path: root/2005/rfid-ccc_ds2005/rfid-datenschleuder.txt
Introduction into RFID
(C) 2005 by Harald Welte <laforge@gnumonks.org>

During the last couple of years, various sectors of industry and even
government organizations have started to talk about RFID technology.

The RFID industry makes huge promises, according to which RFID will penetrate
our everyday life in the very near future.  RFID is used in the ICAO-compliant
electronic passports, for electronic ticketing in the public transport sector
and for tickets to events such as the soccer world championship in 2006.
Studies are performed on the feasibility of putting RFID circuitry into every
Euro bill.

Contrary to those industry promises, there is a growing opposition among civil
liberties groups and the data protection community.  There is great fear that
this technology will be abused to invade privacy even further.

The public debate on RFID is mostly conducted on a very high and therefore
abstract level.  Even within the technical community, there is a severe lack of
knowledge when it comes to really understanding RFID.

This article tries to give a technical introduction to RFID,
summarizing what the author has learned throughout the last year during his
research and development.


A lot of the ambiguity related to RFID comes from the unclear term "RFID" and
its various misuses.  Strictly speaking, "RFID" means "Radio Frequency
IDentification" and therefore refers to any technology facilitating
identification of items using radio frequency.

However, the term is generally used for many different technologies and
concepts.

Another common misconception is that most RFID systems in use today are based
on standards.  On the contrary: in fact they are mostly proprietary systems
produced by specific vendors, who obviously all proclaim to have invented an
"industry standard".  Even those few RFID protocols that have been standardized
by international standardization bodies such as ISO/IEC reflect the usual
"either it's done way A, if not it's done way B" paradigm that seems to
dominate the whole smart card industry.  But that's enough of a rant for now.


Overview of an RFID system

An RFID system is usually composed of a reader device (which is always called
a reader, even if it can write) and some (RF)ID tag.

Tag:

1) serial number only
The most simplistic RFID systems come with read-only "serial number" tags.
This basically means that the tag has a vendor-defined serial number (much like
a barcode on product packaging) that can only be read.  Such systems generally
don't employ any form of authentication.

2) WORM tags
WORM (write once read many) tags can be written once (usually at the customer
site) and read many times.

3) read/write tags
Instead of only being vendor programmable, they are actually (at least
partially) user programmable.  Since no authentication is performed, anyone
with the respective equipment can write to such a tag.

4) read/write with security
This variant of tags employs read/writable memory plus some state machines that
allow for (mutual) authentication of reader and tag.

5) cryptographic smartcards with RF interface
The latest generation of "tags" are not really "tags" anymore, but rather
cryptographic smart cards with an RF interface.  This means that you have a
whole computer (sometimes called RFIC), including CPU, RAM, ROM, EEPROM,
hardware random number generator, hardware crypto, etc.  Since such devices
originate from the smart card world, they sometimes even come as "dual
interface smart cards", i.e. employ both a contact-based and a contactless
(RFID) interface.


Reader:

Readers are usually connected to some computer or network, using standard
interfaces such as RS232 ports, other serial interfaces, USB, or Ethernet.
Unfortunately, there is no standard on either the hardware or the software level.
This means that most RFID applications will be written against specific
vendor-provided driver or library APIs.  There's one notable exception:
Reader systems employing cryptographic smartcards with RF interface often
emulate APIs from the contact-based smart card world such as PC/SC or CT-API.



RF Interface:

Between reader and tag there is some form of an RF interface.  The RF interface
differs from system to system in many parameters, such as frequency,
modulation and operational principle.

magnetic coupling:
Most of today's RFID systems use a magnetic coupling principle.  In such a
system, the reader provides a strong magnetic field (H-field).  This field is
picked up by the antenna of a tag and used to power the tag.  Common
frequencies for such magnetically coupled RFID systems are 125kHz and 13.56MHz.
Magnetic systems often employ amplitude shift keying for the reader-to-tag
communications channel, and load modulation from tag to reader.

