Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen.

Similar presentations


Presentation on theme: "Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen."— Presentation transcript:

1 Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen

2 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Mifare Classic

3 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. RFID Technology Reader to tag signal Dropping field Modified Miller Encoding Tag to reader signal Modulating field Manchester Encoding

4 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. RFID Applications Identify friend or foe (1942) Event ticketing Car keys Public transport ticketing Electronic passport Supply chain management RFID Powder Access control Anti-theft

5 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Mifare Classic Many standards for RFID ISO14443A: Mifare (NXP) ISO14443B: CryptoRF (Motorola/Atmel) ISO14443C: Felica (Sony) ISO14443D: (OTI) ISO14443E: (Cubic) ISO14443F: Legic (KABA) ISO15693: Tag-IT (Texas Instruments) Typically describe physical and data-link layers (not cryptographic features)

6 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Mifare Classic Many chips in the Mifare (ISO14443A) family Mifare Ultralight Mifare Classic Mifare DESFire Mifare Plus Mifare EV1 Mifare SMART MX Most popular: Mifare Classic over 1 billion sold over 200 million in use 80% of contactless smartcard market

7 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Mifare Classic Applications Public transport ticketing systems Access control Wireless payment systems

8 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. RFID Security RFID = Radio Frequency Identification More properly authentication Contactless smartcards data storage, computational capabilities confidentiality integrity Common RFID Attacks 1. Relay attack 2. Replay attack 3. Cryptanalytic attack 4. Side-channel attack 5. Tracing attack … Mifare Classic is vulnerable to all of these.

9 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. 1. RFID – Relay Attack ? ? ! ! Wireless communication No link between authenticating object (tag) and service receiver (tag holder)‏ Attacker A initiates service Attacker A relays queries to tag to attacker B Attacker B sends queries to victim’s tag Attacker B relays answers back to attacker A Attacker A answers queries ? !

10 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. 2. RFID – Replay Attack Parking at Radboud University Access control: wireless employee card No authentication protocol at all Card sends uid; back-end checks authorization Attack Eavesdrop signal from car (card) to barrier Replay signal to gain entry (only works when original car has left; better to eavesdrop signal from a departing car) Vulnerabilities No clock Weak randomness Attack Attacker intercepts communication tag - reader Attack replays later Countermeasures (standard) Challenge-response authentication (needs clock, randomness, or other form of “freshness”)‏

11 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. 3. RFID – Side-channel attacks Attacker controls tag Use side-channels (timing, power, …) Recover secret information from tag

12 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. 4. RFID – Crypto Attacks Low energy Low computational capacity Cheap to manufacture Fast enough to operate Weak cryptography Attacker can break encryption scheme

13 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. 5. RFID – Tracing Attack Used for identification Anti-collision phase sends uid Attacker can recognize people based on the RFID tags they are carrying Attacker could trace RFID enabled packages

14 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Common RFID Attacks - Summary No clock, weak randomness replay attacks Low computational capacity cryptanalytic attacks Attacker controls tag side-channel attacks Wireless relay attacks Used for identification tracing attacks

15 IEEE Security & Privacy 2009 Peter van Rossum, Radboud University Nijmegen, Wirelessly Pickpocketing a Mifare Classic Card Timeline Jun 06RUStart of development of Ghost for ISO A (Mifare) emulation Nov 07RUFunctional ISO14443-A (Mifare) emulation Dec 07 CCC, VA Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1 Feb 08RUMedia report: cloning Mifare Ultralight (single-use OV-chipkaart) Feb 08TNO Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite Mar 08RUReverse engineered CRYPTO1 & authentication protocol Mar 08RUKey recovery using intercepted traffic or communication with reader Apr 08RHULReport on OV-chipkaart: fraud likely, replace cards, design open&modular Jun 08NXPLawsuit against RU to stop publication Jul 08CourtPublication allowed: potential damage due to flaws in chip, not publication Oct 08RUPublication at ESORICS Nov 08RUCard-only key recovery of Mifare Classic Dec 08RUAttack possible using commercially available (cheap) NFC hardware

