Mifare Series 7-Security

Phillips's Mifare card is widely used in the market due to its high security. For example, we use bus cards, meal cards for schools and corporate canteens, etc. each slice has an independent key (six-byte password). During communication, the key must be verified before data can be read and written. its key technology is to use the triple-encryption DES algorithm for key verification (that is, the keys transmitted between the reader and the card are encrypted by random numbers ), unlike the early emid card and the Atmel t557 card, they were all plain-coded, so they were initially considered the safest card and widely used as e-wallets.

 

Since, someone successfully cracked the M1 card and once caused panic. on June 23, 2008, the Internet announced how to crack the Mifare classic IC chip (M1 chip) password. german researcher henrykplotz) karstennoh1, a PhD in computer science at the University of Virginia, successfully cracked the security algorithm of the Intel semiconductor mirare classic chip; two independent research groups, Virginia University in Germany and Radboud University in the Netherlands, respectively confirmed the prevalence of mi-fare chips, he also published a thesis to crack the chip encryption algorithm <"wirelessly pickpocketing A Mifare classic card" (Wireless theft of M1 card)> and demonstrated the actual chip cracking process. Clarified the vulnerabilities of M1 card in packet generation parity and so-called nested authentication. Using this vulnerability, attackers can use the tool to study the data communication between the tool and the M1 card, and then crack all the keys of the card to clone the card.

The article believes that when M1 generates a parity bit, it will confuse the data link layer with the Protocol that the security communication layer should have processed in layers. After verification, it will encrypt and reuse the encrypted parity bit password. This is not compliant with the security principles and is indeed usable.

1. Mifare Cracking Method

 

1) brute-force cracking

Even for brute-force cracking, you must first obtain the exact plaintext and the corresponding code stream. This requires about 1536 authentication processes, within one second. However, offline brute-force cracking is required, which can be completed in 36 minutes. However, dedicated hardware devices are required.

 

2) Make a variable based on the challenge Value of the card reader

The card reader here actually refers to an attack tool used to simulate the card reader. The same applies to the next attack. This attack can also be called a ciphertext attack. The idea is to use a tool to control the attacked card to generate the same challenge value each time during authentication, while the card reader responds to different values. This attack requires about 28500 authentication processes, taking about 15 minutes, and then calculating the key, taking about one minute.

 

3) The challenge Value of the card is used as a variable.

This attack is similar to attack 2, but the challenge Value of your tool needs to be constant, and the number of challenges of the card is constantly changing. A 384 GB status table needs to be premade. 4096 authentication is required. It takes about 2 minutes.

 

4) nested authentication attacks

This attack assumes that the attacker has learned the key of at least one sector. Based on the vulnerability, the attacker can obtain the 32-bit of other keys and then conduct an exhaustive attack on the other 16-bit keys. Only three certifications are required (Time is negligible ). The offline attack takes about one second. The M1 card nested authentication vulnerability allows an attacker to easily crack any other sector's key after learning the key of a sector, so as to completely crack the card. This was not easy to achieve in previous attacks, because the card reader of an application system may not generate keys for all the sectors of the card in the system. If all sectors are not considered when designing the system.

2. Impact of Mifare cracking on the bus card system

The Key Management System Based on PSAM/isam card is widely used in domestic bus cards. Generally, a value block is used as the wallet. Keya is responsible for consumption, and keyb is responsible for recharging (including consumption ). The scattered keys of Keya are placed in PSAM, and the scattered keys of keyb are placed in isam (if online recharge is adopted, keyb can be obtained online ). PSAM and isam provide an external storage method for keys. The M1 key is obtained through a specific distributed algorithm, and the calculation process occurs in the terminal or background system.

 

Currently, the cracking mechanism directly acts on the M1 card, completely bypassing and ignoring PSAM and other security mechanisms. Similarly, one card and one password increase the difficulty of cracking by using different cards with different keys, but the highly efficient cracking algorithms are also useless. It is important to note that the existing bus card system is highly dependent on the key management system, one card, one password, and other security mechanisms. The data structure adopted is basically unified and open, this means that once the key is cracked, it is almost in the undefended State, even if the data structure is not public, it cannot be expected.

 

Although the bus card system also uses a blacklist and other system audit and monitoring mechanisms, there is a big difference with the blacklist mechanism of the bank card system: The bus card uses an offline blacklist, and the capacity is limited by terminal devices, it is also a lagging processing (generally effective and the processing cycle is not less than t + 1 day); bank cards are blacklisted online, and the capacity is basically unlimited, and it is a real-time processing (immediate effectiveness and processing ).

 

3. Possible Mifare card system attacks

The severity of the Mifare card being cracked is unquestionable. First, the source code of the crypto1 attack has been publicly released (http://code.google.com/p/crapto1/), which is an open source project and can be freely downloaded from the Internet for free. Second, the proxmark (openpcd) card readers can also be publicly ordered from the Internet. In addition, the efficiency of the attack algorithm increases, in fact, the cost of cracking the M1 key by malicious users (including the time cost) it has been reduced to a very low level and has reached the conditions required for large-scale proliferation.

 

The bus card system may face two types of attacks:

1) Clone: a malicious user attempts to crack the key of the existing valid card and read all the data, and then copies the data to multiple blank IC cards.

2) tampering: Malicious users directly tamper with the wallet balance and other key data of a legitimate card after cracking the key of the current card.

Judging from the attack effect, cloning can create multiple fake cards on the basis of a valid card, and tampering can only create fake cards on the basis of the legitimate card itself.

 

Because the existing M1 card uses the world's unique and tamper-resistant uid physical card number, and the key of the Bus card system basically uses the physical card number for decentralized calculation, if you want to implement a clone attack, you must be able to copy the UID, that is, you must be able to produce and manufacture M1 cards. At present, there are several very limited manufacturers that are able to produce compatible M1 cards. Basically, it is impossible to create illegal clones on their own, or to produce orders at the request of malicious users. Although the M1 card can be successfully simulated with hardware and software and can communicate with the card reader normally, there is still a long way to go from productization.

 

There is a point of view that, as long as a single-card-one-Password, real-time online system is used, or the ID number of a non-contact logic Encryption Card, the key can be decrypted. In fact, the decryption of the non-contact logic encryption card means that the M1 card can be copied. Although the online system can avoid illegal recharge, it cannot guarantee illegal consumption, that is, copying an M1 card with the same ID number, you can perform illegal consumption. The current technology can be completely replicated using FPGA. Based on this principle, Mifare's access card is also insecure.

 

In fact, the most important thing is that security is a system-level concept. A security system has a series of security measures to ensure security, for example, a series of measures such as multi-level key dispersion, PSAM card instead of the terminal's own software to calculate the key, such as saving ciphertext in the card rather than plaintext to increase the difficulty of final cracking, and minimize the loss after being cracked. Security is not guaranteed by a single card. In addition, you can note that the final cracking of cards is not a brute-force cracking of software, but a crucial role of hardware means such as slicing, this is actually a higher requirement on Semiconductor manufacturers, and how to make reverse engineering more difficult. So it's not that the CPU card must be more secure than the M1 card. If the chip's own security level is not enough, the card password can be easily obtained through a cut, or even simple hacker means, so is the CPU card actually meaningless, and the public algorithm used by the CPU card will only make it less secure than M1 (algorithm cracking is free ). This is why Semiconductor manufacturers have always stressed that their chips have passed the eal5 + certification, while there is still a considerable gap between domestic chips.