
Susceptibility of UHF RFID Tags to Electromagnetic Analysis

Thomas Plos

Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria

[email protected]

Abstract. The number of applications that use radio-frequency identification (RFID) technology has grown continually in the last few years. Current RFID tags are mainly used for identification purposes and do not include crypto functionality. Therefore, classical RFID tags are not designed as secure devices and do not contain countermeasures against side-channel analysis (SCA). The lack of such countermeasures makes RFID tags vulnerable to attacks relying on electromagnetic (EM) analysis. When attaching crypto functionality to future RFID tags, which is considered for many use cases like forgery protection of goods, SCA becomes a concern. In this work we show the susceptibility of UHF RFID tags to EM analysis by using differential-EM analysis attacks. We have examined commercially-available passive UHF RFID tags with a microchip. The results show that a simple dipole antenna and a digital-storage oscilloscope connected to a computer are enough to determine data-dependent emanation of the microchip of passive UHF RFID tags at distances up to 1 m. Enhancement of RFID tags with crypto functionality therefore requires re-design of the whole tag architecture with respect to SCA.

Keywords: Side-channel analysis (SCA), radio-frequency identification (RFID), EPC Generation 2 standard, ultra-high frequency (UHF), differential electromagnetic analysis (DEMA).

1 Introduction

During the last few years the application of radio-frequency identification (RFID) technology has become more and more important. Ticketing, electronic passports, immobilizers, and supply-chain management are only an outline of a long list of applications that already use RFID systems. The integration of RFID technology can make applications more convenient, more effective, and secure.

The main components of a basic RFID system are an RFID reader that is connected to a back-end database and at least one RFID tag. RFID reader and RFID tag communicate wirelessly by using a radio frequency (RF) field. The RF field is generated by the RFID reader via an antenna and modulated according to the data that should be transmitted to the RFID tag. The RFID tag itself is equipped with an antenna which it uses to extract data and energy from the RF field. Three types of RFID tags can be distinguished: passive RFID tags, semi-passive RFID tags, and active RFID tags. Passive RFID tags are the most prevalent, obtaining their power supply directly from the RF field; semi-passive tags and active tags are supplied by a battery. A typical RFID tag consists of an antenna and a microchip. The microchip contains an analog part and a digital part, whereas the analog part of an RFID tag is responsible for demodulating the RF field and modulating the response of the RFID tag. In addition, the analog part of passive RFID tags is also responsible for extracting the power supply from the RF field. The digital part is more or less complex depending on the application. For security-enhanced applications like contactless smart cards, the digital part of an RFID tag contains a microcontroller with non-volatile memory; less sophisticated applications may only use a state machine with read-only memory.

* This work has been supported by the European Commission under the Sixth Framework Programme (Project BRIDGE, Contract Number IST-FP6-033546) and by the Austrian Science Fund (FWF Project Number P18321).

T. Malkin (Ed.): CT-RSA 2008, LNCS 4964, pp. 288–300, 2008. © Springer-Verlag Berlin Heidelberg 2008

RFID systems can be classified by the frequency of the RF field and the coupling method. The frequencies used by RFID systems range from about 125 kHz in the low-frequency range up to 5.8 GHz in the microwave range [1]. Deployed coupling methods are: electric coupling, magnetic coupling, and electromagnetic coupling. This work focuses on electromagnetic-coupled systems in the UHF range operating at a frequency of 868 MHz. In contrast to electric coupling and magnetic coupling, which operate in the near field, electromagnetic coupling operates in the far field by using electromagnetic waves.

Responsible for the existence of electromagnetic waves is the limited propagation speed of the electromagnetic field. At a certain distance from the antenna the electromagnetic field can no longer follow the voltage changes at the antenna. The electromagnetic field separates from the antenna and propagates as an electromagnetic wave. The region where the electromagnetic field is separated from the antenna is named far field [1]. For UHF RFID tags operating at a frequency of 868 MHz, the far field starts at a distance of about 5.5 cm from the antenna. The simplest antenna shape that is used for generating electromagnetic waves is the dipole antenna, which consists of two wires. Since the attenuation of the RF field in the far field is less than in the near field, electromagnetic-coupled systems achieve longer read ranges. Typically, read ranges of 2 to 3 m and more can be achieved, depending on the power of the RFID reader.

An important protocol for electromagnetic-coupled RFID systems in the UHF range is the Electronic Product Code (EPC) Generation 2 standard [2]. The EPC Generation 2 standard is planned to be the future replacement for conventional bar codes. The vision of the inventors of the EPC Generation 2 standard is to attach an RFID tag to each individual product. For now, RFID tags are still too expensive to place them on each individual product; rather, they are placed on groups of products like pallets. Equipping pallets with RFID tags makes it possible to increase efficiency and to reduce costs in supply-chain management.


The driving force behind the introduction of the EPC Generation 2 standard is EPCglobal, which is a not-for-profit organization that has been founded by GS1 in 2003. GS1 has emerged from the Uniform Code Council (UCC) and European Article Number (EAN) International, which are the two organizations that are responsible for managing the bar code systems. Large distributors such as Wal-Mart, Tesco, and Metro have already integrated RFID technology that uses the EPC Generation 2 standard into their supply-chain management [3].

Usually, RFID tags have to be fairly cheap and therefore can only integrate limited functionality, which strongly affects the utilized protocol. Thus, protocols like the EPC Generation 2 standard neglect to include cryptographic security. The lack of cryptographic security makes the EPC Generation 2 standard vulnerable to various attacks such as cloning or revealing secrets like the kill password. However, when using EPC Generation 2 tags to prevent valuable goods from forgery, a higher tag price is acceptable. Pharmacy, for example, is a use case where valuable goods are involved. Another important aspect is the technological progress that allows more and more functionality to be integrated into future RFID tags. There exist various proposals that deal with enhancing the security of RFID protocols, which furthermore require crypto functionality to be included in RFID tags (see [4, 5, 6, 7]). As soon as RFID tags contain crypto functionality, vulnerability to side-channel analysis becomes a concern.

This work is organized as follows. Section 2 provides an overview of the related work with respect to power analysis and electromagnetic analysis. In Section 3, the UHF RFID tags that have been examined in this work are described, followed by a description of the measurement setup in Section 4. Section 5 presents the results of the side-channel analysis that has been conducted. The conclusion of this work is given in Section 6.

2 Related Work

With the introduction of power analysis by Kocher et al. in 1998, a wide field for new and effective side-channel attacks has been opened [8]. Power analysis makes use of the fact that the power consumption of CMOS devices is dependent on the data and instructions that are executed. Measuring the power consumption of a CMOS device and deploying statistical methods makes it possible to reveal secrets from cryptographic devices like smart cards. Some years later, the EM radiation of CMOS devices has also been found useful for side-channel attacks. In [9], Gandolfi et al. describe the practical implementation of EM attacks and furthermore compare them with conventional power analysis. Thereby, the authors come to the conclusion that EM measurements, although they are noisier, lead to better differentials than power measurements. As explained by Mangard [10], EM attacks are not limited to the near field; they can also be successful in the far field.

Hutter et al. [11] describe how to use EM measurements to attack passive RFID devices which are running at 13.56 MHz. Two RFID prototype devices with a cryptographic primitive implemented on them, one in software and one in hardware, are attacked by applying power measurements and EM measurements. In both cases the attacks were successful. A focus on UHF RFID devices and EM measurements is given by the work of Oren and Shamir [12]. There, the authors describe a new attack called parasitic backscatter attack. This attack is possible since the amount of power that is reflected by UHF RFID tags is related to the power consumption of its internal circuit. Furthermore, the authors explain how the parasitic backscatter attack can be used to extract the secret kill password from EPC Generation 1 tags. Relying on the results in [12], our work goes a step further and focuses on determining the susceptibility of EPC Generation 2 tags to differential electromagnetic analysis (DEMA).

3 Examined UHF RFID Tags

For analyzing the side-channel leakage, two different types of UHF RFID tags have been used: firstly, a self-made prototype of a UHF RFID tag that operates semi-passively, and secondly, commercially-available UHF RFID tags that operate passively. The self-made prototype, which has initially been built to evaluate current UHF RFID protocols, has also been found useful for providing the trigger signal when performing measurements on passive UHF RFID tags.

3.1 Description of the UHF Tag Prototype

The first EM measurements presented in this work have been done by using a self-made UHF tag prototype. When evaluating and enhancing the security of current UHF RFID protocols, it is helpful to have a programmable UHF RFID tag. A programmable UHF RFID tag can be used to easily integrate additional functionality such as new security mechanisms and new commands. Furthermore, the additional functionality can be verified and tested, showing a proof of concept. Standard UHF RFID tags do not provide the possibility to integrate additional functionality because their functionality is implemented in silicon.

Unlike most UHF RFID tags, the UHF tag prototype operates semi-passively. Like a passive RFID tag, a semi-passive RFID tag only uses the RF field of the reader for communication, but uses an extra battery for power supply like an active RFID tag. Our UHF tag prototype is a printed circuit board (PCB) with discrete components. As shown in Figure 1, the UHF tag prototype can be divided into four parts: an antenna, an analog front end, a digital part, and a protocol implementation.

Antenna. For the UHF tag prototype a simple dipole antenna has been selected which consists of two wires [1]. The dipole antenna of the UHF tag prototype is directly printed on the layout of the PCB. With the help of the antenna, energy is extracted from the RF field. The voltage induced in the antenna is furthermore fed to the input of the analog front end.


[Figure 1: block diagram with the four parts Antenna, Analog front end (charge-pump rectifier, hysteresis comparator, backscatter), Digital part (micro-controller), and Protocol implementation]

Fig. 1. Architecture of the UHF tag prototype

Analog Front End. The analog front end of the UHF tag prototype contains a charge-pump rectifier, a hysteresis comparator, and a backscatter. Thereby, the charge-pump rectifier demodulates and multiplies the voltage coming from the antenna. Afterwards, the hysteresis comparator turns the analog signal from the charge-pump rectifier into a "clean" digital signal for entering the digital part. The backscatter consists of a resistor and a capacitor forming an impedance that is switched in parallel to the antenna via a fast switching transistor, allowing backscatter modulation. UHF RFID tags transmit their reply via backscatter modulation [13].

Digital Part. In order to have the UHF tag prototype programmable, its digital part is realized as a microcontroller. The deployed microcontroller is an Atmel ATMega128, which is an 8-bit microcontroller operating at 16 MHz. Programming and in-system debugging of the microcontroller is done via a JTAG interface.

Protocol Implementation. The EPC Generation 2 standard has been selected as protocol for the UHF tag prototype. The protocol is implemented in software which is written to the program memory of the UHF tag prototype's microcontroller. Besides the implementation of the mandatory functionality of the EPC Generation 2 standard, the UHF tag prototype has also integrated secure tag authentication that uses a 128-bit AES encryption scheme according to [6].

3.2 Description of Passive UHF RFID Tags

In addition to the UHF tag prototype we have used passive UHF RFID tags that are commercially available. In contrast to the UHF tag prototype, passive UHF RFID tags are completely powered by the RF field of the RFID reader, requiring no extra battery. A passive UHF RFID tag consists of an antenna and a microchip that comprises an analog part and a digital part. Typically, the protocol handling is implemented via a state machine in dedicated hardware [1]. A comparison with the previous section shows that the overall structure of a passive UHF RFID tag is not that different from the structure of the UHF tag prototype.

In order to obtain read ranges of several meters, passive UHF RFID tags should consume very little power. The power consumption of passive UHF RFID tags is in the range of some microwatts [14]. For detecting data-dependent emanation we have used passive UHF RFID tags from various tag vendors. All examined passive UHF RFID tags have shown data-dependent emanation.

4 Measurement Setup for UHF RFID Tags

This section describes the measurement setup that has been used to reveal data-dependent emanation of UHF RFID tags. Measurements have been done some centimeters away from the UHF RFID tags in the near field and up to 1 m away from the UHF RFID tags in the far field. The RF field of the RFID reader has been switched on during all the measurements. Initial measurements have detected data-dependent emanation of the UHF tag prototype. Measurements on passive UHF RFID tags could also reveal the side-channel leakage.

[Figure 2: the UHF RFID reader supplies the RF field to the DUT and to the UHF tag prototype placed beside it; an EM measurement probe feeds the digital-storage oscilloscope, which receives its trigger signal from the UHF tag prototype and is connected to the computer]

Fig. 2. Measurement setup for examining the emanation of a passive UHF RFID tag (DUT) in the far field

The automation of the measurement setup is important for performing side-channel analysis. Only an automated measurement setup allows thousands of individual measurements to be gathered within an acceptable time. Besides the examined UHF RFID tag, which we call device under test (DUT), the main components of the measurement setup are a digital-storage oscilloscope, a UHF RFID reader that is compliant to the EPC Generation 2 standard, and an EM measurement probe. The digital-storage oscilloscope and the UHF RFID reader are connected to a computer. A program on the computer controls the whole measurement flow and performs the subsequent analysis of the recorded data. Depending on the measurement, different EM measurement probes are used to obtain the EM signal that is radiated from the DUT. Figure 2 shows the measurement setup for examining the emanation of a passive UHF RFID tag in the far field.

Fig. 3. Near-field probes that have been used for the measurements

Fig. 4. Self-made dipole antenna that has been used for the measurements

Acquiring a single measurement always follows the same scheme and requires several steps. After initializing the DUT, the computer sends the command to the UHF RFID reader that is used for detecting the data-dependent emanation. The UHF RFID reader in turn communicates with the DUT via the air interface. While the DUT processes this command, its radiated EM field is recorded by the digital-storage oscilloscope with the help of an EM measurement probe. The data acquisition of the digital-storage oscilloscope is started by a trigger signal. When examining the UHF tag prototype, the trigger signal comes directly from the UHF tag prototype. Passive UHF RFID tags are not suitable for directly providing a trigger signal. Thus, the software of the UHF tag prototype is modified such that it can be placed in parallel to the passive UHF RFID tag in the RF field to provide the external trigger signal (compare Figure 2). Acquiring a single measurement is finalized by transferring the recorded data from the digital-storage oscilloscope to the computer and storing it there.

4.1 Near-Field Measurements

For measuring the emanation of UHF RFID tags in the near field, we have used special near-field probes. Near-field probes are available in various sizes and shapes depending on the frequency range and the application they are dedicated for. During our measurements we have used the three near-field probes in Figure 3, which are designated for detecting magnetic fields. One near-field probe works for frequencies from 100 kHz to 50 MHz; the other two near-field probes work for frequencies from 30 MHz to 3 GHz.


Since the signal amplitudes that can be obtained with near-field probes are rather small, we have deployed an additional preamplifier. The preamplifier has a voltage gain of 30 dB and is connected between the output of the near-field probe and the input of the digital-storage oscilloscope. When doing measurements in the range of some tens of megahertz, it is helpful to enable the internal bandwidth limitation of the digital-storage oscilloscope. Limiting the bandwidth has the advantage that the strong RF field from the UHF RFID reader is suppressed, which furthermore increases the quality of the measurements.

4.2 Far-Field Measurements

Near-field probes are no longer suitable for far-field measurements; rather, electromagnetic antennas are required. The UHF RFID tags that have been examined in this work operate at a carrier frequency of about 868 MHz. Since our far-field measurements have concentrated on detecting data-dependent emanation of UHF RFID tags around their carrier frequency, no special broadband antenna is necessary. A self-made dipole antenna, shown in Figure 4, whose length is tuned to the carrier frequency is sufficient. The length of a dipole antenna for a carrier frequency of 868 MHz is about 17 cm [1]. While near-field measurements require an additional preamplifier in order to obtain acceptable signal amplitudes, far-field measurements do not. A spectrum analyzer with special band-pass filters can be used to transform the 868 MHz signal to baseband, which makes it possible to reduce the required sampling rate of the digital-storage oscilloscope. A reduced sampling rate results in measurements that consume less storage space on the computer and can be analyzed faster.

5 Side-Channel Analysis of UHF RFID Tags

For analyzing the susceptibility of UHF RFID tags to side-channel analysis (SCA) we have used differential electromagnetic analysis (DEMA) attacks, which have originally emerged from differential power analysis (DPA) attacks [9]. Both attacks are a powerful instrument to reveal secrets from crypto devices. The difference between DEMA attacks and DPA attacks is the method in which measurements are acquired. For DEMA attacks, measurements of the electromagnetic field that is emanated by crypto devices are required. DPA attacks use power traces that are obtained by directly measuring the power consumption of crypto devices. Both attacks have the advantage that only a simple model of the analyzed crypto device is necessary and that even very noisy measurements can be used [15].

Before starting a DEMA attack, an appropriate operation needs to be selected that is suitable for revealing data dependencies. The UHF RFID tags which we have examined are EPC Generation 2 tags. For those tags, it has turned out that the Write command is a useful operation to detect data dependencies. The Write command as it is defined in the EPC Generation 2 standard [2] allows writing a 2-byte value to the non-volatile memory of a UHF RFID tag. Since the 2-byte value is a freely selectable parameter of the Write command, the 2-byte value can be used as chosen input data of the DEMA attack.

By using the measurement setup and the measurement-acquisition strategy described in Section 4 we have obtained various electromagnetic traces. The electromagnetic traces are recorded while the examined UHF RFID tag executes a Write command with a chosen 2-byte value. Thereby, always the same memory location of the UHF RFID tag is used. This memory location is initialized with the value zero before a new chosen 2-byte value is written. Initializing the memory location has the purpose of always bringing the UHF RFID tag to the same initial state.

After recording the electromagnetic traces, a hypothetical model is used to map the chosen 2-byte values to hypothetical values that try to predict the electromagnetic emanation of the UHF RFID tag. There exist various hypothetical models like the Hamming-weight model or the Hamming-distance model, which are not explained here in more detail (see [15]). Taking the hypothetical values from all 2-byte values that have been used to obtain the electromagnetic traces results in a hypothesis that is assumed to be correct. Additionally, another several hundred hypotheses are created that are assumed to be wrong. Wrong hypotheses are determined by applying the hypothetical model to randomly chosen values that are different from the 2-byte values that have been used to obtain the electromagnetic traces.

Having all the hypotheses allows comparing them with the electromagnetic traces that have been recorded previously. Comparison is done with the help of statistical methods. A well-known statistical method for DEMA attacks and DPA attacks, which we have used, is the correlation coefficient. The correlation coefficient shows the linear dependency between different values [15]. The higher the absolute value of the correlation coefficient, the higher is the linear dependency between the values that are compared. Based on the correlation coefficient, a correlation trace can be computed for each hypothesis. For the side-channel analysis, we call a DEMA attack successful if the comparison between the electromagnetic traces and the hypothesis that is assumed to be correct leads to significant peaks in the corresponding correlation trace.
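The DEMA evaluation described in this section (chosen 2-byte Write values, Hamming-weight hypothesis for the correct case, random wrong hypotheses, one correlation trace per hypothesis, and the peak criterion), as an added, self-contained simulation that is not part of the paper or of the author's measurement software. The EM traces are constructed in software (an assumed Hamming-weight leak at one sample plus Gaussian noise) in place of the recorded oscilloscope data; the parameter names, the leak model, and the "correct peak must stand clear of every wrong hypothesis" threshold are assumptions of this example.

```python
import math
import random

# Constructed simulation parameters (assumptions, not the paper's measurement data).
N_SAMPLES = 100       # samples per EM trace
LEAK_SAMPLE = 60      # sample at which the Write of the 2-byte value leaks
LEAK_PER_BIT = 1.0    # emanation amplitude per set bit of the written value
NOISE_SIGMA = 2.0     # Gaussian noise standard deviation on every sample


def hamming_weight(value):
    """Hamming-weight model: number of set bits in the 2-byte value."""
    return bin(value & 0xFFFF).count("1")


def simulate_trace(value, rng):
    """Constructed EM trace for one Write of `value` to the same, zero-initialized
    memory location: noise everywhere, plus a Hamming-weight leak at LEAK_SAMPLE."""
    trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(N_SAMPLES)]
    trace[LEAK_SAMPLE] += LEAK_PER_BIT * hamming_weight(value)
    return trace


def correlation_trace(traces, hypothesis):
    """Pearson correlation between the hypothetical values and the recorded amplitude
    at each sample; the per-sample coefficients form the correlation trace."""
    n = len(traces)
    h_mean = sum(hypothesis) / n
    h_dev = [h - h_mean for h in hypothesis]
    h_ss = sum(d * d for d in h_dev)
    result = []
    for t in range(len(traces[0])):
        column = [tr[t] for tr in traces]
        c_mean = sum(column) / n
        num = 0.0
        c_ss = 0.0
        for c, d in zip(column, h_dev):
            cd = c - c_mean
            num += cd * d
            c_ss += cd * cd
        denom = math.sqrt(h_ss * c_ss)
        result.append(num / denom if denom > 0.0 else 0.0)
    return result


def peak(corr):
    """Index and absolute value of the largest peak in a correlation trace."""
    idx = max(range(len(corr)), key=lambda i: abs(corr[i]))
    return idx, abs(corr[idx])


def random_value_other_than(value, rng):
    """A random 2-byte value that differs from the value actually written."""
    while True:
        candidate = rng.getrandbits(16)
        if candidate != value:
            return candidate


def run_dema(n_traces=500, n_wrong=20, seed=1):
    """Full DEMA evaluation: choose 2-byte Write values, record (here: simulate) one
    trace per value, build the correct hypothesis and `n_wrong` wrong ones, and
    compare each of them with the traces via the correlation coefficient."""
    rng = random.Random(seed)
    chosen = [rng.getrandbits(16) for _ in range(n_traces)]
    traces = [simulate_trace(v, rng) for v in chosen]

    correct_hyp = [hamming_weight(v) for v in chosen]
    peak_sample, peak_correct = peak(correlation_trace(traces, correct_hyp))

    wrong_peaks = []
    for _ in range(n_wrong):
        wrong_hyp = [hamming_weight(random_value_other_than(v, rng)) for v in chosen]
        wrong_peaks.append(peak(correlation_trace(traces, wrong_hyp))[1])
    max_wrong = max(wrong_peaks)

    return {
        "peak_sample": peak_sample,
        "peak_correct": peak_correct,
        "max_wrong_peak": max_wrong,
        # Success criterion of the paper: the correct hypothesis yields a significant
        # peak; "significant" is taken here (assumption) as twice the largest wrong peak.
        "success": peak_correct > 2.0 * max_wrong,
    }


if __name__ == "__main__":
    r = run_dema()
    print("correct hypothesis: peak %.2f at sample %d" % (r["peak_correct"], r["peak_sample"]))
    print("largest wrong-hypothesis peak: %.2f" % r["max_wrong_peak"])
    print("DEMA successful:", r["success"])
```

Replacing simulate_trace with traces read from the oscilloscope leaves the hypothesis generation and the correlation step unchanged, which is how the same code serves as a leakage check for a tag under evaluation.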

5.1 Side-Channel Analysis of the UHF Tag Prototype

The UHF tag prototype we have built and used for side-channel analysis operates semi-passively and contains a microcontroller. Compared to a conventional passive UHF RFID tag, the power consumption of the deployed microcontroller is much higher. For any fixed hardware architecture, higher power consumption brings along higher electromagnetic emanation.

Results of Near-Field Measurements. The main part of the electromagnetic field that is emanated by the UHF tag prototype's microcontroller is located in the frequency range of some hundreds of megahertz. Since the strong RF signal of the UHF RFID reader is located around 868 MHz, the RF signal can be easily suppressed by applying a low-pass filter. There are two possible ways for low-pass filtering: directly with the help of the digital-storage oscilloscope during the measurement acquisition, or via software in an additional preprocessing step before performing the DEMA attack.

[Figure 5: correlation coefficient (-0.5 to 0.5) over time (0 to 200 µs)]

Fig. 5. Result of the DEMA attack on the UHF tag prototype by doing low-pass filtering directly on the digital-storage oscilloscope

[Figure 6: correlation coefficient (-0.5 to 0.5) over time (0 to 200 µs)]

Fig. 6. Result of the DEMA attack on the UHF tag prototype by doing low-pass filtering via software in an additional preprocessing step

Suppressing the strong RF signal by using the digital-storage oscilloscope results in electromagnetic traces with smaller amplitudes. As a consequence, a higher input sensitivity can be selected at the digital-storage oscilloscope, which increases the accuracy of the measurements. Figure 5 shows the result of a successful DEMA attack on the UHF tag prototype in the near field during the execution of a Write command. Thereby, recording 1000 individual electromagnetic traces has led to a maximum absolute value of 0.63 for the correlation trace of the correct hypothesis. Low-pass filtering has been done directly on the digital-storage oscilloscope during measurement acquisition. For comparison, Figure 6 shows the result of the same DEMA attack by doing low-pass filtering of the electromagnetic traces in software. In this case, the maximum absolute value of the correlation trace reduces to about 0.21.

Results of Far-Field Measurements. Besides analyzing the emanation of the UHF tag prototype in the near field, we have also done analysis work in the far field. As mentioned in Section 4.2, we have concentrated on measuring the emanation of UHF RFID tags around the carrier frequency of the RF signal of about 868 MHz during our far-field measurements. With our measurement strategy we could not detect any data-dependent emanation of the UHF tag prototype in the far field.

5.2 Side-Channel Analysis of Passive UHF RFID Tags

In contrast to our UHF tag prototype, passive UHF RFID tags have a power consumption of only some microwatts. With our measurement equipment we have not been able to directly measure the electromagnetic field that is emanated by the microchip of a passive UHF RFID tag. Therefore, we have used an indirect effect named parasitic backscatter to detect data-dependent emanation of the microchip. Passive UHF RFID tags deploy backscatter modulation to transmit data to the UHF RFID reader. As described in [12], the power consumption of passive UHF RFID tags modulates the backscatter, which results in parasitic backscatter. The most important observation is that the backscatter of a passive UHF RFID tag can be detected via a simple dipole antenna within several meters.

[Figure 7: correlation coefficient (-0.2 to 0.6) over time (0 to 1 ms)]

Fig. 7. Result of the DEMA attack on a passive UHF RFID tag in the near field

[Figure 8: correlation coefficient (-0.2 to 0.6) over time (0 to 1 ms)]

Fig. 8. Result of the DEMA attack on a passive UHF RFID tag from a different tag vendor in the near field

Results of Near-Field Measurements. Using the parasitic backscatter of passive UHF RFID tags in the near field has allowed us to perform DEMA attacks successfully. When using a near-field probe, its placement toward the passive UHF RFID tag that is examined is an important factor for the success of the DEMA attack. Favorable placement of the near-field probe attenuates the RF field that is emitted by the antenna of the UHF RFID reader more strongly. The more strongly the RF field is attenuated, the fewer measurements are necessary for a successful DEMA attack.

In this way we have been able to perform successful DEMA attacks by measuring less than 100 electromagnetic traces. Figure 7 shows the result of a DEMA attack on a passive UHF RFID tag by using 1000 measurements. In order to ensure that this is not a phenomenon of a specific tag vendor, we have tested passive UHF RFID tags from various tag vendors. Figure 8 shows the result of the same DEMA attack by using a passive UHF RFID tag from a different tag vendor. Although the two correlation traces in Figure 7 and Figure 8 are quite different, both illustrate that there is a strong data dependency.

Results of Far-Field Measurements. For the passive UHF RFID tags we have done the same measurements in the far field as for our UHF tag prototype. In contrast to the UHF tag prototype, the passive UHF RFID tags we have examined show data-dependent emanation also in the far field. Thereby, we have analyzed the electromagnetic field with a self-made dipole antenna at various distances from the passive UHF RFID tags, starting from 20 cm up to 1 m.

[Figure 9: correlation coefficient (-0.2 to 0.2) over time (0 to 1 ms)]

Fig. 9. Result of the DEMA attack on a passive UHF RFID tag at a distance of 20 cm using 1000 EM traces

[Figure 10: correlation coefficient (-0.05 to 0.1) over time (0 to 1 ms)]

Fig. 10. Result of the DEMA attack on a passive UHF RFID tag at a distance of 1 m using 10000 EM traces

All our DEMA attacks in the far field of the passive UHF RFID tags have been successful, even at a distance of 1 m. Figure 9 shows the result of a DEMA attack on a passive UHF RFID tag at a distance of 20 cm using 1000 measurements. Regardless of the distance, the peaks in the resulting correlation traces always look similar. For comparison, Figure 10 shows the correlation traces of the same passive UHF RFID tag at a distance of 1 m. What changes as the distance increases is the maximum absolute value of the correlation coefficient: Figure 9 shows a maximum absolute value of the correlation trace of 0.27, which decreases to 0.08 in Figure 10. As a consequence, the number of measurements must be increased to clearly identify the data dependency at greater distances. The correlation traces in Figure 10 have been obtained using 10000 measurements.
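The near-field and far-field results above both come down to one quantity: the height of the peak in the correlation trace relative to the noise floor, which is what decides how many EM traces an evaluator needs at a given distance. The following Python script, an added example that is not from the paper or its author, reproduces that effect on constructed data: each synthetic trace carries a Hamming-weight-dependent component at one sample plus Gaussian noise scaled so that the expected correlation matches the paper's 0.27 (20 cm) and 0.08 (1 m) peaks, and the correlation trace is computed as the Pearson coefficient between the Hamming-weight hypothesis and every sample. The trace-count estimate in `traces_needed` is a rule of thumb derived from Fisher's z-transform, my own assumption rather than a figure from the paper; the leak sample index, trace length and RNG seed are arbitrary choices.

```python
import math
import random

# Hamming weight of every byte value: the usual leakage hypothesis for a
# CMOS circuit processing one byte.
HW = [bin(b).count("1") for b in range(256)]


def simulate_traces(n_traces, n_samples, leak_index, target_rho, rng):
    """Constructed EM traces (not real measurements): every sample is Gaussian
    noise, and the sample at leak_index additionally carries HW(byte).  The
    noise level is chosen so that the expected correlation at leak_index is
    target_rho, using Var[HW(uniform byte)] = 8 * 0.5 * 0.5 = 2."""
    sigma = math.sqrt(2.0 * (1.0 / target_rho ** 2 - 1.0))
    data = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for byte in data:
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[leak_index] += HW[byte]
        traces.append(trace)
    return data, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def dema_correlation_trace(data, traces):
    """Correlate the hypothetical leakage (Hamming weight of the processed
    byte) with each sample point across all traces; one coefficient per
    sample, i.e. the kind of curve plotted in Fig. 9 and Fig. 10."""
    hypothesis = [HW[byte] for byte in data]
    n_samples = len(traces[0])
    return [pearson(hypothesis, [t[i] for t in traces]) for i in range(n_samples)]


def peak(corr):
    """Index and value of the sample with the largest absolute correlation."""
    idx = max(range(len(corr)), key=lambda i: abs(corr[i]))
    return idx, corr[idx]


def traces_needed(rho, z=3.719):
    """Rule-of-thumb trace count for a true correlation rho to stand out from
    the noise correlations (assumption, not from the paper): Fisher's
    z-transform gives atanh(r) ~ N(atanh(rho), 1/(n-3)), so demanding
    atanh(rho) >= z / sqrt(n-3) yields n >= 3 + (z / atanh(rho))^2.
    z = 3.719 corresponds to a one-sided error probability of 1e-4."""
    return math.ceil(3 + (z / math.atanh(rho)) ** 2)


def run_experiment(target_rho, n_traces, seed=1, n_samples=40, leak_index=17):
    """Simulate n_traces traces at the given expected correlation and return
    (index of the correlation peak, peak value)."""
    rng = random.Random(seed)
    data, traces = simulate_traces(n_traces, n_samples, leak_index, target_rho, rng)
    return peak(dema_correlation_trace(data, traces))


if __name__ == "__main__":
    # The paper's two far-field settings: 0.27 with 1000 traces (20 cm) and
    # 0.08 with 10000 traces (1 m).
    for rho, n in ((0.27, 1000), (0.08, 10000)):
        idx, rho_hat = run_experiment(rho, n)
        print(f"expected rho={rho}, {n} traces: peak at sample {idx}, "
              f"corr={rho_hat:.3f}, rule-of-thumb traces needed={traces_needed(rho)}")
```

Running it places the peak at the planted sample in both settings, with the 0.08 case needing the tenfold larger trace set to separate it cleanly from the noise correlations, whose spread shrinks as 1/sqrt(n); the estimator puts the required counts at about 180 and 2150 traces, the same order of magnitude as the 1000 and 10000 traces used in the paper. For a tag designer this is the number that says whether leakage of a cryptographic operation would be detectable at a given distance, and therefore whether countermeasures are needed.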

6 Conclusion

In this work we have shown the susceptibility of UHF RFID tags to DEMA attacks. We have analyzed a self-made UHF tag prototype and commercially-available passive UHF RFID tags from various tag vendors. Whereas the UHF tag prototype, which operates semi-passively, shows data-dependent emanation only in the near field, passive UHF RFID tags show data-dependent emanation in the far field too. We have performed successful DEMA attacks in the far field of passive UHF RFID tags at distances up to 1 m. However, increasing the number of acquired measurements should allow successful DEMA attacks to be realized at greater distances as well.

Current RFID tags do not use cryptographic protection and furthermore store no secret that could be the aim of such attacks. Hence, this work has no practical relevance for current RFID products. Nevertheless, it was our goal to investigate the side-channel leakage and to determine the susceptibility of future UHF RFID tags to this class of attacks. Our results clearly show that once cryptographic functionality is added to UHF RFID tags, countermeasures against SCA need to be applied as well. Analyzing our results, we come to the conclusion that ad-hoc countermeasures will not suffice; a complete re-design of the RFID tag's architecture will be necessary to protect effectively against SCA.
