diff options
author | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2015-10-25 21:00:20 +0100 |
commit | fca59bea770346cf1c1f9b0e00cb48a61b44a8f3 (patch) | |
tree | a2011270df48d3501892ac1a56015c8be57e8a7d /2005/rfid-ccc_ds2005 |
import of old now defunct presentation slides svn repo
Diffstat (limited to '2005/rfid-ccc_ds2005')
-rw-r--r-- | 2005/rfid-ccc_ds2005/rfid-datenschleuder-gliederung.txt | 145 | ||||
-rw-r--r-- | 2005/rfid-ccc_ds2005/rfid-datenschleuder.txt | 314 |
2 files changed, 459 insertions, 0 deletions
diff --git a/2005/rfid-ccc_ds2005/rfid-datenschleuder-gliederung.txt b/2005/rfid-ccc_ds2005/rfid-datenschleuder-gliederung.txt new file mode 100644 index 0000000..05646e2 --- /dev/null +++ b/2005/rfid-ccc_ds2005/rfid-datenschleuder-gliederung.txt @@ -0,0 +1,145 @@ + +- different types of RFID + - serial-number-only + - read/writeable memory + - read/writeable memory with authentication + - processor chip cards (like contact-based) + +- physical/electrical characteristics + - old 125kHz systems + - current 13.56MHz systems + - ISO 14443-A + - ISO 14443-B + - ISO 15693 + - both 125kHz and 13.56MHz are magnetic H-field systems + - reader provides strong magnetic field to provide power to PICC + - data from reader to PICC is modulated onto carrier. + - PICC uses load modulation to send back replies to reader + +- ISO 14443 + - 14443-1 + - defines physical layer (e.g. field strength, ...) + - 14443-2 + - 14443-3 A + - 100% ASK from reader to PICC + - binary search tree anticollision + - 14443-3 B + - 10% ASK from reader to PICC + - slotted aloha anticollision + - 14443-4 + - also called T=CL + - datagram-based transport protocol + - handles retransmission, ack/nack + - optional signal strength signalling + - data rates between 106 and 848 kbps + +- Mifare + - proprietary system by philips + - requires philips circuits in tag and reader + - authentication using two 40bit? keys + - proprietary encryption algoritm + - brute-force of 40bit not possible due to slow devices + +- ISO 15693 + - only used by tags, not by smart cards + +- STm + +- Legic + +- Available readers + - generally based on either Philips or STM reader ASIC + - reader ASIC integrates analogue RF and digital part + - typically offer SPI and/or parallel bus interface + - host interface either serial or USB (planned: ethernet, see also + IETF working group on this subject) + - serial readers speak either proprietary protocol or sometimes + emulate serial contact-based readers for 14443-4 (T=CL) + - stupid readers + - only connect reader ASIC to host pc + - protocol stack implemented on host pc + - intelligent readers + - handle protocol stack in firmware of microcontroller in the + reader + - sometimes even parts of the application are embedded in the + reader firmware + - problem: often only support very specific + protocols/applications + +- librfid + - implements 14443-1234 and 15693 stack + - has hooks for mifare and other proprietary RFID protocols + - implements fairly generic driver for Philips CL RC632 ASIC + - currently only supports Omnikey CardMan 5121 + - currently only offers non-standard API for higher-level apps + - scheduled to provide OpenCT backend (OpenCT supports CT-API and PC/SC) + +- Problems + - T=CL looks almost like a layer 4 network protocol, 14443 supports + operation of multiple PICC's simultaneously (by using CID + addressing). Therefore it looks like a master/slave network + protocol. + - Current API's for contact based cards (like PC/SC) cannot deal well + with multiple PICC's coming and going. + +- Passive Sniffing of 14443 + - dream: ethereal-like program for RFID + - h-field decreases tremendously with distance + - h-field antennas required + - reader -> picc signal strong and easily detected, beyon 10m + - picc -> reader signal very weak (60-70dB below reader->picc). so far + barely recognizable beyond 3m, even with 1m-loop-antenna + - various hardware approaches + - using software defined radio (gnuradio) + - quite expensive, unless you happen to already have one + - flexible, since everything can be done in software + - gnuradio-implementation of 14443 on my TODO list + - using dedicated demodulation hardware + - way cheaper than SDR + - 13.56MHz low enough for DIY-hardware + - under development by Milosch + - using existing reader ASIC, put it in read-only mode + - might be feasible, but operation is unlikely due to + lack of phase and clock synchronization with external + source + +- ICAO compliant MRTDs + - ICAO already regulates MRZ on current travel documents in Doc 9303 + - Working group created standards for new MRTD with biometric data + - Specifications publicly available + - 14443 A or B PICC + - ISO 7816-4 (inter-industry commands) + - LDS (Logical Data Structure) + - DG1 + - data as printed on passport + - DG2 + - facial JPEG, min 80pixels between eyes + - EF.SOD + - signature of DG1, DG2 + - DG_FIXME + - optional fingerprint data + - Security + - passive auth + - basic access control + - prevents unauthorized reading by refusing + access until key derived from MRZ is + presented to PICC + - probably weak, since key is derived only from + DOB, document expiry date and document number + - provides session key generation for SM + encrypted transport layer + - active auth + - TR-PKI + - each country operates its own root CA + - intermediate document signer certificates + - country root certificates available via public LDAP + - certificates of all recognized countries need to be + stored in every inspection system + - certificate chain of EF.SOD signature can be verified + - specifies CRL polling intervals, etc. + +- libicao + - aims to implement all required functions for access to ICAO MRTD + - basic access control present, but no secure messaging yet + - can use OpenCT or PC/SC as underlying API + diff --git a/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt b/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt new file mode 100644 index 0000000..0ef98dc --- /dev/null +++ b/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt @@ -0,0 +1,314 @@ +Introduction into RFID +(C) 2005 by Harald Welte <laforge@gnumonks.org> + +During the last couple of years, various different sectors of industry and +event government organizations started to talk about RFID technology. + +The RFID industry makes huge promises, according to which RFID will penetrate +our everyday life in the very close future. RFID is used in the ICAO-compliant +electronic passports, for electronic ticketing in the public transport sector +and for tickets to events such as the soccer world championships in 2006. +Studies are performed on the feasability of putting RFID circuitry into every +Euro bill. + +Contrary to those industry promises, there is a growing opposition among civil +liberties groups and the data protection community. The fear of abuse of this +technology to invade privacy even further is big. + +The public debate on RFID is mostly on a very high and therefore abstract +level. Even within the technical community, there's a severe lack of knowledge when it comes to really understanding RFID. + +This article tries to give a technical introduction into RFID, +summarizing what the author has learned throughout the last year during his +research and development. + + +A lot of the ambuguity related to RFID comes from the unclear term "RFID" and +it's various abuses. Strictly speaking, "RFID" means "Radio Frequency +IDentification" and therefore refers to any technology facilitating +identification of items using radio frequency. + +However, the term is generally used for meny different technologies and +concepts. + +Another common misconception is that most RFID systems in use today are based +on standards. To the opposite: In fact they're mostly proprietary systems +produced by specific vendors, who obviously all proclaim to have invented an +'industry standard". Even those few RFID protocols that have been standardized +by international standardization bodies such as ISO/IEC reflect the usual +"either it's done way A, if not it's done way B" paradigm that seems to +dominate the whole smart card industry. But that's enough of a rant for now. + + +Overview of an RFID system + +A RFID system is usually composed of a reader device (which is always called +reader, even if it can write) and some (RF)ID tag. + +Tag: + +1) serial number only +The most simplistic RFID systems come with read-only "serial number" tags. +This basically means that the tag has a vendor-defined serial number (much like +a barcode on product packaging), that can only be read. Such systems generally +don't employ any form of authentication. + +2) WORM tags +WORM(write once read many) tags can be written once (usually at the customer +site) and read many times. + +3)read/write tags. +Instead of only being vendor programmable, they are actually (at least +partially) user programmable. Since no authentication is performed, anyone +with the respective equipment can write to such a tag. + +3) read/write with security +This variant of tags employ read/writable memory plus some state machines that +allow for (mutual) authentication of reader and tag. + +4) cryptographic smartcards with RF interface +The lateset generation of "tags" are not really "tags" anymore, but rather +cryptographic smart cards with an RF interface. This means that you have a +whole computer (sometimes called RFIC), including CPU, RAM, ROM, EEPROM, +hardware random number generator, hardware crypto, etc. Since such devices +originate from the smart card world, they sometimes even come as "dual +interface smart cards", i.e. employ both contact based and contactless (RFID) +interface. + + +Reader: + +Readers are usually connected to some computer or network, using standard +interfaces such as RS232 ports, serial interfaces, USB, or Ethernet. +Unfortuantely, there is no standard either on hardware nor on software level. +This means that most RFID applications will be written against specific +vendor-rprovided driver or library API's. There's one notable exception: +Reader systems employing cryptographic smartcards with RF interface often +emulate API's from the contact-based smart card world such as PC/SC or CT-API. + + + +RF Interface: + +Between reader and tag there is some form of an RF interface. The RF interface +differs from system to system in many parameters, such as frequency, +modulation and operational principle. + +magnetic coupling: +Most of todays RFID systems use a magnetic coupling principle. In such a +system, the reader provides a strong magnetic field (H-field). This field is +picked up by the antenna of a tag, and used to power the tag. Common +frequencies for such magnetically coupled RFID systems are 125kHz and 13.56MHz. +Magnetic systems often employ amplitude shift keying for the reader to tag +communications channel, and load modulation from tag to the reader. + +The strong magnetic field only exists in the proximity of the readers' antenna. +Thus, magnetically coupled RFID systems are sometimes referred to as "proximity +RFID", often with operational ranges less than 10cm. + +backscatter: +A lot of RFID systems under current developemnt operate in the UHF frequency +range (868 to 956 MHz, depending on the regulatory domain). They use the +electric field of the reader, and employ backscatter modulation from tag to +reader. The electrical field extends over longer distance than the magnetic +field. Therefore, the operational range of backscatter systems are within tens +of metres. + +SAW: +SWA tags use low-power microwave radio signals. The tag converts them to +ultrasonic accoustic signals using a piezoelectric crystalline material. +Variations of the reflected signal can be used to provide a unique identity +such as a serial number. + +The remaining article will focus on magnetic coupling RFID systems only, since +backscatter systems are not widely deployed yet, and therefore of little +practical relevance. + + +Protocols and standards: + +For the commonly-used 13.56MHz based systems, there are two major protocols in +use, ISO14443 and ISO15693. ISO15693 seems only be used for "dumb" tag +applications, whereas ISO14443 is used frequently with RF interfaced processor +smart cards. + +Besides the "physical layer" issues such as modulation, coding, bit timing, +and frequency, there are some other important tasks of an RFID protocol. + +One of the funamental effects of RFID is the possibility of multiple tags +within the operating range of a reader, just like in any other shared medium +communication channel. + +In order to cope with multiple tags, an anticollision procedure has to be +specifieid. Some sophisticated protocols (as 14443-4 )even allow a reader to +assign logical addresses to individual tags in order to communitace with +multiple tags. + + +ISO11784/11785 + +The ISO11784/11785 series of standards are used for identification of animals. +This family of standards operates at 134,2 kHz and uses the magnetic coupling +operational principle. It uses load modulation with no subcarrier and employs +a bi-phase-code for transmission of 64bit transponder data at 4194 bits/sec. + +ISO14223 + +ISO14223 is an extension of 11784/11785 and allows for more data stored on the +tag/transponder. + +ISO10536 + +ISO10536 describes "close coupling" smart cards, with an operational range of +up to 1cm. It employs inductive or capacitive coupling at 4.9152 MHz. Due to +this low operational range, they never appeared in widespread use on the market. + +ISO14443 + +ISO14443 describes "proximity coupling identification cards". As opposed to +ISO10536, this stanrdard has an operational range of up to 10cm. + +ISO14443 comes in two variants: ISO14443-A and ISO14443-B. They both operate +on the same frequency, but with different parameters. + + 14443A 14443B +mod rdr->tag 100%ASK 10%ASK +mod tag->rdr load modulation at load modulation at 847kHz, BPSK + 847kHz, ASK +code rdr->tag modified miller NRZ +code tag->rdr manchester NRZ +anticol binary search slotted aloha + +ISO14443-4 specifies an (optional) transport level protocol on top of the lower +three layers of the ISO14443 protocol. This transport protocol is sometimes +referred to as "T=CL" (transport=contactless). This designation bears its +origin in the smart card world, where other protocols such as "T=0" and "T=1" +are in widespread use for decades. + + +ISO15693: + +ISO15693 describes "vicinity coupling" RFID, with an operational range of up +to 1m. Like ISO14443, it operates on 13.56 MHz and employs magnetic near-field +inductive coupling. + +This standard again supports various modes, such as 10% or 100% ASK, 1.65kb/s +or 26.48kb/s data rate, ASK or FSK based load modulation. + +ISO18000 series + +This ISO series is under current development. It intends to specify unique +world wide standards for item management. Specifications include operation +on 13.56MHz, 2.45GHz, 5.8GHz and the 868 to 956 MHz UHF band. + +The remaining paper will mostly look at ISO14443, since it is in widespread use +today and also used by the electronic Passport system specified by ICAO. + + +A closer