As a proof of concept, we use power analysis to extract the kill passwords from Class 1 EPC tags operating in the UHF frequency range. Tags from several major vendors were successfully attacked. Our attack can be extended to HF tags and to remote fault analysis.
The main significance of our attack is not in the discovery of kill passwords but in its implications for future tag design -- any cryptographic functionality built into tags needs to be designed to resist power analysis, and achieving this resistance affects both the price and the performance of tags.
(This is my Master's thesis, carried out under the supervision of Prof. Adi Shamir. It may be considered the extended version of the article "Remote Password Extraction from RFID Tags", recently published in IEEE Transactions on Computers and indexed as http://dx.doi.org/10.1109/TC.2007.1050 or as http://ieeexplore.ieee.org/iel5/12/4288079/04288095.pdf)

Category / Keywords: cryptanalysis, power analysis, side-channel attacks, RFID
Publication Info: Remote Password Extraction from RFID Tags, IEEE Transactions on Computers 56(9):1292--1296, September 2007
Date: received 21 Aug 2007
Contact author: yossi oren at weizmann ac il
Version: 20070822:184757
Short URL: ia.cr/2007/330