Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards

Despite a series of attacks, MIFARE Classic is still the world's most widely deployed contactless smartcard. The Classic uses a proprietary stream cipher, CRYPTO1, to provide confidentiality and mutual authentication between card and reader. However, once the cipher was reverse engineered, many serious vulnerabilities surfaced. A number of passive and active attacks were proposed that exploit these vulnerabilities. The most severe key recovery attacks only require wireless interaction with a card. System integrators consider such card-only attacks one of the most serious threat vectors to their MIFARE Classic-based systems, since they allow the adversary to avoid camera detection, which is often present at an access control entrance or public transport gate. However, all card-only attacks proposed in the literature depend on implementation mistakes which can easily be mitigated without breaking backwards compatibility with the existing reader infrastructure. Consequently, many manufacturers and system integrators started to deploy "fixed" MIFARE Classic cards which are resilient to such vulnerabilities. However, these countermeasures are merely palliative and inadequate for a cryptographically insecure cipher such as CRYPTO1. In support of this proposition, we present a novel ciphertext card-only attack that exploits a crucial and mandatory step in the authentication protocol and which depends solely on the cryptographic weaknesses of the CRYPTO1 cipher. Hence, in order to avoid this attack, all cards and readers should be upgraded to support an alternative authentication protocol, which inherently breaks their backwards compatibility. Our attack requires only a few minutes of wireless interaction with the card, in an uncontrolled environment, and can be performed with consumer-grade hardware. The information obtained allows an adversary to drop the computational complexity from 2^48 to approximately 2^30, which enabled us to practically recover a secret key from a hardened MIFARE Classic card in about 5 minutes on a single-core consumer laptop.
