Skip to main content
SpringerLink
Log in

Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation

  • Conference paper
Book cover RFID. Security and Privacy (RFIDSec 2011)

Part of the book series: Lecture Notes in Computer Science ((volume 7055))

Abstract

As most modern cryptographic Radio Frequency Identification (RFID) devices are based on ciphers that are secure from a purely theoretical point of view, e.g., (Triple-)DES or AES, adversaries have been adopting new methods to extract secret information and cryptographic keys from contactless smartcards: Side-Channel Analysis (SCA) targets the physical implementation of a cipher and allows to recover secret keys by exploiting a side-channel, for instance, the electro-magnetic (EM) emanation of an Integrated Circuit (IC). In this paper we present an analog demodulator specifically designed for refining the SCA of contactless smartcards. The customized analogue hardware increases the quality of EM measurements, facilitates the processing of the side-channel leakage and can serve as a plug-in component to enhance any existing SCA laboratory. Employing it to obtain power profiles of several real-world cryptographic RFIDs, we demonstrate the effectiveness of our measurement setup and evaluate the improvement of our new analog technique compared to previously proposed approaches. Using the example of the popular Mifare DESFire MF3ICD40 contactless smartcard, we show that commercial RFID devices are susceptible to the proposed SCA methods. The security analyses presented in this paper do not require expensive equipment and demonstrate that SCA poses a severe threat to many real-world systems. This novel attack vector has to be taken into account when employing contactless smartcards in security-sensitive applications, e.g., for wireless payment or identification.

The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. FIPS 46-3 Data Encryption Standard (DES), http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

  2. Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side-channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  3. Analog Devices, Inc. AD8045 Voltage Feedback High Speed Amplifier Datasheet (2004)

    Google Scholar 

  4. Analog Devices, Inc. AD8058 Dual, High Performance Voltage Feedback 325 MHz Amplifier Datasheet (2009)

    Google Scholar 

  5. Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  6. BSI - German Ministry of Security. Security mechanisms in electronic ID documents, http://www.bsi.de/fachthem/epass/

  7. BSI - German Ministry of Security. Mifare DESFire8 MF3ICD81 Public Evaluation Documentation. Electronic resource (October 2008)

    Google Scholar 

  8. BSI - German Ministry of Security. Technical Guideline TR-03110 Advanced Security Mechanisms for Machine Readable Travel Documents. Electronic resource (October 2010), https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/TR-03110_v205_pdf.pdf?_blob=publicationFile

  9. Carluccio, D.: Electromagnetic Side Channel Analysis for Embedded Crypto Devices. Master’s thesis, Ruhr-University Bochum (2005)

    Google Scholar 

  10. Courtois, N.: The Dark Side of Security by Obscurity and Cloning Mifare Classic Rail and Building Passes, Anywhere, Anytime. In: SECRYPT 2009, pp. 331–338. INSTICC Press (2009)

    Google Scholar 

  11. Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  12. Hutter, M., Mangard, S., Feldhofer, M.: Power and EM Attacks on Passive 13.56 MHz RFID Devices. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 320–333. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  13. International Organization for Standardization. ISO/IEC 14443-3: Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 3: Initialization and Anticollision (February 2001)

    Google Scholar 

  14. International Organization for Standardization. ISO/IEC 14443-4: Identification cards - Contactless Integrated Circuit(s) Cards - Proximity Cards - Part 4: Transmission Protocol (February 2001)

    Google Scholar 

  15. International Organization for Standardization. ISO/IEC 15693-3: Identification Cards - Contactless Integrated Circuit Cards - Vicinity Cards - Part 3: Anticollision and Transmission Protocol (April 2009)

