Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Example of “other functionalities:” EPC protocol itself
  • Tags also lack user interfaces from which to derive entropy (i.e., as done with keystroke on traditional machines running Linux)
  • -data takes time to decay due to electrical components -
  • =
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • Example of “other functionalities:” EPC protocol itself
  • SFS_presentation.ppt

    1. 1. Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags Nitesh Saxena and Jonathan Voris [email_address] , [email_address] Polytechnic Institute of New York University Department of Computer Science and Engineering We Can Remember it for You Wholesale
    2. 2. The Problem: RFID Random Number Generation <ul><li>Most security and privacy solutions for RFID tags require true random number generation (RNG) </li></ul><ul><ul><li>True randomness: Uses physical noise </li></ul></ul><ul><ul><li>Pseudorandomness: Uses a seeded function </li></ul></ul><ul><li>Due to costs, RFID tags are constrained in terms of: </li></ul><ul><ul><li>Memory </li></ul></ul><ul><ul><li>Computation </li></ul></ul><ul><ul><li>Power </li></ul></ul><ul><ul><li>User interfaces </li></ul></ul><ul><li>What is the best way to perform RNG on RFID tags? </li></ul>
    3. 3. Potential Solution: RAM Based RNG <ul><li>Recent proposal: Fingerprint Extraction and Random Numbers in SRAM (FERNS) by Holcomb et. al [RFIDSec ‘07][ToC ‘09] </li></ul><ul><li>Derives a fingerprint from uninitialized memory </li></ul><ul><li>Fingerprint can be used as: </li></ul><ul><ul><li>An identifier </li></ul></ul><ul><ul><li>A source of randomness </li></ul></ul><ul><li>Huge advantage: No new hardware required for RNG </li></ul>
    4. 4. Potential Limitations of RAM Based RNG <ul><li>Amount of randomness is restricted by amount of unused memory </li></ul><ul><ul><li>RFID tags don’t have much to begin with </li></ul></ul><ul><ul><li>Other functionalities also utilize RAM </li></ul></ul><ul><li>After a portion of memory has been used for RNG, must wait for it to become uninitialized before using again </li></ul><ul><ul><li>How often does this occur with standard RFID usage? </li></ul></ul><ul><li>Can RAM based RNG generate sufficient randomness for RFID security and privacy protocols? </li></ul>
    5. 5. RFID Overview <ul><li>RFID infrastructure consists of: </li></ul><ul><ul><li>Tags – small transponders </li></ul></ul><ul><ul><li>Readers – wirelessly query tags </li></ul></ul><ul><li>Tags commonly: </li></ul><ul><ul><li>Are passive – derive power from reader transmissions </li></ul></ul><ul><ul><li>Have little memory and computational power </li></ul></ul><ul><li>For research, utilized Wireless Identification and Sensing Platform (WISP) by Intel Research </li></ul><ul><ul><li>First programmable passive tag </li></ul></ul><ul><ul><li>Allowed work with a live RFID device </li></ul></ul>
    6. 6. Using Memory for RNG <ul><li>FERNS approach </li></ul><ul><li>RAM cells power up into a stable ‘0’ or ‘1’ state </li></ul><ul><li>Which state depends on physical properties </li></ul><ul><ul><li>Large threshold voltage mismatch: reliably enter one state </li></ul></ul><ul><ul><li>Small mismatch: take on value randomly </li></ul></ul><ul><li>Physical noise of well matched cells supplies entropy </li></ul>
    7. 7. Data Remanence <ul><li>Popular belief: data held in RAM is lost as soon as power is removed </li></ul><ul><ul><li>Not accurate! Data takes time to decay </li></ul></ul><ul><li>Brief interval after power loss where data remains intact </li></ul><ul><ul><li>Known as data remanence </li></ul></ul><ul><li>Decay rate varies: </li></ul><ul><ul><li>Between particular chips </li></ul></ul><ul><ul><li>With temperature </li></ul></ul><ul><li>What implications does </li></ul><ul><li>this have on RAM </li></ul><ul><li>initialization frequency? </li></ul>Source: Halderman et. al [USENIX ‘08]
    8. 8. RFID Authentication (1) <ul><li>RFID tags designed to respond promiscuously to any query </li></ul><ul><li>Tag forging is relatively simple: </li></ul><ul><ul><li>Query a tag to obtain its data </li></ul></ul><ul><ul><li>Program a new tag with an identical value </li></ul></ul><ul><li>Cryptography is expensive, so traditional solutions are ill-suited to low cost tags </li></ul>
    9. 9. RFID Authentication (2) <ul><li>New authentication solutions developed to address tag shortcomings </li></ul><ul><ul><li>HB+ is one of the best known </li></ul></ul><ul><li>Requires only bitwise logic gates and high quality random numbers </li></ul><ul><ul><li>For 80-bit security, either: </li></ul></ul><ul><ul><ul><li>80 rounds where tag generates a 224 bit random value </li></ul></ul></ul><ul><ul><ul><li>Single round where tag generates a 17,920 bit random value </li></ul></ul></ul><ul><li>Can RAM based RNG generate sufficient randomness for protocols like HB+? </li></ul>
