OpenCard hack (projekt chameleon)

Cloning Cryptographic
RFID Cards for 25$
November 29-30, WISSec 2010
Timo Kasper, Ingo von Maurich, David Oswald, Christof Paar
Department of Electrical Engineering and Information Technology
Chair for Embedded Security

Cloning Cryptographic RFID Cards for 25$

Agenda
 Motivation
 RFID Basics
Mifare Classic
Mifare DESFire (EV1)

 Real-World Attacks
 Conclusion

Timo Kasper, WISSec 2010 | November 29-30, 2010 2


Contactless Smartcards
 use RFID (Radio Frequency Identification) technology
 ISO 14443 A/B very popular: sufficient computational
power for cryptography
 large scale applications:
– Access control systems
– Electronic passports
– Payment systems
– Public transport ticketing



Why Emulate Contactless Smartcards ?
 cards used or applications are often insecure
(e.g. no crypto / based on ID number only)
 penetration-testing of real-world systems
 emulating cards promises high profits for fraudsters
 estimate the real cost / risks
 goals:
– card content and behavior freely programmable
(e.g. arbitrary ID instead of fixed ID)
– assistance in analyzing unknown protocols
– support the relevant cryptographic primitives


Popular (ISO 14443) Contactless Smartcards
 Mifare Classic
– Crypto1 stream cipher
– Very cheap, regarded completely broken
 Mifare DESFire
– DES and 3DES
– More expensive, side-channel attacks possible
 Mifare DESFire EV1
– AES-128 (and DES, 3DES)



Agenda
 Motivation
 RFID Basics
Mifare Classic
 Chameleon
 Conclusion



RFID Communication (ISO 14443)

• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by short pauses in the field
(pulsed Miller code)
• tag answers employing load modulation
(Manchester code)
• operating range: 8…15 cm, data rate 106…847 kBit/s 10


Mifare Classic



Mifare Classic (1K / 4K)
• over 1 billion cards and 7 million readers sold
• authentication / data encryption with CRYPTO1 stream cipher
• each card contains a read-only Unique Identifier (UID) (4 byte)
• each sector can be secured: two cryptographic keys A and B

UID

Key A, sector 0 Key B, sector 0

Key A, sector 15 Key B, sector 15
12


Mifare Classic Authentication Protocol

1.

2.

3.

4.

1. Authentication request 3. Encrypted challenge (Reader → Card) || answer
2. Challenge (Card → Reader) 4. Encrypted answer



Security of Mifare Classic
 … by obscurity
 cipher and PRNG reverse-engineered in 2007
 many attack vectors (weak PRNG, mathematical
weaknesses in LFSR, parity bit attack)

 card-only attacks:
reveal all secret keys and memory content in minutes
 Considered completely broken



Mifare DESFire / Mifare DESFire EV1



Mifare DESFire / Mifare DESFire EV1

 7-byte read-only UID

 communication can be secured by
– appended message authentication code (MAC)
– full data encryption

 DES, 3DES and AES-128 (EV1) encryption
! Side-channel attacks !



Mifare DESFire Authentication Protocol

 mutual authentication protocol, previously published

 cards only perform (3)DES encryptions EncK(∙)

 readers only perform (3)DES decryptions DecK(∙)



Mifare DESFire Authentication Protocol
1. 1. Authentication request
2. 2. Encrypted nonce

3. Encrypted rotated
3.
answer and nonce

4. 4. Verify answer

5. Encrypted rotated answer
5.

6. 6. Verify Answer


Mifare DESFire EV1 Authentication Protocol
 reverse-engineered from genuine communications
 similar to DESFire
 differences:
– nonces are extended to 128 bit
– AES en-/decryptions are used in common sense
– CBC-mode chains all en-/decryptions even though
they operate on different cryptograms
– second rotation is in the opposite direction



Mifare DESFire EV1 Authentication Protocol

1. 1. Extended nonces

2. En-/Decryption is used in
2. common sense /
Chained CBC (nR XOR b0)

3. 3. Rotation is changed to
the opposite direction



Agenda
 Motivation
 RFID Basics
Mifare Classic

 Conclusion



Introducing:
 Emulate contactless smartcards (ISO 14443)