    Google Scholar 

  16. Kasper, T., Carluccio, D., Paar, C.: An Embedded System for Practical Security Analysis of Contactless Smartcards. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 150–160. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  17. Kasper, T., Oswald, D., Paar, C.: EM Side-Channel Attacks on Commercial Contactless Smartcards Using Low-Cost Equipment. In: Youm, H.Y., Yung, M. (eds.) WISA 2009. LNCS, vol. 5932, pp. 79–93. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  18. Kasper, T., Oswald, D., Paar, C.: A Versatile Framework for Implementation Attacks on Cryptographic RFIDs and Embedded Devices. In: Gavrilova, M., Tan, C., Moreno, E. (eds.) Transactions on Computational Science X. LNCS, vol. 6340, pp. 100–130. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  19. Kasper, T., von Maurich, I., Oswald, D., Paar, C.: Chameleon: A Versatile Emulator for Contactless Smartcards. In: Rhee, K.-H., Nyang, D. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 189–206. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  20. Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

    Google Scholar 

  21. Langer EMV-Technik. Details of Near Field Probe Set RF 2. Website

    Google Scholar 

  22. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Secaucus (2007)

    MATH  Google Scholar 

  23. Nohl, K., Evans, D., Starbug, Plötz, H.: Reverse-Engineering a Cryptographic RFID Tag. In: USENIX Security Symposium, pp. 185–194. USENIX Association (2008)

    Google Scholar 

  24. NXP. Mifare DESFire Contactless Multi-Application IC with DES and 3DES Security MF3ICD40 (April 2004)

    Google Scholar 

  25. NXP. Mifare Ultralight C Product Short Datasheet (May 2009)

    Google Scholar 

  26. NXP. Mifare DESFire EV1 Contactless Multi-Application IC Datasheet (December 2010)

    Google Scholar 

  27. NXP. Mifare Smart Card ICs. Website (March 2011), http://www.nxp.com/products/identification_and_security/smart_card_ics/mifare_smart_card_ics/index.html

  28. Oren, Y., Shamir, A.: Remote Password Extraction from RFID Tags. IEEE Transactions on Computers 56(9), 1292–1296 (2007), http://iss.oy.ne.ro/RemotePowerAnalysisOfRFIDTags

    Article  MathSciNet  Google Scholar 

  29. Pico Technology. PicoScope 5200 USB PC Oscilloscopes (2008)

    Google Scholar 

  30. Plos, T.: Evaluation of the Detached Power Supply as Side-Channel Analysis Countermeasure for Passive UHF RFID Tags. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 444–458. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  31. Plos, T., Hutter, M., Feldhofer, M.: Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes. In: Dominikus, S. (ed.) Workshop on RFID Security 2008, pp. 114–127 (2008)

    Google Scholar 

  32. Schwartz, M., Bennett, W.R., Stein, S.: Communication Systems and Techniques. Wiley (1966)

    Google Scholar 

  33. Smith, P.S.W.: The Scientist and Engineer’s Guide to Digital Signal Processing, 1st edn. California Technical Publishing (1997)

    Google Scholar 

  34. van Woudenberg, J.G.J., Witteman, M.F., Bakker, B.: Improving Differential Power Analysis by Elastic Alignment. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 104–119. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  35. Vishay Semiconductors, Inc. BAT48 Schottky Diode Datasheet

    Google Scholar 

  36. Wikipedia. Contactless Smart Card — Wikipedia, The Free Encyclopedia (2011) (Online; accessed March 5, 2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany

    Timo Kasper, David Oswald & Christof Paar

Authors
  1. Timo Kasper
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. David Oswald
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Christof Paar
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. RSA Laboratories/ EMC, 11 Cambridge Center, 02142, Cambridge, MA, USA

    Ari Juels

  2. Horst Görtz Institute for IT Security, Ruhr-University, Bochum, Germany

    Christof Paar

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kasper, T., Oswald, D., Paar, C. (2012). Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation. In: Juels, A., Paar, C. (eds) RFID. Security and Privacy. RFIDSec 2011. Lecture Notes in Computer Science, vol 7055. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25286-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-25286-0_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25285-3

  • Online ISBN: 978-3-642-25286-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation