0
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




          Re...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security



             ...
VLSI           Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




              ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




      Optimi...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




     Optimiz...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




      Optimi...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




     Power s...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security



             ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI              Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




           ...
VLSI                  Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




       ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




          Im...
VLSI                 Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




        ...
VLSI                Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




         ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
VLSI             Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security




            ...
Upcoming SlideShare
Loading in...5
×

Strong Crypto for Tiny RFID Tags

1,620

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,620
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
46
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Strong Crypto for Tiny RFID Tags"

  1. 1. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Strong Crypto for Tiny RFID Tags Challenges and Design Issues 11-13 July 2007, Malaga, Spain Martin Feldhofer IAIK – Graz University of Technology Martin.Feldhofer@iaik.tugraz.at www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI 2007 1
  2. 2. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security About us Graz University of Technology  Faculty of Computer Science  Institute for Applied Information Processing and Communications (IAIK) Research groups  Krypto group (hash functions and block ciphers) – Vincent Rijmen  EGIZ (e-government)  Trusted computing/Java security  Network security  VLSI group  Implementation of crypto algorithms  SCA/fault attacks and countermeasures  RFID security http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 2
  3. 3. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security RFID security research projects C@R: “Collaboration Rural” – IP in FP6; IAIK performs research towards asymmetric crypto in RFID. BRIDGE: “Building Radio frequency IDentification solutions for the Global Environment” – IP in FP6; IAIK is task leader for secure RFID tags – deals symmetric security in UHF technology (SCA attacks for attacks on UHF technology) PROACT: Local initiative (sponsored by NXP) to support research and education @ TU Graz SNAP: FIT-IT: Secure NFC Applications (national cooperation with NXP) http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 3
  4. 4. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Outline Motivation Requirements for RFID hardware Low-power design strategies Security algorithms in hardware Comparison of implementations Implementation security Conclusions http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 4
  5. 5. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Questions  Will every passive RFID tag has security features in a few years?  What are the difficulties in designing hardware for passive RFID tags?  Which cryptographic algorithm should be used?  Why does the RFID industry not implement security mechanisms now?  Are implementation attacks really a threat?  Is this work theoretical research or has it practical relevance? http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 5
  6. 6. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security RFIDSec02 to RFIDSec07 Changing view on RFID security  Sarma in 2002: first paper about RFID security at CHES 2002  Sarma in 2003: “…standard crypto too costly on tags…”, “…AES requires 20,000-30,000 gates…”  Weis in 2003: “… strong crypto is not a realistic option …”  Weis in 2003: “… only one-way hash function is required…”  Juels in 2003: “…strong crypto on tags not possible…”  Molnar in 2004: “… symmetric encryption, hash functions, or PRNGS are not possible on tags …”  IAIK in 2004: “… AES possible on passive tags…”  IAIK in 2006: “… AES much more suitable as hash functions …”  RFIDSec06: proposals for ECC on tags  Juels in 2007: “… integrate strong authentication into EPC standard …”  RFIDSec07: many interesting proposals (GPS, …) http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 6
  7. 7. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Why security for RFID systems? Counterfeiting Seven percent of world trade is counterfeited goods (ICC/2003)  500 billion USD in 2004 (TECTEM/2004)  5-10% of car parts (Commission EU/2004)  5-8% of pharmaceuticals (WHO/2002)  12% of toys in Europe (OECD/2000) Problems  High losses  Decreases the value of brands  Threat against public health and safety http://www.iaik.tugraz.at Source: TECTEM University of St. Gallen TU Graz/Computer Science/IAIK/VLSI/Feldhofer 7