16 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Timeline 2004FudanSale of fully functional Mifare Classic clones 2006 Angstrom (Rumour) Mifare Classic reverse engineered and CRYPTO1 broken Jun 06RUStart of development of Ghost for ISO A (Mifare) emulation Nov 07RUFunctional ISO14443-A (Mifare) emulation Dec 07 CCC, VA Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1 Feb 08RUMedia report: cloning Mifare Ultralight (single-use OV-chipkaart) Feb 08TNO Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite Mar 08RUReverse engineered CRYPTO1 & authentication protocol Mar 08RUKey recovery using intercepted traffic or communication with reader Apr 08RHULReport on OV-chipkaart: fraud likely, replace cards, design open&modular Jun 08NXPLawsuit against RU to stop publication Jul 08CourtPublication allowed: potential damage due to flaws in chip, not publication Oct 08RUPublication at ESORICS Nov 08RUCard-only key recovery of Mifare Classic Dec 08RUAttack possible using commercially available (cheap) NFC hardware

17 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Memory structure uid, manufacturer data data key A, access conditions, key B data key A,access conditions, key B data key A, access conditions, key B bytes 64 blocks16 sectors 48 bits

18 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1 26c70dd3 26c70dd3 4457c3b Feedback: L(x 0,x 1,…,x 47 ) := x 0 +x 5 +x 9 +x 10 +x 12 +x 14 +x 15 +x 17 +x 19 +x 24 +x 25 +x 27 +x 29 +x 35 +x 39 +x 41 +x 43 LFSR stream: a i+48 := L(a i,a i+1,…,a i+47 ) ∀ i ∈ℕ Keystream: b i := f(a i+9,a i+11,…,a i+47 ) ∀ i ∈ℕ (Actually a bit more complicated because of the initialization)

19 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: random number generator bit nonces Linear feedback shift register 16 bit internal state Period 2 16 – 1 = Feedback: L 16 (x 0,x 1,…,x 15 ) := x 0 +x 2 +x 3 +x 5 Successor: suc(x 0,x 1,…,x 31 ) := (x 1,x 2,…,x 30,L 16 (x 16,x 17,…,x 31 )) Distance: d((x 0,x 1,…,x 31 )(y 0,y 1,…,y 31 )) := min { n ∈ ℕ | suc n (x 0,x 1,…,x 31 ) = (y 0,y 1,…,y 31 ) }

20 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. A uthentication & initialization TagReader LFSR stream: Initial state of the LFSR is the key a i := k i i ∈ [0,47] Shift nT + uid into the LFSR a i+48 := L(a i,…,a i+47 ) + nT i + uid i i ∈ [0,31] Shift nR into the LFSR a i+48 := L(a i,…,a i+47 ) + nR i-32 i ∈ [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,…,a i+47 ) i ∈ [64, ∞) Keystream: b i := f(a i+9,a i+11,…,a i+47 ) i ∈ [32, ∞) auth. ok uid auth(block) nT {nR,aR} {aT} pick nT check aR aT:=suc 96 (nT) check aT pick nR aR:=suc 64 (nT)

21 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Mifare Classic: trace StepSenderCiphertextPlaintextMeaning 01R26request type A 02T04 00answer request 03R93 20select 04T2a 69 8d 43 8duid 05R a 69 8d 43 8dselect(uid) 06T08 b6 ddMifare Classic 1k 07R60 04 d1 3dauth(block 4) 08T3b ae 03 2dtag nonce (nT) 09Rc4 94 a1 d2 6e bb 03 1f 2d 7f cf 34 c3rdr nonce (nR) & resp (aR) 10T e86 9d bb d5tag response (aT) 11R7d de a6 b cd d1read(block 4) 12Te7 ee e3 ab 0f 89 bb ed 44 b1 91 ce ef 8a 4d ce cd ea contents

22 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Attacking CRYPTO1 1. Unshifting the LFSR internal state at any time  key 2. Inverting the filter function keystream  internal state computational complexity: approx operations (seconds) 3. Acquiring keystream observing authentication  keystream communication complexity: 1 to 3 auth. sessions (micro seconds)

