practical cryptanalysis for hackers

Post on 15-Jan-2017


Practical cryptanalysis for hackers

Chen-Mou Cheng
ccheng@cc.ee.ntu.edu.tw

Dept. Electrical Engineering
National Taiwan University

December 5, 2015

What is cryptography? What is cryptanalysis?

- Not going to lecture about them today

About myself

- PhD, Harvard University, 2007
- Currently: "negative professor" (a pun on "associate professor") at National Taiwan University
- Has published >60 papers
- Most are garbage don’t have a high impact factor; hasn’t really changed anything in practice, it seems

Scrap it all and start over?

- A bit late, as no one wants to hire a middle-aged professor who has never really left school
- “The liver is no longer fresh”™
- Must do some work having something to do with practice

How we got started

- May, 2009: Read “Wirelessly Pickpocketing a Mifare Classic Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur from Nijmegen
- Summer, 2009: Repeated the experiments on the EasyCard (悠遊卡)
- Fall, 2009: Demonstrated several attacks to the authority
  - Card-only attacks (Nijmegen)
  - Long-range sniffing (ours)

The story went on

- Fall, 2009: Demonstrated several attacks to the authority
- Jan., 2010: Government regulators approved the EasyCard as a means of electronic payment in Taiwan (!)
- (Angry) “Just don’t say you heard it from me: MIFARE Classic is completely broken,” at the 4th Hacks in Taiwan Conference (HIT 2010), Taipei, Taiwan, Jul. 2010

“Reverse-engineering a real-world RFID payment system”

- A talk by Harald Welte at 27C3, Dec., 2010
- Disclosed “the process of reverse-engineering the actual content of the [EasyCard] to discover the public transportation transaction log, the account balance and how the daily spending limit work”
- As well as “how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system”
- “Corporations enabling citizens to print digital money”

Shortly after in Taiwan

- Jan., 2010: Government regulators approved the EasyCard as a means of electronic payment in Taiwan
- Sep., 2011: First EasyCard hacking incident reported in media
- Soon the authority disclosed upgrade plans to the “second-generation EasyCard,” claiming that it will be “secure”
- Aug., 2012: Official release of the second-generation EasyCard

Recall: Most serious weaknesses of MIFARE Classic

- Bad randomness
- Parity weaknesses
- Weaknesses in nested authentications

Together, they allow very efficient key recovery

1. mfcuk can recover one key in less than an hour

2. mfoc can recover all subsequent keys in a few hours

The “secure” second-generation EasyCard

- The second-generation EasyCard, like many other similar cards used around the world, is essentially a CPU card with MIFARE Classic emulation
- Tag nonce now is unpredictable and seems to have 32-bit entropy, disabling attacks based on tag nonce manipulation and nested authentications
- Sure, sniffing still works if you have a legitimate reader
- So does brute-force if you don’t have such a reader, which may take years on an ordinary PC
- All other existing, efficient card-only attacks no longer work
- Seems “secure” enough from a practical point of view

Do you believe that?

The research question

- Is there a practically relevant card-only attack on the second-generation EasyCard?

Attack techniques

- M. Albrecht and C. Cid: “Algebraic techniques in differential cryptanalysis” (FSE 2009)
- S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditional differential cryptanalysis of NLFSR-based cryptosystems” (ASIACRYPT 2010)
- Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang, and C.-M. Cheng, “A practical attack on patched MIFARE Classic” (Inscrypt 2013)

Experiment setup

- All experiments are performed on an old laptop and a standard ACR 122 reader
- Running Ubuntu with libraries such as libnfc and crapto1
- We use the CryptoMiniSat SAT solver
- The CNF formulas are generated by our own software

Target under attack

Card type                             Parities checked    nT generation
First-generation EasyCard             Yes                 Predictable
First-generation EasyCard, enhanced   Yes                 Somewhat random
Second-generation EasyCard            No (always 0x0)     Random
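
Added example, not from the slides: a check an auditor can run over tag nonces (nT) logged from a card to see which row of the "nT generation" column it falls in. It tests the 16-bit LFSR recurrence published in the Nijmegen analyses of MIFARE Classic; the bit ordering, the function names and all sample values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bit i (0..31) of a nonce in transmission order. Assumption: the four nonce
 * bytes are held big-endian in the word and each byte goes out LSB first. */
static int nt_bit(uint32_t nt, int i) {
    return (int)((nt >> (24 - 8 * (i / 8) + i % 8)) & 1u);
}

/* 1 if the nonce obeys x[k+16] = x[k]^x[k+2]^x[k+3]^x[k+5] for k = 0..15,
 * meaning its last 16 bits are fully determined by its first 16. */
int nonce_fits_lfsr16(uint32_t nt) {
    for (int k = 0; k < 16; k++) {
        int fb = nt_bit(nt, k) ^ nt_bit(nt, k + 2) ^ nt_bit(nt, k + 3) ^ nt_bit(nt, k + 5);
        if (fb != nt_bit(nt, k + 16)) return 0;
    }
    return 1;
}

/* Constructed test data: expand a 16-bit seed into a 32-bit LFSR nonce. */
uint32_t make_lfsr_nonce(uint16_t seed) {
    int x[32];
    uint32_t nt = 0;
    for (int k = 0; k < 16; k++) x[k] = (seed >> k) & 1;
    for (int k = 0; k < 16; k++) x[k + 16] = x[k] ^ x[k + 2] ^ x[k + 3] ^ x[k + 5];
    for (int i = 0; i < 32; i++) nt |= (uint32_t)x[i] << (24 - 8 * (i / 8) + i % 8);
    return nt;
}

/* How many observed nonces fit the 16-bit LFSR. A uniformly random 32-bit
 * value fits with probability 2^-16, so "all fit" over even a handful of
 * samples indicates the predictable generator. */
size_t count_lfsr_nonces(const uint32_t *nts, size_t n) {
    size_t fit = 0;
    for (size_t i = 0; i < n; i++) fit += (size_t)nonce_fits_lfsr16(nts[i]);
    return fit;
}

int main(void) {
    /* Constructed samples, not captured from any card. */
    uint32_t weak[3] = { make_lfsr_nonce(0x1234), make_lfsr_nonce(0xBEEF), make_lfsr_nonce(0x0001) };
    uint32_t other[3] = { 0xDEADBEEFu, 0x12345678u, 0xDEADBEEFu ^ 1u };
    printf("LFSR-style samples: %zu/3 fit\n", count_lfsr_nonces(weak, 3));
    printf("other samples:      %zu/3 fit\n", count_lfsr_nonces(other, 3));
    return 0;
}
```

A result of zero fits only shows that the nonces do not come from this particular LFSR; it does not by itself prove 32 bits of entropy.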

Experiment results

Attack type               Online time    Compute time    1.0   1.5   2.0
Sniffing attack           2 sec.         < 2 sec.        √     √     √
GPU brute-force           5 sec.         14 hours        √     √     √
CPU brute-force           5 sec.         > 1 month       √     √     √
Parities attack           > 3 min.       < 30 sec.       √     ?
Nested authentications    15–75 sec.     25–125 sec.     √     √
Our attack (simulation)   10–20 hours    2–15 min.                   √

State of the art

- Without any prior knowledge, can break the second-generation EasyCard and obtain a key in 10–20 hours
- C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis on hardened MIFARE Classic cards” (ACM CCS 2015)
- First using our or other attacks to obtain a key, can break the second-generation EasyCard and obtain one key every 10–20 minutes
- Together can break the second-generation EasyCard and obtain all the keys in 15–30 hours

How can we fix this problem?

- Give up MIFARE Classic!
- Many cities are doing so
- If not, controlling damage by restricting usage

How can we hackers help?

- Making these attacks really really easy for ordinary people to understand
- Breaking information asymmetry and taking back the right to make the (right) decision

Thanks!

- Questions or comments?
