RFID/USN Security Issues
2009/7/14 신승목
Cryptography & Information Security Lab
KAIST-ICC
Contents
1. Ubiquitous world
2. Introduction to RFID and security issues
3. Introduction to USN and security issues
4. Quiz
Advent of Ubiquitous society
Transition to Ubiquitous society
RFID/USN concept
@ MIC/Korea 2007
RFID/USN technology uses tags or sensor nodes in a variety of places to recognize, collect and process environmental information about people and objects, so that people can use IT services more conveniently.
Introduction to RFID
What is RFID?
Radio Frequency IDentification (RFID) is a method of remotely identifying objects using transponders (tags) queried through a radio frequency channel.
[Figure: tags T1 … Tn, Reader, Backend Database]
RFID - overview
[Figure labels: Data, Barcode, RFID]
A typical RFID tag
A multi-tier system: RFID tag, reader and backend server
An infrastructure to build ubiquitous society
RFID readers (1/2)
Fixed-Type Readers
Mobile Readers
RFID readers (2/2)
Typical Structure of RFID Reader
[Figure: block diagram with 915 MHz Radio, 13.56 MHz Radio, Network Processor, Digital Signal Processor (DSP), Power Supply]
RFID Tag
Classification by Frequency
• Low-frequency (LF: 125 ~ 134.2 kHz and 140 ~ 148.5 kHz)
• High-frequency (HF: 13.56 MHz)
• Ultra-high-frequency (UHF: 868 ~ 928 MHz)
Classification by Power
                Passive    Semi-passive    Active
Power Source    Passive    Battery         Battery
Transmitter     Passive    Passive         Battery
Max Range (m)   10         100             1000
Electronic Product Code (EPC)
2^96 = 79,228,162,514,264,337,593,543,950,336
96 bits can uniquely label all products for the next 1,000 years.
Version    EPC Manager (Manufacturer)    Object Class (Product)    Serial Number
8 bits     28 bits                       24 bits                   36 bits
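The field layout above, as an added example that is not part of the original slides: a parser and packer for the 8/28/24/36-bit split, plus a small grouping function showing why a static EPC makes reads at different places linkable. The function names, the sample identifiers and the read locations are constructed for illustration.

```python
from typing import NamedTuple

# Field widths from the slide: version, EPC manager, object class, serial number.
FIELDS = (("version", 8), ("manager", 28), ("object_class", 24), ("serial", 36))

class EPC96(NamedTuple):
    version: int
    manager: int        # manufacturer
    object_class: int   # product type
    serial: int         # individual item

def parse_epc96(hex_id: str) -> EPC96:
    """Split a 96-bit EPC (24 hex digits) into its four fields."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("a 96-bit EPC is exactly 12 bytes")
    value, remaining, out = int.from_bytes(raw, "big"), 96, []
    for _name, width in FIELDS:
        remaining -= width
        out.append((value >> remaining) & ((1 << width) - 1))
    return EPC96(*out)

def pack_epc96(epc: EPC96) -> str:
    """Inverse of parse_epc96; rejects fields that overflow their width."""
    value = 0
    for (name, width), field in zip(FIELDS, epc):
        if not 0 <= field < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        value = (value << width) | field
    return value.to_bytes(12, "big").hex().upper()

def track(reads):
    """Group (place, hex_id) reads by tag: a static ID links every sighting."""
    seen = {}
    for place, hex_id in reads:
        seen.setdefault(parse_epc96(hex_id), []).append(place)
    return seen

# Constructed reads: the same item seen twice, and a sibling item of the same product.
READS = [
    ("store exit", "350ABCDEF123456000000ABC"),
    ("subway gate", "350ABCDEF123456000000ABC"),
    ("office lobby", "350ABCDEF123456000000ABD"),
]

if __name__ == "__main__":
    for tag, places in track(READS).items():
        print(tag, places)
```

Anyone able to query the tag learns the manufacturer and product class from the ID alone, and the unchanging serial ties separate reads to one item.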
EPC classification (1/2)
Class-1: Identity Tags (normative): Passive Tags
• An electronic product code (EPC) identifier
• A Tag identifier (TID)
• A 'kill' function that permanently disables the Tag
• Optional password-protected access control
• Optional user memory
EPC classification (2/2)
Higher-class Tags (informative)
Class-2: Higher-Functionality Passive Tags
• An extended TID (Tag ID)
• Extended user memory
• Authenticated access control
Class-3: Semi-Passive Tags
• An integral power source
• Integrated sensing circuitry
Class-4: Active Tags (i.e., sensor node)
• Tag-to-Tag communications
• Active communications
• Ad-hoc networking capabilities
RFID system applications (1/3)
Libraries
Supply chain management
RFID system applications (2/3)
Airline Baggage @ JFK Airport
RFID system applications (3/3)
Passports
Transport payments
Anti-counterfeiting
Whitepapers in 2006 (by Auto-ID Labs.)
Access control
Animal tracking, etc.
RFID security issues
Security and Privacy in RFID
Privacy invasion:
• Information leakage of user’s belongings without awareness of a user
• Static ID is subject to tracking such as behavior tracking
Lack of authentication:
• Malicious reading (skimming): Captured information aids duplicating genuine tags.
• Denial-of-Service (DoS) due to deployment of cloned tags
Risks
• Eavesdropping between T & R
• DB Desynchronization B & R
• Impersonation, spoofing
• Replay attack / Active Query
• Data loss (DoS, Message hijacking)
• Forgery (Decoy Tag, etc.)
• Physical (Hardware) attack
Security Requirements in RFID Systems
• Confidentiality
• Indistinguishability
• Anti-cloning
• Availability
• Forward security
Weak Implementations (1/2)
In January 2005, researchers at Johns Hopkins University and the RSA Lab announced a successful attack on the Texas Instruments DST RFID, guessing its 40-bit key by brute force.
The DST RFID was used in Ford immobilizers and ExxonMobil SpeedPass.
Weak Implementations (2/2) - Video
Cracking TI (Texas Instruments) DST (Digital Signature Transponder) chip
[Video panels: TI DST; Cracking the key in a DST tag; Buying gas using the DST simulator; Sniffing a DST tag in a victim's pocket]
Security Challenge
The tight cost requirements of low-cost RFID systems make low-cost tags extremely resource-scarce environments, far below the requirements of any public-key or symmetric-key cryptographic system.
• EPC tags: $0.05, 250 – 1000 gates
• AES: 20,000 – 30,000 gates
Introduction to USN
Sensor & Sensor Network
What is a Sensor?
• A device that produces a measurable response to a change in a physical or chemical condition, e.g. temperature, ground composition, etc.
Sensor Networks
• A large number of low-cost, low-power, multifunctional, and small sensor nodes
• They benefit from advances in 3 technologies
  • digital circuitry
  • wireless communication
  • silicon micro-machining
Wireless Sensor Networks (WSN)
New technologies have reduced the cost, size, and power of micro-sensors and wireless interfaces.
[Figure: Sensing, Computation, Networking; application labels: Circulatory Net, Environmental Monitoring, Structural]
WSN - Properties
• Composed of a large number of sensor nodes
• Densely deployed inside (near) the phenomenon
• Low energy consumption
  • Relocation or recharge is impossible
• Self-organizing network (infrastructureless)
  • Random deployment: manual configuration is unfeasible
Applications: U-farm
Applications: Weather sensing
Fire Detection
[Figure: WSN deployment on HALLA Mountain, Jeju Island. Labels: sensor nodes (447 MHz / 910 MHz), sensor sub-networks, SN sub-base stations, main base station, camera, climber’s path, peak, mountain hostel, National Park Guard Office, Jeju University, PCS base station (1st year: 1.6 GHz CDMA), KTF wired network, KTF Internet gateway, 2nd year: KOREN optical cable, IPv6 (fiber), IPv6 tunneling server, KOREN router, IPv6 switch, ICU Control Center / ICU Computer Centre (main server, web server, display server 1: video streaming, display server 2: sensor information), KOREN sites: Seoul, Suwon, Daejeon, Daegu, Pusan, Gwangju, Jeju.]
Applications: Fire Detection
Cultural Property Asset Management using USN
Bush Fire Detection
Applications: Battle Field
Applications: Disaster Detection
[Figure: deployment map. Legend: repeater, wave-height sensor node (2 sites), sensor node (bridge), CCD camera. Labelled locations: 죽암천, 내수전천, 저동2리천, 저동천, 도동사천, 서달천, 태하천, 구암천, 남서천, 남양천, 평리천, 통구미천, 사동천, 옥천천, 현포천, 도동항.]
Statutory rivers (2 sites): 15 sensor nodes, 7 repeaters, 2 cameras
Small streams (7 sites): 4 sensor nodes, 2 repeaters, 2 cameras
Hazardous streams (6 sites): 11 sensor nodes, 6 repeaters
Communication Architecture
Sensor nodes can be data originators and data routers
Node Hardware
[Figure: sensor node hardware. Components: sensors, CPU, radio, battery. Annotations: acoustic, seismic, magnetic, etc. interface; electro-magnetic interface; limited battery supply; event detection; wireless communication with neighboring nodes; in-node processing.]
Examples of Sensor Nodes
USN security issues
Why should we consider the Security? (1/2)
Providing confidentiality, integrity, and availability of the communications and computations
Sensor networks are vulnerable to security attacks due to the broadcast nature of transmission
Sensor nodes can be physically captured or destroyed
Why should we consider the Security? (2/2)
The system is able to control house infrastructure, e.g., gas, water control, etc.
If the adversary attacks the house infrastructure system
• House infrastructure can cause serious harm to humans
• e.g., open gas valve, overheat the microwave
Security Threats of Each Application
* Yee Wei Law and Havinga, P.J.M., “How to Secure a Wireless Sensor Network”, 2005
Constraints of WSN
A New Security Solution Must Be Designed!
Security Requirements for WSN
Data Confidentiality (Eavesdropping)
• Don’t leak sensor readings
• Solution: Encryption
Data Authentication (inject / alter attack)
• Data was really from claimed sender
• Solution: MAC
Data Integrity (inject / alter attack)
• Received data is not altered in the mid-way
• Solution: data authentication
Attacks on WSN
Typical attacks on WSN are:
• Sybil attack
• Wormholes
• HELLO flood attacks
Notations (icons in the original figure): adversary, base station, sensor node
* D. Wagner, “Security for Sensor Networks: Cryptography and Beyond”, SASN 2003
HELLO flood attack
Inferring a node is a neighbor (i.e. within radio range) after receiving a broadcast packet from them may be ill-conceived. An adversary with a powerful transmitter could easily reach every node in the network.
* D. Wagner, “Security for Sensor Networks: Cryptography and Beyond”, SASN 2003
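The flawed inference described above, next to a hardened rule, as an added simulation that is not part of the original slides. The countermeasure shown (accept a neighbor only after it echoes a fresh nonce sent at the receiver's own power, so the link is verified in both directions) is a commonly cited defence rather than something the slides state; the topology, ranges and all names are constructed, and the adversary's receiver is assumed to be no more sensitive than an ordinary node's.

```python
import math
import secrets
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    x: float
    y: float
    tx_range: float                      # metres this node's transmitter reaches
    neighbors: set = field(default_factory=set)

def hears(receiver: Node, sender: Node) -> bool:
    """A frame arrives only if the receiver lies inside the sender's range."""
    dist = math.hypot(receiver.x - sender.x, receiver.y - sender.y)
    return dist <= sender.tx_range

def naive_discovery(nodes, sender):
    """Flawed rule: whoever I can hear a HELLO from is my neighbor."""
    for n in nodes:
        if n is not sender and hears(n, sender):
            n.neighbors.add(sender.name)

def verified_discovery(nodes, sender):
    """Hardened rule: the HELLO sender must echo a fresh nonce that the
    receiver transmits at its own power (bidirectional link check)."""
    for n in nodes:
        if n is sender or not hears(n, sender):
            continue
        nonce = secrets.token_bytes(8)               # challenge sent by n
        echo = nonce if hears(sender, n) else None   # sender can echo only what it heard
        if echo == nonce:
            n.neighbors.add(sender.name)

def run(discovery):
    # Constructed field: three sensors with 30 m radios in a line, and an
    # adversary 400 m away whose transmitter covers the whole network.
    sensors = [Node("s1", 0, 0, 30), Node("s2", 20, 0, 30), Node("s3", 40, 0, 30)]
    everyone = sensors + [Node("adv", 400, 0, 1000)]
    for sender in everyone:
        discovery(everyone, sender)
    return {s.name: sorted(s.neighbors) for s in sensors}

if __name__ == "__main__":
    print("naive   :", run(naive_discovery))
    print("verified:", run(verified_discovery))
```

In a real deployment the echo would also need to be authenticated, otherwise a closer accomplice could relay it.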
Sybil attack
An adversary may present multiple identities to other nodes. The Sybil attack can disrupt geographic and multipath routing protocols by “being in more than one place at once” and reducing diversity.
* D. Wagner, “Security for Sensor Networks: Cryptography and Beyond”, SASN 2003
Wormholes
Tunnel packets from one part of the network and replay them in a different part.
* D. Wagner, “Security for Sensor Networks: Cryptography and Beyond”, SASN 2003
Conclusion
• RFID/USNs are essential technology for the upcoming Ubiquitous world
• If the system is not designed with security in mind
  • This technology would harm human life
• Security should be considered from the design of the entire Ubiquitous system