practical cryptanalysis for hackers
TRANSCRIPT
![Page 1: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/1.jpg)
Practical cryptanalysis for hackers
Chen-Mou [email protected]
Dept. Electrical EngineeringNational Taiwan University
December 5, 2015
![Page 2: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/2.jpg)
What is cryptography? What is cryptanalysis?
I Not going to lecture about them today
![Page 3: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/3.jpg)
What is cryptography? What is cryptanalysis?
I Not going to lecture about them today
![Page 4: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/4.jpg)
About myself
I PhD, Harvard University, 2007
I 目前:國立台灣大學負教授I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
![Page 5: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/5.jpg)
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
![Page 6: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/6.jpg)
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papers
I Most are garbage don’t have a high impact factor; hasn’t reallychanged anything in practice, it seems
![Page 7: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/7.jpg)
About myself
I PhD, Harvard University, 2007I 目前:國立台灣大學負教授
I Has published >60 papersI Most are garbage don’t have a high impact factor; hasn’t really
changed anything in practice, it seems
![Page 8: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/8.jpg)
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
![Page 9: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/9.jpg)
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
![Page 10: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/10.jpg)
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
![Page 11: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/11.jpg)
砍掉重練?
I A bit late, as no one wants to hire a middle-aged professorwho has never really left school
I “肝已不再新鮮”TM
I Must do some work having something to do with practice
![Page 12: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/12.jpg)
How we got started
I May, 2009: Read “Wirelessly Pickpocketing a Mifare ClassicCard” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,R. Verdult, and R. W. Schreur from Nijmegen
I Summer, 2009: Repeated the experiments on 悠遊卡I Fall, 2009: Demonstrated several attacks to the authority
I Card-only attacks (Nijmegen)I Long-range sniffing (ours)
![Page 13: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/13.jpg)
How we got started
I May, 2009: Read “Wirelessly Pickpocketing a Mifare ClassicCard” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum,R. Verdult, and R. W. Schreur from Nijmegen
I Summer, 2009: Repeated the experiments on 悠遊卡I Fall, 2009: Demonstrated several attacks to the authority
I Card-only attacks (Nijmegen)I Long-range sniffing (ours)
![Page 14: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/14.jpg)
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
![Page 15: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/15.jpg)
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
![Page 16: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/16.jpg)
The story went on
I Fall, 2009: Demonstrated several attacks to the authority
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan (!)
I (怒) “Just don’t say you heard it from me: MIFARE Classic iscompletely broken,” at the 4th Hacks in Taiwan Conference(HIT 2010), Taipei, Taiwan, Jul. 2010
![Page 17: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/17.jpg)
“Reverse-engineering a real-world RFID payment system”
I A talk by Harald Welte in 27C3, Dec., 2010
I Disclosed “the process of reverse-engineering the actualcontent of the [悠遊卡] to discover the public transportationtransaction log, the account balance and how the dailyspending limit work”
I As well as “how easy it is to add or subtract monetary valueto/from the card. Cards manipulated as described in the talkhave been accepted by the payment system”
I “Corporations enabling citizens to print digital money”
![Page 18: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/18.jpg)
“Reverse-engineering a real-world RFID payment system”
I A talk by Harald Welte in 27C3, Dec., 2010
I Disclosed “the process of reverse-engineering the actualcontent of the [悠遊卡] to discover the public transportationtransaction log, the account balance and how the dailyspending limit work”
I As well as “how easy it is to add or subtract monetary valueto/from the card. Cards manipulated as described in the talkhave been accepted by the payment system”
I “Corporations enabling citizens to print digital money”
![Page 19: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/19.jpg)
Shortly after in Taiwan
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan
I Sep., 2011: First 悠遊卡 hacking incident reported in mediaI Soon the authority disclosed upgrade plans to “二代悠遊卡,”
claiming that it will be “secure”
I Aug., 2012: Official release of 二代悠遊卡
![Page 20: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/20.jpg)
Shortly after in Taiwan
I Jan., 2010: Government regulators approved 悠遊卡 as ameans of electronic payment in Taiwan
I Sep., 2011: First 悠遊卡 hacking incident reported in mediaI Soon the authority disclosed upgrade plans to “二代悠遊卡,”
claiming that it will be “secure”
I Aug., 2012: Official release of 二代悠遊卡
![Page 21: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/21.jpg)
Recall: Most serious weaknesses of MIFARE Classic
I Bad randomness
I Parity weaknesses
I Weaknesses in nested authentications
Together, they allow very efficient key recovery
1. mfcuk can recover one key in less than an hour
2. mfoc can recover all subsequent keys in a few hours
![Page 22: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/22.jpg)
The “secure” 二代悠遊卡
I 二代悠遊卡, like many other similar cards used around theworld, is essentially a CPU card with MIFARE Classicemulation
I Tag nonce now is unpredictable and seems to have 32-bitentropy, disabling attacks based on tag nonce manipulationand nested authentications
I Sure, sniffing still works if you have a legitimate readerI So does brute-force if you don’t have such a reader, which may
take years on an ordinary PC
I All other existing, efficient card-only attacks no longer workI Seems “secure” enough from a practical point of view
![Page 23: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/23.jpg)
Do you believe that?
