Dismantling iClass and iClass Elite

With more than 300 million cards sold, HID iClass is one of the most popular contactless smart cards on the market. It is widely used for access control, secure login and payment systems. The card uses 64-bit keys to provide authenticity and integrity. The cipher and key diversification algorithms are proprietary and little information about them is publicly available. In this paper we have reverse engineered all security mechanisms in the card including cipher, authentication protocol and key diversification algorithms, which we publish in full detail. Furthermore, we have found six critical weaknesses that we exploit in two attacks, one against iClass Standard and one against iClass Elite (a.k.a., iClass High Security). In order to recover a secret card key, the first attack requires one authentication attempt with a legitimate reader and 222 queries to a card. This attack has a computational complexity of 240 MAC computations. The whole attack can be executed within a day on ordinary hardware. Remarkably, the second attack which is against iClass Elite is significantly faster. It directly recovers the master key from only 15 authentication attempts with a legitimate reader. The computational complexity of this attack is lower than 225 MAC computations, which means that it can be fully executed within 5 seconds on an ordinary laptop.

[1]  Jan Tretmans,et al.  Model Based Testing with Labelled Transition Systems , 2008, Formal Methods and Testing.

[2]  Andrey Bogdanov,et al.  Linear Slide Attacks on the KeeLoq Block Cipher , 2007, Inscrypt.

[3]  Milosch Meriac Heart of Darkness-exploring the uncharted backwaters of HID iCLASS , 2010 .

[4]  Elaine B. Barker,et al.  A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications , 2000 .

[5]  Jan Jürjens,et al.  Verifying Cryptographic Code in C: Some Experience and the Csec Challenge , 2011, Formal Aspects in Security and Trust.

[6]  Flavio D. Garcia,et al.  Dismantling SecureMemory, CryptoMemory and CryptoRF , 2010, CCS '10.

[7]  Jean-Louis Lanet,et al.  Smart Card Research and Advanced Application, 9th IFIP WG 8.8/11.2 International Conference, CARDIS 2010, Passau, Germany, April 14-16, 2010. Proceedings , 2010, CARDIS.

[8]  Bin Zhang,et al.  Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF , 2011, ACNS.

[9]  Werner Schindler,et al.  Random Number Generators for Cryptographic Applications , 2009, Cryptographic Engineering.

[10]  Gregory V. Bard,et al.  Algebraic and Slide Attacks on KeeLoq , 2008, FSE.

[11]  Nicolas Courtois,et al.  The Dark Side of Security by Obscurity - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime , 2009, SECRYPT.

[12]  Amir Rahmati,et al.  TARDIS: Time and Remanence Decay in SRAM to Implement Secure Protocols on Embedded Devices without Clocks , 2012, USENIX Security Symposium.

[13]  Marius Mikucionis,et al.  Formal Methods and Testing , 2008 .

[14]  Flavio D. Garcia,et al.  Exposing iClass Key Diversification , 2011, WOOT.

[15]  Eli Biham,et al.  A Practical Attack on KeeLoq , 2008, Journal of Cryptology.

[16]  Roger Frost,et al.  International Organization for Standardization (ISO) , 2004 .

[17]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[18]  Bart Jacobs,et al.  Logical Formalisation and Analysis of the Mifare Classic Card in PVS , 2011, ITP.

[19]  Christof Paar,et al.  Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed , 2009, AFRICACRYPT.

[20]  Bart Preneel Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21-25, 2009. Proceedings , 2009, AFRICACRYPT.

[21]  Frederik Vercauteren,et al.  Practical Realisation and Elimination of an ECC-Related Software Bug Attack , 2012, CT-RSA.

[22]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[23]  Flavio D. Garcia,et al.  Wirelessly Pickpocketing a Mifare Classic Card , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[24]  Flavio D. Garcia,et al.  Gone in 360 Seconds: Hijacking with Hitag2 , 2012, USENIX Security Symposium.

[25]  Bart Jacobs,et al.  Dismantling MIFARE Classic , 2008, ESORICS.

[26]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[27]  Oliver Kullmann,et al.  Theory and Applications of Satisfiability Testing - SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, June 30 - July 3, 2009. Proceedings , 2009, SAT.

[28]  Claude Castelluccia,et al.  Extending SAT Solvers to Cryptographic Problems , 2009, SAT.

[29]  Ahmad-Reza Sadeghi,et al.  Privilege Escalation Attacks on Android , 2010, ISC.

[30]  Flavio D. Garcia,et al.  A Practical Attack on the MIFARE Classic , 2008, CARDIS.

[31]  Ingrid Verbauwhede,et al.  Power Analysis of Atmel CryptoMemory - Recovering Keys from Secure EEPROMs , 2012, CT-RSA.

[32]  Karsten Nohl,et al.  Peeling Away Layers of an RFID Security System , 2011, Financial Cryptography.

[33]  Jean-Jacques Quisquater,et al.  Practical Algebraic Attacks on the Hitag2 Stream Cipher , 2009, ISC.

[34]  Martín Abadi,et al.  Code-Carrying Authorization , 2008, ESORICS.

[35]  Flaminia L. Luccio,et al.  Secure Recharge of Disposable RFID Tickets , 2011, Formal Aspects in Security and Trust.

[36]  Dong Hoon Lee,et al.  Cryptanalysis of INCrypt32 in HID's iCLASS Systems , 2013, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[37]  Dan S. Wallach,et al.  Analysis of an electronic voting system , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.