Mifare Classic Troubles
Download
Report
Transcript Mifare Classic Troubles
Mifare Classic Troubles
Peter van Rossum
Digital Security
Radboud University Nijmegen
Mifare Classic
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID Technology
Reader to tag signal
• Dropping field
• Modified Miller Encoding
Tag to reader signal
• Modulating field
• Manchester Encoding
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID Applications
Identify friend
or foe (1942)
Car keys
Public transport
ticketing
RFID Powder
Anti-theft
Electronic
passport
Access control
Event ticketing
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Supply chain
management
Mifare Classic
Many standards for RFID
• ISO14443A: Mifare (NXP)
• ISO14443B: CryptoRF (Motorola/Atmel)
• ISO14443C: Felica (Sony)
• ISO14443D: (OTI)
• ISO14443E: (Cubic)
• ISO14443F: Legic (KABA)
• ISO15693: Tag-IT (Texas Instruments)
• Typically describe physical and data-link layers
(not cryptographic features)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic
Many chips in the Mifare (ISO14443A) family
Most popular: Mifare Classic
• Mifare Ultralight
• Mifare Classic
• Mifare DESFire
• Mifare Plus
• Mifare EV1
• Mifare SMART MX
• over 1 billion sold
• over 200 million in use
• 80% of contactless smartcard market
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic Applications
Public transport ticketing systems
Access control
Wireless payment systems
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID Security
RFID = Radio Frequency Identification
More properly authentication
Contactless smartcards
•
•
•
data storage, computational capabilities
confidentiality
integrity
Common RFID Attacks
1.
Relay attack
2.
Replay attack
3.
Cryptanalytic attack
4.
Side-channel attack
5.
Tracing attack
…
Mifare Classic is vulnerable to all of these.
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
1. RFID – Relay Attack
?
!
!
?
?
!
Wireless communication
No link between authenticating object (tag)
and service receiver (tag holder)
• Attacker A initiates service
• Attacker A relays queries to tag to
attacker B
• Attacker B sends queries to victim’s tag
• Attacker B relays answers back to
attacker A
• Attacker A answers queries
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
2. RFID – Replay Attack
Parking at Radboud University
• Access control: wireless employee card
• No authentication protocol at all
• Card sends uid; back-end checks
authorization
Attack
• Eavesdrop signal from car (card) to barrier
• Replay signal to gain entry
• (only works when original car has left; better
to eavesdrop signal from a departing car)
Vulnerabilities
•
•
No clock
Weak randomness
Attack
•
•
Attacker intercepts
communication tag - reader
Attack replays later
Countermeasures (standard)
•
Challenge-response
authentication (needs clock,
randomness, or other form of
“freshness”)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
3. RFID – Side-channel attacks
Attacker controls tag
• Use side-channels (timing, power, …)
• Recover secret information from tag
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
4. RFID – Crypto Attacks
Low energy
Low computational capacity
Cheap to manufacture
Fast enough to operate
• Weak cryptography
• Attacker can break encryption scheme
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
5. RFID – Tracing Attack
Used for identification
Anti-collision phase sends uid
• Attacker can recognize people based on the RFID
•
tags they are carrying
Attacker could trace RFID enabled packages
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Common RFID Attacks - Summary
No clock, weak randomness
•
replay attacks
Low computational capacity
•
cryptanalytic attacks
Attacker controls tag
•
side-channel attacks
Wireless
Used for identification
• relay attacks
•
tracing attacks
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Timeline
Jun 06
RU
Start of development of Ghost for ISO 14443-A (Mifare) emulation
Nov 07
RU
Functional ISO14443-A (Mifare) emulation
Dec 07
CCC, VA
Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1
Feb 08
RU
Media report: cloning Mifare Ultralight (single-use OV-chipkaart)