look on Readers: +There's a variety of readers for the 13.56MHz world, ranging from embedded +readr modules to PC-connected readers for USB and serial connections, +Ethernet-connected readers as well as readers for handheld devices with +CompactFlash interface. + +As opposed to the contact-based smartcard world where most readers now support +the USB CCID standard (to my surprise even non-usb devices!), there is no +standardization. Neither does any of the readers - to the best of the authors' +knowledge - have any publicly and/or freely available documentation. A similar +lack is observed for Linux drivers. If they are available, then often for an +extra charge, and in proprietary x86-only format. + +On the electrical level, a lot of readers are surprisingly equal. Almost all +of them seem to use readily available "reader ASICs" of vendors such as TI or +Philips. Those ASIC's usually integrate both the analogue RF part (including +modulation/demodulation) and the digitial part. They are interfaced by serial +(SPI) or parallel address/data bus. As you could have guessed by now, there's +again no publicly/freely available documentation on any of the chipsets. + +After doing some research and re-engineering on commonly-available existing +readers, there seems to be a two different basic architectures: + +1) active +Active readers do all the 14443/15693 processing within a microcontroller of +the reader. Advantages of an active design are low latency, high speed and +applicability in embedded or remotely connected environments where no host +computer could do protocol processing. + +2) passive +Passive readers simply include the most basic logic to interface the reader +ASIC with the external interface. Therefore all protocol processing has to be +done on the host system. + +For obvious reasons, the passive architecture allows for cheaper development +and total product cost. The author anticipates that all PC-based readers will +eventually become passive. A commonly-available passive reader (Omnikey +CardMan 5121) was chosen for the development of librfid. + + +Omnikey CardMan 5121 + +On the first glance, the cm5121 is a USB CCID contact based smartcard reader. +It can be used with vendor-supplied proprietary drievers, or with various +freely available CCID reader drivers, such as the OpenCT project. + +However, the RFID part is simply a Philips CL RC632 reader asic that can be +accessed transparently by issuing read/write_byte and read/write_fifo commands +via CCID PC_to_RDR_Escape usb messages. + +The author further obtained a (publicly available, but encrypted) detailed data +sheet of the Philips CL RC632 reader asic, which magically decrypted itself by +using a couple of days worth of CPU power. + +The CL RC632 is a multi-protocol reader asic, supporting 14443-A, 14443-B, +15693 as well as the proprietary 14443A-based Mifare system. + +Using the data sheet, a free and GPL licensed RFID stack could be implemented +from scratch. + + +Security Issues + +Sniffing +Like any RF interface, the magnetic RFID interface can be passively sniffed. +Due to the use of the H-field in 125kHz and 13.56MHz systems, the possible +surveillance range is very slow. Also, given the enormous power constraints +within the tag, the power put into the tag->reader channel is very low. +Furthermore, the main carrier and the subcarrier are very close in the radio +spectrum - while their signal strength differs some 60 to 80 dB. + +Measurements conducted by the author do not suggest that passive surveilance of +ISO 14443 compliant systems is not possible outside a range of 4-5 metres - at +least not with DIY equipment. + + +DoS +ISO14443-A and -B anticollision systems are subject to denial of service +attacks. + +For 14443-A, such an attack could simply cause one collision for every bit in +the address, thus preventing the reader to complete its binary search algoritm +and fully select one of the available tags. + +Authenticity/Confidentiality +ISO14443-A doesn't provide any form of security. Any kind of authentication +and/or encryption has to be employed at a higher level, such as ISO7816 secure +messaging. Compare the system with a TCP/IP stack (level 1..4) with SSL/TLS on +top. + +Proprietary Security +The security of vendor-speciifc proprietary systems such as Mifare are based on +security by obscurity. The encryption alogorithm is not publicly documented, +and only implemented in vendor-supplied hardware, usually the reader ASIC and +inside the tag itself. Keys are stored on the tag and in the reader ASIC. + +Security by obscurity within the software industry generally doesn't work. +However, in the hardware world vendors still seems to assume it as a valid +paradigm. + +The key lengths used seem extermely small (40bit). Should the algorithm ever +be uncovered, it is expected to compromise the security of the whole system. +The arithmetic complexity of the algorithm can only be low, given it's +implementation in lowest-cost state-machine-only tags. Therefore it is +expected that + + |