    10. 10. WISP RNG Implementation <ul><li>Implemented FERNS on a WISP tag </li></ul><ul><li>Preliminary test: </li></ul><ul><ul><li>Tag generates a single 37 bit hash from 512 bits of uninitialized RAM </li></ul></ul><ul><ul><li>Tag transmits hash value to the reader through its EPC ID </li></ul></ul><ul><li>Noticed identical values being transmitted </li></ul><ul><ul><li>Certainly not random! </li></ul></ul><ul><ul><li>Why? </li></ul></ul>
    11. 11. WISP Data Remanence (1) <ul><li>Broke WISP memory into blocks and sent through EPC ID </li></ul><ul><li>Uninitialized memory was not changing! </li></ul><ul><li>Data was being retained between queries </li></ul><ul><ul><li>Tags derive power from reader transmission </li></ul></ul><ul><ul><li>While continuously polling, tag never loses power </li></ul></ul><ul><ul><li>Memory not reinitialized between queries </li></ul></ul>
    12. 12. WISP Data Remanence (2) <ul><li>How long is data retained in WISP memory? </li></ul><ul><li>Used data remanence methodology from Halderman et. al [USENIX ‘08] </li></ul><ul><li>Attached WISP to debugger </li></ul><ul><ul><li>Provides power </li></ul></ul><ul><ul><li>Allows direct reads/writes to tag memory </li></ul></ul><ul><li>Fill WISP memory with a pseudorandom pattern </li></ul>
    13. 13. WISP Data Remanence (3) <ul><li>Next, detached WISP from debugger </li></ul><ul><ul><li>Deprives tag of power </li></ul></ul><ul><li>Waited a certain length of time </li></ul><ul><li>Reattached to debugger and read back memory contents </li></ul><ul><li>Decay rate is the Hamming distance between the original pattern and the value read back </li></ul><ul><ul><li>Since pattern was pseudorandom, expected to have equal amount of each bit </li></ul></ul><ul><ul><li>Thus Hamming distance of 50% pattern length indicates full decay </li></ul></ul>
    14. 14. Remanence Results
    15. 15. Remanence Results (3) <ul><li>Initial 15 second period of little (< 1%) decay </li></ul><ul><li>15 seconds of rapid decay </li></ul><ul><li>Slow decay of whatever remained </li></ul><ul><li>Depending on particular tag, WISPs require 25 to 30 seconds without power for complete decay </li></ul>
    16. 16. Available Memory on WISPs <ul><li>How much uninitialized RAM is available on a WISP? </li></ul><ul><ul><li>At the very least, EPC protocol stack must be in RAM </li></ul></ul><ul><li>Loaded tags with default firmware </li></ul><ul><li>Checked how much space was available for additional data </li></ul><ul><ul><li>512 – 136 = 376 bytes available </li></ul></ul><ul><li>This is a best case </li></ul><ul><ul><li>Entire EPC protocol not implemented </li></ul></ul><ul><ul><li>5-10 cent RFID tag projected to have 128 bits max – Juels and Weis [CRYPTO ‘05] </li></ul></ul>
    17. 17. Practicality of RAM Based RNG (1) <ul><li>How feasible is it to use RAM Based RNG for RFID authentication protocols? </li></ul><ul><ul><li>Taking HB+ and HB# as examples </li></ul></ul><ul><li>For 80 bit security, </li></ul><ul><ul><li>Parallel HB+ requires 17,920 random bits </li></ul></ul><ul><ul><li>HB# requires 512 random bits (but requires more memory itself) </li></ul></ul><ul><li>Estimated 0.103 bits of entropy per byte of RAM - Holcomb et. al [RFIDSec ‘07] </li></ul><ul><li>Based on remanence results, a 30 second wait time is required between reads </li></ul>
    18. 18. Practicality of RAM Based RNG (2) <ul><li>For WISP 4.1: </li></ul><ul><ul><li>309 random bits available </li></ul></ul><ul><ul><li>For HB+: </li></ul></ul><ul><ul><ul><li>58 memory hashes required </li></ul></ul></ul><ul><ul><ul><li>28.5 minutes of wait time </li></ul></ul></ul><ul><ul><li>For HB#: </li></ul></ul><ul><ul><ul><li>2 memory hashes required </li></ul></ul></ul><ul><ul><ul><li>30 seconds of wait time </li></ul></ul></ul>
    19. 19. Effect on RFID Usage Model <ul><li>Consider contactless RFID access card usage model </li></ul><ul><ul><li>Reader continuously polling </li></ul></ul><ul><ul><li>User swipes card in front of reader </li></ul></ul><ul><li>Access card would have to be taken out of range of reader to let memory “cool down” </li></ul><ul><li>Users would have to repeatedly bring card in and out of reader range </li></ul><ul><ul><li>How to tell when you are out of </li></ul></ul><ul><ul><li>range and for how long? </li></ul></ul><ul><li>Potential for new attacks </li></ul><ul><ul><li>If an adversary could continuously </li></ul></ul><ul><ul><li>supply power, could force tag to </li></ul></ul><ul><ul><li>reuse RAM values </li></ul></ul>
    20. 20. Conclusion <ul><li>Have shown practical shortcomings of RAM based RNG for RFID tags </li></ul><ul><ul><li>Memory is in short supply </li></ul></ul><ul><ul><li>Data remanence leads to longer than expected wait times between RAM uses </li></ul></ul><ul><li>RAM Based randomness is still attractive due to hardware reuse </li></ul><ul><ul><li>But seems insufficient on its own </li></ul></ul><ul><li>Future work - investigate: </li></ul><ul><ul><li>Use of sensors as an entropy source </li></ul></ul><ul><ul><li>Efficiency of alternative extractors </li></ul></ul>
    21. 21. <ul><li>Thank you! </li></ul>