  8. 8. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Why security for RFID systems? Privacy Is “Big Brother” really watching you? Monitoring of communication is easy  Contact less, no clear line-of-sight, broadcast signal  Even tag-to-reader load modulation observable in 4.5m distance Activity tracking of persons via UID Leakage of personal belongings data Data protection is often referred to as showstopper  user acceptance is important  It is useful to integrate security into RFID systems http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 8
  9. 9. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Requirements for a secure RFID system Security protocol S O rR E O  Challenge-response authentication F F Strong cryptography S E Key K EK(rR)  Appropriate key size (128 bits) O O F F Cryptographic primitive Reader Key K  Hash function, block cipher, universal hash function, public key algorithm  “Lightweight” solution (HB, …) Standardized algorithm  Analyzed by many crypto experts (see DST)  AES, SHA-1, SHA-256, MD5, Trivium, Grain Goals: authentication and/or anonymity What about the implementation costs of an RFID tag? http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 9
  10. 10. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security RFID tag vs. contact-less smart card Common properties  Passively powered (no active power supply)  Communication over air interface RFID tag CL smart card < 1.2 - 5m Reading range < 10 cm < 15µA (scarce) Power consumption ~ 10mA (enough) < 1 mm² Chip area 15 -20mm² minimal, 5-10 Cent Prize (€) some € LF, HF, UHF Frequency HF inventory (until now) Application authentication dedicated circuit Hardware microcontroller non/proprietary Security http://www.iaik.tugraz.at crypto coprocessor TU Graz/Computer Science/IAIK/VLSI/Feldhofer 10
  11. 11. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Limitations of crypto hardware on passive tags Chip area ~0.33 mm²  0.35 µm CMOS: 6,000 GE  0.18 µm CMOS: 25,000 GE  Die size is proportional to silicon costs Power consumption ~25 µW  Supply voltage ~ 1.5 V  Mean current Iavg < 15 µA  0.35 µm CMOS: ~15 D-FF @ 1MHz  Determines operating range http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 11
  12. 12. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimization metric Optimization goals  (Area, Delay, Power)  Silicon area Low die-size optimization  Mean power – or mean current Iavg  Clock cycles RF field – instead Tmin = #cycles / fmax ISupply Low-power optimization  Relevant for RFID tags  Energy consumption per cycle  Mean current consumption must not exceed available energy in capacitor Vdd VddMIN  Not relevant for RFID tags  Energy consumption per operation  Power consumption per operation IIC (encryption) http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 12
  13. 13. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimization techniques – Algorithmic level Focus on standardized challenge-response protocols Focus on standardized algorithms Selected algorithms Types of algorithms  Block cipher  Symmetric encryption  AES-128  Hash algorithms  TEA, XTEA  Keyed hashes  Stream cipher  Asymmetric algorithms  Trivium  Grain Not analyzed  Hash  Obviously too demanding algorithms  MD5  RSA  SHA-1  Doubtable algorithms  SHA-256  NTRU, XTR  Asymmetric  ECC-192  Not yet: GPS, RSA variants http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 13
  14. 14. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimization techniques – Architecture level Trade small size for speed  Word width reduction  Latency of reply  Serialize operations (use clock cycles) Example of LFSR http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 14
  15. 15. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimization techniques – Circuit level PTotal = PStatic + PSC + PDynamic  PDynamic = CL · VDD2 · f Lowering VDD  Limited by used technology (1.5V @ 0.35µm) Use lowest possible clock frequency (<100 kHz)  Limited by data rate (protocol) Avoiding glitching activity  Clock gating  Sleep-mode logic http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 15
  16. 16. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimizations on circuit level Clock gating  Reduces activity din 8 8  Lowers circuit size D Q dout 8 8 FF D Q dout 8 enable D Q din FF Latch enable EN clk clk Sleep logic input input select_f  Not selected path val 0 1 select_f consumes power  Input gates block f g f g signal changes 1 0 select_f output http://www.iaik.tugraz.at output TU Graz/Computer Science/IAIK/VLSI/Feldhofer 16
  17. 17. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Optimum word width for clock gating  Current consumption is at first glance proportional to number of clocked flip flops and latches  Imean ~ N/b + b N…# flip flops in algorithm b…word width  Minimization gives optimal data path word width  boptimal = N – NAES= 256  bopt = 16 – NSHA-1= 832  bopt = 28.8 – NSHA-256= 1024  bopt = 32 – NTrivium= 288  bopt = 17 – NGrain= 160  bopt = 12.6 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 17
  18. 18. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Semi-custom design flow Java Model HDL Code Synthesis Place & route Backend verification Fabrication http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 18