 Freely programmable, low-cost (less than $25)

 Small, operates autonomously without a PC

 EEPROM  store bit streams for offline analysis



– Operating Principle

23


– the Reality…
Analog Circuitry
ATxmega (5€) ( approx. 5€ ) Antenna on PCB

FTDI USB (4€)


Hardware
 off-the-shelf components
 Atmel ATxmega192A3 8-Bit microcontroller
– 192kB Flash, 16kB SRAM, 4kB EEPROM
– Clocked at 27.12MHz (2 x 13.56 MHz)
– DES and AES-128 hardware accelerators
 FTDI FT245RL enables USB communication
 powered via USB or battery
 card-sized antenna (fits into slots of most readers)



Software (so far…)
 full emulation of Mifare Classic cards
– UID can be freely chosen
– memory content and keys can be set arbitrarily

 authentication mechanisms of Mifare DESFire & EV1
– UID can be freely chosen
– secret keys can be set arbitrarily



Difficulties
 strict timing requirements of ISO 14443:
– bit grid depending on the last bit sent by reader
– answer max. 4.8ms after request of the reader

 Crypto1 is computationally intensive on µC:
– using an open C-library for Crypto1 results in
inefficient code for 8-bit microcontrollers



Straightforward CRYPTO1 Implementation

• platform: 8-Bit microcontroller, ATMega32
• clock frequency: 13.56 MHz
• encrypting one block (18 bytes) takes > 11 ms
 too slow
28


Crypto1 Optimizations
 crypto1 implementation from scratch in assembly

 replace filter functions with look-up tables
– size: 112 byte, negligible compared to 192kB Flash

 random value for nC is generated before authentication
– aR and aC can be precomputed
– precomputing key stream bits not possible:
sector key and reader nonce unknown a priori


DESFire / DESFire EV1 Implementations
 Straightforward on ATxmega
– 3DES in CBC mode
– AES-128 in “chained” CBC mode

 3DES: three times faster than original card
– 219µs vs. 690µs for calculation of b3

 AES-128: five times faster than original card
– 438µs vs. 2.2ms for calculation of b3


Agenda
 Motivation
 RFID Basics
Mifare Classic

 Conclusion



Case Study: ID Card Contactless Payment System

• contactless employee ID card, more than 1 million users
• payments (max. 150 €), access control, …
• Mifare Classic 1K chip stores card number & credit amount
• ID cards have identical secret keys. 32


Attacking a Contactless Payment System
 Step 1: read out s.o. else’s (or your own…) card
 Step 2: emulates an exact clone
including the UID → Fraud not detected

 Credit gone? Step 3: Press state restoration button to
restore the previous credit from EEPROM, goto Step 2

 new operating mode: generate a random credit
balance and new card number on each payment
 cannot be blacklisted and blocked in the back-end


Case Study 2: Widespread Access Control System
 Mifare Classic 1K cards unlock doors and elevators
 secret keys are default
(0xA0A1A2A3A4A5)
 penetration-test with
– identification by UID and 1st block of 1st sector
– access permissions checked in the back-end
1. read UID from authorized card
2. set this UID in
 OPEN SESAME!


Access Control System in Idle Mode



Clone on a Blank Card Fails



Succeeds



Agenda
 Motivation
 RFID Basics
Mifare Classic

 Conclusion



Conclusion
cost-efficient ( < 25 $) freely
programmable emulator for contactless smartcards
 optimized Crypto1 implementation: Full Mifare Classic
emulation successful in various real-world systems
 (3)DES, AES support tested with emulation of Mifare
DESFire (incl. EV1) authentication

 valuable tool for penetration-testing of RFID systems
 cost for attacks often overestimated

Thanks!
Any questions?
Chair for Embedded Security (EMSEC)
Department of Electrical Engineering and Information Technology

{timo.kasper, ingo.vonmaurich, david.oswald, christof.paar}@rub.de

OpenCard hack (projekt chameleon)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie OpenCard hack (projekt chameleon)

Ähnlich wie OpenCard hack (projekt chameleon) (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OpenCard hack (projekt chameleon)