1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
- different types of RFID
- serial-number-only
- read/writeable memory
- read/writeable memory with authentication
- processor chip cards (like contact-based)
- physical/electrical characteristics
- old 125kHz systems
- current 13.56MHz systems
- ISO 14443-A
- ISO 14443-B
- ISO 15693
- both 125kHz and 13.56MHz are magnetic H-field systems
- reader provides strong magnetic field to provide power to PICC
- data from reader to PICC is modulated onto carrier.
- PICC uses load modulation to send back replies to reader
- ISO 14443
- 14443-1
- defines physical layer (e.g. field strength, ...)
- 14443-2
- 14443-3 A
- 100% ASK from reader to PICC
- binary search tree anticollision
- 14443-3 B
- 10% ASK from reader to PICC
- slotted aloha anticollision
- 14443-4
- also called T=CL
- datagram-based transport protocol
- handles retransmission, ack/nack
- optional signal strength signalling
- data rates between 106 and 848 kbps
- Mifare
- proprietary system by philips
- requires philips circuits in tag and reader
- authentication using two 40bit? keys
- proprietary encryption algoritm
- brute-force of 40bit not possible due to slow devices
- ISO 15693
- only used by tags, not by smart cards
- STm
- Legic
- Available readers
- generally based on either Philips or STM reader ASIC
- reader ASIC integrates analogue RF and digital part
- typically offer SPI and/or parallel bus interface
- host interface either serial or USB (planned: ethernet, see also
IETF working group on this subject)
- serial readers speak either proprietary protocol or sometimes
emulate serial contact-based readers for 14443-4 (T=CL)
- stupid readers
- only connect reader ASIC to host pc
- protocol stack implemented on host pc
- intelligent readers
- handle protocol stack in firmware of microcontroller in the
reader
- sometimes even parts of the application are embedded in the
reader firmware
- problem: often only support very specific
protocols/applications
- librfid
- implements 14443-1234 and 15693 stack
- has hooks for mifare and other proprietary RFID protocols
- implements fairly generic driver for Philips CL RC632 ASIC
- currently only supports Omnikey CardMan 5121
- currently only offers non-standard API for higher-level apps
- scheduled to provide OpenCT backend (OpenCT supports CT-API and PC/SC)
- Problems
- T=CL looks almost like a layer 4 network protocol, 14443 supports
operation of multiple PICC's simultaneously (by using CID
addressing). Therefore it looks like a master/slave network
protocol.
- Current API's for contact based cards (like PC/SC) cannot deal well
with multiple PICC's coming and going.
- Passive Sniffing of 14443
- dream: ethereal-like program for RFID
- h-field decreases tremendously with distance
- h-field antennas required
- reader -> picc signal strong and easily detected, beyon 10m
- picc -> reader signal very weak (60-70dB below reader->picc). so far
barely recognizable beyond 3m, even with 1m-loop-antenna
- various hardware approaches
- using software defined radio (gnuradio)
- quite expensive, unless you happen to already have one
- flexible, since everything can be done in software
- gnuradio-implementation of 14443 on my TODO list
- using dedicated demodulation hardware
- way cheaper than SDR
- 13.56MHz low enough for DIY-hardware
- under development by Milosch
- using existing reader ASIC, put it in read-only mode
- might be feasible, but operation is unlikely due to
lack of phase and clock synchronization with external
source
- ICAO compliant MRTDs
- ICAO already regulates MRZ on current travel documents in Doc 9303
- Working group created standards for new MRTD with biometric data
- Specifications publicly available
- 14443 A or B PICC
- ISO 7816-4 (inter-industry commands)
- LDS (Logical Data Structure)
- DG1
- data as printed on passport
- DG2
- facial JPEG, min 80pixels between eyes
- EF.SOD
- signature of DG1, DG2
- DG_FIXME
- optional fingerprint data
- Security
- passive auth
- basic access control
- prevents unauthorized reading by refusing
access until key derived from MRZ is
presented to PICC
- probably weak, since key is derived only from
DOB, document expiry date and document number
- provides session key generation for SM
encrypted transport layer
- active auth
- TR-PKI
- each country operates its own root CA
- intermediate document signer certificates
- country root certificates available via public LDAP
- certificates of all recognized countries need to be
stored in every inspection system
- certificate chain of EF.SOD signature can be verified
- specifies CRL polling intervals, etc.
- libicao
- aims to implement all required functions for access to ICAO MRTD
- basic access control present, but no secure messaging yet
- can use OpenCT or PC/SC as underlying API
|