lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 6 Oct 2008 19:20:22 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Fwd: Security Flaw in Mifare Classic

---------- Forwarded message ----------
From: n3td3v <xploitable@...il.com>
Date: Mon, Oct 6, 2008 at 7:08 PM
Subject: Security Flaw in Mifare Classic
To: n3td3v <n3td3v@...glegroups.com>


On March 7, 2008, research by the Digital Security group has revealed
a security vulnerability in Mifare Classic RFID chips, the most
commonly used type of RFID chip worldwide, that affects many
applications using Mifare Classic.

We have demonstrated that the proprietary CRYPTO1 encryption algorithm
used on these cards allows the (48 bit) cryptographic keys to be
relatively easily retrieved. Especially for RFID applications where
the same common shared key is used on all RFID cards and card readers,
which may be the case for instance in access control to buildings,
this constitutes a serious risk.

This attack recovers the secret key from the MIFARE reader. To mount
the attack we first need to gather a tiny amount of data from a
genuine reader. With this data we can compute, off-line, the secret
key within a second. There is no precomputation required, and only a
small amount of RAM. Moreover, when one has an intercepted a "trace"
of the communication between a card and a reader, we can compute all
the cryptographic keys from this single trace, and decrypt it. We have
implemented and executed these attack in practice, and managed to
recover the secret keys.

The movie on the right shows a demonstration of the attack on the
access control system for our university building.

The research was presented at the Esorics 2008 conference. The
manufacturer of the Mifare Classic, NXP, has tried to obtain a court
injunction against publication. But the judge ruled against NXP on
July 18, see the university press release (English and Dutch) and the
court ruling (in Dutch only).

Results

NEW The main paper is the ESORICS paper, which describes the
cryptographic weaknesses of CRYPTO1, and the process of reverse
engineering CRYPTO1 and its initialisation.
NEW The manuscript "Making the Best of Mifare Classic" contains
countermeasures which can help to prevent state restoration attacks
and to detect attempted cloning of cards.

NEW The paper "In sneltreinvaart je privacy kwijt" (in Dutch) gives an
analysis of the privacy protection that the current Dutch OV-chipkaart
offers. This will appear in Privacy & Informatie.

The CARDIS paper contains earlier results on the Mifare Classic, in
particular the first practical attack, which exploits the malleability
of the stream cipher, and the reverse engineered command set of the
Mifare Classic.

The Master's thesis of Gerhard de Koning Gans is the work on which the
CARDIS paper is based. Moreover, the process of programming the
Proxmark3 is described in this thesis.

The Master's thesis of Roel Verdult describes a cloning attack on the
Mifare Ultralight, which is the little sister of the Mifare Classic,
and which has no encryption on board. Moreover, it describes the Ghost
emulator device, which has been essential in the process of reverse
eningeering CRYPTO1.

The report "Proof of concept, cloning the OV-Chip card" describes the
practical execution of a cloning attack of the Mifare Ultralight in a
non-technical manner.

Two German researchers, Karsten Nohl and Henryk Plötz have also been
reverse engineering the CRYPTO1 algorithm. Their presentation at CCC
is available online and contributed to our understanding of CRYPTO1.

Kerckhoffs' principle

All this demonstrates, once again, the dangers of relying on 'security
by obscurity', keeping the design of a system secret and relying on
this to keep the system secure. As all experts in the field agree, a
better approach is the Kerckhoffs' principle: making the design of a
system public so that it can be openly evaluated and scrutinised by
experts, and only relying on the secrecy of the cryptographic keys for
the security. The principle is named after the Dutch cryptographer
Auguste Kerckhoffs, who first published this idea in 1833. Our
Computer Security Master track is named after him.

Dutch public transport cards (the 'OV-chipkaart')

Mifare Classic and Mifare Ultralight chips are used in the RFID cards
for public transport that are being introduced in the Netherlands, the
'Ov-chipkaart'. We have been able to demonstrate that both cards are
subject to manipulation. The London Oyster card is very similar to the
OV-chipkaart, and indeed vulnerable to the same attacks.

We have started a wiki on the use of RFID for mass public transport,
not only to collect information on technical and privacy issues of the
existing Dutch system - without the media hype and the associated
inaccurate claims -, but also to collect ideas about better ways to
design such systems, in an open and transparent fashion.

Press Releases
Our own press release in English and in Dutch.
Erratum: the Hong Kong subway does not use Mifare, as we claimed in
our press release
Statement by the Dutch Minister of internal affairs (in Dutch).
NXP's information for end users of Mifare Classic chips and systems
integrators.

http://www.ru.nl/ds/research/rfid/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