The Mifare Classic is the most widely used contactless smartcard on the market.The stream cipher CRYPTO1 used by the Classic has recently been reverse engineered and serious attacks have been proposed. The most serious of them retrieves a secret key in under a second. In order to clone a card, previously proposed attacks require that the adversary either has access to an eavesdropped communication session or executes a message-by-message man-in-the-middle attack between the victim and a legitimate reader. Although this is already disastrous from a cryptographic point of view, system integrators maintain that these attacks cannot be performed undetected.This paper proposes four attacks that can be executed by an adversary having only wireless access to just a card (and not to a legitimate reader). The most serious of them recovers a secret key in less than a second on ordinary hardware. Besides the cryptographic weaknesses, we exploit other weaknesses in the protocol stack. A vulnerability in the computation of parity bits allows an adversary to establish a side channel. Another vulnerability regarding nested authentications provides enough plaintext for a speedy known-plaintext attack.
[1]
Eli Biham,et al.
A Fast New DES Implementation in Software
,
1997,
FSE.
[2]
Nicolas Courtois,et al.
Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards
,
2008,
IACR Cryptol. ePrint Arch..
[3]
Bart Jacobs,et al.
Dismantling MIFARE Classic
,
2008,
ESORICS.
[4]
Christof Paar,et al.
Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker
,
2006,
CHES.
[5]
Flavio D. Garcia,et al.
A Practical Attack on the MIFARE Classic
,
2008,
CARDIS.
[6]
Hugo Krawczyk,et al.
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
,
2001,
CRYPTO.
[7]
David Evans,et al.
Reverse-Engineering a Cryptographic RFID Tag
,
2008,
USENIX Security Symposium.