Talk about Mifare Classic hack

Source: Internet
Author: User

In 2008 the Mifare Classic RFID product developed by the Dutch company NXP was cracked. I won't go into that history here; if you want to know more, Google or Baidu it yourself. What matters now is to say something about how Mifare Classic is hacked.

Mifare Classic comes in capacities from 1 KB to 4 KB. Most cards in domestic use today are the Mifare Classic 1K (S50), hereafter referred to as the M1 card, and my later tests are mostly carried out on the M1 card.

We must first understand the structure of the M1 card, since it is the basis for the cracking that follows.

An M1 card has 16 sectors, numbered 0 to 15. Each sector has 4 blocks, numbered 0 to 3, and each block holds 16 bytes. Why stress that numbering starts from 0? It is the same as array subscripts in C starting from 0: we do not need to care about computing the address offset, just remember that it starts from 0 so that data is not written to the wrong place. The 4th block of each sector (i.e. block 3) holds key A, key B and the control bits, because the M1 card lets each sector have its own pair of passwords, giving more flexible control over operations on the data; the control bits define the detailed permissions of that sector.

Every M1 card has a globally unique UID, stored in the first block (block 0) of the first sector (sector 0), also called the manufacturer block. Its first 4 bytes are the card's UID, the 5th byte is the check byte of the UID, and the remaining bytes are manufacturer data. This block is set to write-protected before the card leaves the factory, so it can only be read and not modified. There are exceptions: a special kind of card called a UID card does not have its UID protected. In fact these are cards that manufacturers produce without following the standard, which requires the UID of an M1 card to be locked at the factory. That clearly lays out the structure of the M1 card.

For more on RFID card structure, you can read the following.

S50 Non-contact IC card Performance Brief (M1)

M1-S70 Card Introduction

High Frequency IC Card guide

Philips official M1 Card documentation

Having read the above documents, I believe you now have some understanding of the M1 card, so now let's talk about the various methods of cracking it; practical cases will follow in later posts.

1. Brute force cracking

Brute force is always a topic in cracking work: as long as you have huge computing resources, you can crack any password. Before the details of the CRYPTO1 algorithm were leaked, brute force was the most effective method. Another important reason is that the M1 card is a passive card that needs the reader to supply its energy; once the reader cuts the power, the card's temporary data is lost, so there is no way to record how many wrong passwords an attacker has tried. The card will never be locked because of too many wrong password attempts, so as long as the attacker has the time to grind away at it, the password will definitely come out.

Some common M1 card keys are listed here:

ffffffffffff
a0a1a2a3a4a5
d3f7d3f7d3f7
000000000000
a0b0c0d0e0f0
a1b1c1d1e1f1
b0b1b2b3b4b5
4d3a99c351dd
1a982c7e459a
aabbccddeeff
b5ff67cba951
714c5c886e97
587ee5f9350f
a0478cc39091
533cb6c723f6
24020000dbfd
000012ed12ed
8fd0a4f256e9
ee9bd361b01b
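As an added example (not code from the original article) covering both the card layout described above and the default-key list just given: it parses a constructed 1K dump, verifies the UID check byte in the manufacturer block, and reports sectors whose trailer still carries one of those default keys. The 1024-byte layout and the presence of keys in the trailers are assumptions about the dump tool's output format.

```python
# Added example, not code from the original article. Assumed dump format: 1024 raw
# bytes, 16 sectors x 4 blocks x 16 bytes, with keys present in each trailer as
# common dump tools write them. Checks the UID check byte of the manufacturer
# block and lists sectors still protected by well-known default keys.

SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16

# A few of the well-known default keys from the list above.
DEFAULT_KEYS = {bytes.fromhex(k) for k in (
    "ffffffffffff", "a0a1a2a3a4a5", "d3f7d3f7d3f7", "000000000000",
    "a0b0c0d0e0f0", "a1b1c1d1e1f1", "b0b1b2b3b4b5", "4d3a99c351dd")}

def block_addr(sector: int, block: int) -> int:
    """Absolute block number; sectors and blocks are both numbered from 0."""
    if not (0 <= sector < SECTORS and 0 <= block < BLOCKS_PER_SECTOR):
        raise ValueError("sector/block out of range")
    return sector * BLOCKS_PER_SECTOR + block

def read_block(dump: bytes, sector: int, block: int) -> bytes:
    off = block_addr(sector, block) * BLOCK_SIZE
    return dump[off:off + BLOCK_SIZE]

def uid_bcc_ok(dump: bytes) -> bool:
    """Manufacturer block: bytes 0-3 are the UID, byte 4 is the XOR of them."""
    b0 = read_block(dump, 0, 0)
    return (b0[0] ^ b0[1] ^ b0[2] ^ b0[3]) == b0[4]

def parse_trailer(dump: bytes, sector: int) -> dict:
    """Sector trailer (block 3): key A | 3 access bytes | user byte | key B."""
    t = read_block(dump, sector, 3)
    return {"key_a": t[0:6], "access": t[6:9], "key_b": t[10:16]}

def weak_sectors(dump: bytes) -> list:
    """Sectors whose key A or key B is one of the well-known defaults."""
    trailers = {s: parse_trailer(dump, s) for s in range(SECTORS)}
    return [s for s, t in trailers.items()
            if t["key_a"] in DEFAULT_KEYS or t["key_b"] in DEFAULT_KEYS]

def make_sample_dump() -> bytes:
    """Constructed dump: UID 04 11 22 33 (check byte 0x04), transport access
    bytes ff 07 80 69, default keys everywhere except custom keys in sectors 1 and 5."""
    blocks = [bytes(BLOCK_SIZE)] * (SECTORS * BLOCKS_PER_SECTOR)
    blocks[0] = bytes.fromhex("04112233" "04" "08" "0400" "0000000000000000")
    for s in range(SECTORS):
        ka = kb = bytes.fromhex("ffffffffffff")
        if s in (1, 5):
            ka, kb = bytes.fromhex("1f2e3d4c5b6a"), bytes.fromhex("6a5b4c3d2e1f")
        blocks[block_addr(s, 3)] = ka + bytes.fromhex("ff078069") + kb
    return b"".join(blocks)
```

Running `weak_sectors(make_sample_dump())` on the constructed dump lists every sector except 1 and 5, which is exactly the check a card issuer would want to run on their own cards before deployment.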

2. Replay attack

The replay attack exploits a flaw in the M1 card's PRNG. When the card is brought near the reader and receives energy, it starts generating a random number sequence. But there is a problem: because the card is passive and has no power of its own, nothing is saved across a power loss, and this is where the defect of the LFSR-based PRNG shows. Each time the card is powered off and powered up again it generates its random number sequence again, so we have the possibility of computing the sequence; as long as we control the timing, we know the random number at a given moment after the card gains energy, and a replay attack can then tamper with normal data. If the card is in our own hands, we don't even have to waste much time to achieve this.

3. Cloning cards

This is a very simple and useful method. Because the M1 card comes with sectors to hold data, most cards choose to encrypt a sector and save their data in it, so we can clone a card with exactly the same data. This uses the special M1 card called the UID card. As said above, every M1 card has a globally unique UID in block 0 of sector 0, and that block is write-protected by the manufacturer at the factory so it cannot be modified; the UID card is a card whose sector 0 is not protected, so you can change the UID to whatever you want, and so we can clone a card with the same UID.

4. Key stream eavesdropping

Using the artifact Proxmark 3 you can sniff an M1 card even when all its sectors are encrypted: by intercepting the data exchanged between the card and an authorized reader you can read the tag data, and with the XOR key tool you can then compute the sector key. This too is caused by the vulnerability in the PRNG.

5. Authentication vulnerability

The authentication vulnerability is currently the most used means of cracking M1 cards. When a reader tries to read a sector, the card first sends a random number to the reader; the reader encrypts that random number with its own algorithm and sends the result back to the card; the card computes the same thing with its own algorithm, and if the results match, the reader is authorized, after which the session is encrypted with the same algorithm and the data is transferred to the reader. Here is where the problem comes in: when we then try to access another sector, the card repeats the steps above, but the data exchange between card and reader is already encrypted by the algorithm, and that algorithm is determined by the sector key, so the key leaks. The authentication vulnerability therefore requires that we know at least one sector key, but most sectors are not encrypted at all, so it is easy to hack.

Of course these are not the only ways to crack the M1 card, but for us they are enough. At present 80% of IC cards are M1 cards, such as access cards, meal cards, smart cards and the like.

Here are two articles from Radboud University on cracking Mifare that you can study; they really are worthwhile. (Note that they are in English.)

The Mifare Hack

Dismantling MIFARE Classic
