This document summarizes a talk on practical cryptanalysis for hackers. It discusses attacks the speaker carried out on Taiwan's transit payment cards, including the original 悠遊卡 and the upgraded 二代悠遊卡. The speaker describes how earlier 悠遊卡 cards were broken, the upgrades made for 二代悠遊卡, and presents a new card-only attack that can recover keys from 二代悠遊卡 in 10-20 hours without prior knowledge. The talk recommends moving away from the insecure MIFARE Classic technology and discusses how to educate the public about security weaknesses.

1. Practical cryptanalysis for hackers
Chen-Mou Cheng
ccheng@cc.ee.ntu.edu.tw
Dept. Electrical Engineering
National Taiwan University
December 5, 2015

2. What is cryptography? What is cryptanalysis?

3. What is cryptography? What is cryptanalysis?
Not going to lecture about them today

4. About myself
PhD, Harvard University, 2007

5. About myself
PhD, Harvard University, 2007
目前：國立台灣大學負教授

6. About myself
PhD, Harvard University, 2007
目前：國立台灣大學負教授
Has published >60 papers

7. About myself
PhD, Harvard University, 2007
目前：國立台灣大學負教授
Has published >60 papers
Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems

8. 砍掉重練？

9. 砍掉重練？
A bit late, as no one wants to hire a middle-aged professor
who has never really left school

10. 砍掉重練？
A bit late, as no one wants to hire a middle-aged professor
who has never really left school
“肝已不再新鮮”TM

11. 砍掉重練？
A bit late, as no one wants to hire a middle-aged professor
who has never really left school
“肝已不再新鮮”TM
Must do some work having something to do with practice

12. How we got started
May, 2009: Read “Wirelessly Pickpocketing a Mifare Classic
Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,
R. Verdult, and R. W. Schreur from Nijmegen
Summer, 2009: Repeated the experiments on 悠遊卡
Fall, 2009: Demonstrated several attacks to the authority
Card-only attacks (Nijmegen)
Long-range sniffing (ours)

13. How we got started
May, 2009: Read “Wirelessly Pickpocketing a Mifare Classic
Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,
R. Verdult, and R. W. Schreur from Nijmegen
Summer, 2009: Repeated the experiments on 悠遊卡
Fall, 2009: Demonstrated several attacks to the authority
Card-only attacks (Nijmegen)
Long-range sniffing (ours)

14. The story went on
Fall, 2009: Demonstrated several attacks to the authority

15. The story went on
Fall, 2009: Demonstrated several attacks to the authority
Jan., 2010: Government regulators approved 悠遊卡 as a
means of electronic payment in Taiwan (!)

16. The story went on
Fall, 2009: Demonstrated several attacks to the authority
Jan., 2010: Government regulators approved 悠遊卡 as a
means of electronic payment in Taiwan (!)
(怒) “Just don’t say you heard it from me: MIFARE Classic is
completely broken,” at the 4th Hacks in Taiwan Conference
(HIT 2010), Taipei, Taiwan, Jul. 2010

17. “Reverse-engineering a real-world RFID payment system”
A talk by Harald Welte in 27C3, Dec., 2010
Disclosed “the process of reverse-engineering the actual
content of the [悠遊卡] to discover the public transportation
transaction log, the account balance and how the daily
spending limit work”
As well as “how easy it is to add or subtract monetary value
to/from the card. Cards manipulated as described in the talk
have been accepted by the payment system”

18. “Reverse-engineering a real-world RFID payment system”
A talk by Harald Welte in 27C3, Dec., 2010
Disclosed “the process of reverse-engineering the actual
content of the [悠遊卡] to discover the public transportation
transaction log, the account balance and how the daily
spending limit work”
As well as “how easy it is to add or subtract monetary value
to/from the card. Cards manipulated as described in the talk
have been accepted by the payment system”
“Corporations enabling citizens to print digital money”

19. Shortly after in Taiwan
Jan., 2010: Government regulators approved 悠遊卡 as a
means of electronic payment in Taiwan

20. Shortly after in Taiwan
Jan., 2010: Government regulators approved 悠遊卡 as a
means of electronic payment in Taiwan
Sep., 2011: First 悠遊卡 hacking incident reported in media
Soon the authority disclosed upgrade plans to “二代悠遊卡,”
claiming that it will be “secure”
Aug., 2012: Official release of 二代悠遊卡

21. Recall: Most serious weaknesses of MIFARE Classic
Bad randomness
Parity weaknesses
Weaknesses in nested authentications
Together, they allow very efficient key recovery
1. mfcuk can recover one key in less than an hour
2. mfoc can recover all subsequent keys in a few hours

22. The “secure” 二代悠遊卡
二代悠遊卡, like many other similar cards used around the
world, is essentially a CPU card with MIFARE Classic
emulation
Tag nonce now is unpredictable and seems to have 32-bit
entropy, disabling attacks based on tag nonce manipulation
and nested authentications
Sure, sniffing still works if you have a legitimate reader
So does brute-force if you don’t have such a reader, which may
take years on an ordinary PC
All other existing, efficient card-only attacks no longer work
Seems “secure” enough from a practical point of view

23. Do you believe that?

25. The research question
Is there a practically relevant card-only attack on 二代悠遊卡?

26. Attack techniques
M. Albrecht and C. Cid: “Algebraic techniques in differential
cryptanalysis” (FSE 2009)
S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditional
differential cryptanalysis of NLFSR-based cryptosystems”
(ASIACRYPT 2010)
Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang,
and C.-M. Cheng, “A practical attack on patched MIFARE
Classic” (Inscrypt 2013)

27. Experiment setup
All experiments are performed on an old laptop and a
standard ACR 122 reader
Running Ubuntu with libraries such as libnfc and crapto1
We use the CryptoMiniSat SAT solver
The CNF formulas are generated by our own software

28. Target under attack
Card type Parities checked nT generation
一代悠遊卡 Yes Predictable
一代悠遊卡加強版 Yes Somewhat random
二代悠遊卡 No (always 0x0) Random

29. Experiment results
Attack type Online time Compute time 1.0 1.5 2.0
Sniffing attack 2 sec. < 2 sec.
√ √ √
GPU brute-force 5 sec. 14 hours
√ √ √
CPU brute-force 5 sec. > 1 month
√ √ √
Parities attack > 3 min. < 30 sec.
√
?
Nested authentications 15–75 sec. 25–125 sec.
√ √
Our attack (simulation) 10–20 hours 2–15 min.
√

30. State of the art
Without any prior knowledge, can break 二代悠遊卡 and
obtain a key in 10–20 hours

31. State of the art
Without any prior knowledge, can break 二代悠遊卡 and
obtain a key in 10–20 hours
C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis on
hardened MIFARE Classic cards” (ACM CCS 2015)
First using our or other attacks to obtain a key, can break 二
代悠遊卡 and obtain one key every 10–20 minutes
Together can break 二代悠遊卡 and obtain all the keys in
15–30 hours

32. How can we fix this problem?

33. How can we fix this problem?
Give up MIFARE Classic!
Many cities are doing so
If not, controlling damage by restricting usage

34. How can we hackers help?

35. How can we hackers help?
Making these attacks really really easy for ordinary people to
understand
Breaking information asymmetry and taking back the right to
make the (right) decision

36. Thanks!
Questions or comments?