23 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: unshifting the LFSR Feedback: L(x 0,x 1,…,x 47 ) := x 0 +x 5 +x 9 +x 10 +x 12 +x 14 +x 15 +x 17 +x 19 +x 24 +x 25 +x 27 +x 29 +x 35 +x 39 +x 41 +x 43 LFSR stream: Initial state of the LFSR is the key a i := k i i ∈ [0,47] Shift nT + uid into the LFSR a i+48 := L(a i,…,a i+47 ) + nT i + uid i i ∈ [0,31] Shift nR into the LFSR a i+48 := L(a i,…,a i+47 ) + nR i-32 i ∈ [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,…,a i+47 ) i ∈ [64, ∞) Keystream: b i := f(a i+9,a i+11,…,a i+47 ) i ∈ℕ Inverting feedback: R(x 1,…,x 47, x 48 ) := x 5 +x 9 +x 10 +x 12 +x 14 +x 15 +x 17 +x 19 +x 24 +x 25 +x 27 +x 29 +x 35 +x 39 +x 41 +x 43 +x 48 R(x 1,…,x 47,L(x 0,x 1,…,x 47 )) = x 0 Inverting LFSR stream: Unshift LFSR until end of authentication a i = R(a i+1,…,a i+48 ) i ∈ [64, ∞) Unshift nR from the LFSR a i = R(a i+1,…,a i+48 ) + nR i-32 i ∈ [32,63] = R(a i+1,…,a i+48 ) + {nR} i-32 + b i = R(a i+1,…,a i+48 ) + {nR} i-32 + f(a i+9,…,a i+47 ) Unshift nT + uid from the LFSR a i = R(a i+1,…,a i+48 ) + nT i + uid i i ∈ [0,31] Key is the initial state of the LFSR k i = a i i ∈ [0,47]

24 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: inverting the filter function #################### keystream: Filter function can be easily inverted because the input to the filter function f are only on odd places Attack options: Compute ‘odd’ bits of LFSR using table and deduce ‘even’ bits (linear relation) Compute ‘odd’ and ‘even’ bits of LFSR using tables separately and combine tables #################### … produces ‘odd’ keystream 0 # ################### # … produces ‘odd’ keystream 01 ## ################## # … produces ‘odd’ keystream

25 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: acquiring keystream TagReader auth. ok uid auth(block) nT {nR,aR} {aT} pick nT check aR aT:=suc 96 (nT) check aT pick nR aR:=suc 64 (nT) Intercepted communication: nT, {aR}, {aT} visible to attacker {aR} + suc 64 (nT), {aT} + suc 96 (nT) 64 keystream bits invert f, roll back LFSR, recover key Access to genuine reader: nT under attacker control {aR} + suc 64 (nT) visible to attacker 32 keystream bits invert f, 2 16 possible LFSRs roll back LFSRs, 2 16 candidate keys (repeat and take intersection)

26 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Weaknesses 48 bit internal state, stream cipher enables brute force attack weak 16-bit random number generator enables chosen plaintext attack & replay attack simple LFSR structure enables unshifting the internal state to recover key weak filter function enables inverting the one-way function function 64 bits keystream  unique key 32 bits keystream  2 16 candidate keys authentication protocol leaks keystream consequences (march 2008) intercepted communication can (quickly) be decrypted key (of first sector read) can be recovered from just a reader (access to just a tag not sufficient)

27 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: (in)security

28 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Parity trouble Plaintext Keystream Ciphertext Weaknesses: Parity computed over plaintext Parity encrypted Parity encrypted using same bit of keystream that encrypts next bit of plaintext During authentication, parity is checked before authenticity No response when parity check fails; {NACK} when authenticity fails Note: Not compliant with ISO Type A To emulate Mifare Classic with NFC chip, use raw Mifare mode and do parity yourself

