OpenCard hack (projekt chameleon)
Cloning Cryptographic RFID Cards for 25$
November 29-30, WISSec 2010
Timo Kasper, Ingo von Maurich, David Oswald, Christof Paar
Department of Electrical Engineering and Information Technology
Chair for Embedded Security
Agenda
Motivation
RFID Basics
Mifare Classic
Mifare DESFire (EV1)
Chameleon
Real-World Attacks
Conclusion
Timo Kasper, WISSec 2010 | November 29-30, 2010 2
Contactless Smartcards
use RFID (Radio Frequency Identification) technology
ISO 14443 A/B very popular: sufficient computational power for cryptography
large scale applications:
– Access control systems
– Electronic passports
– Payment systems
– Public transport ticketing
Why Emulate Contactless Smartcards?
cards, or the applications using them, are often insecure
(e.g. no crypto, or identification by ID number only)
penetration-testing of real-world systems
emulating cards promises high profits for fraudsters
estimate the real cost / risks
goals:
– card content and behavior freely programmable (e.g. arbitrary ID instead of fixed ID)
– assistance in analyzing unknown protocols
– support the relevant cryptographic primitives
Popular (ISO 14443) Contactless Smartcards
Mifare Classic
– Crypto1 stream cipher
– Very cheap, regarded as completely broken
Mifare DESFire
– DES and 3DES
– More expensive, side-channel attacks possible
Mifare DESFire EV1
– AES-128 (and DES, 3DES)
RFID Communication (ISO 14443)
• reader generates field with 13.56 MHz carrier frequency
• supplies tag with clock and energy via inductive coupling
• reader transmits data by short pauses in the field (pulsed Miller code)
• tag answers employing load modulation (Manchester code)
• operating range: 8…15 cm, data rate 106…847 kBit/s
Mifare Classic
Mifare Classic (1K / 4K)
• over 1 billion cards and 7 million readers sold
• authentication / data encryption with CRYPTO1 stream cipher
• each card contains a read-only Unique Identifier (UID) (4 bytes)
• each sector can be secured: two cryptographic keys A and B
(figure: memory layout, the UID followed by sectors 0 … 15, each with its own Key A and Key B)
Mifare Classic Authentication Protocol
1. Authentication request (Reader → Card)
2. Challenge (Card → Reader)
3. Encrypted challenge || answer (Reader → Card)
4. Encrypted answer (Card → Reader)
Security of Mifare Classic
… by obscurity
cipher and PRNG reverse-engineered in 2007
many attack vectors (weak PRNG, mathematical weaknesses in LFSR, parity bit attack)
card-only attacks: reveal all secret keys and memory content in minutes
Considered completely broken
Mifare DESFire / Mifare DESFire EV1
Mifare DESFire / Mifare DESFire EV1
7-byte read-only UID
communication can be secured by
– appended message authentication code (MAC)
– full data encryption
DES, 3DES and AES-128 (EV1) encryption
! Side-channel attacks !
Mifare DESFire Authentication Protocol
mutual authentication protocol, previously published
cards only perform (3)DES encryptions Enc_K(·)
readers only perform (3)DES decryptions Dec_K(·)
Mifare DESFire Authentication Protocol
1. Authentication request
2. Encrypted nonce
3. Encrypted rotated answer and nonce
4. Verify answer
5. Encrypted rotated answer
6. Verify answer
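The six-step exchange above, as an added Go simulation (not code from the talk or from Chameleon) of the DESFire variant the previous slide describes, in which the card only ever encrypts and the reader only ever decrypts. It assumes 2-key 3DES, a rotate-left-by-one-byte nonce rotation, no CBC chaining across operations, and constructed fixed nonces.

```go
package main

import ("bytes"; "crypto/cipher"; "crypto/des"; "fmt")

// rotl moves the first nonce byte to the end (the usual DESFire convention; an
// assumption here, since the slides do not state the rotation direction).
func rotl(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }
func xor(a, b []byte) []byte { o := make([]byte, 8); for i := range o { o[i] = a[i] ^ b[i] }; return o }
func enc(k cipher.Block, in []byte) []byte { o := make([]byte, 8); k.Encrypt(o, in); return o }
func dec(k cipher.Block, in []byte) []byte { o := make([]byte, 8); k.Decrypt(o, in); return o }

// newKey expands a 16-byte 2-key 3DES key K1||K2 to K1||K2||K1 for crypto/des.
func newKey(k []byte) cipher.Block {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, k...), k[:8]...))
	if err != nil { panic(err) }
	return c
}

// The card only ever calls Encrypt and the reader only ever calls Decrypt.
type Card struct { key cipher.Block; nC []byte }
type Reader struct { key cipher.Block }

// Step 2: the card answers the authentication request with Enc_K(nC).
func (c *Card) EncryptedNonce(nC []byte) []byte { c.nC = nC; return enc(c.key, nC) }

// Step 3: the reader recovers nC and "encrypts" nR || rotl(nC) using Dec_K
// only, CBC-style: t1 = Dec_K(nR), t2 = Dec_K(rotl(nC) XOR t1).
func (r *Reader) Token(encNC, nR []byte) []byte {
	nC, t1 := dec(r.key, encNC), dec(r.key, nR)
	return append(t1, dec(r.key, xor(rotl(nC), t1))...)
}

// Steps 4 and 5: the card undoes the token with Enc_K only (nR = Enc_K(t1),
// nC' = Enc_K(t2) XOR t1), checks nC' == rotl(nC) and replies Enc_K(rotl(nR)).
func (c *Card) VerifyAndAnswer(tok []byte) ([]byte, bool) {
	t1, t2 := tok[:8], tok[8:]
	if !bytes.Equal(xor(enc(c.key, t2), t1), rotl(c.nC)) {
		return nil, false // the reader does not know the key: the card aborts
	}
	return enc(c.key, rotl(enc(c.key, t1))), true
}

// Step 6: the reader decrypts the answer and checks that it equals rotl(nR).
func (r *Reader) Verify(ans, nR []byte) bool { return bytes.Equal(dec(r.key, ans), rotl(nR)) }

// Authenticate runs the exchange with constructed, fixed nonces (real devices
// draw them at random) and reports whether the card, then the reader, accepted.
func Authenticate(cardKey, readerKey []byte) (bool, bool) {
	card, rdr := &Card{key: newKey(cardKey)}, &Reader{key: newKey(readerKey)}
	nC, nR := []byte{1, 2, 3, 4, 5, 6, 7, 8}, []byte{8, 7, 6, 5, 4, 3, 2, 1} // constructed
	ans, cardOK := card.VerifyAndAnswer(rdr.Token(card.EncryptedNonce(nC), nR))
	return cardOK, cardOK && rdr.Verify(ans, nR)
}

func main() { k := []byte("0123456789ABCDEF"); fmt.Println(Authenticate(k, k)) }
```

An emulator loaded with the same key passes this exchange exactly as a genuine card does, so the protection of a DESFire deployment rests on key secrecy, not on the UID.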
Mifare DESFire EV1 Authentication Protocol
reverse-engineered from genuine communications
similar to DESFire
differences:
– nonces are extended to 128 bit
– AES encryption and decryption are used in the conventional sense (the sender encrypts, the receiver decrypts)
– CBC mode chains all en-/decryptions, even though they operate on different cryptograms
– second rotation is in the opposite direction
Mifare DESFire EV1 Authentication Protocol
1. Extended nonces
2. En-/decryption is used in the conventional sense; chained CBC (nR XOR b0)
3. Rotation is changed to the opposite direction
Introducing: Chameleon
Emulates contactless smartcards (ISO 14443)
Freely programmable, low-cost (less than $25)
Small, operates autonomously without a PC
EEPROM stores bit streams for offline analysis
Chameleon – Operating Principle (figure)
Chameleon – the Reality… (photo of the board)
Analog circuitry, ATxmega (approx. 5€), FTDI USB (4€), antenna on PCB
Hardware
off-the-shelf components
Atmel ATxmega192A3 8-bit microcontroller
– 192 kB Flash, 16 kB SRAM, 4 kB EEPROM
– clocked at 27.12 MHz (2 × 13.56 MHz)
– DES and AES-128 hardware accelerators
FTDI FT245RL enables USB communication
powered via USB or battery
card-sized antenna (fits into slots of most readers)
Software (so far…)
full emulation of Mifare Classic cards
– UID can be freely chosen
– memory content and keys can be set arbitrarily
authentication mechanisms of Mifare DESFire & EV1
– UID can be freely chosen
– secret keys can be set arbitrarily
Difficulties
strict timing requirements of ISO 14443:
– bit grid depending on the last bit sent by reader
– answer max. 4.8ms after request of the reader
Crypto1 is computationally intensive on µC:
– using an open C library for Crypto1 results in inefficient code for 8-bit microcontrollers
Straightforward CRYPTO1 Implementation
• platform: 8-bit microcontroller, ATMega32
• clock frequency: 13.56 MHz
• encrypting one block (18 bytes) takes > 11 ms: too slow
Crypto1 Optimizations
Crypto1 implementation from scratch in assembly
replace filter functions with look-up tables
– size: 112 bytes, negligible compared to 192 kB Flash
random value for nC is generated before authentication
– aR and aC can be precomputed
– precomputing key stream bits not possible: sector key and reader nonce unknown a priori
DESFire / DESFire EV1 Implementations
Straightforward on ATxmega
– 3DES in CBC mode
– AES-128 in “chained” CBC mode
3DES: three times faster than the original card
– 219 µs vs. 690 µs for calculation of b3
AES-128: five times faster than the original card
– 438 µs vs. 2.2 ms for calculation of b3
Case Study: ID Card Contactless Payment System
• contactless employee ID card, more than 1 million users
• payments (max. 150 €), access control, …
• Mifare Classic 1K chip stores card number & credit amount
• ID cards have identical secret keys
Attacking a Contactless Payment System
Step 1: read out someone else's (or your own…) card
Step 2: emulate an exact clone, including the UID → fraud not detected
Credit gone? Step 3: press the state restoration button to restore the previous credit from EEPROM, go to Step 2
new operating mode: generate a random credit balance and a new card number on each payment, so the card cannot be blacklisted and blocked in the back-end
Case Study 2: Widespread Access Control System
Mifare Classic 1K cards unlock doors and elevators
secret keys are the default (0xA0A1A2A3A4A5)
penetration-test with Chameleon
– identification by UID and 1st block of 1st sector
– access permissions checked in the back-end
1. read UID from authorized card
2. set this UID in Chameleon
OPEN SESAME!
Access Control System in Idle Mode
Clone on a Blank Card Fails
Clone on Chameleon Succeeds
Conclusion
Chameleon: cost-efficient (< 25 $), freely programmable emulator for contactless smartcards
optimized Crypto1 implementation: full Mifare Classic emulation successful in various real-world systems
(3)DES and AES support tested with emulation of Mifare DESFire (incl. EV1) authentication
valuable tool for penetration-testing of RFID systems
cost of attacks often overestimated
Thanks!
Any questions?
Chair for Embedded Security (EMSEC)
Department of Electrical Engineering and Information Technology
{timo.kasper, ingo.vonmaurich, david.oswald, christof.paar}@rub.de