31. Microscope-wielding boffins crack Tube smartcard
The keys to London Underground, and plenty more
By Dan Goodin in San Francisco
Posted in ID, 12th March 2008 05:02 GMT
Security researchers say they've found a way to crack the encryption used to protect a widely-
used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone
the cards that are used to secure office buildings and automate the collection of mass
transportation fares.
The attack works against the Mifare Classic, a wireless card made by Netherlands-based NXP
Semiconductors. It is used by transit operators in London, Boston and the Netherlands and by
organizations in the public and private sectors to control access to sensitive areas, according
to Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers
who discovered the weakness. NXP says it's sold 1 billion to 2 billion of the cards.
The wireless devices are growing in popularity because of their low cost - about 50 cents
apiece - and they offer many of the advantages of radio frequency identification (RFID)
technology. Specifically, smartcards don't require contact with the mechanical readers used by
transit agencies, which lowers operators' costs and is quicker and more convenient for users.
The research team was able to obtain the card's proprietary encryption scheme by physically
dissecting its chip and examining it under a microscope. They then photographed various
levels of its circuitry and used optical recognition software to produce a 3D representation of
the entire chip. By examining the logic gates in great detail, they were able to deduce the
proprietary algorithm, which NXP dubs Crypto1.
51. It was just ~200 lines of an RSA implementation
52. /******************************************************************************
*
* Copyright (c) 1998,99 by Mindbright Technology AB, Stockholm, Sweden.
* www.mindbright.se, info@mindbright.se
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
*****************************************************************************
* $Author: nallen $
* $Date: 2001/11/12 16:31:16 $
* $Name: $
*****************************************************************************/
/*
* !!! Author's comment: The contents of this file is heavily based
* upon Tatu Ylonen's c-code in the ssh1.2.26 package, which in turn
* is a standard implementation of the RSA algorithm, the code is
* rather trivial (though the math behind it is not :-). I don't know
* whom are responsible for the original optimization using the
* Chinese remainder theorem which I guess is the only non-trivial
* part of this implementation. Please note that RSA can't be used
* without proper licensing in the United States.
*
* Below is some references to useful information about RSA:
*
* Bruce Schneier: Applied Cryptography 2nd ed., John Wiley & Sons, 1996
* Arto Salomaa: Public-Key Cryptography 2nd ed., Springer-Verlag, 1996
* Man Young Rhee: Cryptography and Secure Data Comm., McGraw-Hill, 1994
* R. Rivest, A. Shamir, and L. M. Adleman: Cryptographic Communications
53.
            break;
    if(i == strip.length)
        throw new IOException("Invalid strip-data");
    val = new byte[strip.length - i];
    System.arraycopy(strip, i, val, 0, val.length);
    return new BigInteger(val);
}

public static BigInteger doPad(BigInteger input, int padLen, SecureRandom rand) throws IOException {
    BigInteger result;
    BigInteger rndInt;
    int inByteLen = (input.bitLength() + 7) / 8;
    int padByteLen = (padLen + 7) / 8;
    if(inByteLen > padByteLen - 3)
        throw new IOException("rsaPad: Input too long to pad");
    // !!! byte[] ranBytes = new byte[(padByteLen - inByteLen - 3) + 1];
    byte[] ranBytes = new byte[(padByteLen - inByteLen - 3) + 1];
    rand.nextBytes(ranBytes);
    ranBytes[0] = 0;
    for(int i = 1; i < (padByteLen - inByteLen - 3 + 1); i++)
        if(ranBytes[i] == 0)
            ranBytes[i] = 0x17;
    rndInt = new BigInteger(ranBytes);
    rndInt = rndInt.shiftLeft((inByteLen + 1) * 8);
    result = new BigInteger("2");
    result = result.shiftLeft((padByteLen - 2) * 8);
    result = result.or(rndInt);
    result = result.or(input);
    return result;
}
}
54. The Jobs
★ National Security Agency (NSA)
★ Single largest employer of mathematicians in the world
81. Salt approaches
★ Random number
★ Stored in the clear next to the hash
★ Email address hash
★ Not (required to be) stored
★ Literally append to password hash
82. Salt Goals
★ Stops use of rainbow tables of hashes
★ Requires each password be cracked individually
★ Cracks become impractically slow
92. Creating a keystore
keytool -genkeypair -keyalg RSA -keysize 2048 -keystore myapp.keystore
Enter keystore password: ********
Re-enter new password: ********
What is your first and last name?
[Unknown]: Matthew McCullough
What is the name of your organizational unit?
[Unknown]: Consulting
What is the name of your organization?
[Unknown]: Ambient Ideas, LLC
What is the name of your City or Locality?
[Unknown]: Denver
What is the name of your State or Province?
[Unknown]: Colorado
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Matthew McCullough, OU=Consulting, O="Ambient Ideas, LLC", L=Denver, ST=Colorado, C=US correct?
[no]: yes
Enter key password for <mykey>
(RETURN if same as keystore password):
97. Server sends X509 certificate (public key)
Client "hello"
CA
Client validates certificate or allows override approval
Client generates random symmetric key
Signs it with server public key
Encrypted communication
107. Tomcat and SSL
★ Usually fronted, handled by Apache
★ But if you really want it, offered via Tomcat
★ http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
110. The concept
★ Elliptic Curve Cryptography (ECC)
★ Premise
★ “elliptic curve logarithm”
★ Getting the discrete logarithm of an elliptic curve point is infeasible
★ Difficulty of finding A from B
★ Ease of finding B given A
111. The Goals
★ Reduces storage, footprint
★ Increases speed over standard public key encryption
★ Aiming to beat RSA
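An added example (not from the original slides) that makes the storage goal concrete by generating an EC and an RSA key pair with the standard JCA and printing the encoded public key and signature sizes. The class name is hypothetical, and pairing secp256r1 with RSA-3072 is an assumption based on both being commonly rated near 128-bit strength.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class EccVsRsaFootprint {
    // Assumption: P-256 is compared with RSA-3072 as roughly equal-strength choices.
    static KeyPair ecKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        return gen.generateKeyPair();
    }

    static KeyPair rsaKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(3072);
        return gen.generateKeyPair();
    }

    static byte[] sign(String algorithm, KeyPair pair, byte[] message)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(pair.getPrivate());
        signer.update(message);
        return signer.sign();
    }

    static boolean verify(String algorithm, KeyPair pair, byte[] message, byte[] sig)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(pair.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    // Print the X.509-encoded public key size and the signature size for one algorithm.
    static void report(String label, String algorithm, KeyPair pair, byte[] message)
            throws GeneralSecurityException {
        byte[] sig = sign(algorithm, pair, message);
        System.out.printf("%-8s public key %4d bytes, signature %4d bytes, verifies=%b%n",
                label, pair.getPublic().getEncoded().length, sig.length,
                verify(algorithm, pair, message, sig));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        report("EC P-256", "SHA256withECDSA", ecKeyPair(), message);
        report("RSA-3072", "SHA256withRSA", rsaKeyPair(), message);
    }
}
```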
113. The Risk
★ No mathematical proof yet
★ Patent encumbrances
114. The Endorsement
★ NSA
★ Approved for Top Secret
★ Open Source Implementations
★ BouncyCastle
★ OpenSSL
143. GNU
★ Non JCE implementations
★ Hundreds of algorithms
★ Legacy algorithms
144. In Summary
★ Laws
★ Know the rules for import and export
★ Get the appropriate approvals
★ Hashing
★ Proper bit strength (algorithm)
★ Salt is a modern requirement
★ Encrypting
★ Know the performance of your algorithm
★ Choose a future-proof bit size key
145. ADVANCED JVM ENCRYPTION
Digital security in Practice
Matthew McCullough
Email: matthewm@ambientideas.com
Twitter: @matthewmccull
Blog: http://ambientideas.com/blog