Upcoming SlideShare
Loading in...5

Like this? Share it with your network








Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Example of “other functionalities:” EPC protocol itself
  • Tags also lack user interfaces from which to derive entropy (i.e., as done with keystroke on traditional machines running Linux)
  • -data takes time to decay due to electrical components -
  • =
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself

SFS_presentation.ppt Presentation Transcript

  • 1. Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags Nitesh Saxena and Jonathan Voris [email_address] , [email_address] Polytechnic Institute of New York University Department of Computer Science and Engineering We Can Remember it for You Wholesale
  • 2. The Problem: RFID Random Number Generation
    • Most security and privacy solutions for RFID tags require true random number generation (RNG)
      • True randomness: Uses physical noise
      • Pseudorandomness: Uses a seeded function
    • Due to costs, RFID tags are constrained in terms of:
      • Memory
      • Computation
      • Power
      • User interfaces
    • What is the best way to perform RNG on RFID tags?
  • 3. Potential Solution: RAM Based RNG
    • Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et. al [RFIDSec ‘07][ToC ‘09]
    • Derives a fingerprint from uninitialized memory
    • Fingerprint can be used as:
      • An identifier
      • A source of randomness
    • Huge advantage: No new hardware required for RNG
  • 4. Potential Limitations of RAM Based RNG
    • Amount of randomness is restricted by amount of unused memory
      • RFID tags don’t have much to begin with
      • Other functionalities also utilize RAM
    • After a portion of memory has been used for RNG, must wait for it to become uninitialized before using again
      • How often does this occur with standard RFID usage?
    • Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols?
  • 5. RFID Overview
    • RFID infrastructure consists of:
      • Tags – small transponders
      • Readers – wirelessly query tags
    • Tags commonly:
      • Are passive – derive power from reader transmissions
      • Have little memory and computational power
    • For research, utilized Wireless Identification and Sensing Platform (WISP) by Intel Research
      • First programmable passive tag
      • Allowed work with a live RFID device
  • 6. Using Memory for RNG
    • FERNS approach
    • RAM cells power up into a stable ‘0’ or ‘1’ state
    • Which state depends on physical properties
      • Large threshold voltage mismatch: reliably enter one state
      • Small mismatch: take on value randomly
    • Physical noise of well matched cells supplies entropy
  • 7. Data Remanence
    • Popular belief: data held in RAM is lost as soon as power is removed
      • Not accurate! Data takes time to decay
    • Brief interval after power loss where data remains intact
      • Known as data remanence
    • Decay rate varies:
      • Between particular chips
      • With temperature
    • What implications does
    • this have on RAM
    • initialization frequency?
    Source: Halderman et. al [USENIX ‘08]
  • 8. RFID Authentication (1)
    • RFID tags designed to respond promiscuously to any query
    • Tag forging is relatively simple:
      • Query a tag to obtain its data
      • Program a new tag with an identical value
    • Cryptography is expensive, so traditional solutions are ill-suited to low cost tags
  • 9. RFID Authentication (2)
    • New authentication solutions developed to address tag shortcomings
      • HB+ is one of the best known
    • Requires only bitwise logic gates and high quality random numbers
      • For 80-bit security, either:
        • 80 rounds where tag generates a 224 bit random value
        • Single round where tag generates a 17,920 bit random value
    • Can RAM based RNG generate sufficient randomness for protocols like HB+?
  • 10. WISP RNG Implementation
    • Implemented FERNS on a WISP tag
    • Preliminary test:
      • Tag generates a single 37 bit hash from 512 bits of uninitialized RAM
      • Tag transmits hash value to the reader through its EPC ID
    • Noticed identical values being transmitted
      • Certainly not random!
      • Why?
  • 11. WISP Data Remanence (1)
    • Broke WISP memory into blocks and sent through EPC ID
    • Uninitialized memory was not changing!
    • Data was being retained between queries
      • Tags derive power from reader transmission
      • While continuously polling, tag never loses power
      • Memory not reinitialized between queries
  • 12. WISP Data Remanence (2)
    • How long is data retained in WISP memory?
    • Used data remanence methodology from Halderman et. al [USENIX ‘08]
    • Attached WISP to debugger
      • Provides power
      • Allows direct reads/writes to tag memory
    • Fill WISP memory with a pseudorandom pattern
  • 13. WISP Data Remanence (3)
    • Next, detached WISP from debugger
      • Deprives tag of power
    • Waited a certain length of time
    • Reattached to debugger and read back memory contents
    • Decay rate is the Hamming distance between the original pattern and the value read back
      • Since pattern was pseudorandom, expected to have equal amount of each bit
      • Thus Hamming distance of 50% pattern length indicates full decay
  • 14. Remanence Results
  • 15. Remanence Results (3)
    • Initial 15 second period of little (< 1%) decay
    • 15 seconds of rapid decay
    • Slow decay of whatever remained
    • Depending on particular tag, WISPs require 25 to 30 seconds without power for complete decay
  • 16. Available Memory on WISPs
    • How much uninitialized RAM is available on a WISP?
      • At the very least, EPC protocol stack must be in RAM
    • Loaded tags with default firmware
    • Checked how much space was available for additional data
      • 512 – 136 = 376 bytes available
    • This is a best case
      • Entire EPC protocol not implemented
      • 5-10 cent RFID tag projected to have 128 bits max – Juels and Weis [CRYPTO ‘05]
  • 17. Practicality of RAM Based RNG (1)
    • How feasible is it to use RAM Based RNG for RFID authentication protocols?
      • Taking HB+ and HB# as examples
    • For 80 bit security,
      • Parallel HB+ requires 17,920 random bits
      • HB# requires 512 random bits (but requires more memory itself)
    • Estimated 0.103 bits of entropy per byte of RAM - Holcomb et. al [RFIDSec ‘07]
    • Based on remanence results, a 30 second wait time is required between reads
  • 18. Practicality of RAM Based RNG (2)
    • For WISP 4.1:
      • 309 random bits available
      • For HB+:
        • 58 memory hashes required
        • 28.5 minutes of wait time
      • For HB#:
        • 2 memory hashes required
        • 30 seconds of wait time
  • 19. Effect on RFID Usage Model
    • Consider contactless RFID access card usage model
      • Reader continuously polling
      • User swipes card in front of reader
    • Access card would have to be taken out of range of reader to let memory “cool down”
    • Users would have to repeatedly bring card in and out of reader range
      • How to tell when you are out of
      • range and for how long?
    • Potential for new attacks
      • If an adversary could continuously
      • supply power, could force tag to
      • reuse RAM values
  • 20. Conclusion
    • Have shown practical shortcomings of RAM based RNG for RFID tags
      • Memory is in short supply
      • Data remanence leads to longer than expected wait times between RAM uses
    • RAM Based randomness is still attractive due to hardware reuse
      • But seems insufficient on its own
    • Future work - investigate:
      • Use of sensors as an entropy source
      • Efficiency of alternative extractors
  • 21.
    • Thank you!