Abstract
As most modern cryptographic Radio Frequency Identification (RFID) devices are based on ciphers that are secure from a purely theoretical point of view, e.g., (Triple-)DES or AES, adversaries have been adopting new methods to extract secret information and cryptographic keys from contactless smartcards: Side-Channel Analysis (SCA) targets the physical implementation of a cipher and allows secret keys to be recovered by exploiting a side-channel, for instance, the electromagnetic (EM) emanation of an Integrated Circuit (IC). In this paper we present an analog demodulator specifically designed for refining the SCA of contactless smartcards. The customized analog hardware increases the quality of EM measurements, facilitates the processing of the side-channel leakage and can serve as a plug-in component to enhance any existing SCA laboratory. Employing it to obtain power profiles of several real-world cryptographic RFIDs, we demonstrate the effectiveness of our measurement setup and evaluate the improvement of our new analog technique compared to previously proposed approaches. Using the example of the popular Mifare DESFire MF3ICD40 contactless smartcard, we show that commercial RFID devices are susceptible to the proposed SCA methods. The security analyses presented in this paper do not require expensive equipment and demonstrate that SCA poses a severe threat to many real-world systems. This novel attack vector has to be taken into account when employing contactless smartcards in security-sensitive applications, e.g., for wireless payment or identification.
The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kasper, T., Oswald, D., Paar, C. (2012). Side-Channel Analysis of Cryptographic RFIDs with Analog Demodulation. In: Juels, A., Paar, C. (eds) RFID. Security and Privacy. RFIDSec 2011. Lecture Notes in Computer Science, vol 7055. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25286-0_5
DOI: https://doi.org/10.1007/978-3-642-25286-0_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25285-3
Online ISBN: 978-3-642-25286-0
eBook Packages: Computer Science, Computer Science (R0)