Feb 08
TNO
Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite
Mar 08
RU
Reverse engineered CRYPTO1 & authentication protocol
Mar 08
RU
Key recovery using intercepted traffic or communication with reader
Apr 08
RHUL
Report on OV-chipkaart: fraud likely, replace cards, design open&modular
Jun 08
NXP
Lawsuit against RU to stop publication
Jul 08
Court
Publication allowed: potential damage due to flaws in chip, not publication
Oct 08
RU
Publication at ESORICS
Nov 08
RU
Card-only key recovery of Mifare Classic
Dec 08
RU
Attack possible using commercially available (cheap) NFC hardware
IEEE Security & Privacy 2009
Peter van Rossum, Radboud University Nijmegen, Wirelessly Pickpocketing a Mifare Classic
Timeline
2004
Fudan
Sale of fully functional Mifare Classic clones
2006
Angstrom
(Rumour) Mifare Classic reverse engineered and CRYPTO1 broken
Jun 06
RU
Start of development of Ghost for ISO 14443-A (Mifare) emulation
Nov 07 RU
Functional ISO14443-A (Mifare) emulation
Dec 07
CCC, VA
Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1
Feb 08
RU
Media report: cloning Mifare Ultralight (single-use OV-chipkaart)
Feb 08
TNO
Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite
Mar 08
RU
Reverse engineered CRYPTO1 & authentication protocol
Mar 08
RU
Key recovery using intercepted traffic or communication with reader
Apr 08
RHUL
Report on OV-chipkaart: fraud likely, replace cards, design open&modular
Jun 08
NXP
Lawsuit against RU to stop publication
Jul 08
Court
Publication allowed: potential damage due to flaws in chip, not publication
Oct 08
RU
Publication at ESORICS
Nov 08 RU
Card-only key recovery of Mifare Classic
Dec 08 RU
Attack possible using commercially available (cheap) NFC hardware
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Memory structure
64 blocks
0
1
2
3
uid, manufacturer data
data
data
key A, access conditions, key B
0
4
5
6
7
data
data
data
key A,access conditions, key B
1
60
61
62
63
data
data
data
key A, access conditions, key B
15
48 bits
48 bits
16 bytes
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
16 sectors
CRYPTO1
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
26c7
0dd3
0dd3
26c7
0dd3
4457c3b3
Feedback:
L(x0,x1,…,x47) := x0+x5+x9+x10+x12+x14+x15+x17+x19+x24+x25+x27+x29+x35+x39+x41+x43
LFSR stream:
ai+48 := L(ai,ai+1,…,ai+47) ∀i∈ℕ
(Actually a bit more complicated
because of the initialization)
Keystream:
bi := f(ai+9,ai+11,…,ai+47) ∀i∈ℕ
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: random number generator
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
•
32 bit nonces
•
Linear feedback shift register
•
16 bit internal state
•
Period 216 – 1 = 65535
Feedback:
L16(x0,x1,…,x15) := x0+x2+x3+x5
Successor:
suc(x0,x1,…,x31) := (x1,x2,…,x30,L16(x16,x17,…,x31))
Distance:
d((x0,x1,…,x31)(y0,y1,…,y31)) := min { n ∈ ℕ | sucn(x0,x1,…,x31) = (y0,y1,…,y31) }
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Authentication & initialization
Tag
Reader
uid
auth(block)
pick nT
nT
pick nR
aR:=suc64(nT)
{nR,aR}
check aR
Shift nT + uid into the LFSR
ai+48 := L(ai,…,ai+47) + nTi + uidi i ∈ [0,31]
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32
aT:=suc96(nT)
{aT}
check aT
auth. ok
LFSR stream:
Initial state of the LFSR is the key
ai := ki
i ∈ [0,47]
auth. ok
i ∈ [32,63]
After authentication, LFSR keeps shifting
ai+48 := L(ai,…,ai+47)
i ∈ [64, ∞)
Keystream:
bi := f(ai+9,ai+11,…,ai+47)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
i ∈ [32, ∞)
Mifare Classic: trace
Step
Sender
01
Ciphertext
Plaintext
Meaning
R
26
request type A
02
T
04 00
answer request
03
R
93 20
select
04
T
2a 69 8d 43 8d
uid
05
R
93 70 2a 69 8d 43 8d
select(uid)
06
T
08 b6 dd
Mifare Classic 1k
07
R
60 04 d1 3d
auth(block 4)
08
T
3b ae 03 2d
tag nonce (nT)
09
R
c4 94 a1 d2 6e 96 86 42
bb 03 1f 2d 7f cf 34 c3
rdr nonce (nR) & resp (aR)
10
T
84 66 05 9e
86 9d bb d5
tag response (aT)
11
R
7d de a6 b3
30 04 cd d1
read(block 4)
12
T
e7 ee e3 ab 0f 89 bb ed
44 b1 91 ce ef 8a 4d ce
00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 cd ea
contents
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Attacking CRYPTO1
1.
2.
3.
