Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen.
-
Upload
tyshawn-elmer -
Category
Documents
-
view
239 -
download
5
Transcript of Mifare Classic Troubles Peter van Rossum Digital Security Radboud University Nijmegen.
Mifare Classic Troubles
Peter van RossumDigital Security
Radboud University Nijmegen
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID Technology
Reader to tag signal• Dropping field• Modified Miller Encoding
Tag to reader signal• Modulating field• Manchester Encoding
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID ApplicationsIdentify friend or foe (1942)
Event ticketing
Car keys
Public transportticketing
Electronicpassport
Supply chainmanagement
RFID Powder Access control
Anti-theft
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic
Many standards for RFID• ISO14443A: Mifare (NXP)
• ISO14443B: CryptoRF (Motorola/Atmel)
• ISO14443C: Felica (Sony)
• ISO14443D: (OTI)
• ISO14443E: (Cubic)
• ISO14443F: Legic (KABA)
• ISO15693: Tag-IT (Texas Instruments)
• Typically describe physical and data-link layers (not cryptographic features)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic
Many chips in the Mifare (ISO14443A) family• Mifare Ultralight
• Mifare Classic
• Mifare DESFire
• Mifare Plus
• Mifare EV1
• Mifare SMART MX
Most popular: Mifare Classic• over 1 billion sold
• over 200 million in use
• 80% of contactless smartcard market
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic Applications
Public transport ticketing systems Access control Wireless payment systems
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
RFID Security
RFID = Radio Frequency Identification More properly authentication Contactless smartcards
• data storage, computational capabilities
• confidentiality
• integrity
Common RFID Attacks
1. Relay attack
2. Replay attack
3. Cryptanalytic attack
4. Side-channel attack
5. Tracing attack
…
Mifare Classic is vulnerable to all of these.
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
1. RFID – Relay Attack
?
?
!
!
Wireless communication No link between authenticating object (tag)
and service receiver (tag holder)
• Attacker A initiates service
• Attacker A relays queries to tag to attacker B
• Attacker B sends queries to victim’s tag
• Attacker B relays answers back to attacker A
• Attacker A answers queries
?
!
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
2. RFID – Replay Attack
Parking at Radboud University• Access control: wireless employee card• No authentication protocol at all
• Card sends uid; back-end checks authorization
Attack• Eavesdrop signal from car (card) to barrier• Replay signal to gain entry• (only works when original car has left; better to eavesdrop signal from a departing car)
Vulnerabilities• No clock
• Weak randomness
Attack
• Attacker intercepts communication tag - reader
• Attack replays later
Countermeasures (standard)
• Challenge-response authentication (needs clock, randomness, or other form of “freshness”)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
3. RFID – Side-channel attacks
Attacker controls tag• Use side-channels (timing, power, …)• Recover secret information from tag
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
4. RFID – Crypto Attacks
Low energy Low computational capacity Cheap to manufacture Fast enough to operate
• Weak cryptography
• Attacker can break encryption scheme
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
5. RFID – Tracing Attack
Used for identification Anti-collision phase sends uid
• Attacker can recognize people based on the RFID tags they are carrying
• Attacker could trace RFID enabled packages
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Common RFID Attacks - Summary
No clock, weak randomness• replay attacks
Low computational capacity• cryptanalytic attacks
Attacker controls tag• side-channel attacks
Wireless• relay attacks
Used for identification• tracing attacks
IEEE Security & Privacy 2009 Peter van Rossum, Radboud University Nijmegen, Wirelessly Pickpocketing a Mifare Classic Card
TimelineJun 06 RU Start of development of Ghost for ISO 14443-A (Mifare) emulation
Nov 07 RU Functional ISO14443-A (Mifare) emulation
Dec 07 CCC, VA Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1
Feb 08 RU Media report: cloning Mifare Ultralight (single-use OV-chipkaart)
Feb 08 TNO Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite
Mar 08 RU Reverse engineered CRYPTO1 & authentication protocol
Mar 08 RU Key recovery using intercepted traffic or communication with reader
Apr 08 RHUL Report on OV-chipkaart: fraud likely, replace cards, design open&modular
Jun 08 NXP Lawsuit against RU to stop publication
Jul 08 Court Publication allowed: potential damage due to flaws in chip, not publication
Oct 08 RU Publication at ESORICS
Nov 08 RU Card-only key recovery of Mifare Classic
Dec 08 RU Attack possible using commercially available (cheap) NFC hardware
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Timeline2004 Fudan Sale of fully functional Mifare Classic clones
2006 Angstrom (Rumour) Mifare Classic reverse engineered and CRYPTO1 broken
Jun 06 RU Start of development of Ghost for ISO 14443-A (Mifare) emulation
Nov 07 RU Functional ISO14443-A (Mifare) emulation
Dec 07 CCC, VA Presentation: reverse engineered encryption of Mifare Classic: CRYPTO1
Feb 08 RU Media report: cloning Mifare Ultralight (single-use OV-chipkaart)
Feb 08 TNO Report on OV-chipkaart: fraud unlikely, advanced equipment needed, 2 year respite
Mar 08 RU Reverse engineered CRYPTO1 & authentication protocol
Mar 08 RU Key recovery using intercepted traffic or communication with reader
Apr 08 RHUL Report on OV-chipkaart: fraud likely, replace cards, design open&modular
Jun 08 NXP Lawsuit against RU to stop publication
Jul 08 Court Publication allowed: potential damage due to flaws in chip, not publication
Oct 08 RU Publication at ESORICS
Nov 08 RU Card-only key recovery of Mifare Classic
Dec 08 RU Attack possible using commercially available (cheap) NFC hardware
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Memory structure
uid, manufacturer datadatadata
key A, access conditions, key B
datadatadata
key A,access conditions, key B
datadatadata
key A, access conditions, key B
0 0123
4567
60616263
1
15
16 bytes
64 blocks 16 sectors
48 bits 48 bits
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1
26c7 0dd3 0dd3 26c7 0dd3
4457c3b3
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
Feedback:
L(x0,x1,…,x47) := x0+x5+x9+x10+x12+x14+x15+x17+x19+x24+x25+x27+x29+x35+x39+x41+x43
LFSR stream:
ai+48 := L(ai,ai+1,…,ai+47) i∀ ∈ℕ
Keystream:
bi := f(ai+9,ai+11,…,ai+47) i∀ ∈ℕ
(Actually a bit more complicated because of the initialization)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: random number generator
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
• 32 bit nonces
• Linear feedback shift register
• 16 bit internal state
• Period 216 – 1 = 65535
Feedback:
L16(x0,x1,…,x15) := x0+x2+x3+x5
Successor:
suc(x0,x1,…,x31) := (x1,x2,…,x30,L16(x16,x17,…,x31))
Distance:
d((x0,x1,…,x31)(y0,y1,…,y31)) := min { n | suc∈ ℕ n(x0,x1,…,x31) = (y0,y1,…,y31) }
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Authentication & initialization
Tag Reader
LFSR stream: Initial state of the LFSR is the key ai := ki i [0,47]∈
Shift nT + uid into the LFSR ai+48 := L(ai,…,ai+47) + nTi + uidi i [0,31]∈
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32 i [32,63]∈
After authentication, LFSR keeps shifting ai+48 := L(ai,…,ai+47) i [64, ∞) ∈
Keystream: bi := f(ai+9,ai+11,…,ai+47) i [32, ∈ ∞)
auth. ok auth. ok
uid
auth(block)
nT
{nR,aR}
{aT}
pick nT
check aR
aT:=suc96(nT)
check aT
pick nR
aR:=suc64(nT)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Mifare Classic: traceStep Sender Ciphertext Plaintext Meaning
01 R 26 request type A
02 T 04 00 answer request
03 R 93 20 select
04 T 2a 69 8d 43 8d uid
05 R 93 70 2a 69 8d 43 8d select(uid)
06 T 08 b6 dd Mifare Classic 1k
07 R 60 04 d1 3d auth(block 4)
08 T 3b ae 03 2d tag nonce (nT)
09 R c4 94 a1 d2 6e 96 86 42 bb 03 1f 2d 7f cf 34 c3 rdr nonce (nR) & resp (aR)
10 T 84 66 05 9e 86 9d bb d5 tag response (aT)
11 R 7d de a6 b3 30 04 cd d1 read(block 4)
12 T e7 ee e3 ab 0f 89 bb ed 44 b1 91 ce ef 8a 4d ce
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cd ea
contents
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Attacking CRYPTO1
1. Unshifting the LFSR• internal state at any time key
2. Inverting the filter function• keystream internal state
• computational complexity: approx. 226 operations (seconds)
3. Acquiring keystream• observing authentication keystream
• communication complexity: 1 to 3 auth. sessions (micro seconds)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: unshifting the LFSR
