8/3/2019 1049_CCC-07-Mifare-v2

1/24

CCC 07

Karsten Nohl, Starbug, Henryk Pltz

8/3/2019 1049_CCC-07-Mifare-v2

2/24

Radio Frequency IDentification

Tiny computer chips Passively Powered

8/3/2019 1049_CCC-07-Mifare-v2

3/24

RFIDs become ubiquitous

Integrated in many securityapplications Tickets

Access Control

Car Ignition

8/3/2019 1049_CCC-07-Mifare-v2

4/24

Passports

Implants

RFIDs become universalidentifier. Might replacepasswords, PINs, andfingerprints.

8/3/2019 1049_CCC-07-Mifare-v2

5/24

Tagging of consumer goods

Will replace bar-codes!

Threat to Privacy

Customer tracking

Leaks internal business information!

8/3/2019 1049_CCC-07-Mifare-v2

6/24

Tagging of consumer goods

Will replace bar-codes!

Threat to Privacy

Customer tracking

Leaks internal business information!

8/3/2019 1049_CCC-07-Mifare-v2

7/24

Cryptographyon RFIDs in needed for:

Unclonability Credit cards, luxury goods, medication,

Privacy!

But, what crypto is small enough for tags?

8/3/2019 1049_CCC-07-Mifare-v2

8/24

Passports

RSA

TU Graz [05]

AESNo Crypto

Mifare

???

8/3/2019 1049_CCC-07-Mifare-v2

9/24

Philips claims:

approved authentication

advanced security levels

48 bit key

Car thefts(source: hldi.org)

8/3/2019 1049_CCC-07-Mifare-v2

10/24

Reconstruct circuit from photos of chip

Sniff reader-tag communication

Reverse-engineering of the Mifare

crypto and evaluating its security

verify

8/3/2019 1049_CCC-07-Mifare-v2

11/24

-Controller

Philips

Reader ICa) Sniffing data

b) Full control over timing!

8/3/2019 1049_CCC-07-Mifare-v2

12/24

8/3/2019 1049_CCC-07-Mifare-v2

13/24

8/3/2019 1049_CCC-07-Mifare-v2

14/24

select

detect

Chip has several

thousand gates

But only ~70 differenttypes

Detection can beautomated

8/3/2019 1049_CCC-07-Mifare-v2

15/24

Even tiny RFID chip too large to analyze entirely

Crypto

8/3/2019 1049_CCC-07-Mifare-v2

16/24

Very err0r-prone and tedious process

Will automate further

8/3/2019 1049_CCC-07-Mifare-v2

17/24

48-bit LFSR

f()

+

RNG

tagnonce key stream

secret key, tag ID

+

readernonce

++

8/3/2019 1049_CCC-07-Mifare-v2

18/24

+

+

RNG 16(!!)-bit random numbers

LFSR based

Value derived from time of read

Our Attack:

Control timing (OpenPCD)

= control random number (works for tag and reader!)= break Mifare security :)

8/3/2019 1049_CCC-07-Mifare-v2

19/24

8/3/2019 1049_CCC-07-Mifare-v2

20/24

1) No non-linear componentin feedback loop

No forward secrecy

2) Output bit derived from fixedsubset of bits

non-optimal avalanche properties

+

+

Suggests attack on key faster thanbrute-force (known-plaintext)

8/3/2019 1049_CCC-07-Mifare-v2

21/24

Cipher complexity low

Has probably been the

highest design goal

Allows for very efficient

FPGA implementation

$100 key cracker will find keyin ~1 week! (much faster evenwhen trading space for time)

8/3/2019 1049_CCC-07-Mifare-v2

22/24

No Crypto

Mifare

Security

Protection perhaps sufficient to protect

transactions of very small value E.g., Micro-payments, privacy

Security too weak for:

Access control, car theft protection, credit cards,

8/3/2019 1049_CCC-07-Mifare-v2

23/24

Obscurity and proprietary crypto add securityonly in the short-run

(but lack of peer-review hurts later)

Constraints of RFIDs make good cryptoextremely hard

Where are the best trade-offs? How much security is needed?

8/3/2019 1049_CCC-07-Mifare-v2

24/24

Karsten Nohl

nohl@virginia.edu

+

+

++