Unshifting the LFSR
•
internal state at any time key
Inverting the filter function
•
•
keystream internal state
computational complexity: approx. 226 operations
(seconds)
Acquiring keystream
•
•
observing authentication keystream
communication complexity: 1 to 3 auth. sessions
(micro seconds)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: unshifting the LFSR
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Feedback:
L(x0,x1,…,x47) := x0+x5+x9+x10+x12+x14
+x15+x17+x19+x24+x25+x27+x29+x35+x39
+x41+x43
Inverting feedback:
R(x1,…,x47,x48) := x5+x9+x10+x12+x14
+x15+x17+x19+x24+x25+x27+x29+x35+x39
+x41+x43+x48
R(x1,…,x47,L(x0,x1,…,x47)) = x0
LFSR stream:
Initial state of the LFSR is the key
ai := ki
i ∈ [0,47] Inverting LFSR stream:
Unshift LFSR until end of authentication
Shift nT + uid into the LFSR
ai = R(ai+1,…,ai+48)
i ∈ [64, ∞)
ai+48 := L(ai,…,ai+47) + nTi + uidi i ∈ [0,31]
Unshift nR from the LFSR
Shift nR into the LFSR
i ∈ [32,63]
ai+48 := L(ai,…,ai+47) + nRi-32
i ∈ [32,63] ai = R(ai+1,…,ai+48) + nRi-32
= R(ai+1,…,ai+48) + {nR}i-32 + bi
After authentication, LFSR keeps shifting
= R(ai+1,…,ai+48) + {nR}i-32 + f(ai+9,…,ai+47)
ai+48 := L(ai,…,ai+47)
i ∈ [64, ∞)
Unshift nT + uid from the LFSR
ai = R(ai+1,…,ai+48) + nTi + uidi i ∈ [0,31]
Keystream:
Key is the initial state of the LFSR
bi := f(ai+9,ai+11,…,ai+47)
i∈ℕ
k i = ai
i ∈ [0,47]
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: inverting the filter function
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
keystream: 01100111100110110
219
####################
# ################### #
## ################## #
00000000000000000000
00000000000000000001
00000000000000000011
00000000000000000100
00000000000000000110
…
produces ‘odd’ keystream 0
0 0000000000000000000 0
0 0000000000000000000 1
0 0000000000000000001
0 0000000000000000011 1
0 0000000000000000100 0
…
produces ‘odd’ keystream 01
00 000000000000000000 1
00 000000000000000001 1
00 000000000000000111 0
00 000000000000000111 1
00 000000000000001000
…
produces ‘odd’ keystream 010
• Filter function can be easily inverted because the input to the filter function f
are only on odd places
• Attack options:
• Compute ‘odd’ bits of LFSR using table and deduce ‘even’ bits (linear relation)
• Compute ‘odd’ and ‘even’ bits of LFSR using tables separately and combine tables
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: acquiring keystream
Tag
Reader
• Intercepted communication:
• nT, {aR}, {aT} visible to attacker
uid
auth(block)
• {aR} + suc64(nT), {aT} + suc96(nT)
64 keystream bits
pick nT
• invert f, roll back LFSR, recover key
nT
pick nR
aR:=suc64(nT)
{nR,aR}
• Access to genuine reader:
• nT under attacker control
• {aR} + suc64(nT) visible to attacker
32 keystream bits
check aR
• invert f, 216 possible LFSRs
• roll back LFSRs, 216 candidate keys
(repeat and take intersection)
aT:=suc96(nT)
{aT}
check aT
auth. ok
auth. ok
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Weaknesses
48 bit internal state, stream cipher
•
enables brute force attack
weak 16-bit random number generator
•
enables chosen plaintext attack & replay attack
simple LFSR structure
•
enables unshifting the internal state to recover key
weak filter function
•
enables inverting the one-way function function
• 64 bits keystream unique key
• 32 bits keystream 216 candidate keys
authentication protocol leaks keystream
consequences (march 2008)
•
•
•
intercepted communication can (quickly) be decrypted
key (of first sector read) can be recovered from just a reader
(access to just a tag not sufficient)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: (in)security
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Parity trouble
Plaintext
Keystream
Ciphertext
Weaknesses:
• Parity computed over plaintext
• Parity encrypted
• Parity encrypted using same bit of keystream that encrypts next bit of plaintext
• During authentication, parity is checked before authenticity
• No response when parity check fails; {NACK} when authenticity fails
Note:
• Not compliant with ISO14443-3 Type A
• To emulate Mifare Classic with NFC chip, use raw Mifare mode and do parity yourself
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Parity trouble
(Encrypted) parity checked continuously
• Parity wrong tag resets
Tag
Attacker
uid
auth(block)
Parity in {nR,aR} checked before aR
• Parity correct and aR wrong 4 bit {NACK}
• Error message is encrypted
pick nT
Card-only Attack
• Send 64 random bits for {nR,aR} (and random parity)
• (½)8 = 1/256 probability of guessing parity correctly
• Correct guess leaks 12 bits of information
• Options:
• Brute force
• Adaptive chosen ciphertext attack (vary {nR})
• Chosen plaintext attack (vary nT)
• [Courtois] Differential attack (vary {nR})
• Attacker only needs access to a card!
