OpenCard hack (projekt chameleon)

By Timo Kasper, upload Tech4Helper

  1. Cloning Cryptographic RFID Cards for 25$
     November 29-30, WISSec 2010
     Timo Kasper, Ingo von Maurich, David Oswald, Christof Paar
     Department of Electrical Engineering and Information Technology, Chair for Embedded Security
  2. Agenda
     • Motivation
     • RFID Basics
     • Mifare Classic
     • Mifare DESFire (EV1)
     • Real-World Attacks
     • Conclusion
     Timo Kasper, WISSec 2010 | November 29-30, 2010
  3. Contactless Smartcards
     • use RFID (Radio Frequency Identification) technology
     • ISO 14443 A/B very popular: sufficient computational power for cryptography
     • large scale applications:
       – Access control systems
       – Electronic passports
       – Payment systems
       – Public transport ticketing
  4. Why Emulate Contactless Smartcards?
     • cards used or applications are often insecure (e.g. no crypto / based on ID number only)
     • penetration-testing of real-world systems
     • emulating cards promises high profits for fraudsters → estimate the real cost / risks
     • goals:
       – card content and behavior freely programmable (e.g. arbitrary ID instead of fixed ID)
       – assistance in analyzing unknown protocols
       – support the relevant cryptographic primitives
  5. Popular (ISO 14443) Contactless Smartcards
     • Mifare Classic
       – Crypto1 stream cipher
       – Very cheap, regarded completely broken
     • Mifare DESFire
       – DES and 3DES
       – More expensive, side-channel attacks possible
     • Mifare DESFire EV1
       – AES-128 (and DES, 3DES)
  6. Agenda: Motivation • RFID Basics • Mifare Classic • Mifare DESFire (EV1) • Chameleon • Real-World Attacks • Conclusion
  7. RFID Communication (ISO 14443)
     • reader generates field with 13.56 MHz carrier frequency
     • supplies tag with clock and energy via inductive coupling
     • reader transmits data by short pauses in the field (pulsed Miller code)
     • tag answers employing load modulation (Manchester code)
     • operating range: 8…15 cm, data rate 106…847 kBit/s
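Added example, not code from the slides or from the Chameleon project: a Go encoder and decoder for the reader-to-tag "pulsed Miller" coding the slide names (ISO 14443A modified Miller), modelled as half-bit streams in which a 1 marks a pause in the reader's field; the sample frame is constructed.

```go
package main

import "fmt"

// Half-bit streams: each bit period is two half-bits; a 1 marks a pause in the reader's field.
// ISO 14443A modified Miller: X = pause in 2nd half, Y = no pause, Z = pause in 1st half;
// '1' -> X; '0' -> Y, but Z after a '0' or right after the start of communication (Z); EOC = logic 0, then Y.
func millerEncode(bits []int) []int {
	out := []int{1, 0} // start of communication: Z
	prevZero := true   // a '0' right after the SOC is coded Z, like after another '0'
	zero := func() {
		if prevZero {
			out = append(out, 1, 0) // Z
		} else {
			out = append(out, 0, 0) // Y
		}
		prevZero = true
	}
	for _, b := range bits {
		if b == 1 {
			out, prevZero = append(out, 0, 1), false // X
		} else {
			zero()
		}
	}
	zero()                   // the EOC's logic 0 ...
	return append(out, 0, 0) // ... followed by Y
}

// millerDecode inverts millerEncode: a Y right after a '0' can only be the EOC, since a second data '0' would be Z.
func millerDecode(hb []int) ([]int, bool) {
	if len(hb) < 2 || hb[0] != 1 || hb[1] != 0 {
		return nil, false // no start of communication
	}
	bits, prevZero := []int{}, true
	for i := 2; i+1 < len(hb); i += 2 {
		switch {
		case hb[i] == 0 && hb[i+1] == 1: // X
			bits, prevZero = append(bits, 1), false
		case hb[i] == 1 && hb[i+1] == 0: // Z
			bits, prevZero = append(bits, 0), true
		case prevZero && len(bits) > 0: // Y after a '0': frame ends, drop the EOC's 0
			return bits[:len(bits)-1], true
		case prevZero: // Y directly after the SOC: malformed
			return nil, false
		default: // Y after a '1' is a data 0
			bits, prevZero = append(bits, 0), true
		}
	}
	return nil, false // no end of communication seen
}

func main() {
	fmt.Println(millerDecode(millerEncode([]int{1, 0, 0, 1, 1, 0}))) // constructed sample frame, round-tripped
}
```

The decoder's EOC rule is also why an emulator can only decide a frame is complete one sequence late, one of the timing constraints the deck later lists.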
  8. Mifare Classic
  9. Mifare Classic (1K / 4K)
     • over 1 billion cards and 7 million readers sold
     • authentication / data encryption with CRYPTO1 stream cipher
     • each card contains a read-only Unique Identifier (UID) (4 byte)
     • each sector can be secured: two cryptographic keys A and B
     (figure: card memory layout with the UID and Key A / Key B for sector 0 … sector 15)
  10. Mifare Classic Authentication Protocol
     1. Authentication request (Reader → Card)
     2. Challenge (Card → Reader)
     3. Encrypted challenge || answer (Reader → Card)
     4. Encrypted answer (Card → Reader)
  11. Security of Mifare Classic
     • … by obscurity
     • cipher and PRNG reverse-engineered in 2007
     • many attack vectors (weak PRNG, mathematical weaknesses in LFSR, parity bit attack)
     • card-only attacks: reveal all secret keys and memory content in minutes
     • Considered completely broken
  12. Mifare DESFire / Mifare DESFire EV1
  13. Mifare DESFire / Mifare DESFire EV1
     • 7-byte read-only UID
     • communication can be secured by
       – appended message authentication code (MAC)
       – full data encryption
     • DES, 3DES and AES-128 (EV1) encryption
     • ! Side-channel attacks !
  14. Mifare DESFire Authentication Protocol
     • mutual authentication protocol, previously published
     • cards only perform (3)DES encryptions EncK(∙)
     • readers only perform (3)DES decryptions DecK(∙)
  15. Mifare DESFire Authentication Protocol
     1. Authentication request
     2. Encrypted nonce
     3. Encrypted rotated answer and nonce
     4. Verify answer
     5. Encrypted rotated answer
     6. Verify answer
  16. Mifare DESFire EV1 Authentication Protocol
     • reverse-engineered from genuine communications
     • similar to DESFire
     • differences:
       – nonces are extended to 128 bit
       – AES en-/decryptions are used in the common sense
       – CBC mode chains all en-/decryptions even though they operate on different cryptograms
       – second rotation is in the opposite direction
  17. Mifare DESFire EV1 Authentication Protocol
     1. Extended nonces
     2. En-/decryption is used in the common sense / chained CBC (nR XOR b0)
     3. Rotation is changed to the opposite direction
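Added example, neither the Chameleon firmware nor the NXP specification: a Go model of the EV1-style mutual authentication as slides 14-17 describe it, with 128-bit nonces, AES-CBC chained across messages (b1 = Enc_K(nR XOR b0)) and a rotated-nonce check on each side, so a key mismatch is rejected by the card at step 4. Rotation by one byte, which of the two opposite rotations is left and which is right, the zero IV at session start and the demo key are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const n = 16 // AES block size = nonce size (the slide's 128-bit nonces)

// cbc: AES-CBC with iv = the previous message's last ciphertext block, chaining the whole session (slide 16).
func cbc(key, iv, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key) // 16-byte keys only in this model
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

func rotl(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }
func rotr(b []byte) []byte { return append([]byte{b[len(b)-1]}, b[:len(b)-1]...) }

// authenticate plays both sides (card holds cardKey, reader uses readerKey); true only if steps 4 and 6 both accept.
func authenticate(cardKey, readerKey []byte) bool {
	zero := make([]byte, n)
	nC, nR := make([]byte, n), make([]byte, n)
	rand.Read(nC)
	rand.Read(nR)
	// Step 2 (card): b0 = Enc_K(nC); the session starts with IV = 0 (assumption).
	b0 := cbc(cardKey, zero, nC, true)
	// Step 3 (reader): recover nC, send b1||b2 = Enc_K(nR || rotl(nC)) chained to b0,
	// i.e. b1 = Enc_K(nR XOR b0), b2 = Enc_K(rotl(nC) XOR b1).
	nCr := cbc(readerKey, zero, b0, false)
	b12 := cbc(readerKey, b0, append(append([]byte{}, nR...), rotl(nCr)...), true)
	// Step 4 (card): decrypt chained to b0 and check the rotated nonce.
	p := cbc(cardKey, b0, b12, false)
	if !bytes.Equal(p[n:], rotl(nC)) {
		return false
	}
	// Step 5 (card): b3 = Enc_K(rot(nR)) chained to b2; the slide says this second rotation
	// runs the other way, modelled here as a right rotation by one byte (assumption).
	b3 := cbc(cardKey, b12[n:], rotr(p[:n]), true)
	// Step 6 (reader): decrypt chained to b2 and compare with its own rotated nR.
	return bytes.Equal(cbc(readerKey, b12[n:], b3, false), rotr(nR))
}

func main() {
	k := bytes.Repeat([]byte{0x11}, n) // constructed demo key, not a real card key
	fmt.Println(authenticate(k, k), authenticate(k, bytes.Repeat([]byte{0x22}, n)))
}
```

Because b3 is computed over the card's own nonce chain, an emulator can only produce it with the sector key; the deck's DESFire timings on slide 28 refer to exactly this b3 computation.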
  18. Agenda: Motivation • RFID Basics • Mifare Classic • Mifare DESFire (EV1) • Real-World Attacks • Conclusion
  19. Introducing: Chameleon
     • Emulate contactless smartcards (ISO 14443)
     • Freely programmable, low-cost (less than $25)
     • Small, operates autonomously without a PC
     • EEPROM → store bit streams for offline analysis
  20. Chameleon – Operating Principle (diagram)
  21. Chameleon – Operating Principle (diagram, continued)
  22. Chameleon – the Reality… (photo of the board)
     • Analog Circuitry (approx. 5 €)
     • ATxmega (5 €)
     • Antenna on PCB
     • FTDI USB (4 €)
  23. Hardware
     • off-the-shelf components
     • Atmel ATxmega192A3 8-bit microcontroller
       – 192 kB Flash, 16 kB SRAM, 4 kB EEPROM
       – clocked at 27.12 MHz (2 × 13.56 MHz)
       – DES and AES-128 hardware accelerators
     • FTDI FT245RL enables USB communication
     • powered via USB or battery
     • card-sized antenna (fits into slots of most readers)
  24. Software (so far…)
     • full emulation of Mifare Classic cards
       – UID can be freely chosen
       – memory content and keys can be set arbitrarily
     • authentication mechanisms of Mifare DESFire & EV1
       – UID can be freely chosen
       – secret keys can be set arbitrarily
  25. Difficulties
     • strict timing requirements of ISO 14443:
       – bit grid depending on the last bit sent by reader
       – answer max. 4.8 ms after request of the reader
     • Crypto1 is computationally intensive on µC:
       – using an open C library for Crypto1 results in inefficient code for 8-bit microcontrollers
  26. Straightforward CRYPTO1 Implementation
     • platform: 8-bit microcontroller, ATMega32
     • clock frequency: 13.56 MHz
     • encrypting one block (18 bytes) takes > 11 ms → too slow
  27. Crypto1 Optimizations
     • Crypto1 implementation from scratch in assembly
     • replace filter functions with look-up tables
       – size: 112 byte, negligible compared to 192 kB Flash
     • random value for nC is generated before authentication
       – aR and aC can be precomputed
       – precomputing key stream bits not possible: sector key and reader nonce unknown a priori
  28. DESFire / DESFire EV1 Implementations
     • straightforward on ATxmega
       – 3DES in CBC mode
       – AES-128 in “chained” CBC mode
     • 3DES: three times faster than original card
       – 219 µs vs. 690 µs for calculation of b3
     • AES-128: five times faster than original card
       – 438 µs vs. 2.2 ms for calculation of b3
  29. Agenda: Motivation • RFID Basics • Mifare Classic • Mifare DESFire (EV1) • Real-World Attacks • Conclusion
  30. Case Study: ID Card Contactless Payment System
     • contactless employee ID card, more than 1 million users
     • payments (max. 150 €), access control, …
     • Mifare Classic 1K chip stores card number & credit amount
     • ID cards have identical secret keys
  31. Attacking a Contactless Payment System
     • Step 1: read out s.o. else’s (or your own…) card
     • Step 2: Chameleon emulates an exact clone including the UID → Fraud not detected
     • Credit gone? Step 3: press state restoration button to restore the previous credit from EEPROM, goto Step 2
     • new operating mode: generate a random credit balance and new card number on each payment → cannot be blacklisted and blocked in the back-end
  32. Case Study 2: Widespread Access Control System
     • Mifare Classic 1K cards unlock doors and elevators
     • secret keys are default (0xA0A1A2A3A4A5)
     • penetration-test with Chameleon
       – identification by UID and 1st block of 1st sector
       – access permissions checked in the back-end
     • 1. read UID from authorized card, 2. set this UID in Chameleon → OPEN SESAME!
  33. Access Control System in Idle Mode (picture only)
  34. Clone on a Blank Card Fails (picture only)
  35. Chameleon Succeeds (picture only)
  36. (picture only)
  37. Agenda: Motivation • RFID Basics • Mifare Classic • Mifare DESFire (EV1) • Real-World Attacks • Conclusion
  38. Conclusion
     • cost-efficient (< 25 $), freely programmable emulator for contactless smartcards
     • optimized Crypto1 implementation: full Mifare Classic emulation successful in various real-world systems
     • (3)DES, AES support tested with emulation of Mifare DESFire (incl. EV1) authentication
     • valuable tool for penetration-testing of RFID systems → cost for attacks often overestimated
  39. Thanks! Any questions?
     Chair for Embedded Security (EMSEC), Department of Electrical Engineering and Information Technology
     {timo.kasper, ingo.vonmaurich, david.oswald, christof.paar}@rub.de