practical cryptanalysis for hackers
TRANSCRIPT
Practical cryptanalysis for hackers
Chen-Mou [email protected]
Dept. Electrical EngineeringNational Taiwan University
December 5, 2015
What is cryptography? What is cryptanalysis?
I Not going to lecture about them today
What is cryptography? What is cryptanalysis?
I Not going to lecture about them today
About myself
I PhD, Harvard University, 2007
I 目前:國立台灣大學負教授I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papers
I Most are garbage don’t have a high impact factor; hasn’t reallychanged anything in practice, it seems
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
How we got started
I May, 2009: Read “Wirelessly Pickpocketing a Mifare ClassicCard” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,R. Verdult, and R. W. Schreur from Nijmegen
I Summer, 2009: Repeated the experiments on 悠遊卡I Fall, 2009: Demonstrated several attacks to the authority
I Card-only attacks (Nijmegen)I Long-range sniffing (ours)
How we got started
I May, 2009: Read “Wirelessly Pickpocketing a Mifare ClassicCard” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,R. Verdult, and R. W. Schreur from Nijmegen
I Summer, 2009: Repeated the experiments on 悠遊卡I Fall, 2009: Demonstrated several attacks to the authority
I Card-only attacks (Nijmegen)I Long-range sniffing (ours)
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
“Reverse-engineering a real-world RFID payment system”
I A talk by Harald Welte in 27C3, Dec., 2010
I Disclosed “the process of reverse-engineering the actualcontent of the [悠遊卡] to discover the public transportationtransaction log, the account balance and how the dailyspending limit work”
I As well as “how easy it is to add or subtract monetary valueto/from the card. Cards manipulated as described in the talkhave been accepted by the payment system”
I “Corporations enabling citizens to print digital money”
“Reverse-engineering a real-world RFID payment system”
I A talk by Harald Welte in 27C3, Dec., 2010
I Disclosed “the process of reverse-engineering the actualcontent of the [悠遊卡] to discover the public transportationtransaction log, the account balance and how the dailyspending limit work”
I As well as “how easy it is to add or subtract monetary valueto/from the card. Cards manipulated as described in the talkhave been accepted by the payment system”
I “Corporations enabling citizens to print digital money”
Shortly after in Taiwan
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan
I Sep., 2011: First 悠遊卡 hacking incident reported in mediaI Soon the authority disclosed upgrade plans to “二代悠遊卡,”
claiming that it will be “secure”
I Aug., 2012: Official release of 二代悠遊卡
Shortly after in Taiwan
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan
I Sep., 2011: First 悠遊卡 hacking incident reported in mediaI Soon the authority disclosed upgrade plans to “二代悠遊卡,”
claiming that it will be “secure”
I Aug., 2012: Official release of 二代悠遊卡
Recall: Most serious weaknesses of MIFARE Classic
I Bad randomness
I Parity weaknesses
I Weaknesses in nested authentications
Together, they allow very efficient key recovery
1. mfcuk can recover one key in less than an hour
2. mfoc can recover all subsequent keys in a few hours
The “secure” 二代悠遊卡
I 二代悠遊卡, like many other similar cards used around theworld, is essentially a CPU card with MIFARE Classicemulation
I Tag nonce now is unpredictable and seems to have 32-bitentropy, disabling attacks based on tag nonce manipulationand nested authentications
I Sure, sniffing still works if you have a legitimate readerI So does brute-force if you don’t have such a reader, which may
take years on an ordinary PC
I All other existing, efficient card-only attacks no longer workI Seems “secure” enough from a practical point of view
Do you believe that?
The research question
I Is there a practically relevant card-only attack on二代悠遊卡?
Attack techniques
I M. Albrecht and C. Cid: “Algebraic techniques in differentialcryptanalysis” (FSE 2009)
I S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditionaldifferential cryptanalysis of NLFSR-based cryptosystems”(ASIACRYPT 2010)
I Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang,and C.-M. Cheng, “A practical attack on patched MIFAREClassic” (Inscrypt 2013)
Experiment setup
I All experiments are performed on an old laptop and astandard ACR 122 reader
I Running Ubuntu with libraries such as libnfc and crapto1
I We use the CryptoMiniSat SAT solverI The CNF formulas are generated by our own software
Target under attack
Card type Parities checked nT generation
一代悠遊卡 Yes Predictable一代悠遊卡加強版 Yes Somewhat random二代悠遊卡 No (always 0x0) Random
Experiment results
Attack type Online time Compute time 1.0 1.5 2.0
Sniffing attack 2 sec. < 2 sec.√ √ √
GPU brute-force 5 sec. 14 hours√ √ √
CPU brute-force 5 sec. > 1 month√ √ √
Parities attack > 3 min. < 30 sec.√
?Nested authentications 15–75 sec. 25–125 sec.
√ √
Our attack (simulation) 10–20 hours 2–15 min.√
State of the art
I Without any prior knowledge, can break 二代悠遊卡 andobtain a key in 10–20 hours
I C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis onhardened MIFARE Classic cards” (ACM CCS 2015)
I First using our or other attacks to obtain a key, can break 二代悠遊卡 and obtain one key every 10–20 minutes
I Together can break 二代悠遊卡 and obtain all the keys in15–30 hours
State of the art
I Without any prior knowledge, can break 二代悠遊卡 andobtain a key in 10–20 hours
I C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis onhardened MIFARE Classic cards” (ACM CCS 2015)
I First using our or other attacks to obtain a key, can break 二代悠遊卡 and obtain one key every 10–20 minutes
I Together can break 二代悠遊卡 and obtain all the keys in15–30 hours
How can we fix this problem?
I Give up MIFARE Classic!
I Many cities are doing so
I If not, controlling damage by restricting usage
How can we fix this problem?
I Give up MIFARE Classic!
I Many cities are doing so
I If not, controlling damage by restricting usage
How can we hackers help?
I Making these attacks really really easy for ordinary people tounderstand
I Breaking information asymmetry and taking back the right tomake the (right) decision
How can we hackers help?
I Making these attacks really really easy for ordinary people tounderstand
I Breaking information asymmetry and taking back the right tomake the (right) decision
Thanks!
I Questions or comments?