exposing iclass key diversiﬁcation - usenix ?· exposing iclass key diversiﬁcation ... the...
Post on 01-Aug-2018
Embed Size (px)
Exposing iClass Key Diversification
Flavio D. Garcia Gerhard de Koning Gans Roel Verdult
Institute for Computing and Information SciencesRadboud University Nijmegen, The Netherlands.
AbstractiClass is one of the most widely used contactless smartcardson the market. It is used extensively in access control andpayment systems all over the world. This paper studies thebuilt-in key diversification algorithm of iClass. We reverseengineered this key diversification algorithm by inspectingthe update card key messages sent by an iClass reader to thecard. This algorithm uses a combination of single DES anda proprietary key fortification function called hash0. Weshow that the function hash0 is not one-way nor collisionresistant. Moreover, we give the inverse function hash01
that outputs a modest amount (on average 4) of candid-ate pre-images. Finally, we show that recovering an iClassmaster key is not harder than a chosen plaintext attack onsingle DES. Considering that there is only one master keyin all iClass readers, this enables an attacker to clone cardsand gain access to potentially any system using iClass.
1 IntroductionOver the last few years, much attention has been paid tothe (in)security of the cryptographic mechanisms used incontactless smartcards [NESP08, GdKGM+08, GvRVS09,COQ09, GvRVS10].
This paper does not focus on the security of the cardsthemselves but on the security of the cryptographic proto-cols used in the embedding systems. Concretely, we studythe key diversification and the proprietary key fortificationfunctions of the HID iClass contactless smartcards and thesecure key loading mode of the Omnikey readers.
iClass is an ISO/IEC 15693 [ISO09] compatible contact-less smartcard manufactured by HID Global. It was intro-duced on the market back in 2002 as a secure replacementof the HID Prox card which had no cryptography at all. Ac-cording to the manufacturer more than 300 million iClasscards have been sold. These cards are widely used in accesscontrol to secured buildings such as The Bank of AmericaMerrill Lynch, the International Airport of Mexico City andthe City of Los Angeles among many others1. According to
HID [Cum06] iClass is also deployed at the United StatesNavy base of Pearl Harbor. Other applications include se-cure user authentication such as in the naviGO system in-cluded in Dells Latitude and Precision laptops; e-paymentsuch as in the FreedomPay and SmartCentric systems; andbilling of electric vehicle charging such as in the LibertyPlugIns system.
HID Global is also the manufacturer of the popular Om-nikey readers. The Omnikey 5321 reader family is a multi-protocol contactless reader which includes iClass compat-ibility. Starting from firmware version 5.00 these read-ers have the so-called Omnikey Secure Mode which isrequired to update iClass card keys. This Secure Modeprovides encryption of the USB traffic complying withISO/IEC 24727 [ISO08] standard.
1.1 Related Work
Experience has shown that, once obscurity has been cir-cumvented, proprietary algorithms often do not provide asatisfactory level of security. One of the most remark-able examples of that is the infamous case of the MifareClassic [NESP08, GdKGM+08, GvRVS09] used widely inaccess control and transport ticketing systems. Other ex-amples include KeeLoq [IKD+08] and Hitag2 [SNC09],which are widely used in wireless car keys and theA5/1 [Gol97] and DECT [LST+09] ciphers used in cell andcordless phones.
1.2 Our contribution
The contribution of this paper is manyfold. First it describesthe reverse engineering of the built-in key diversification al-gorithm of iClass. This key diversification algorithm con-sists of two parts: a cipher that is used to encrypt the iden-tity of the card; and a key fortification function, calledhash0 in HID documentation, which is intended to add ex-tra protection to the master key. Our approach for reverseengineering is in line with that of [GdKGM+08, LST+09,GvRVS10] and consists of analyzing the update card keymessages sent by an iClass compatible reader while we pro-duce small modifications on the diversified key, just before
fortification. For this it was first necessary to bypass theencryption layer of the Omnikey Secure Mode. We reverseengineered the Omnikey Secure Mode and wrote a librarythat is capable of communicating in Omnikey Secure Modeto any Omnikey reader. To eavesdrop the contactless inter-face we have built a custom firmware for the Proxmark IIIin order to intercept ISO/IEC 15693 [ISO09] frames. Wehave released the library, firmware and an implementationof hash0 under the GNU General Public License and theyare available at the Proxmark website2.
