A Versatile Framework for Implementation Attacks on Cryptographic RFIDs and Embedded Devices

  • Chapter
Transactions on Computational Science X

Part of the book series: Lecture Notes in Computer Science (TCOMPUTATSCIE, volume 6340)

Abstract

We present a unified framework for advanced implementation attacks that allows for conducting automated side-channel analysis and fault injection targeting all kinds of embedded cryptographic devices including RFIDs. Our proposed low-cost setup consists of modular functional units that can be interchanged, depending on the demands of a concrete attack scenario. We give details of customized modules for the communication with many types of embedded devices and other modules that allow injecting various types of faults. An FPGA-based approach enables very accurate timing and flexible adaptation to any extension module. The corresponding data acquisition system for side-channel attacks makes precise power and EM analyses possible. Our setup facilitates the promising combination of active and passive techniques, which is known to render many established security countermeasures ineffective. We introduce several methods for the automatic profiling of cryptographic devices and model their behaviour both with respect to side-channel analysis and fault injection. To demonstrate the capabilities of our framework, we perform the first practical full key-recovery on a cryptographic contactless smartcard employing Triple-DES reported in the literature and inject multiple faults in a widespread microcontroller. We thereby disprove the common belief that highly sophisticated and expensive equipment is required to conduct such attacks. Rather, we illustrate a cost-effective setup that can be tailored to any desired type of security evaluation or penetration test.


Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Kasper, T., Oswald, D., Paar, C. (2010). A Versatile Framework for Implementation Attacks on Cryptographic RFIDs and Embedded Devices. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds) Transactions on Computational Science X. Lecture Notes in Computer Science, vol 6340. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17499-5_5

  • DOI: https://doi.org/10.1007/978-3-642-17499-5_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17498-8

  • Online ISBN: 978-3-642-17499-5

  • eBook Packages: Computer Science, Computer Science (R0)