• Feedback:• L(x0,x1,…,x47) := x0+x5+x9+x10+x12+x14
• +x15+x17+x19+x24+x25+x27+x29+x35+x39
• +x41+x43
• LFSR stream:• Initial state of the LFSR is the key• ai := ki i [0,47]∈• Shift nT + uid into the LFSR• ai+48 := L(ai,…,ai+47) + nTi + uidi i [0,31]∈• Shift nR into the LFSR
• ai+48 := L(ai,…,ai+47) + nRi-32 i [32,63]∈• After authentication, LFSR keeps shifting • ai+48 := L(ai,…,ai+47) i [64, ∞) ∈
• Keystream:• bi := f(ai+9,ai+11,…,ai+47) i∈ℕ
Inverting feedback: R(x1,…,x47,x48) := x5+x9+x10+x12+x14
+x15+x17+x19+x24+x25+x27+x29+x35+x39
+x41+x43+x48
R(x1,…,x47,L(x0,x1,…,x47)) = x0
Inverting LFSR stream: Unshift LFSR until end of authentication ai = R(ai+1,…,ai+48) i [64, ∞)∈ Unshift nR from the LFSR
ai = R(ai+1,…,ai+48) + nRi-32 i [32,63]∈ = R(ai+1,…,ai+48) + {nR}i-32 + bi
= R(ai+1,…,ai+48) + {nR}i-32 + f(ai+9,…,ai+47) Unshift nT + uid from the LFSR ai = R(ai+1,…,ai+48) + nTi + uidi i [0,31]∈ Key is the initial state of the LFSR ki = ai i [0,47]∈
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: inverting the filter function
# # # # # # # # # # # # # # # # # # # #
keystream: 01100111100110110
• Filter function can be easily inverted because the input to the filter function f are only on odd places• Attack options:
• Compute ‘odd’ bits of LFSR using table and deduce ‘even’ bits (linear relation)• Compute ‘odd’ and ‘even’ bits of LFSR using tables separately and combine tables
####################
0000000000000000000000000000000000000001000000000000000000110000000000000000010000000000000000000110…produces ‘odd’ keystream 0
# ################### #
0 0000000000000000000 00 0000000000000000000 10 00000000000000000010 0000000000000000011 10 0000000000000000100 0…produces ‘odd’ keystream 01
## ################## #
00 000000000000000000 100 000000000000000001 100 000000000000000111 000 000000000000000111 100 000000000000001000…produces ‘odd’ keystream 010
219
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: acquiring keystream
Tag Reader
auth. ok auth. ok
uid
auth(block)
nT
{nR,aR}
{aT}
pick nT
check aR
aT:=suc96(nT)
check aT
pick nR
aR:=suc64(nT)
• Intercepted communication:
• nT, {aR}, {aT} visible to attacker
• {aR} + suc64(nT), {aT} + suc96(nT) 64 keystream bits
• invert f, roll back LFSR, recover key
• Access to genuine reader:
• nT under attacker control
• {aR} + suc64(nT) visible to attacker 32 keystream bits • invert f, 216 possible LFSRs• roll back LFSRs, 216 candidate keys (repeat and take intersection)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Weaknesses 48 bit internal state, stream cipher
• enables brute force attack weak 16-bit random number generator
• enables chosen plaintext attack & replay attack simple LFSR structure
• enables unshifting the internal state to recover key weak filter function
• enables inverting the one-way function function• 64 bits keystream unique key• 32 bits keystream 216 candidate keys
authentication protocol leaks keystream consequences (march 2008)
• intercepted communication can (quickly) be decrypted• key (of first sector read) can be recovered from just a reader• (access to just a tag not sufficient)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: (in)security
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Parity trouble
Plaintext
Keystream
Ciphertext
Weaknesses:• Parity computed over plaintext• Parity encrypted• Parity encrypted using same bit of keystream that encrypts next bit of plaintext• During authentication, parity is checked before authenticity
• No response when parity check fails; {NACK} when authenticity fails Note:• Not compliant with ISO14443-3 Type A• To emulate Mifare Classic with NFC chip, use raw Mifare mode and do parity yourself
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Parity trouble
Tag Attacker
auth. failed
uid
auth(block)
nT
{nR,aR}
{NACK}
pick nT
check aR
pick {nR}
pick {aR}
(Encrypted) parity checked continuously• Parity wrong tag resets
Parity in {nR,aR} checked before aR• Parity correct and aR wrong 4 bit {NACK}• Error message is encrypted
Card-only Attack• Send 64 random bits for {nR,aR} (and random parity)• (½)8 = 1/256 probability of guessing parity correctly• Correct guess leaks 12 bits of information• Options:
• Brute force• Adaptive chosen ciphertext attack (vary {nR})• Chosen plaintext attack (vary nT)• [Courtois] Differential attack (vary {nR})
• Attacker only needs access to a card!