  19. 19. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Power simulation – Synopsys Nanosim Near-Spice level transistor simulation Accuracy 3% http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 19
  20. 20. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Survey of implemented algorithms Block cipher Public key algorithm  AES-128  ECC  TEA  XTEA Hash algorithm  SHA-1  SHA-256  MD5 Stream cipher  Trivium  Grain http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 20
  21. 21. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security AES-128 Features  Encryption and decryption  Round-key generation Balance included  Optimal relationship between flip flops and computational costs Architecture  256 bits memory and simple  8-bit datapath operations  1 S-box  ¼ MixColumns Difficulties  256 bit storage: RAM  Area*delay metric rather bad  32 x 8-bit organization  ~1000 cycles per encryption Silicon implementation  On 0.35 µm CMOS enc  Proven suitability for RFID start RAM read 32 x 8-bit Controller  0,25 mm² reset data_out  3 µA @ 1.5 V, 106 kHz finished Data Unit data_in AES-128 „Tina“: Tiny AES http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 21
  22. 22. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of implementations Algorithm Chip area Imean # Clock cycles [GEs] [µA @ 100kHz, 1.5V] AES-128 3,400 3.0 1,032 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 22
  23. 23. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Hash algorithms Algorithms Difficulties  SHA-256, SHA-1, MD5  High HW complexity  Determined by storage effort Architecture – > 1024 bits  32-bit datapath  Flip-flop based RAM W-RAM State- H-RAM A, B, C RAM  Msg expansion, state, 16x32-bit E, F, G 8x32-bit 8x32-bit chaining variables A dataout E  Tables as combinational logic Controller 0 Ch SHA2 T2 T1 Goodies Datapath 1 Maj 1 0 Const datain  Clock gating of „RAM“  No ROM for constants needed 32-bit Adder  Sleep logic for datapath Datapath http://www.iaik.tugraz.at SHA-256 datapath TU Graz/Computer Science/IAIK/VLSI/Feldhofer 23
  24. 24. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of implementations Algorithm Chip area Imean # Clock cycles [GEs] [µA @ 100kHz, 1.5V] AES-128 3,400 3.0 1,032 SHA-256 10,868 5.83 1,128 SHA-1 8,120 3.93 1,274 MD5 8,001 3.16 712 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 24
  25. 25. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Stream Key Stream ciphers data_in data_out Algorithms Goodies  Trivium, Grain  Distributed LFSR/NFSR Architecture  Pipelined memory access to single 16-bit registers  16-bit datapath  Sleep logic for datapath  Flip-flop based RAM Trivium datapath Grain datapath http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 25
  26. 26. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of implementations Algorithm Chip area Imean # Clock cycles [GEs] [µA @ 100kHz, 1.5V] AES-128 3,400 3.0 1,032 SHA-256 10,868 5.83 1,128 SHA-1 8,120 3.93 1,274 MD5 8,001 3.16 712 Trivium 3,090 0.68 (1,603) + 176 Grain 3,360 0.80 (130) + 104 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 26
  27. 27. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Elliptic-Curve Cryptography Algorithms Goodies  ECC-192 (GF(p))  Constants as combinational logic Architecture Difficulties  Bit-serial multiplier  Control  Redundant number representation  Long: 500.000 clock cycles  Dual-field capability  Complicated  RAM  Requires hierarchical approach  Flip-flop based – State machine: field operations – Progr. control: point operations  8 x 196-bit organization  Circuit size: 23 kGE a, a(x) p, p(x) c s p p/2 0 c c/2 0 s s/2 0 Control RAM ROM1 p1 c1 s1 Carry-save Adder q s - b/2 s a 0 2c c 0 2s s 0 a ROM2 b2 a2 c2 s2 p(x a a(x) p Carry-save Adder ) neg Arithmetic Unit Reg B Reg C Reg S b c s http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 27
  28. 28. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of implementations Algorithm Chip area Imean # Clock cycles [GEs] [µA @ 100kHz, 1.5V] AES-128 3,400 3.0 1,032 SHA-256 10,868 5.83 1,128 SHA-1 8,120 3.93 1,274 MD5 8,001 3.16 712 Trivium 3,090 0.68 (1,603) + 176 Grain 3,360 0.80 (130) + 104 ECC-192 23,600 13.3 500,000 TEA 2,633 3.79 289 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 28
  29. 29. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Comparison of algorithms Comparison of hardware implementations  Implemented on same platform  Optimized using same methods Result (128-bit crypto)  AES-128 vs. SHA-256  A: AES 3-times smaller  A*t: AES 4-times better  A*t*P: AES 7-times better http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 29
  30. 30. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation security Traditional attacks on security systems  Cryptanalysis (mathematics) Challenge-response protocol  Strength of keys and algorithms AES-128 But weakest link in system decides about security  Implementation security also very important Input Active attacks  Fault analysis Power Secret  Physical probing key K … Passive attacks EM Implementation  Side-channel analysis of algorithm …  Power consumption Cryptographic  Timing information Timing device  Electromagnetic radiation Side channel information http://www.iaik.tugraz.at Output TU Graz/Computer Science/IAIK/VLSI/Feldhofer 30
