Nullcon 2011 RFID - not sent to the event
RFID Vulnerabilities, Flaws and Exploits
Mauro Risonho de Paula Assumpção, Backtrack Brazil, [email protected]
NOT SENT TO THE EVENT
What is RFID?
• Radio Frequency Identification
• Identification devices whose interface for communication with the reader is wireless
• Encompasses the physical layer and the communication protocols of identification devices (for people, consumer goods, animals, etc.)
• May be proprietary or standardized
Main types
• Memory cards with access control
– Main applications: ticketing in public transport and physical access control
– Memory is divided into sectors, each sector protected by an encryption key
– Operates at 13.56 MHz with a maximum read/write range of 10cm
– The Mifare card follows the ISO14443 standard series
Main types
• Proximity cards for physical access control
– Besides Mifare, there are several others, also known as proximity cards
– Contactless cards in a proprietary format:
• Indala, HID iClass, HID Prox and others
– Operate in the 125MHz band with short range
Main types
• Cryptographic cards
– There are also contactless cards with a cryptographic coprocessor
– Can have both interfaces (contact and contactless)
– Also support the ISO14443 standard
Where the fun begins ...
A little more on the Mifare
Mifare Classic
• Structure of memory
– 16 sectors
– 4 blocks per sector (one block = 16 bytes)
– Access control per individual sector
• Key A and Key B
• Access conditions
– Each key has 48 bits
– Serial number + manufacturer information are hardcoded in block 0 / sector 0
Mifare Classic
• Structure of memory (figure: blocks per sector)
Mifare Classic
• Serial number
– 4 or 7 static (hardcoded) bytes
– 7 random bytes, where a new serial number is generated each time a new communication channel is established with the reader
Mifare Classic
• Block diagram (figure; components: RF interface, antenna, anti-collision, authentication, ALU, Crypto, EEPROM interface, EEPROM)
Mifare Classic
• Main components
– RF interface
– Anti-collision: allows two or more cards to interact with a single reader (ISO 14443)
– Authentication: controls access to each region of memory
– ALU (Arithmetic Logic Unit): performs the addition / subtraction operations when the card stores values in memory
– Crypto: implementation of the CRYPTO1 algorithm (a stream cipher) used to establish a secure channel between card and reader
Mifare Classic
• 3-step authentication
– The reader specifies the sector to be accessed and uses the A or B key to access it
– The card reads the key sent by the reader and encrypts a random number, which is sent to the reader (the card challenge) <Pass 1>
– The reader decrypts the challenge using the same card key
Mifare Classic
• Authentication in three steps (continued)
– The reader returns the decrypted number to the card along with a new random number encrypted by the reader (the reader challenge) <Pass 2>
– The card checks that the decrypted number matches the one it sent earlier
Mifare Classic
• Authentication in three steps (continued)
– The card decrypts the reader challenge and sends the response back to the reader <Pass 3>
– The reader checks the response returned by the card
– At the end of this process an encrypted communication channel is established between card and reader
Mifare Classic
• Card access
– The set of commands supported by the card is defined by the card owner and programmed into the reader chip
– An application interacts with the card through a specific NXP library, which is linked directly to the reader controller chip
Reading Mifare cards
• Tools
– Contactless reader (HID Omnikey 5321)
– Open-source library for interacting with readers and contactless devices: librfid (www.openmrtd.org/projects/librfid/)
– Sample blank Mifare 1K card
Reading Mifare cards
Protocol Mifare Classic
Size: 1024 bytes
Authenticating sector 0: mifare auth succeeded!
Reading sector 0
Reading block 0: Page 0x0: d4 0f 01 ac 76 88 04 00 47 c1 1e 38 65 00 48 05
Reading block 1: Page 0x1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 2: Page 0x2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 3: Page 0x3: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Authenticating sector 1: mifare auth succeeded!
Reading sector 1
Reading block 4: Page 0x4: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 5: Page 0x5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 6: Page 0x6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Reading block 7: Page 0x7: 00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff
Authenticating sector 2: mifare auth succeeded!
And so on for the other sectors and blocks ...
(Dump annotation: block 0 = serial number; blocks 1-2 = data; block 3 = Key A, access condition bits, Key B)
Reading Mifare cards
• Reading the blank Mifare card was only possible because it was configured with the default keys (A and B)
• A card such as the “Bilhete Único” (used on buses in Brazil) could not be read or changed
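Added example (not part of the slides or of librfid): an offline audit of a dump in the layout shown above. Sectors 0 and 1 are the blocks from the librfid output; sectors 2-15 are assumed to repeat sector 1, and the access-bit encoding and default keys follow the NXP Mifare functional specification listed in the references.

```python
"""Audit a Mifare Classic 1K dump (64 blocks x 16 bytes): check the UID check byte,
decode the sector-trailer access bits (with their inverted-copy integrity test) and
flag sectors whose readable Key B is still a well-known default."""

# Constructed sample: sectors 0 and 1 are the blocks printed by librfid in the slides;
# sectors 2-15 are assumed to repeat sector 1 (blank card, transport configuration).
TRAILER = "00 00 00 00 00 00 ff 07 80 69 ff ff ff ff ff ff"
SECTOR0 = ["d4 0f 01 ac 76 88 04 00 47 c1 1e 38 65 00 48 05", "00 " * 16, "00 " * 16, TRAILER]
BLANK = ["00 " * 16, "00 " * 16, "00 " * 16, TRAILER]
DUMP = [bytes.fromhex(b) for b in SECTOR0 + BLANK * 15]

# Published factory / transport keys: the only values a defender should expect on a blank card.
DEFAULT_KEYS = {bytes.fromhex(k) for k in ("ffffffffffff", "000000000000", "a0a1a2a3a4a5")}

# Trailer conditions (C1, C2, C3) under which Key B is readable and so shows up in a dump.
# Key A is never readable, which is why the dump shows 00s in its place.
KEYB_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def uid_bcc_ok(block0):
    """The 4-byte UID is followed by a check byte equal to the XOR of the UID bytes."""
    uid, bcc = block0[:4], block0[4]
    return (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc


def decode_access_bits(trailer):
    """Return {block: (C1, C2, C3)} for the sector's 4 blocks, or None when the inverted
    copies in trailer bytes 6-8 disagree (such a trailer permanently locks the sector)."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if (b6 >> 4) != c2 ^ 0xF or (b6 & 0xF) != c1 ^ 0xF or (b7 & 0xF) != c3 ^ 0xF:
        return None
    return {i: ((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)}


def audit(dump):
    """Per sector: trailer sanity, and whether a readable Key B is a known default."""
    findings = {"bcc_ok": uid_bcc_ok(dump[0]), "bad_trailers": [], "default_keyb": []}
    for s in range(16):
        trailer = dump[4 * s + 3]
        acl = decode_access_bits(trailer)
        if acl is None:
            findings["bad_trailers"].append(s)
            continue
        if acl[3] in KEYB_READABLE and trailer[10:16] in DEFAULT_KEYS:
            findings["default_keyb"].append(s)
    return findings


if __name__ == "__main__":
    print(audit(DUMP))
```

On the slides' blank card every sector decodes to the transport configuration (data blocks 000, trailer 001) with Key B readable and equal to ff ff ff ff ff ff, which is exactly the condition the next slide gives for the read succeeding.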
Safety aspects
• Mifare card security rests on the proprietary CRYPTO1 algorithm
• The first work was done by Karsten Nohl, "Starbug" and Henryk Plötz at the Chaos Communication Camp 2007 in Berlin
• CRYPTO1 was the focus of this first analysis of the Mifare cards
• The operation of CRYPTO1 was deduced through reverse engineering
Safety aspects
• CRYPTO1 vulnerabilities
– The time dependence of the random number generator allows control over the numbers to be generated
– Only 16 of the 32 bits used in the three-step authentication are in fact random
– Reverse engineering by observing the chip made it possible to deduce how CRYPTO1 works
Safety aspects
• Operation of CRYPTO1
Safety aspects
• Other articles published on the security of Mifare cards
– A Practical Attack on the MIFARE Classic. CARDIS 2008, LNCS 5189, pp. 267–282, 2008.
– Dismantling MIFARE Classic. ESORICS 2008, LNCS 5283, pp. 97–114, 2008.
Safety aspects
• The attacks carried out so far allowed smart cards to be cloned using auxiliary equipment
• It was also possible to manipulate the contactless communication channel in order to observe the data traffic
Safety aspects
DEMO
Safety aspects
• The security problems pointed out are related to the weakness of CRYPTO1
• The attacks shown do not apply to PKI smart cards, such as electronic passports
References
• ISO 14443-1 / 2 / 3
• NXP - Mifare functional specification (2008)
• Mifare Security. Karsten Nohl, "Starbug" and Henryk Plötz
• A Practical Attack on the MIFARE Classic. Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia
• Dismantling MIFARE Classic. Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs