 bytes available
      • This is a best case
        • Entire EPC protocol not implemented
        • 5-10 cent RFID tag projected to have 128 bits max – Juels and Weis [CRYPTO ‘05]
    • 17. Practicality of RAM Based RNG (1)
      • How feasible is it to use RAM Based RNG for RFID authentication protocols?
        • Taking HB+ and HB# as examples
      • For 80 bit security,
        • Parallel HB+ requires 17,920 random bits
        • HB# requires 512 random bits (but requires more memory itself)
      • Estimated 0.103 bits of entropy per byte of RAM - Holcomb et al. [RFIDSec ‘07]
      • Based on remanence results, a 30 second wait time is required between reads
    • 18. Practicality of RAM Based RNG (2)
      • For WISP 4.1:
        • 309 random bits available
        • For HB+:
          • 58 memory hashes required
          • 28.5 minutes of wait time
        • For HB#:
          • 2 memory hashes required
          • 30 seconds of wait time
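The arithmetic behind the slide 18 figures, as an added example that is not part of the original slides. It assumes the 0.103 estimate is applied to each bit of the 376 free bytes (the reading that reproduces the slide's 309 bits) and that a 30 second cool-down is needed between consecutive memory hashes but not before the first; the function names are hypothetical.

```python
# Figures taken from slides 16-18.
FREE_RAM_BYTES = 376          # 512 - 136 bytes free with default firmware
ENTROPY_RATE = 0.103          # estimate quoted on slide 17 (assumed per RAM bit)
COOLDOWN_SECONDS = 30         # wait required between reads (slide 17)
REQUIRED_BITS = {"HB+": 17920, "HB#": 512}   # random bits for 80-bit security

def harvestable_bits(free_ram_bytes=FREE_RAM_BYTES, rate=ENTROPY_RATE):
    """Whole random bits one pass over uninitialized RAM can yield."""
    return int(free_ram_bytes * 8 * rate)

def harvest_plan(required_bits, free_ram_bytes=FREE_RAM_BYTES,
                 cooldown_s=COOLDOWN_SECONDS):
    """Return (memory hashes needed, total seconds spent waiting).

    RAM must lose power and decay before it can be hashed again, so every
    hash after the first costs one cool-down period.
    """
    per_hash = harvestable_bits(free_ram_bytes)
    if per_hash <= 0:
        raise ValueError("no entropy available from this much RAM")
    hashes = -(-required_bits // per_hash)      # ceiling division
    return hashes, (hashes - 1) * cooldown_s

def plan_all():
    """Plan for each protocol on the slide: name -> (hashes, wait seconds)."""
    return {name: harvest_plan(bits) for name, bits in REQUIRED_BITS.items()}

if __name__ == "__main__":
    print(f"bits per memory hash: {harvestable_bits()}")
    for name, (hashes, wait) in plan_all().items():
        print(f"{name}: {hashes} hashes, {wait / 60:.1f} minutes of waiting")
```
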
    • 19. Effect on RFID Usage Model
      • Consider contactless RFID access card usage model
        • Reader continuously polling
        • User swipes card in front of reader
      • Access card would have to be taken out of range of reader to let memory “cool down”
      • Users would have to repeatedly bring card in and out of reader range
        • How to tell when you are out of range and for how long?
      • Potential for new attacks
        • If an adversary could continuously supply power, could force tag to reuse RAM values
    • 20. Conclusion
      • Have shown practical shortcomings of RAM based RNG for RFID tags
        • Memory is in short supply
        • Data remanence leads to longer than expected wait times between RAM uses
      • RAM Based randomness is still attractive due to hardware reuse
        • But seems insufficient on its own
      • Future work - investigate:
        • Use of sensors as an entropy source
        • Efficiency of alternative extractors
    • 21.
      • Thank you!