Note• Russian/Chinese Mifare clones
• do not check parity• always send {NACK}
• Classic compatibility mode of Mifare Plus• does not check parity• does not send {NACK}
(fixed after we notified NXP of these problems)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Chosen Plaintext Attack
Tag Attacker
auth. failed
uid
auth(block)
nT
{nR},{aR} = 0,0
{NACK}
pick nT
check aR
Precompute• T := { states a32 a33 … a79 | if reader sends {nR} = {aR} = 0 then corresponding 8 encrypted parity bits are 0 and 4 next keystream bits are 0}• |T| ≈ 248/212 = 236 (storage: 384 GB)
Attack• Search (online) for nT such that sending all 0’s for {nR}, {aR} and the parity bits results in {NACK} = NACK (i.e. 4 keystream bits 0).• Search (offline) in T:
• Compute candidate key using nT and uid• Check key (offline)
Improvements• More tables, one for each possibility of {NACK}.• Sort table(s) by correct parity and {NACK} when sending all 1’s for {nR}, {aR}
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Online vs. offline order of magnitude
Offline
Online
bruteforce
adaptivechosen ciphertext
(vary {nR})
chosen plaintext(vary nT)
s
ms s
days
min
min h
• 1536 authentication attempts• 248 offline search space
• 2 or 3 authentications• 220 offline search space
• 4096 authentication attempts• 128 authentication attempts with fixed nT• 224 offline search space in one-time precomputed 384GB table
• 28500 authentication attempts with same nT• 232.8 offline search space
intercepted communication
differential attack[Courtois] (vary {nR})
• 150 authentication attempts with same nT• 220 offline search space
NXP/System Integrators: “lab-conditions required to fix nT”
NXP/System Integrators: “impossible to execute real-time”
NXP/System Integrators: “Difficult to execute in real-life”
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Even faster? One key known already
Tag Reader
LFSR stream: Initial state of the LFSR is the key ai := ki i [0,47]∈
Shift nT + uid into the LFSR ai+48 := L(ai,…,ai+47) + nTi + uidi i [0,31]∈
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32 i [32,63]∈
After authentication, LFSR keeps shifting ai+48 := L(ai,…,ai+47) i [64, ∞) ∈
Keystream: bi := f(ai+9,ai+11,…,ai+47) i [32, ∈ ∞)
auth. ok auth. ok
uid
auth(block)
nT
{nR,aR}
{aT}
pick nT
check aR
aT:=suc96(nT)
check aT
pick nR
aR:=suc64(nT)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Reauthentication & initialization
Tag Reader
LFSR stream: Initial state of the LFSR is the key ai := ki i [0,47]∈
Shift nT + uid into the LFSR ai+48 := L(ai,…,ai+47) + nTi + uidi i [0,31]∈
Shift nR into the LFSR
ai+48 := L(ai,…,ai+47) + nRi-32 i [32,63]∈
After authentication, LFSR keeps shifting ai+48 := L(ai,…,ai+47) i [64, ∞) ∈
Keystream: bi := f(ai+9,ai+11,…,ai+47) i ∈ ℕ
auth. ok auth. ok
{auth(block)}old key
{nT}
{nR,aR}
{aT}
pick nT
check aR
aT:=suc96(nT)
check aT
pick nR
aR:=suc64(nT)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
CRYPTO1: reauthentication & initialization
Tag Attacker
{auth(block)}old key
{nT}pick nT
Weaknesses• nT predictable based on
• only 216 possiblities• parity bits (reduces to 213 possibilities)• timing (reduces to 1 to 5 possibilities)
• weak cipher (as before)
Attack• authenticate for one sector using known key• try to reauthenticate for other sector• guess nonce and compute 32 keystream bits• use weaknesses in cipher to compute (1 to 5 times) approx. 216 candidate keys• repeat two or three times and take intersection
Note• compatibility mode of Mifare Plus
• uses better (32-bit) random number gen (attack fails)
• some Mifare Classics are Mifare Smart MX emulating a Mifare Classic
• uses better (16-bit) random number gen (timing information not available)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Summary of further weaknesses
weak random number generator sync with time
