Abstract
We introduce low-cost hardware for performing non-invasive side-channel attacks on Radio Frequency Identification Devices (RFID) and develop techniques for facilitating a correlation power analysis (CPA) in the presence of the field of an RFID reader. We practically verify the effectiveness of the developed methods by analysing the security of commercial contactless smartcards employing strong cryptography, pinpointing weaknesses in the protocol and revealing a vulnerability towards side-channel attacks. Employing the developed hardware, we present the first successful key-recovery attack on commercially available contactless smartcards based on the Data Encryption Standard (DES) or Triple-DES (3DES) cipher that are widely used for security-sensitive applications, e.g., payment purposes.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Advanced Security Mechanisms for Machine Readable Travel Documents - Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI)., http://www.bsi.de/english/publications/techguidelines/tr03110/TR-03110_v200.pdf
FIPS 46-3 Data Encryption Standard (DES), http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side-Channel(s). In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003)
Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Carluccio, D.: Electromagnetic Side Channel Analysis for Embedded Crypto Devices. Master’s thesis, Ruhr Universität Bochum (2005)
Carluccio, D., Lemke, K., Paar, C.: Electromagnetic Side Channel Analysis of a Contactless Smart Card: First Results. In: RFIDSec 2005 Workshop on RFID and Lightweight Crypto (July 2005), http://events.iaik.tugraz.at/RFIDandLightweightCrypto05/RFID-SlidesandProceedings/Carluccio-EMSideChannel.pdf
Courtois, N.T., Nohl, K., O’Neil, S.: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards. Cryptology ePrint Archive, Report 2008/166 (2008)
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Shalmani, M.T.M.: On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 203–220. Springer, Heidelberg (2008)
Finkenzeller, K.: RFID-Handbuch, 3rd edn. Hanser Fachbuchverlag (October 2002)
Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE Classic. In: Jajodia, S., López, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)
Haykin, S.: Communications Systems, 2nd edn., ch. 8. Wiley, Chichester (1983)
Hutter, M., Mangard, S., Feldhofer, M.: Power and EM Attacks on Passive 13.56 MHz RFID Devices. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 320–330. Springer, Heidelberg (2007)
International Organization for Standardization. ISO/IEC 14443-3: Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 3: Initialization and anticollision, 1st edn. (February 2001)
International Organization for Standardization. ISO/IEC 14443-4: Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 4: Transmission protocol, 1st edn. (February 2001)
Kasper, T., Carluccio, D., Paar, C.: An Embedded System for Practical Security Analysis of Contactless Smartcards. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 150–160. Springer, Heidelberg (2007)
Knuth, D.E.: The Art of Computer Programming, 3rd edn., ch. 2. Seminumerical Algorithms. Addison-Wesley, Boston (1998)
Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
Langer EMV-Technik. Details of Near Field Probe Set RF 2, http://www.langer-emv.de/en/produkte/prod_rf2.htm
Mangard, S., Oswald, E., Popp, T.: Power analysis attacks: Revealing the secrets of smart cards. Springer, Secaucus (2007)
Microchip. HCS410, KeeLoq Code Hopping Encoder and Transponder Data Sheet, http://ww1.microchip.com/downloads/en/DeviceDoc/40158e.pdf
NXP. Data Sheet of Mifare Classic 4k chip MF1ICS70 (2008)
Oren, Y., Shamir, A.: Remote Password Extraction from RFID Tags. IEEE Transactions on Computers 56(9), 1292–1296 (2007), http://iss.oy.ne.ro/RemotePowerAnalysisOfRFIDTags
Pico Technology. PicoScope 5200 USB PC Oscilloscopes (2008)
Plos, T., Hutter, M., Feldhofer, M.: Evaluation of Side-Channel Preprocessing Techniques on Cryptographic-Enabled HF and UHF RFID-Tag Prototypes. In: Dominikus, S. (ed.) Workshop on RFID Security 2008, pp. 114–127 (2008)
Plötz, H.: Mifare Classic - Eine Analyse der Implementierung. Master’s thesis, Humboldt-Universität zu Berlin (2008)
Shanmugam, K.S.: Digital & Analog Communication Systems, ch. 8.3.2. Wiley-India, Chichester (2006)
Tiu, C.C.: A New Frequency-Based Side Channel Attack for Embedded Systems. Master’s thesis, University of Waterloo (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kasper, T., Oswald, D., Paar, C. (2009). EM Side-Channel Attacks on Commercial Contactless Smartcards Using Low-Cost Equipment. In: Youm, H.Y., Yung, M. (eds) Information Security Applications. WISA 2009. Lecture Notes in Computer Science, vol 5932. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10838-9_7
Download citation
DOI: https://doi.org/10.1007/978-3-642-10838-9_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10837-2
Online ISBN: 978-3-642-10838-9
eBook Packages: Computer ScienceComputer Science (R0)