  31. 31. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Differential power/EM analysis  Target of the attacks is an intermediate value that depends on the secret key Input data Input data Cryptographic 256 key AES hypotheses device Model Power model Power/EM traces Statistical Methods (Correlation, Distance of means,..) 256 correlation traces Highest absolute peak detected http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 31
  32. 32. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Challenges of SCA-secure AES implementation Power consumption Chip area  Determines operating range  Die size equals silicon costs  Below 15µA mean current  Less than 20,000 gate consumption equivalents  Target: max. 5 times higher  Target: max. 5 times larger BUT  Very low data rates (26 kbps)  low clock frequency  High number of available clock cycles Implementation bases on existing AES architecture read write RAM 32 x 8-bit µP Interface select Controller addr data_out Data Unit data_in finished AES-128 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 32
  33. 33. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Implementation of countermeasures „The goal of countermeasures against SCA attacks is to make the power consumption of the device independent of the intermediate values of the executed algorithm.“ [Mangard, Oswald, Popp; Power Analysis Attacks – Revealing the Secrets of Smart Cards] Implemented countermeasures  Hiding (randomization)  Remove data dependency of power consumption  Shuffling of operations  Execution of dummy cycles  Masking  Randomize intermediate values that are processed  Use an SCA-resistant logic style http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 33
  34. 34. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Randomizing the AES AES algorithm Shuffling of operations a00 a01 a02 a03 Randomly choose a starting element (column & row) a10 a11 a12 a13 New sequence: a20 a21 a22 a23 a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10 a30 a31 a32 a33 The probability that a certain element is processed at a certain point of time is now 1/16. http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 34
  35. 35. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Increase randomization Execution of dummy cycles  Add a certain amount of dummy blocks randomly at the beginning and/or at the end d d d d d d d d a11 a21 a31 a01 a22 a32 a02 a12 a03 a13 a23 a33 a20 a30 a00 a10 d d d d  Probability that a certain element occurs at a certain point of time is p = 1/(16 + n) (n … number of dummy cycles)  e.g. n=12: probability that a certain element occurs at a certain point of time is 1/28 http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 35
  36. 36. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security SCA-resistant logic style Advantages of using Modified design flow logic styles  Counteract leakage High-level design capture directly at the source  Independent of circuit Special constraints Logic synthesis SR cell library architecture Conversion  Automatic implementation Logic style conversion rules of secure circuits via a semi-custom design Floorplanning DRP cell library process is possible Placement and routing Tape-out http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 36
  37. 37. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Answers  Will every passive RFID tag has security features in a few years?  Hopefully, yes  What are the difficulties in designing hardware for passive RFID tags?  Power consumption and chip area  Which cryptographic algorithm should be used?  Challenge-response protocols with AES-128 (public-key crypto perhaps possible in a few years)  Why does the RFID industry not implement security mechanisms now?  Too busy at the moment  Are implementation attacks really a threat?  If it is worth the effort, yes  Is this work theoretical research or has it practical relevance?  Yes, prototypes in real silicon show feasibility of strong crypto on passive RFID tags http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 37
  38. 38. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Conclusions Strong cryptography required for RFID systems Design for low power consumption Implementation of algorithms  AES-128  SHA-1, SHA-256, MD5  Trivium, Grain  ECC  TEA, XTEA Implementation security is important aspect  AES-128 is most suitable for passive RFID http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 38
  39. 39. VLSI Institute for Applied Information Processing and Communications (IAIK) – VLSI & Security Contact information Martin Feldhofer Institute for Applied Information Processing and Communications TU Graz - Austria Email: Martin.Feldhofer@iaik.tugraz.at Acknowledgements: Johannes Wolkerstorfer Thomas Popp Michael Hutter Stefan Tillich Manfred Aigner Christian Rechberger FIT-IT Project SNAP sponsored by Austrian bm:vit see www.fit-it.at http://www.iaik.tugraz.at TU Graz/Computer Science/IAIK/VLSI/Feldhofer 39
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×