Should & How RFID System be Evaluated against CC v3.1. InfoCom Security Division Yao-Chang Yu 2007/9/26


2 Outline
RFID System Overview
EPCglobal Architecture Framework
Security in EPC Standard
Security Issues
How to evaluate RFID Evaluation Level

3 RFID System Overview: System Overview
Components: RFID Tag, Reader, Middleware & Database

4 RFID System Overview: Tag Overview
Class 0 (Identity Tag): 1. Passive, 2. Read Only, 3. EPC code by manufacturer, 4. Working Range: 10 m at most, 5. 64 bits and 96 bits
Class 1 (Identity Tag): 1. Passive, 2. Write Once Read Many, 3. EPC code by user, 4. Working Range: 10 m at most, 5. 64 bits and 96 bits
Class 2 (Higher Functionality): 1. Passive, 2. Rewriteable, 3. More memory, 4. Can be equipped with a sensor, 5. Working Range: 10 m at most
Class 3 (Semi-Passive): 1. Equipped with a battery to drive the sensor, 2. More memory (compared with Class 2), 3. Working Range: 30 m at most, 4. Sensor
Class 4 (Passive): 1. More powerful battery, 2. More memory (compared with Class 3), 3. Working Range > 100 m

5 EPCglobal Architecture Framework: Data Exchange in EPCglobal Network
[Figure: EPCIS 1 and EPCIS 2, each reached through an EPCIS Accessing Application, serving Subscriber A and Subscriber B]

6 EPCglobal Architecture Framework: Data Exchange in EPCglobal Network
[Figure: EPCIS 1 to EPCIS 5 located via the ONS, each reached through an EPCIS Accessing Application, serving Subscriber A and Subscriber B]

7 Security in EPC Standard
Mutual authentication between subscribers
Authentication between EPCIS and subscribers
RFID tag-level security and privacy: Kill command with a 32-bit password

8 Security Issues
Privacy violation: for a low-level RFID tag, the function is as simple as answering requests. The tag answers any request without asking who is requesting, so its signal can be tracked.
Unauthorized reading of the tag ID
Tag cloning: intentionally intercepting a tag ID and duplicating the tag (e.g. an access control card)

9 Tag Security Function
Security function: from the tag's point of view, the only security function addressed in the RFID standards is the kill command with a 32-bit password. When the tag receives the correct password, it is terminated permanently.
Purpose of the security function: mainly to prevent tracking; partially to prevent unauthorized reading; partially to prevent cloning.
Problem with this security function: the tag cannot be reused.

10 Tag Evaluation Level
What should be considered to determine the EAL of a low-level RFID tag:
Purpose of RFID tags: product identification, biometric chip, credit card
Assets: ID, password
Threats: tag cloning; interception of tag ID/password
Cost: a low-level RFID tag is about 5 cents/tag

11 Tag Evaluation Level
Result of the evaluation level determination: a low-level RFID tag normally contains about 3,000 logic gates, of which only around 400 can be used to perform security functions. It is not possible for such a tag to have security functions that protect it from unauthorized reading on its own, nor can a low-level RFID tag protect itself from cloning on its own. Therefore, I suggest that there is no need to evaluate a low-level RFID tag individually.

12 Notice
The above applies to Class 0/1 RFID tags. If the TOE is a Class 2, 3 or 4 tag, the result will be different. For example, a Class 4 RFID tag is powered by a battery, so it can do much more than Class 0/1 tags, such as: encryption/decryption, digital signature, sensors, physical protection.

13 Reader Standards
Reader Protocol Standard v1.1, security-related commands:
Source.Read(dataselector: DataSelector, Passwords: binary[], Selectors: TagSelector[])
Source.WriteID(ID: binary, Passwords: binary[], Selectors: TagSelector[])
Source.Write(data: tagfieldvalue[], Passwords: binary[], Selectors: TagSelector[])
Source.Kill(Passwords: binary[], Selectors: TagSelector[])

14 Reader Standards
Low-Level Reader Protocol Standard v1.0.1: an application-layer protocol that addresses the communication between reader and client, and the mutual authentication between reader and client. TLS v1.0 is used for the TCP connection, with X.509 certificates.

15 Reader Security Consideration
What should be considered to determine the EAL of an RFID reader:
Purpose of the RFID reader: to interact with RFID tags and the backend server
Assets: crypto key (for TLS); PIN (to access the reader); password (to invoke the kill command)
Threats: unauthorized use of the RFID reader; unauthorized initiation of the kill command to terminate a tag; key or PIN may be read out by unauthorized people
Cost: high

16 Evaluation Level
The answer to the evaluation level could vary. It depends on: usage of the RFID reader, operating environment, protected assets, cost. Summing up the considerations mentioned above, we suggest the proper evaluation level will be in the range EAL3 to EAL4+.

17 Reader Security Objectives
Threat 1: Unauthorized use of the RFID reader
  Objective for the TOE: O1: The TOE must ensure that the RFID reader can only be used by authorized users.
  Objective for the environment: OE1: The user must ensure that the RFID reader is stored properly.
Threat 2: Unauthorized initiation of the kill command to terminate a tag
  Objective for the TOE: O2: The TOE must ensure that the kill command is initiated only by authorized users.
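The kill command with its 32-bit password (slides 7 and 9) and the reader objectives O1/O2 above, as an added Python model that is not from the presentation; the Tag and Reader classes, and all PIN, user name, EPC and kill-password values, are assumptions:

```python
# Added example (not from the slides): toy model of the EPC kill command and objectives O1/O2; all values constructed.
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tag:
    epc: bytes
    kill_password: int  # 32-bit value, as in the EPC standard
    killed: bool = False
    def read_id(self) -> Optional[bytes]:
        # A live low-level tag answers anyone; it never asks who is requesting (slide 8).
        return None if self.killed else self.epc
    def kill(self, password: int) -> bool:
        if self.killed or not 0 <= password < 2 ** 32:
            return False
        if hmac.compare_digest(password.to_bytes(4, "big"),
                               self.kill_password.to_bytes(4, "big")):
            self.killed = True  # permanent: the tag cannot be reused (slide 9)
        return self.killed

@dataclass
class Reader:
    pin: str               # asset: PIN needed to access the reader
    kill_users: frozenset  # users allowed to invoke Source.Kill (O2)
    user: Optional[str] = None
    def login(self, user: str, pin: str) -> bool:
        # O1: the reader can only be used by an authorized user.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        self.user = user
        return True
    def source_read(self, tag: Tag) -> Optional[bytes]:
        return tag.read_id() if self.user else None
    def source_kill(self, tag: Tag, password: int) -> bool:
        # O2: the kill command is only initiated by an authorized user.
        if self.user is None or self.user not in self.kill_users:
            return False
        return tag.kill(password)

def scenario() -> dict:
    tag = Tag(epc=b"\x30\x00\x11\x22", kill_password=0xDEADBEEF)
    rd = Reader(pin="1234", kill_users=frozenset({"admin"}))
    out = {"bad_pin": rd.login("clerk", "0000"), "clerk_in": rd.login("clerk", "1234")}
    out["clerk_kill"] = rd.source_kill(tag, 0xDEADBEEF)  # denied by O2
    rd.login("admin", "1234")
    out["wrong_pw"] = rd.source_kill(tag, 0x00000001)  # wrong password: tag survives
    out["read_alive"], out["killed"] = rd.source_read(tag), rd.source_kill(tag, 0xDEADBEEF)
    out["read_dead"] = rd.source_read(tag)
    return out
```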

18 Reader Security Objectives
Threat 3: Crypto key or PIN may be read out by unauthorized people
  Objective for the TOE: O3: The TOE has to ensure that the key and PIN stored in reader memory cannot be read out without authorization.
  O4: The TOE has to ensure that evidence of a physical breach can be tracked.

19 Threat & Objectives Mapping
      OE1   O1   O2   O3   O4
T1     *    *
T2               *
T3                    *    *

20 Security Function Requirements
FCS: Cryptographic Support
FDP: User Data Protection
FIA: Identification and Authentication
FMT: Security Management
FPT: Protection of the TOE Security Functions

21 Security Assurance Requirements: EAL3
Development: ADV_ARC.1, ADV_FSP.3, ADV_TDS.2
Guidance documents: AGD_OPE.3, AGD_PRE.1
Life-cycle support: ALC_CMC.3, ALC_CMS.3, ALC_DEL.1, ALC_DVS.1, ALC_LCD.1
Security Target evaluation: ASE_CCL.1, ASE_ECD.1, ASE_INT.1, ASE_OBJ.2, ASE_REQ.2, ASE_SPD.1, ASE_TSS.1
Tests: ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2
Vulnerability assessment: AVA_VAN.2

22 Security Assurance Requirements: EAL4
Development: ADV_ARC.1, ADV_FSP.4, ADV_IMP.1, ADV_TDS.3
Guidance documents: AGD_OPE.3, AGD_PRE.1
Life-cycle support: ALC_CMC.4, ALC_CMS.4, ALC_DEL.1, ALC_DVS.1, ALC_LCD.1
Security Target evaluation: ASE_CCL.1, ASE_ECD.1, ASE_INT.1, ASE_OBJ.2, ASE_REQ.2, ASE_SPD.1, ASE_TSS.1
Tests: ATE_COV.2, ATE_DPT.2, ATE_FUN.1, ATE_IND.2
Vulnerability assessment: AVA_VAN.3

23 Augmented Component
For EAL3+, the augmented components could be (augmentation: dependencies it brings in):
ADV_FSP.3 -> ADV_FSP.4: ADV_TDS.1
* -> ADV_IMP.1: ADV_TDS.3, ALC_TAT.1
ADV_TDS.2 -> ADV_TDS.3: ADV_FSP.4
ALC_CMC.3 -> ALC_CMC.4: ALC_CMS.1, ALC_DVS.1, ALC_LCD
* -> ALC_FLR.1 / ALC_FLR.2 / ALC_FLR.3: --
ALC_CMS.3 -> ALC_CMS.4: --
* -> ALC_TAT.1: ADV_IMP.1
AVA_VAN.2 -> AVA_VAN.3: ADV_ARC.1, ADV_FSP.2, ADV_TDS.3, ADV_IMP.1, AGD_OPE.1, AGD_PRE.1

24 Summary
To summarize what was mentioned above:
A low-level RFID tag (Class 0 and Class 1) does not have any protection, so there is no need for it to be evaluated (like a digital stamp or a traditional bar code).
High-level RFID tags (Class 2 and Class 4) should be evaluated, because these two types of tag are equipped with a battery, more memory and possibly security functions.
The reader is the key to ensuring that the security functions work properly in the communication between tags and reader.

25 Reference
EPCglobal Radio-Frequency Identity Protocols, Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz~960 MHz, Version
The EPCglobal Architecture Framework, Version 1
EPCglobal Certificate Profile
EPC Information Services (EPCIS), Version 1.0
Low Level Reader Protocol (LLRP), Version
Reader Protocol Standard, Version

26 Thank You