Diffstat (limited to '2005/rfid-ccc_ds2005/rfid-datenschleuder.txt')
-rw-r--r-- | 2005/rfid-ccc_ds2005/rfid-datenschleuder.txt | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt b/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt new file mode 100644 index 0000000..0ef98dc --- /dev/null +++ b/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt 
@@ -0,0 +1,314 @@ +Introduction into RFID +(C) 2005 by Harald Welte <laforge@gnumonks.org> + +During the last couple of years, various different sectors of industry and +event government organizations started to talk about RFID technology. + +The RFID industry makes huge promises, according to which RFID will penetrate +our everyday life in the very close future. RFID is used in the ICAO-compliant +electronic passports, for electronic ticketing in the public transport sector +and for tickets to events such as the soccer world championships in 2006. +Studies are performed on the feasability of putting RFID circuitry into every +Euro bill. + +Contrary to those industry promises, there is a growing opposition among civil +liberties groups and the data protection community. The fear of abuse of this +technology to invade privacy even further is big. + +The public debate on RFID is mostly on a very high and therefore abstract +level. Even within the technical community, there's a severe lack of knowledge when it comes to really understanding RFID. + +This article tries to give a technical introduction into RFID, +summarizing what the author has learned throughout the last year during his +research and development. + + +A lot of the ambuguity related to RFID comes from the unclear term "RFID" and +it's various abuses. Strictly speaking, "RFID" means "Radio Frequency +IDentification" and therefore refers to any technology facilitating +identification of items using radio frequency. + +However, the term is generally used for meny different technologies and +concepts. + +Another common misconception is that most RFID systems in use today are based +on standards. To the opposite: In fact they're mostly proprietary systems +produced by specific vendors, who obviously all proclaim to have invented an +'industry standard". 
Even those few RFID protocols that have been standardized +by international standardization bodies such as ISO/IEC reflect the usual +"either it's done way A, if not it's done way B" paradigm that seems to +dominate the whole smart card industry. But that's enough of a rant for now. + + +Overview of an RFID system + +A RFID system is usually composed of a reader device (which is always called +reader, even if it can write) and some (RF)ID tag. + +Tag: + +1) serial number only +The most simplistic RFID systems come with read-only "serial number" tags. +This basically means that the tag has a vendor-defined serial number (much like +a barcode on product packaging), that can only be read. Such systems generally +don't employ any form of authentication. + +2) WORM tags +WORM(write once read many) tags can be written once (usually at the customer +site) and read many times. + +3)read/write tags. +Instead of only being vendor programmable, they are actually (at least +partially) user programmable. Since no authentication is performed, anyone +with the respective equipment can write to such a tag. + +3) read/write with security +This variant of tags employ read/writable memory plus some state machines that +allow for (mutual) authentication of reader and tag. + +4) cryptographic smartcards with RF interface +The lateset generation of "tags" are not really "tags" anymore, but rather +cryptographic smart cards with an RF interface. This means that you have a +whole computer (sometimes called RFIC), including CPU, RAM, ROM, EEPROM, +hardware random number generator, hardware crypto, etc. Since such devices +originate from the smart card world, they sometimes even come as "dual +interface smart cards", i.e. employ both contact based and contactless (RFID) +interface. + + +Reader: + +Readers are usually connected to some computer or network, using standard +interfaces such as RS232 ports, serial interfaces, USB, or Ethernet. 
+Unfortuantely, there is no standard either on hardware nor on software level. +This means that most RFID applications will be written against specific +vendor-rprovided driver or library API's. There's one notable exception: +Reader systems employing cryptographic smartcards with RF interface often +emulate API's from the contact-based smart card world such as PC/SC or CT-API. + + + +RF Interface: + +Between reader and tag there is some form of an RF interface. The RF interface +differs from system to system in many parameters, such as frequency, +modulation and operational principle. + +magnetic coupling: +Most of todays RFID systems use a magnetic coupling principle. In such a +system, the reader provides a strong magnetic field (H-field). This field is +picked up by the antenna of a tag, and used to power the tag. Common +frequencies for such magnetically coupled RFID systems are 125kHz and 13.56MHz. +Magnetic systems often employ amplitude shift keying for the reader to tag +communications channel, and load modulation from tag to the reader. + +The strong magnetic field only exists in the proximity of the readers' antenna. +Thus, magnetically coupled RFID systems are sometimes referred to as "proximity +RFID", often with operational ranges less than 10cm. + +backscatter: +A lot of RFID systems under current developemnt operate in the UHF frequency +range (868 to 956 MHz, depending on the regulatory domain). They use the +electric field of the reader, and employ backscatter modulation from tag to +reader. The electrical field extends over longer distance than the magnetic +field. Therefore, the operational range of backscatter systems are within tens +of metres. + +SAW: +SWA tags use low-power microwave radio signals. The tag converts them to +ultrasonic accoustic signals using a piezoelectric crystalline material. +Variations of the reflected signal can be used to provide a unique identity +such as a serial number. 
+ +The remaining article will focus on magnetic coupling RFID systems only, since +backscatter systems are not widely deployed yet, and therefore of little +practical relevance. + + +Protocols and standards: + +For the commonly-used 13.56MHz based systems, there are two major protocols in +use, ISO14443 and ISO15693. ISO15693 seems only be used for "dumb" tag +applications, whereas ISO14443 is used frequently with RF interfaced processor +smart cards. + +Besides the "physical layer" issues such as modulation, coding, bit timing, +and frequency, there are some other important tasks of an RFID protocol. + +One of the funamental effects of RFID is the possibility of multiple tags +within the operating range of a reader, just like in any other shared medium +communication channel. + +In order to cope with multiple tags, an anticollision procedure has to be +specifieid. Some sophisticated protocols (as 14443-4 )even allow a reader to +assign logical addresses to individual tags in order to communitace with +multiple tags. + + +ISO11784/11785 + +The ISO11784/11785 series of standards are used for identification of animals. +This family of standards operates at 134,2 kHz and uses the magnetic coupling +operational principle. It uses load modulation with no subcarrier and employs +a bi-phase-code for transmission of 64bit transponder data at 4194 bits/sec. + +ISO14223 + +ISO14223 is an extension of 11784/11785 and allows for more data stored on the +tag/transponder. + +ISO10536 + +ISO10536 describes "close coupling" smart cards, with an operational range of +up to 1cm. It employs inductive or capacitive coupling at 4.9152 MHz. Due to +this low operational range, they never appeared in widespread use on the market. + +ISO14443 + +ISO14443 describes "proximity coupling identification cards". As opposed to +ISO10536, this stanrdard has an operational range of up to 10cm. + +ISO14443 comes in two variants: ISO14443-A and ISO14443-B. 
They both operate +on the same frequency, but with different parameters. + + 14443A 14443B +mod rdr->tag 100%ASK 10%ASK +mod tag->rdr load modulation at load modulation at 847kHz, BPSK + 847kHz, ASK +code rdr->tag modified miller NRZ +code tag->rdr manchester NRZ +anticol binary search slotted aloha + +ISO14443-4 specifies an (optional) transport level protocol on top of the lower +three layers of the ISO14443 protocol. This transport protocol is sometimes +referred to as "T=CL" (transport=contactless). This designation bears its +origin in the smart card world, where other protocols such as "T=0" and "T=1" +are in widespread use for decades. + + +ISO15693: + +ISO15693 describes "vicinity coupling" RFID, with an operational range of up +to 1m. Like ISO14443, it operates on 13.56 MHz and employs magnetic near-field +inductive coupling. + +This standard again supports various modes, such as 10% or 100% ASK, 1.65kb/s +or 26.48kb/s data rate, ASK or FSK based load modulation. + +ISO18000 series + +This ISO series is under current development. It intends to specify unique +world wide standards for item management. Specifications include operation +on 13.56MHz, 2.45GHz, 5.8GHz and the 868 to 956 MHz UHF band. + +The remaining paper will mostly look at ISO14443, since it is in widespread use +today and also used by the electronic Passport system specified by ICAO. + + +A closer look on Readers: +There's a variety of readers for the 13.56MHz world, ranging from embedded +readr modules to PC-connected readers for USB and serial connections, +Ethernet-connected readers as well as readers for handheld devices with +CompactFlash interface. + +As opposed to the contact-based smartcard world where most readers now support +the USB CCID standard (to my surprise even non-usb devices!), there is no +standardization. Neither does any of the readers - to the best of the authors' +knowledge - have any publicly and/or freely available documentation. 
A similar +lack is observed for Linux drivers. If they are available, then often for an +extra charge, and in proprietary x86-only format. + +On the electrical level, a lot of readers are surprisingly equal. Almost all +of them seem to use readily available "reader ASICs" of vendors such as TI or +Philips. Those ASIC's usually integrate both the analogue RF part (including +modulation/demodulation) and the digitial part. They are interfaced by serial +(SPI) or parallel address/data bus. As you could have guessed by now, there's +again no publicly/freely available documentation on any of the chipsets. + +After doing some research and re-engineering on commonly-available existing +readers, there seems to be a two different basic architectures: + +1) active +Active readers do all the 14443/15693 processing within a microcontroller of +the reader. Advantages of an active design are low latency, high speed and +applicability in embedded or remotely connected environments where no host +computer could do protocol processing. + +2) passive +Passive readers simply include the most basic logic to interface the reader +ASIC with the external interface. Therefore all protocol processing has to be +done on the host system. + +For obvious reasons, the passive architecture allows for cheaper development +and total product cost. The author anticipates that all PC-based readers will +eventually become passive. A commonly-available passive reader (Omnikey +CardMan 5121) was chosen for the development of librfid. + + +Omnikey CardMan 5121 + +On the first glance, the cm5121 is a USB CCID contact based smartcard reader. +It can be used with vendor-supplied proprietary drievers, or with various +freely available CCID reader drivers, such as the OpenCT project. + +However, the RFID part is simply a Philips CL RC632 reader asic that can be +accessed transparently by issuing read/write_byte and read/write_fifo commands +via CCID PC_to_RDR_Escape usb messages. 
+ +The author further obtained a (publicly available, but encrypted) detailed data +sheet of the Philips CL RC632 reader asic, which magically decrypted itself by +using a couple of days worth of CPU power. + +The CL RC632 is a multi-protocol reader asic, supporting 14443-A, 14443-B, +15693 as well as the proprietary 14443A-based Mifare system. + +Using the data sheet, a free and GPL licensed RFID stack could be implemented +from scratch. + + +Security Issues + +Sniffing +Like any RF interface, the magnetic RFID interface can be passively sniffed. +Due to the use of the H-field in 125kHz and 13.56MHz systems, the possible +surveillance range is very slow. Also, given the enormous power constraints +within the tag, the power put into the tag->reader channel is very low. +Furthermore, the main carrier and the subcarrier are very close in the radio +spectrum - while their signal strength differs some 60 to 80 dB. + +Measurements conducted by the author do not suggest that passive surveilance of +ISO 14443 compliant systems is not possible outside a range of 4-5 metres - at +least not with DIY equipment. + + +DoS +ISO14443-A and -B anticollision systems are subject to denial of service +attacks. + +For 14443-A, such an attack could simply cause one collision for every bit in +the address, thus preventing the reader to complete its binary search algoritm +and fully select one of the available tags. + +Authenticity/Confidentiality +ISO14443-A doesn't provide any form of security. Any kind of authentication +and/or encryption has to be employed at a higher level, such as ISO7816 secure +messaging. Compare the system with a TCP/IP stack (level 1..4) with SSL/TLS on +top. + +Proprietary Security +The security of vendor-speciifc proprietary systems such as Mifare are based on +security by obscurity. The encryption alogorithm is not publicly documented, +and only implemented in vendor-supplied hardware, usually the reader ASIC and +inside the tag itself. 
Keys are stored on the tag and in the reader ASIC. + +Security by obscurity within the software industry generally doesn't work. +However, in the hardware world vendors still seems to assume it as a valid +paradigm. + +The key lengths used seem extermely small (40bit). Should the algorithm ever +be uncovered, it is expected to compromise the security of the whole system. +The arithmetic complexity of the algorithm can only be low, given it's +implementation in lowest-cost state-machine-only tags. Therefore it is +expected that + + |
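Review bot: the Sniffing paragraph's conclusion is a double negative that states the opposite of the point the paragraph builds up to: "Measurements conducted by the author do not suggest that passive surveilance of ISO 14443 compliant systems is not possible outside a range of 4-5 metres". The preceding sentences argue for a short eavesdropping range (H-field coupling, low tag->reader power, 60 to 80 dB between carrier and subcarrier), so this should read "do not suggest that passive surveillance ... is possible outside a range of 4-5 metres"; in the same paragraph "the possible surveillance range is very slow" presumably means "very small". The tag taxonomy in the overview is numbered 1, 2, 3, 3, 4: "3)read/write tags." and "3) read/write with security" both carry the same number, so the unauthenticated read/write and the authenticated variant should be 3) and 4), with the RF smart card becoming 5). The "SAW:" heading is followed by "SWA tags use low-power microwave radio signals", which should be "SAW tags". Spelling to fix before this goes out: "event government" (even), "feasability", "ambuguity", "meny", "lateset", "Unfortuantely", "vendor-rprovided", "developemnt", "accoustic", "funamental", "specifieid", "communitace", "stanrdard", "readr", "drievers", "speciifc", "alogorithm", "extermely", "surveilance", "algoritm"; the mismatched quotes in 'industry standard" and the redundant "RS232 ports, serial interfaces" are worth a pass too.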