• enables chosen plaintext attack reader nonces determine 32 bits of the internal state
• enables chosen ciphertext attack against card mixing of data link and encryption layers
• one-time pad used twice: information leakage encrypted error message sent when authentication fails
• 4-bit information leakage tag nonce sent encrypted when authenticating twice
• 32-bit information leakage (when one key already known) consequences (november 2008)
• keys can be recovered from just a card
• card can be wirelessly cloned directly
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
Online vs. offline order of magnitude
Offline
Online
bruteforce
adaptivechosen ciphertext
(vary {nR})
chosen plaintext(vary nT)
s
ms s
days
min
min h
• 1536 authentication attempts• 248 offline search space
• 2 to 5 authentication attempts• 220 offline search space
• 4096 authentication attempts• 128 authentication attempts with fixed nT• 224 offline search space in one-time precomputed 384GB table
• 28500 authentication attempts with fixed nT• 232.8 offline search space
intercepted communication/
known oldkey
differential attack[Courtois] (vary {nR})
• 150 authentication attempts with same nT• 220 offline search space
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
What to do? Strategy RU: responsible disclosure
• 02/08: Warning (to NXP, government): additional measures needed; minister of internal affairs made problems public Only claim what we can actually demonstrate
• 10/08: Publication after delay of 7 months; full details
• 10/08 – 03/09: Repeat for card-only attack Strategy NXP: damage control
• 03/08: Customer chooses cheapest chip
• 07/08: Publication irresponsible
• 10/08: Don’t use Classic for new applications
• 03/09: Lab conditions needed (for ‘immediate’ attack) Strategy system integrators (TLS, TFL, …): protect investment
• 03/08: Attack not feasible
• 07/08: Fraud detected in back-end; no fraud detected so far
• 10/08: No criminal business case
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case’’?
Attack scenarios• Loyalty scheme attack (bus)
• micro-waved OV-chipkaart
• OV-chipkaart with wrong keys
• Checking out (bus)• too soon
• too late
• State-modification attacks• Store/restore state (detected in back-end?)
• Increase balance (detected in back-end?)
• Add travel products (detected in back-end?)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case’’?
Attack scenarios (more speculative)• Wirelessly clone cards
• Travel on someone else’s card (detected in back-end?)
• Generate new cards (and sell them)• On ‘white’ cards
• On ‘unactivated’ or empty cards
• Steal reader• Recover key diversification
• by side-channel analysis
• by brute force
• Easy wireless cloning of cards (detected in back-end?)
• Easy generation of new cards (detected in back-end?)
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case”?
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
“No Criminal Business Case?’’
Questions?
Peter van Rossum, Digital Security, Radboud University Nijmegen, Mifare Classic Troubles, 2008/9.
References De Koning Gans, Hoepman, Garcia. A Practical Attack on the Mifare Classic. CARDIS
2008. LNCS 5189. pp 267-282. Nohl, Evans, Starbug, Plotz. Reverse-Engineering a Cryptographic RFID Tag. USENIX
Security 2008. pp 185-193. Courtois, Nohl, O’Neil. Algebraic Attacks on the Crypto-1 Stream Cipher in Mifare
Classic and Oyster Cards. ePrint 2008/166. Garcia, De Koning Gans, Muijrers, Van Rossum, Verdult, Wichers Schreur, Jacobs.
Dismantling Mifare Classic. ESORICS 2008. LNCS 5283. pp 97-114. Teepe. Making the best of Mifare Classic. 2009. Garcia, Van Rossum, Verdult, Wichers Schreur. Wirelessly Pickpocketing a Mifare
Classic Card. IEEE S&P 2009. pp 3-15. Courtois. The Dark Side of Security by Obscurity and Cloning Mifare Rail and Building
Passes Anytime, Anywhere. SECCRYPT 2009.