matching electronic fingerprints of rfid tags using the hotelling’s algorithm

Nurbek Saparkhojayev and Dale R. Thompson, Nurbek Saparkhojayev and Dale R. Thompson, Ph.D., P.E. Ph.D., P.E.

Computer Science and Computer Engineering Computer Science and Computer Engineering Dept.Dept.

University of ArkansasUniversity of Arkansas

Matching Electronic Fingerprints Matching Electronic Fingerprints of RFID Tags Using the of RFID Tags Using the Hotelling’s AlgorithmHotelling’s Algorithm

D. R. ThompsonD. R. Thompson http://rfidsecurity.uark.eduhttp://rfidsecurity.uark.edu 11

This material is based upon work supported by the National Science Foundation, Cyber Trust area, under Grant No. CNS-0716578.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science

Foundation.

Presented to: IEEE Sensors Applications Symposium, Feb. 17, 2009

ProblemProblem

Counterfeiting travel documents such Counterfeiting travel documents such as ePassport, DHS PASS card, and as ePassport, DHS PASS card, and future drivers licensesfuture drivers licenses

Travel documents contain radio Travel documents contain radio frequency identification (RFID) tagsfrequency identification (RFID) tags

http://rfidsecurity.uark.eduhttp://rfidsecurity.uark.edu 22D. R. ThompsonD. R. Thompson

Threats to RFID tagsThreats to RFID tags

Cloning the tagCloning the tag– Copy contents of tag to another tagCopy contents of tag to another tag

Side-channel (non-invasive) attacksSide-channel (non-invasive) attacks– Monitor certain external parameters such as Monitor certain external parameters such as

power consumption, timing delay, or power consumption, timing delay, or electromagnetic emissionelectromagnetic emission

– Inject noise/faults to the target to cause Inject noise/faults to the target to cause irregular behaviorsirregular behaviors


Tag Counterfeiting/CloningTag Counterfeiting/Cloning(Spoofing Identity)(Spoofing Identity)


Manipulating Data on Manipulating Data on PassportPassport

The Hacker’s Choice (Oct. 2, The Hacker’s Choice (Oct. 2, 2008)2008)– Copied passportCopied passport– Replaced picture with Replaced picture with

Elvis’s pictureElvis’s picture– Turned off active Turned off active

verificationverification– Tested on boarding pass Tested on boarding pass

machinemachine– http://freeworld.thc.org/thc-http://freeworld.thc.org/thc-

epassport/epassport/– http://www.youtube.com/http://www.youtube.com/

watch?v=4HngStyEm4swatch?v=4HngStyEm4s Used Jeroen van Beek method Used Jeroen van Beek method

presented at Black Hat presented at Black Hat conferenceconference


Counterfeiting MitigationCounterfeiting Mitigation

Tag authentication using Tag authentication using cryptographycryptography– Store secrets on the tag that can be Store secrets on the tag that can be

verifiedverified– Secret keys, symmetric key and public Secret keys, symmetric key and public

key cryptographykey cryptography Physical unclonable functions (PUFs)Physical unclonable functions (PUFs) Electronic fingerprint (E-Fingerprint)Electronic fingerprint (E-Fingerprint)


ObjectiveObjective

Prevent counterfeiting of RFID tagsPrevent counterfeiting of RFID tags– Methods for creating electronic Methods for creating electronic

fingerprint based on physical fingerprint based on physical characteristics of tagcharacteristics of tag

– Digital integrated circuit (IC) design Digital integrated circuit (IC) design methodology that mitigates power- and methodology that mitigates power- and timing-based side-channel attackstiming-based side-channel attacks


ApproachApproach Electronic fingerprint

(e-fingerprint)– Authentication

becomes a function of what the device “is” in addition to a secret it “knows.”

Digital integrated circuit Digital integrated circuit (IC) design methodology (IC) design methodology that mitigates power- that mitigates power- and timing-based side-and timing-based side-channel attackschannel attacks


Two-layer securityTwo-layer security Authentication becomes a function of what the

device “is” in addition to a secret it “knows.” Two-layers

– Cryptography– Electronic fingerprint (E-fingerprint)


Communication between Communication between reader and tagreader and tag


Tag

FeaturesFeatures

Minimum power response at Minimum power response at multiple frequencies (MPRMF)multiple frequencies (MPRMF)

TimingTimingFrequencyFrequencyPhasePhaseTransientsTransients


Minimum power response Minimum power response measured at multiple measured at multiple

frequenciesfrequencies


What will the fingerprint What will the fingerprint look like?look like?


FAR and FRRFAR and FRR

False acceptance rate (FAR)False acceptance rate (FAR)

Probability that a false Probability that a false identity claim will be identity claim will be acceptedaccepted

Type II errorType II error Like biometrics, Like biometrics,

most serious type most serious type of errorof error

False rejection rate (FRR)False rejection rate (FRR)

Probability that a true Probability that a true identity claim is falsely identity claim is falsely rejectedrejected

Type I errorType I error


Hotelling’s Two-sample T^2 Hotelling’s Two-sample T^2 AlgorithmAlgorithm


Create synthetic tag Create synthetic tag fingerprintsfingerprints


ParametersParameters

p = 4 = number of featuresp = 4 = number of features n1 = n2 = 20 = number of samplesn1 = n2 = 20 = number of samples alpha = 0.025 (95% confidence level)alpha = 0.025 (95% confidence level) If T^2 > 13.81, assume fingerprints If T^2 > 13.81, assume fingerprints

are differentare different


Case 1: Compare fingerprint of tag 0 with all Case 1: Compare fingerprint of tag 0 with all other fingerprints at varying noise levels other fingerprints at varying noise levels

(mean = 0)(mean = 0)


Case 2: A single tag fingerprint with std. Case 2: A single tag fingerprint with std. dev. 1.50 compared against itself at noise dev. 1.50 compared against itself at noise

levels with different meanslevels with different means


ConclusionsConclusions

Hotelling’s performs well across a Hotelling’s performs well across a large range of standard deviations IF large range of standard deviations IF the noise has zero meanthe noise has zero mean

Modest computationsModest computations


Future WorkFuture Work

Apply the algorithm to the measured Apply the algorithm to the measured features instead of the synthetic features instead of the synthetic featuresfeatures

Apply the algorithm across a much Apply the algorithm across a much larger set of parameterslarger set of parameters


Contact InformationContact Information

Dale R. Thompson, Ph.D., P.E.Dale R. Thompson, Ph.D., P.E.Associate ProfessorAssociate ProfessorComputer Science and Computer Engineering Dept.Computer Science and Computer Engineering Dept.JBHT – CSCE 504JBHT – CSCE 5041 University of Arkansas1 University of ArkansasFayetteville, Arkansas 72701-1201Fayetteville, Arkansas 72701-1201

Phone: +1 (479) 575-5090Phone: +1 (479) 575-5090FAX: +1 (479) 575-5339FAX: +1 (479) 575-5339E-mail: [email protected]: [email protected]: http://comp.uark.edu/~drt/WWW: http://comp.uark.edu/~drt/


matching electronic fingerprints of rfid tags using the hotelling’s algorithm

Documents

power consumption

edumin power response

rfid tagscloning

rfid tagsmethods

computer science

national science foundation

timing delay

channel attackshttp