The strong magnetic field only exists in the proximity of the reader's antenna.
Thus, magnetically coupled RFID systems are sometimes referred to as "proximity
RFID", often with operational ranges of less than 10cm.

backscatter:
A lot of RFID systems under current development operate in the UHF frequency
range (868 to 956 MHz, depending on the regulatory domain).  They use the
electric field of the reader, and employ backscatter modulation from tag to
reader.  The electric field extends over a longer distance than the magnetic
field.  Therefore, the operational range of backscatter systems is within tens
of metres.

SAW:
SAW tags use low-power microwave radio signals.  The tag converts them to
ultrasonic acoustic signals using a piezoelectric crystalline material.
Variations of the reflected signal can be used to provide a unique identity
such as a serial number.

The remainder of this article will focus on magnetic coupling RFID systems
only, since backscatter systems are not widely deployed yet, and therefore of
little practical relevance.


Protocols and standards:

For the commonly-used 13.56MHz based systems, there are two major protocols in
use, ISO14443 and ISO15693.  ISO15693 seems to be used only for "dumb" tag
applications, whereas ISO14443 is used frequently with RF interfaced processor
smart cards.

Besides the "physical layer" issues such as modulation, coding, bit timing,
and frequency, there are some other important tasks of an RFID protocol.

One of the fundamental effects of RFID is the possibility of multiple tags
within the operating range of a reader, just like in any other shared medium
communication channel.

In order to cope with multiple tags, an anticollision procedure has to be
specified.  Some sophisticated protocols (such as 14443-4) even allow a reader
to assign logical addresses to individual tags in order to communicate with
multiple tags.


ISO11784/11785

The ISO11784/11785 series of standards is used for identification of animals.
This family of standards operates at 134.2 kHz and uses the magnetic coupling
operational principle.  It uses load modulation with no subcarrier and employs
a bi-phase code for transmission of 64-bit transponder data at 4194 bits/sec.

ISO14223

ISO14223 is an extension of 11784/11785 and allows for more data stored on the
tag/transponder.

ISO10536

ISO10536 describes "close coupling" smart cards, with an operational range of
up to 1cm.  It employs inductive or capacitive coupling at 4.9152 MHz.  Due to
this short operational range, they never appeared in widespread use on the market.

ISO14443

ISO14443 describes "proximity coupling identification cards".  As opposed to
ISO10536, this standard has an operational range of up to 10cm.

ISO14443 comes in two variants: ISO14443-A and ISO14443-B.  They both operate
on the same frequency, but with different parameters.

                    14443A                        14443B
mod rdr->tag        100% ASK                      10% ASK
mod tag->rdr        load modulation at 847kHz,    load modulation at 847kHz,
                    ASK                           BPSK
code rdr->tag       modified Miller               NRZ
code tag->rdr       Manchester                    NRZ
anticol             binary search                 slotted ALOHA

ISO14443-4 specifies an (optional) transport level protocol on top of the lower
three layers of the ISO14443 protocol.  This transport protocol is sometimes
referred to as "T=CL" (transport=contactless).  This designation has its
origin in the smart card world, where other protocols such as "T=0" and "T=1"
have been in widespread use for decades.


ISO15693

ISO15693 describes "vicinity coupling" RFID, with an operational range of up
to 1m.  Like ISO14443, it operates on 13.56 MHz and employs magnetic near-field
inductive coupling.

This standard again supports various modes, such as 10% or 100% ASK, 1.65kb/s
or 26.48kb/s data rate, ASK or FSK based load modulation.

ISO18000 series

This ISO series is under current development.  It intends to specify unique
worldwide standards for item management.  Specifications include operation
on 13.56MHz, 2.45GHz, 5.8GHz and the 868 to 956 MHz UHF band.

The remainder of this paper will mostly look at ISO14443, since it is in
widespread use today and is also used by the electronic passport system
specified by ICAO.


A closer look at readers:
There's a variety of readers for the 13.56MHz world, ranging from embedded
reader modules to PC-connected readers for USB and serial connections,
Ethernet-connected readers as well as readers for handheld devices with
CompactFlash interface.

