Security Analysis of a Cryptographically-EnabledRFID Device
The Johns Hopkins University Information Security InstituteBaltimore, MD 21211, USAe-mail:
RSA LaboratoriesBedford, MA 01730, USAe-mail:
We describe our success in defeating the security of an RFID device known as a DigitalSignature Transponder (DST). Manufactured by Texas Instruments, DST (and variant) deviceshelp secure millions of SpeedPass
payment transponders and automobile ignition keys.Our analysis of the DST involved three phases:1.
Starting from a rough published schematic, we determined the com-plete functional details of the cipher underpinning the challenge-response protocol in the DST.We accomplished this with only “oracle” or “black-box” access to an ordinary DST, that is,by experimental observation of responses output by the device.2.
The key length for the DST is only 40 bits. With an array of of sixteenFPGAs operating in parallel, we can recover a DST key in under an hour using two responsesto arbitrary challenges.3.
Given the key (and serial number) of a DST, we are able to simulate its RFoutput so as to spoof a reader. As validation of our results, we purchased gasoline at a servicestation and started an automobile using simulated DST devices.We accomplished all of these steps using inexpensive oﬀ-the-shelf equipment, and with minimalRF expertise. This suggests that an attacker with modest resources can emulate a target DSTafter brief short-range scanning or long-range eavesdropping across several authentication sessions.We conclude that the cryptographic protection aﬀorded by the DST device is relatively weak.
: Digital Signature Transponder (DST), immobilizer, Hellman time-spacetradeoﬀ, RFID
Radio-Frequency IDentiﬁcation (RFID) is a general term for small, wireless devices that emitunique identiﬁers upon interrogation by RFID readers. Ambitious deployment plans by Wal-mart and other large organizations over the next couple of years have prompted intense com-mercial and scientiﬁc interest in RFID . The form of RFID device likely to see the broadestuse, particularly in commercial supply chains, is known as an EPC (Electronic Product Code)tag. This is the RFID device speciﬁed in the Class 1 Generation 2 standard recently ratiﬁedby a major industry consortium known as EPCglobal [8,17]. EPC tags are designed to be veryinexpensive – and may soon be available for as little as ﬁve cents/unit in large quantities ac-cording to some projections [18,19]. They are sometimes viewed in eﬀect as wireless barcodes:They aim to provide identiﬁcation, but not digital authentication. Indeed, a basic EPC taglacks suﬃcient circuitry to implement even symmetric-key cryptographic primitives .18:55 January 28, 2005