Your SlideShare is downloading. ×
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply



Published on

Published in: Business, Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Example of “other functionalities:” EPC protocol itself
  • Tags also lack user interfaces from which to derive entropy (i.e., as done with keystroke on traditional machines running Linux)
  • -data takes time to decay due to electrical components -
  • =
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Transcript

    • 1. Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags Nitesh Saxena and Jonathan Voris [email_address] , [email_address] Polytechnic Institute of New York University Department of Computer Science and Engineering We Can Remember it for You Wholesale
    • 2. The Problem: RFID Random Number Generation
      • Most security and privacy solutions for RFID tags require true random number generation (RNG)
        • True randomness: Uses physical noise
        • Pseudorandomness: Uses a seeded function
      • Due to costs, RFID tags are constrained in terms of:
        • Memory
        • Computation
        • Power
        • User interfaces
      • What is the best way to perform RNG on RFID tags?
    • 3. Potential Solution: RAM Based RNG
      • Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et. al [RFIDSec ‘07][ToC ‘09]
      • Derives a fingerprint from uninitialized memory
      • Fingerprint can be used as:
        • An identifier
        • A source of randomness
      • Huge advantage: No new hardware required for RNG
    • 4. Potential Limitations of RAM Based RNG
      • Amount of randomness is restricted by amount of unused memory
        • RFID tags don’t have much to begin with
        • Other functionalities also utilize RAM
      • After a portion of memory has been used for RNG, must wait for it to become uninitialized before using again
        • How often does this occur with standard RFID usage?
      • Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols?
    • 5. RFID Overview
      • RFID infrastructure consists of:
        • Tags – small transponders
        • Readers – wirelessly query tags
      • Tags commonly:
        • Are passive – derive power from reader transmissions
        • Have little memory and computational power
      • For research, utilized Wireless Identification and Sensing Platform (WISP) by Intel Research
        • First programmable passive tag
        • Allowed work with a live RFID device
    • 6. Using Memory for RNG
      • FERNS approach
      • RAM cells power up into a stable ‘0’ or ‘1’ state
      • Which state depends on physical properties
        • Large threshold voltage mismatch: reliably enter one state
        • Small mismatch: take on value randomly
      • Physical noise of well matched cells supplies entropy
    • 7. Data Remanence
      • Popular belief: data held in RAM is lost as soon as power is removed
        • Not accurate! Data takes time to decay
      • Brief interval after power loss where data remains intact
        • Known as data remanence
      • Decay rate varies:
        • Between particular chips
        • With temperature
      • What implications does
      • this have on RAM
      • initialization frequency?
      Source: Halderman et. al [USENIX ‘08]
    • 8. RFID Authentication (1)
      • RFID tags designed to respond promiscuously to any query
      • Tag forging is relatively simple:
        • Query a tag to obtain its data
        • Program a new tag with an identical value
      • Cryptography is expensive, so traditional solutions are ill-suited to low cost tags
    • 9. RFID Authentication (2)
      • New authentication solutions developed to address tag shortcomings
        • HB+ is one of the best known
      • Requires only bitwise logic gates and high quality random numbers
        • For 80-bit security, either:
          • 80 rounds where tag generates a 224 bit random value
          • Single round where tag generates a 17,920 bit random value
      • Can RAM based RNG generate sufficient randomness for protocols like HB+?
    • 10. WISP RNG Implementation
      • Implemented FERNS on a WISP tag
      • Preliminary test:
        • Tag generates a single 37 bit hash from 512 bits of uninitialized RAM
        • Tag transmits hash value to the reader through its EPC ID
      • Noticed identical values being transmitted
        • Certainly not random!
        • Why?
    • 11. WISP Data Remanence (1)
      • Broke WISP memory into blocks and sent through EPC ID
      • Uninitialized memory was not changing!
      • Data was being retained between queries
        • Tags derive power from reader transmission
        • While continuously polling, tag never loses power
        • Memory not reinitialized between queries
    • 12. WISP Data Remanence (2)
      • How long is data retained in WISP memory?
      • Used data remanence methodology from Halderman et. al [USENIX ‘08]
      • Attached WISP to debugger
        • Provides power
        • Allows direct reads/writes to tag memory
      • Fill WISP memory with a pseudorandom pattern
    • 13. WISP Data Remanence (3)
      • Next, detached WISP from debugger
        • Deprives tag of power
      • Waited a certain length of time
      • Reattached to debugger and read back memory contents
      • Decay rate is the Hamming distance between the original pattern and the value read back
        • Since pattern was pseudorandom, expected to have equal amount of each bit
        • Thus Hamming distance of 50% pattern length indicates full decay
    • 14. Remanence Results
    • 15. Remanence Results (3)
      • Initial 15 second period of little (< 1%) decay
      • 15 seconds of rapid decay
      • Slow decay of whatever remained
      • Depending on particular tag, WISPs require 25 to 30 seconds without power for complete decay
    • 16. Available Memory on WISPs
      • How much uninitialized RAM is available on a WISP?
        • At the very least, EPC protocol stack must be in RAM
      • Loaded tags with default firmware
      • Checked how much space was available for additional data
        • 512 – 136 = 376 bytes available
      • This is a best case
        • Entire EPC protocol not implemented
        • 5-10 cent RFID tag projected to have 128 bits max – Juels and Weis [CRYPTO ‘05]
    • 17. Practicality of RAM Based RNG (1)
      • How feasible is it to use RAM Based RNG for RFID authentication protocols?
        • Taking HB+ and HB# as examples
      • For 80 bit security,
        • Parallel HB+ requires 17,920 random bits
        • HB# requires 512 random bits (but requires more memory itself)
      • Estimated 0.103 bits of entropy per byte of RAM - Holcomb et. al [RFIDSec ‘07]
      • Based on remanence results, a 30 second wait time is required between reads
    • 18. Practicality of RAM Based RNG (2)
      • For WISP 4.1:
        • 309 random bits available
        • For HB+:
          • 58 memory hashes required
          • 28.5 minutes of wait time
        • For HB#:
          • 2 memory hashes required
          • 30 seconds of wait time
    • 19. Effect on RFID Usage Model
      • Consider contactless RFID access card usage model
        • Reader continuously polling
        • User swipes card in front of reader
      • Access card would have to be taken out of range of reader to let memory “cool down”
      • Users would have to repeatedly bring card in and out of reader range
        • How to tell when you are out of
        • range and for how long?
      • Potential for new attacks
        • If an adversary could continuously
        • supply power, could force tag to
        • reuse RAM values
    • 20. Conclusion
      • Have shown practical shortcomings of RAM based RNG for RFID tags
        • Memory is in short supply
        • Data remanence leads to longer than expected wait times between RAM uses
      • RAM Based randomness is still attractive due to hardware reuse
        • But seems insufficient on its own
      • Future work - investigate:
        • Use of sensors as an entropy source
        • Efficiency of alternative extractors
    • 21.
      • Thank you!