On Comparing Side-Channel Preprocessing Techniques for Attacking RFID Devices

  • Thomas Plos
  • Michael Hutter
  • Martin Feldhofer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5932)


Security-enabled RFID tags become more and more important and integrated in our daily life. While the tags implement cryptographic algorithms that are secure in a mathematical sense, their implementation is susceptible to attacks. Physical side channels leak information about the processed secrets. This article focuses on practical analysis of electromagnetic (EM) side channels and evaluates different preprocessing techniques to increase the attacking performance. In particular, we have applied filtering and EM trace-integration techniques as well as Differential Frequency Analysis (DFA) to extract the secret key. We have investigated HF and UHF tag prototypes that implement a randomized AES implementation in software. Our experiments prove the applicability of different preprocessing techniques in a practical case study and demonstrate their efficiency on RFID devices. The results clarify that randomization as a countermeasure against side-channel attacks might be an insufficient protection for RFID tags and has to be combined with other proven countermeasure approaches.


RFID Differential Frequency Analysis Side-Channel Analysis Electromagnetic Attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side-Channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Atmel Corporation. 8-bit AVR Microcontroller with 128K Bytes In-System Programmable Flash (August 2007),
  3. 3.
    Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I.: Public-Key Cryptography for RFID-Tags. In: Workshop on RFID Security 2006 (RFIDSec 2006), Graz, Austria, July 12-14 (2006)Google Scholar
  4. 4.
    Clavier, C., Coron, J.-S., Dabbous, N.: Differential Power Analysis in the Presence of Hardware Countermeasures. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 252–263. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. 5.
    EPCglobal. EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz - 960 MHz Version 1.0.9 (January 2005),
  6. 6.
    Feldhofer, M., Dominikus, S., Wolkerstorfer, J.: Strong Authentication for RFID Systems using the AES Algorithm. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 357–370. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Gebotys, C.H., Ho, S., Tiu, C.C.: EM Analysis of Rijndael and ECC on a Wireless Java-Based PDA. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 250–264. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Hein, D., Wolkerstorfer, J., Felber, N.: ECC is Ready for RFID – A Proof in Silicon. In: Avanzi, R., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 401–413. Springer, Heidelberg (2008)Google Scholar
  9. 9.
    Hofferek, G., Wolkerstorfer, J.: Coupon Recalculation for the GPS Authentication Scheme. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 162–175. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Homma, N., Nagashima, S., Imai, Y., Aoki, T., Satoh, A.: High-Resolution Side-Channel Attack Using Phase-Based Waveform Matching. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 187–200. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Hutter, M., Mangard, S., Feldhofer, M.: Power and EM Attacks on Passive 13.56 MHz RFID Devices. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 320–333. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    International Organization for Standardization (ISO). ISO/IEC 14443: Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards (2000)Google Scholar
  13. 13.
    Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  14. 14.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks – Revealing the Secrets of Smart Cards. Springer, Heidelberg (2007)zbMATHGoogle Scholar
  15. 15.
    McLoone, M., Robshaw, M.J.B.: New Architectures for Low-Cost Public Key Cryptography on RFID Tags. In: Proceedings of IEEE International Symposium on Circuits and Systems (ISCAS 2007), New Orleans, USA, May 27-30, pp. 1827–1830. IEEE, Los Alamitos (2007)CrossRefGoogle Scholar
  16. 16.
    Oren, Y., Shamir, A.: Remote Password Extraction from RFID Tags. IEEE Transactions on Computers 56(9), 1292–1296 (2007)CrossRefMathSciNetGoogle Scholar
  17. 17.
    Plos, T.: Susceptibility of UHF RFID Tags to Electromagnetic Analysis. In: Malkin, T.G. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 288–300. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Quisquater, J.-J., Samyde, D.: ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards. In: Attali, S., Jensen, T.P. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Sarma, S.E., Weis, S.A., Engels, D.W.: RFID Systems and Security and Privacy Implications. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 454–469. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Weis, S.A., Sarma, S.E., Rivest, R.L., Engels, D.W.: Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: Hutter, D., Müller, G., Stephan, W., Ullmann, M. (eds.) Security in Pervasive Computing. LNCS, vol. 2802, pp. 201–212. Springer, Heidelberg (2004)Google Scholar
  21. 21.
    Witteman, M.: Advances in Smartcard Security. Information Security Bulletin (7), 11–22 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Thomas Plos
    • 1
  • Michael Hutter
    • 1
  • Martin Feldhofer
    • 1
  1. 1.Institute for Applied Information Processing and Communications (IAIK)Graz University of TechnologyGrazAustria

Personalised recommendations