29 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Parity trouble TagAttacker auth. failed uid auth(block) nT {nR,aR} {NACK} pick nT check aR pick {nR} pick {aR} (Encrypted) parity checked continuously Parity wrong  tag resets Parity in {nR,aR} checked before aR Parity correct and aR wrong  4 bit {NACK} Error message is encrypted Card-only Attack Send 64 random bits for {nR,aR} (and random parity) (½) 8 = 1/256 probability of guessing parity correctly Correct guess leaks 12 bits of information Options: Brute force Adaptive chosen ciphertext attack (vary {nR}) Chosen plaintext attack (vary nT) [Courtois] Differential attack (vary {nR}) Attacker only needs access to a card! Note Russian/Chinese Mifare clones do not check parity always send {NACK} Classic compatibility mode of Mifare Plus does not check parity does not send {NACK} (fixed after we notified NXP of these problems)

30 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Chosen Plaintext Attack TagAttacker auth. failed uid auth(block) nT {nR},{aR} = 0,0 {NACK} pick nT check aR Precompute T := { states a 32 a 33 … a 79 | if reader sends {nR} = {aR} = 0 then corresponding 8 encrypted parity bits are 0 and 4 next keystream bits are 0} |T| ≈ 2 48 /2 12 = 2 36 (storage: 384 GB) Attack Search (online) for nT such that sending all 0’s for {nR}, {aR} and the parity bits results in {NACK} = NACK (i.e. 4 keystream bits 0). Search (offline) in T: Compute candidate key using nT and uid Check key (offline) Improvements More tables, one for each possibility of {NACK}. Sort table(s) by correct parity and {NACK} when sending all 1’s for {nR}, {aR}

31 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Online vs. offline order of magnitude Offline Online brute force adaptive chosen ciphertext (vary {nR}) chosen plaintext (vary nT) s mss days min h 1536 authentication attempts 2 48 offline search space 2 or 3 authentications 2 20 offline search space 4096 authentication attempts 128 authentication attempts with fixed nT 2 24 offline search space in one-time precomputed 384GB table authentication attempts with same nT offline search space intercepted communication differential attack [Courtois] (vary {nR}) 150 authentication attempts with same nT 2 20 offline search space NXP/System Integrators: “lab-conditions required to fix nT” NXP/System Integrators: “impossible to execute real-time” NXP/System Integrators: “Difficult to execute in real-life”

32 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Even faster? One key known already TagReader LFSR stream: Initial state of the LFSR is the key a i := k i i ∈ [0,47] Shift nT + uid into the LFSR a i+48 := L(a i,…,a i+47 ) + nT i + uid i i ∈ [0,31] Shift nR into the LFSR a i+48 := L(a i,…,a i+47 ) + nR i-32 i ∈ [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,…,a i+47 ) i ∈ [64, ∞) Keystream: b i := f(a i+9,a i+11,…,a i+47 ) i ∈ [32, ∞) auth. ok uid auth(block) nT {nR,aR} {aT} pick nT check aR aT:=suc 96 (nT) check aT pick nR aR:=suc 64 (nT)

33 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. R eauthentication & initialization TagReader LFSR stream: Initial state of the LFSR is the key a i := k i i ∈ [0,47] Shift nT + uid into the LFSR a i+48 := L(a i,…,a i+47 ) + nT i + uid i i ∈ [0,31] Shift nR into the LFSR a i+48 := L(a i,…,a i+47 ) + nR i-32 i ∈ [32,63] After authentication, LFSR keeps shifting a i+48 := L(a i,…,a i+47 ) i ∈ [64, ∞) Keystream: b i := f(a i+9,a i+11,…,a i+47 ) i ∈ ℕ auth. ok {auth(block)} old key {nT} {nR,aR} {aT} pick nT check aR aT:=suc 96 (nT) check aT pick nR aR:=suc 64 (nT)

