1049_CCC-07-Mifare-v2
-
Upload
kees-van-der-wal -
Category
Documents
-
view
216 -
download
1
Transcript of 1049_CCC-07-Mifare-v2
-
8/3/2019 1049_CCC-07-Mifare-v2
1/24
CCC 07
Karsten Nohl, Starbug, Henryk Pltz
-
8/3/2019 1049_CCC-07-Mifare-v2
2/24
Radio Frequency IDentification
Tiny computer chips Passively Powered
-
8/3/2019 1049_CCC-07-Mifare-v2
3/24
RFIDs become ubiquitous
Integrated in many securityapplications Tickets
Access Control
Car Ignition
-
8/3/2019 1049_CCC-07-Mifare-v2
4/24
Passports
Implants
RFIDs become universalidentifier. Might replacepasswords, PINs, andfingerprints.
-
8/3/2019 1049_CCC-07-Mifare-v2
5/24
Tagging of consumer goods
Will replace bar-codes!
Threat to Privacy
Customer tracking
Leaks internal business information!
-
8/3/2019 1049_CCC-07-Mifare-v2
6/24
Tagging of consumer goods
Will replace bar-codes!
Threat to Privacy
Customer tracking
Leaks internal business information!
-
8/3/2019 1049_CCC-07-Mifare-v2
7/24
Cryptographyon RFIDs in needed for:
Unclonability Credit cards, luxury goods, medication,
Privacy!
But, what crypto is small enough for tags?
-
8/3/2019 1049_CCC-07-Mifare-v2
8/24
Passports
RSA
TU Graz [05]
AESNo Crypto
Mifare
???
-
8/3/2019 1049_CCC-07-Mifare-v2
9/24
Philips claims:
approved authentication
advanced security levels
48 bit key
Car thefts(source: hldi.org)
-
8/3/2019 1049_CCC-07-Mifare-v2
10/24
Reconstruct circuit from photos of chip
Sniff reader-tag communication
Reverse-engineering of the Mifare
crypto and evaluating its security
verify
-
8/3/2019 1049_CCC-07-Mifare-v2
11/24
-Controller
Philips
Reader ICa) Sniffing data
b) Full control over timing!
-
8/3/2019 1049_CCC-07-Mifare-v2
12/24
-
8/3/2019 1049_CCC-07-Mifare-v2
13/24
-
8/3/2019 1049_CCC-07-Mifare-v2
14/24
select
detect
Chip has several
thousand gates
But only ~70 differenttypes
Detection can beautomated
-
8/3/2019 1049_CCC-07-Mifare-v2
15/24
Even tiny RFID chip too large to analyze entirely
Crypto
-
8/3/2019 1049_CCC-07-Mifare-v2
16/24
Very err0r-prone and tedious process
Will automate further
-
8/3/2019 1049_CCC-07-Mifare-v2
17/24
48-bit LFSR
f()
+
RNG
tagnonce key stream
secret key, tag ID
+
readernonce
++
-
8/3/2019 1049_CCC-07-Mifare-v2
18/24
+
+
RNG 16(!!)-bit random numbers
LFSR based
Value derived from time of read
Our Attack:
Control timing (OpenPCD)
= control random number (works for tag and reader!)= break Mifare security :)
-
8/3/2019 1049_CCC-07-Mifare-v2
19/24
-
8/3/2019 1049_CCC-07-Mifare-v2
20/24
1) No non-linear componentin feedback loop
No forward secrecy
2) Output bit derived from fixedsubset of bits
non-optimal avalanche properties
+
+
Suggests attack on key faster thanbrute-force (known-plaintext)
-
8/3/2019 1049_CCC-07-Mifare-v2
21/24
Cipher complexity low
Has probably been the
highest design goal
Allows for very efficient
FPGA implementation
$100 key cracker will find keyin ~1 week! (much faster evenwhen trading space for time)
-
8/3/2019 1049_CCC-07-Mifare-v2
22/24
No Crypto
Mifare
Security
Protection perhaps sufficient to protect
transactions of very small value E.g., Micro-payments, privacy
Security too weak for:
Access control, car theft protection, credit cards,
-
8/3/2019 1049_CCC-07-Mifare-v2
23/24
Obscurity and proprietary crypto add securityonly in the short-run
(but lack of peer-review hurts later)
Constraints of RFIDs make good cryptoextremely hard
Where are the best trade-offs? How much security is needed?
-
8/3/2019 1049_CCC-07-Mifare-v2
24/24
Karsten Nohl
+
+
++