![Page 24: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/24.jpg)
![Page 25: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/25.jpg)
The research question
I Is there a practically relevant card-only attack on二代悠遊卡?
![Page 26: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/26.jpg)
Attack techniques
I M. Albrecht and C. Cid: “Algebraic techniques in differentialcryptanalysis” (FSE 2009)
I S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditionaldifferential cryptanalysis of NLFSR-based cryptosystems”(ASIACRYPT 2010)
I Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang,and C.-M. Cheng, “A practical attack on patched MIFAREClassic” (Inscrypt 2013)
![Page 27: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/27.jpg)
Experiment setup
I All experiments are performed on an old laptop and astandard ACR 122 reader
I Running Ubuntu with libraries such as libnfc and crapto1
I We use the CryptoMiniSat SAT solverI The CNF formulas are generated by our own software
![Page 28: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/28.jpg)
Target under attack
Card type Parities checked nT generation
一代悠遊卡 Yes Predictable一代悠遊卡加強版 Yes Somewhat random二代悠遊卡 No (always 0x0) Random
![Page 29: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/29.jpg)
Experiment results
Attack type Online time Compute time 1.0 1.5 2.0
Sniffing attack 2 sec. < 2 sec.√ √ √
GPU brute-force 5 sec. 14 hours√ √ √
CPU brute-force 5 sec. > 1 month√ √ √
Parities attack > 3 min. < 30 sec.√
?Nested authentications 15–75 sec. 25–125 sec.
√ √
Our attack (simulation) 10–20 hours 2–15 min.√
![Page 30: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/30.jpg)
State of the art
I Without any prior knowledge, can break 二代悠遊卡 andobtain a key in 10–20 hours
I C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis onhardened MIFARE Classic cards” (ACM CCS 2015)
I First using our or other attacks to obtain a key, can break 二代悠遊卡 and obtain one key every 10–20 minutes
I Together can break 二代悠遊卡 and obtain all the keys in15–30 hours
![Page 31: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/31.jpg)
State of the art
I Without any prior knowledge, can break 二代悠遊卡 andobtain a key in 10–20 hours
I C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis onhardened MIFARE Classic cards” (ACM CCS 2015)
I First using our or other attacks to obtain a key, can break 二代悠遊卡 and obtain one key every 10–20 minutes
I Together can break 二代悠遊卡 and obtain all the keys in15–30 hours
![Page 32: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/32.jpg)
How can we fix this problem?
I Give up MIFARE Classic!
I Many cities are doing so
I If not, controlling damage by restricting usage
![Page 33: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/33.jpg)
How can we fix this problem?
I Give up MIFARE Classic!
I Many cities are doing so
I If not, controlling damage by restricting usage
![Page 34: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/34.jpg)
How can we hackers help?
I Making these attacks really really easy for ordinary people tounderstand
I Breaking information asymmetry and taking back the right tomake the (right) decision
![Page 35: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/35.jpg)
How can we hackers help?
I Making these attacks really really easy for ordinary people tounderstand
I Breaking information asymmetry and taking back the right tomake the (right) decision
![Page 36: Practical cryptanalysis for hackers](https://reader033.vdocuments.site/reader033/viewer/2022042619/587a71e91a28ab8a2a8b8041/html5/thumbnails/36.jpg)
Thanks!
I Questions or comments?