34 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. CRYPTO1: reauthentication & initialization TagAttacker {auth(block)} old key {nT} pick nT Weaknesses nT predictable based on only 2 16 possiblities parity bits (reduces to 2 13 possibilities) timing (reduces to 1 to 5 possibilities) weak cipher (as before) Attack authenticate for one sector using known key try to reauthenticate for other sector guess nonce and compute 32 keystream bits use weaknesses in cipher to compute (1 to 5 times) approx candidate keys repeat two or three times and take intersection Note compatibility mode of Mifare Plus uses better (32-bit) random number gen (attack fails) some Mifare Classics are Mifare Smart MX emulating a Mifare Classic uses better (16-bit) random number gen (timing information not available)

35 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Summary of further weaknesses weak random number generator sync with time enables chosen plaintext attack reader nonces determine 32 bits of the internal state enables chosen ciphertext attack against card mixing of data link and encryption layers one-time pad used twice: information leakage encrypted error message sent when authentication fails 4-bit information leakage tag nonce sent encrypted when authenticating twice 32-bit information leakage (when one key already known) consequences (november 2008) keys can be recovered from just a card card can be wirelessly cloned directly

36 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. Online vs. offline order of magnitude Offline Online brute force adaptive chosen ciphertext (vary {nR}) chosen plaintext (vary nT) s mss days min h 1536 authentication attempts 2 48 offline search space 2 to 5 authentication attempts 2 20 offline search space 4096 authentication attempts 128 authentication attempts with fixed nT 2 24 offline search space in one-time precomputed 384GB table authentication attempts with fixed nT offline search space intercepted communication/ known old key differential attack [Courtois] (vary {nR}) 150 authentication attempts with same nT 2 20 offline search space

37 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. What to do? Strategy RU: responsible disclosure 02/08: Warning (to NXP, government): additional measures needed; minister of internal affairs made problems public Only claim what we can actually demonstrate 10/08: Publication after delay of 7 months; full details 10/08 – 03/09: Repeat for card-only attack Strategy NXP: damage control 03/08: Customer chooses cheapest chip 07/08: Publication irresponsible 10/08: Don’t use Classic for new applications 03/09: Lab conditions needed (for ‘immediate’ attack) Strategy system integrators (TLS, TFL, …): protect investment 03/08: Attack not feasible 07/08: Fraud detected in back-end; no fraud detected so far 10/08: No criminal business case

38 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. “No Criminal Business Case’’? Attack scenarios Loyalty scheme attack (bus) micro-waved OV-chipkaart OV-chipkaart with wrong keys Checking out (bus) too soon too late State-modification attacks Store/restore state (detected in back-end?) Increase balance (detected in back-end?) Add travel products (detected in back-end?)

39 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. “No Criminal Business Case’’? Attack scenarios (more speculative) Wirelessly clone cards Travel on someone else’s card (detected in back-end?) Generate new cards (and sell them) On ‘white’ cards On ‘unactivated’ or empty cards Steal reader Recover key diversification by side-channel analysis by brute force Easy wireless cloning of cards (detected in back-end?) Easy generation of new cards (detected in back-end?)

40 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. “No Criminal Business Case”?

41 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. “No Criminal Business Case?’’ Questions?

42 Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9. References De Koning Gans, Hoepman, Garcia. A Practical Attack on the Mifare Classic. CARDIS LNCS pp Nohl, Evans, Starbug, Plotz. Reverse-Engineering a Cryptographic RFID Tag. USENIX Security pp Courtois, Nohl, O’Neil. Algebraic Attacks on the Crypto-1 Stream Cipher in Mifare Classic and Oyster Cards. ePrint 2008/166. Garcia, De Koning Gans, Muijrers, Van Rossum, Verdult, Wichers Schreur, Jacobs. Dismantling Mifare Classic. ESORICS LNCS pp Teepe. Making the best of Mifare Classic Garcia, Van Rossum, Verdult, Wichers Schreur. Wirelessly Pickpocketing a Mifare Classic Card. IEEE S&P pp Courtois. The Dark Side of Security by Obscurity and Cloning Mifare Rail and Building Passes Anytime, Anywhere. SECCRYPT 2009.


Download ppt "Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen."

Similar presentations


Ads by Google