Last but not least, we show that the key fortification func-tion hash0 is actually not one-way nor collision resistantand therefore it adds little protection to the master key.Concretely, we give the inverse function hash01 that oninput a 64 bit bitstring it outputs a modest amount (on aver-age 4) of candidate pre-images. We propose an attack thatrecovers a master key from an iClass reader of comparablecomplexity to that of breaking single DES, thus it can beaccomplished within a few days on a RIVYERA3. This isextremely sensitive since there is only one master key forall iClass readers and from which all diversified card keyscan be computed.
As an alternative, it is possible to emulate a predefinedcard identity and use a DES rainbow table [Hel80] based onthis identity to perform the attack. This allows an adversaryto recover the master key within minutes.
During the course of this research, Meriac and Plotzpresented a powerful procedure to read out the EEPROMof a PIC microcontroller, like the ones used in iClass read-ers, at the 27th meeting of the Chaos Communication Con-gress [MP10, Mer10]. This attack is possible due to a mis-configuration of the memory access control bits of the PICused in early reader models, for more details on this attacksee the OpenPCD website4. Their attack on the hardware isa viable alternative to retrieve the master key.
2 Omnikey Secure ModeThe Omnikey contactless smartcard reader has a range ofkey slots where it stores cryptographic keys. These keysare used to authenticate with an HID iClass card. After avalid authentication the reader gains read and write accessto the memory in the card.
All recent Omnikey 5321 and 6321 contactless smartcardreaders manufactured by HID Global support encryptedcommunication with the host, which is called Secure Mode.Applications compliant with ISO/IEC 24727 [ISO08] mustprovide end-to-end encryption and therefore the USB com-munication between the application and reader needs to beencrypted.
To activate the Secure Mode, the host application usesa 3DES key KCUW to perform mutual authentication
with the reader. According to the Omnikey developersguide [WDS+04] this key is only known by a limited groupof developers under a non-disclosure agreement with HIDGlobal.
The Omnikey Secure Mode must be active in order toperform security sensitive operations like changing the keyof a card. In order to be able to eavesdrop and modify mes-sages between the reader and a card during a key update,the Omnikey Secure Mode must be circumvented.
The two-factor authentication application naviGO fromHID Global provides a login procedure for Windows com-puters using an iClass card and a PIN-code. A trial versionof this software package is freely available online5. Nav-iGO uses the Omnikey reader for the personalization phasewhere it authenticates, updates the key and writes creden-tials to an iClass card. To perform these actions naviGOneeds to know the cryptographic key KCUW in order to usethe Secure Mode. HID Global stores the secret key in anunprotected binary file. After extracting KCUW from the fileiCLASSCardLib.dll we gained full control over thesecured USB channel.
We have released a library called iClassified that makes itpossible to send arbitrary commands to an Omnikey readerusing the Omnikey reader in Secure Mode.
3 iClass and PicoPassThe iClass card is basically a re-branded version of the Pi-coPass contactless smartcard which is manufactured by In-side Secure6. The documentation of the PicoPass [Con04]defines the configuration options, commands and memorystructure of an iClass 2KS card. Before HID Global sellsthe PicoPass as an iClass card, they configure the memory,store their cryptographic keys and blow the fuse that allowsany future changes to the configuration.
Block Content Denoted by
0 Card serial number Identifier id
2 e-Purse Card challenge cC3 Key for application 1 Debit key kdid4 Key for application 2 Credit key kcid5 Application issuer area
6. . . 18 Application 1 HID application aHID19. . . n Application 2 n = 16x1 for xKS
Figure 1: Memory layout of an iClass card
The iClass cards come in two versions 2KS and 16KSwith respectively 256 and 4096 bytes of memory. Thememory is divided into blocks of eight bytes as shown inFigure 1. Memory blocks 0, 1, 2 and 5 are publicly access-ible, they contain the card serial number id, configuration
bits, the card challenge cC and issuer information. Block 3and 4 contain two diversified cryptographic keys which arederived from two different HID master keys. These masterkeys are referred to in the documentation as debit key kdand credit key kc. The card only stores the diversified keyskdid and kcid . The remaining blocks are divided into twoareas so-called applications. The