check aR
nT
pick {nR}
pick {aR}
{nR,aR}
Note
• Russian/Chinese Mifare clones
• do not check parity
• always send {NACK}
• Classic compatibility mode of Mifare Plus
• does not check parity
• does not send {NACK}
(fixed after we notified NXP of these problems)
{NACK}
auth. failed
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Chosen Plaintext Attack
Precompute
• T := { states a32 a33 … a79 | if reader sends
{nR} = {aR} = 0 then corresponding 8 encrypted
parity bits are 0 and 4 next keystream bits are 0}
• |T| ≈ 248/212 = 236 (storage: 384 GB)
Tag
Attack
• Search (online) for nT such that sending all 0’s
for {nR}, {aR} and the parity bits results in
{NACK} = NACK (i.e. 4 keystream bits 0).
• Search (offline) in T:
• Compute candidate key using nT and uid
• Check key (offline)
pick nT
Improvements
• More tables, one for each possibility of {NACK}.
• Sort table(s) by correct parity and {NACK}
when sending all 1’s for {nR}, {aR}
Attacker
uid
auth(block)
nT
{nR},{aR} = 0,0
check aR
{NACK}
auth. failed
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Online vs. offline order of magnitude
NXP/System Integrators: “impossible to execute real-time”
Offline
days
brute
force
• 1536 authentication attempts
• 248 offline search space
NXP/System Integrators: “lab-conditions required to fix nT”
min
s
• 150 authentication
attempts with same nT
• 220 offline search space
adaptive
chosen ciphertext
(vary {nR})
chosen plaintext
(vary nT)
• 28500 authentication attempts
with same nT
• 232.8 offline search space
differential attack • 4096 authentication attempts
[Courtois] (vary {nR})• 128 authentication attempts
with fixed nT
• 224 offline search space in
one-time precomputed 384GB table
intercepted
communication • 2 or 3 authentications
• 220 offline search space
NXP/System Integrators:
ms “Difficultsto execute in real-life”min
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
h
Online
Even faster? One key known already
Tag
Reader
uid
auth(block)
pick nT
nT
pick nR
aR:=suc64(nT)
{nR,aR}
check aR
Shift nT + uid into the LFSR
ai+48 := L(ai,…,ai+47) + nTi + uidi i ∈ [0,31]
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32
aT:=suc96(nT)
{aT}
check aT
auth. ok
LFSR stream:
Initial state of the LFSR is the key
ai := ki
i ∈ [0,47]
auth. ok
i ∈ [32,63]
After authentication, LFSR keeps shifting
ai+48 := L(ai,…,ai+47)
i ∈ [64, ∞)
Keystream:
bi := f(ai+9,ai+11,…,ai+47)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
i ∈ [32, ∞)
Reauthentication & initialization
Tag
Reader
{auth(block)}old key
pick nT
{nT}
pick nR
aR:=suc64(nT)
{nR,aR}
check aR
Shift nT + uid into the LFSR
ai+48 := L(ai,…,ai+47) + nTi + uidi i ∈ [0,31]
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32
aT:=suc96(nT)
{aT}
check aT
auth. ok
LFSR stream:
Initial state of the LFSR is the key
ai := ki
i ∈ [0,47]
auth. ok
i ∈ [32,63]
After authentication, LFSR keeps shifting
ai+48 := L(ai,…,ai+47)
i ∈ [64, ∞)
Keystream:
bi := f(ai+9,ai+11,…,ai+47)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
i∈ℕ
CRYPTO1: reauthentication & initialization
Tag
Attacker
{auth(block)}old key
pick nT
{nT}
Weaknesses
• nT predictable based on
• only 216 possiblities
• parity bits (reduces to 213 possibilities)
• timing (reduces to 1 to 5 possibilities)
• weak cipher (as before)
Attack
• authenticate for one sector using known key
• try to reauthenticate for other sector
• guess nonce and compute 32 keystream bits
• use weaknesses in cipher to compute
(1 to 5 times) approx. 216 candidate keys
• repeat two or three times and take intersection
Note
• compatibility mode of Mifare Plus
• uses better (32-bit) random number gen
(attack fails)
• some Mifare Classics are Mifare Smart MX
emulating a Mifare Classic
• uses better (16-bit) random number gen
(timing information not available)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Summary of further weaknesses