As opposed to the contact-based smartcard world where most readers now support
the USB CCID standard (to my surprise even non-USB devices!), there is no
standardization.  Neither does any of the readers - to the best of the author's
knowledge - have any publicly and/or freely available documentation.  A similar
lack is observed for Linux drivers.  If they are available, then often for an
extra charge, and in proprietary x86-only format.

On the electrical level, a lot of readers are surprisingly similar.  Almost all
of them seem to use readily available "reader ASICs" from vendors such as TI or
Philips.  Those ASICs usually integrate both the analogue RF part (including
modulation/demodulation) and the digital part.  They are interfaced by a serial
(SPI) or parallel address/data bus.  As you could have guessed by now, there's
again no publicly/freely available documentation on any of the chipsets.

After doing some research and re-engineering on commonly-available existing
readers, there seem to be two different basic architectures:

1) active
Active readers do all the 14443/15693 processing within a microcontroller of
the reader.  Advantages of an active design are low latency, high speed and
applicability in embedded or remotely connected environments where no host
computer could do protocol processing.

2) passive
Passive readers simply include the most basic logic to interface the reader
ASIC with the external interface.  Therefore all protocol processing has to be
done on the host system.

For obvious reasons, the passive architecture allows for cheaper development
and total product cost.  The author anticipates that all PC-based readers will
eventually become passive.  A commonly-available passive reader (Omnikey
CardMan 5121) was chosen for the development of librfid.


Omnikey CardMan 5121

At first glance, the cm5121 is a USB CCID contact-based smartcard reader.
It can be used with vendor-supplied proprietary drivers, or with various
freely available CCID reader drivers, such as the OpenCT project.

However, the RFID part is simply a Philips CL RC632 reader ASIC that can be
accessed transparently by issuing read/write_byte and read/write_fifo commands
via CCID PC_to_RDR_Escape USB messages.

The author further obtained a (publicly available, but encrypted) detailed data
sheet of the Philips CL RC632 reader asic, which magically decrypted itself by
using a couple of days worth of CPU power.

The CL RC632 is a multi-protocol reader ASIC, supporting 14443-A, 14443-B,
15693 as well as the proprietary 14443A-based Mifare system.

Using the data sheet, a free and GPL licensed RFID stack could be implemented
from scratch.


Security Issues

Sniffing
Like any RF interface, the magnetic RFID interface can be passively sniffed.
Due to the use of the H-field in 125kHz and 13.56MHz systems, the possible
surveillance range is very short.  Also, given the enormous power constraints
within the tag, the power put into the tag->reader channel is very low.
Furthermore, the main carrier and the subcarrier are very close in the radio
spectrum - while their signal strength differs by some 60 to 80 dB.

Measurements conducted by the author suggest that passive surveillance of
ISO 14443 compliant systems is not possible outside a range of 4-5 metres - at
least not with DIY equipment.


DoS
ISO14443-A and -B anticollision systems are subject to denial of service
attacks.

For 14443-A, such an attack could simply cause one collision for every bit in
the address, thus preventing the reader from completing its binary search
algorithm and fully selecting one of the available tags.

Authenticity/Confidentiality
ISO14443-A doesn't provide any form of security.  Any kind of authentication
and/or encryption has to be employed at a higher level, such as ISO7816 secure
messaging.  Compare the system with a TCP/IP stack (level 1..4) with SSL/TLS on
top.

Proprietary Security
The security of vendor-specific proprietary systems such as Mifare is based on
security by obscurity.  The encryption algorithm is not publicly documented,
and only implemented in vendor-supplied hardware, usually the reader ASIC and
inside the tag itself.  Keys are stored on the tag and in the reader ASIC.

Security by obscurity within the software industry generally doesn't work.
However, in the hardware world vendors still seem to assume it is a valid
paradigm.

The key lengths used seem extremely small (40bit).  Should the algorithm ever
be uncovered, it is expected to compromise the security of the whole system.
The arithmetic complexity of the algorithm can only be low, given its
implementation in lowest-cost state-machine-only tags.  Therefore it is
expected that