weak random number generator sync with time
• enables chosen plaintext attack
reader nonces determine 32 bits of the internal state
• enables chosen ciphertext attack against card
mixing of data link and encryption layers
• one-time pad used twice: information leakage
encrypted error message sent when authentication fails
• 4-bit information leakage
tag nonce sent encrypted when authenticating twice
• 32-bit information leakage (when one key already known)
consequences (november 2008)
• keys can be recovered from just a card
• card can be wirelessly cloned directly
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Online vs. offline order of magnitude
Offline
brute
force
days
min
s
• 150 authentication
attempts with same nT
• 220 offline search space
• 1536 authentication attempts
• 248 offline search space
adaptive
chosen ciphertext
(vary {nR})
chosen plaintext
(vary nT)
• 28500 authentication attempts
with fixed nT
• 232.8 offline search space
differential attack • 4096 authentication attempts
[Courtois] (vary {nR})• 128 authentication attempts
with fixed nT
• 224 offline search space in
one-time precomputed 384GB table
intercepted
communication/
• 2 to 5 authentication attempts
known old
• 220 offline search space
key
ms
s
min
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
h
Online
What to do?
Strategy RU: responsible disclosure
• 02/08: Warning (to NXP, government): additional measures
needed; minister of internal affairs made problems public
Only claim what we can actually demonstrate
• 10/08: Publication after delay of 7 months; full details
• 10/08 – 03/09: Repeat for card-only attack
Strategy NXP: damage control
• 03/08: Customer chooses cheapest chip
• 07/08: Publication irresponsible
• 10/08: Don’t use Classic for new applications
• 03/09: Lab conditions needed (for ‘immediate’ attack)
Strategy system integrators (TLS, TFL, …): protect investment
• 03/08: Attack not feasible
• 07/08: Fraud detected in back-end; no fraud detected so far
• 10/08: No criminal business case
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case’’?
Attack scenarios
• Loyalty scheme attack (bus)
• micro-waved OV-chipkaart
• OV-chipkaart with wrong keys
• Checking out (bus)
• too soon
• too late
• State-modification attacks
• Store/restore state (detected in back-end?)
• Increase balance (detected in back-end?)
• Add travel products (detected in back-end?)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case’’?
Attack scenarios (more speculative)
• Wirelessly clone cards
• Travel on someone else’s card (detected in back-end?)
• Generate new cards (and sell them)
• On ‘white’ cards
• On ‘unactivated’ or empty cards
• Steal reader
• Recover key diversification
• by side-channel analysis
• by brute force
• Easy wireless cloning of cards (detected in back-end?)
• Easy generation of new cards (detected in back-end?)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case”?
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case?’’
Questions?
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
References
De Koning Gans, Hoepman, Garcia. A Practical Attack on the Mifare Classic. CARDIS
2008. LNCS 5189. pp 267-282.
Nohl, Evans, Starbug, Plotz. Reverse-Engineering a Cryptographic RFID Tag. USENIX
Security 2008. pp 185-193.
Courtois, Nohl, O’Neil. Algebraic Attacks on the Crypto-1 Stream Cipher in Mifare
Classic and Oyster Cards. ePrint 2008/166.
Garcia, De Koning Gans, Muijrers, Van Rossum, Verdult, Wichers Schreur, Jacobs.
Dismantling Mifare Classic. ESORICS 2008. LNCS 5283. pp 97-114.
Teepe. Making the best of Mifare Classic. 2009.
Garcia, Van Rossum, Verdult, Wichers Schreur. Wirelessly Pickpocketing a Mifare
Classic Card. IEEE S&P 2009. pp 3-15.
Courtois. The Dark Side of Security by Obscurity and Cloning Mifare Rail and Building
Passes Anytime, Anywhere. SECCRYPT 2009.
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.