WirelesslyPickpocketingaMifareClassicCardFlavioD.GarciaPetervanRossumR - PDF document

WirelesslyPickpocketingaMifareClassicCardFlavioD.GarciaPetervanRossumRoelVerdultRonnyWichersSchreurRadboudUniversityNijmegen,TheNetherlandsfflaviog,petervr,rverdult,ronnyg@cs.ru.nlAbstractTheMifareClassicisthemostwidelyusedcontactlesssmartcardonthemarket.ThestreamcipherCRYPTO1usedbytheClassichasrecentlybeenreverseengi-neeredandseriousattackshavebeenproposed.Themostseriousofthemretrievesasecretkeyinunderasecond.Inordertocloneacard,previouslyproposedattacksrequirethattheadversaryeitherhasaccesstoaneavesdroppedcommunicationsessionorexe-cutesamessage-by-messageman-in-the-middleattackbetweenthevictimandalegitimatereader.Althoughthisisalreadydisastrousfromacryptographicpointofview,systemintegratorsmaintainthattheseattackscannotbeperformedundetected.Thispaperproposesfourattacksthatcanbeex-ecutedbyanadversaryhavingonlywirelessaccesstojustacard(andnottoalegitimatereader).Themostseriousofthemrecoversasecretkeyinlessthanasecondonordinaryhardware.Besidesthecrypto-graphicweaknesses,weexploitotherweaknessesintheprotocolstack.Avulnerabilityinthecomputationofparitybitsallowsanadversarytoestablishasidechannel.Anothervulnerabilityregardingnestedauthenticationsprovidesenoughplaintextforaspeedyknown-plaintextattack.1.IntroductionWithmorethanonebillioncardssold,theMi-fareClassiccoversmorethan70%ofthecontactlesssmartcardmarket1.SuchcardscontainaslightlymorepowerfulICthanclassicalRFIDchips(developedforidenticationonly),equippingthemwithmodestcomputationalpowerandmakingthemsuitableforap-plicationsbeyondidentication,suchasaccesscontrolandticketingsystems.TheMifareClassiciswidelyusedinpublictransportpaymentsystemssuchastheOystercard2inLondon,1.http://www.nxp.com2.http://oyster.t.gov.uktheCharlieCardinBoston3,theSmartRiderinAus-tralia4,EasyCardinTaiwan5,andtheOV-chipkaart6inTheNetherlands.Itisalsowidelyusedforaccesscon-trolinofceandgovernmentalbuildingsandmilitaryobjects.Accordingto[MFS08]theMifareClassiccomplieswithparts1to3oftheISOstandard14443-A[ISO01],specifyingthephysicalcharacteristics,theradiofre-quencyinterface,andtheanti-collisionprotocol.TheMifareClassicdoesnotimplementpart4ofthestandard,describingthetransmissionprotocol,butin-steadusesitsownsecurecommunicationlayer.Inthislayer,theMifareClassicusestheproprietarystreamcipherCRYPTO1toprovidedatacondentialityandmutualauthenticationbetweencardandreader.Thisci-pherhasrecentlybeenreversedengineered[NESP08],[GKM+08].Inthispaper,weshowseriousvulnerabilitiesoftheMifareClassicthatenableanattackertoretrieveallcryptographickeysofacard,justbywirelesslycom-municatingwithit.Thus,thepotentialimpactismuchlargerthanthatoftheproblemspreviouslyreportedin[GKM+08],[CNO08],[KHG08],[Noh08],wheretheattackereitherneedstohaveaccesstoalegitimatereaderoraneavesdroppedcommunicationsession.Theattacksdescribedinthispaperarefastenoughtoallowanattackertowirelessly`pickpocket'avictim'sMifareClassiccard,i.e.,tocloneitimmediately.Vulnerabilities.Thevulnerabilitieswediscoveredconcernthehandlingofparitybitsandnestedauthen-tications.TheMifareClassicsendsaparitybitforeachbytethatistransmitted.Violatingthestandard,theMifareClassicmixesthedatalinklayerandsecurecommunicationlayer:paritybitsarecomputedovertheplaintextinsteadofoverthe3.http://www.mbta.com/fares and passes/charlie4.http://www.transperth.wa.gov.au5.http://www.easycard.com.tw6.http://www.ov-chipkaart.nlToappearinIEEESymposiumonSecurityandPrivacy(S&P'09). bitsthatareactuallysent,i.e.,theciphertext.Thisis,infact,authenticate-then-encryptwhichisgenericallyinsecure[Kra01].Furthermore,paritybitsareencryptedwiththesamebitofkeystreamthatencryptstherstbitofthenextbyteofplaintext.Duringtheauthenti-cationprotocol,ifthereadersendswrongparitybits,thecardstopscommunicating.However,ifthereadersendscorrectparitybits,butwrongauthenticationdata,thecardrespondswithan(encrypted)errorcode.Thisbreaksthecon-dentialityofthecipher,enablinganattackertoestablishasidechannel.ThememoryoftheMifareClassicisdividedintosectors,eachofthemhavingitsown48-bitsecretkey.Toperformanoperationonaspecicsector,thereadermustrstauthenticateusingthecorrespondingkey.Whenanattackerhasalreadyauthenticatedforonesector(knowingthekeyforthatsector)andsubsequentlyattemptstoauthenticateforanothersector(withoutknowingthekeyforthissector),thatattemptleaks32bitsofinformationaboutthesecretkeyofthatsector.Attacks.WedescribefourattacksexploitingthesevulnerabilitiestorecoverthecryptographickeysfromaMifareClassiccardhavingonlycontactlesscom-municationwithit(andnotwithalegitimatereader).Theseattacksmakedifferenttrade-offsbetweenonlinecommunicationtime(thetimeanattackerneedstocommunicatewithacard),ofinecomputationtime(thetimeittakestocomputethecryptographickeyusingthedatagatheredfromthecard),precomputationtime(one-timegenerationtimeofstatictables),diskspaceusage(ofthestatictables)andspecialassump-tions(whethertheattackerhasalreadyonesectorkeyornot).Therstattackexploitstheweaknessoftheparitybitstomountanofinebrute-forceattackonthe48-bitkeyspace.Theattackeronlyneedstotrytoauthenticateapproximately1500times(whichtakesunderasecond).Thesecondattackalsoexploitstheweaknessoftheparitybitsbutthistimetheattackermountsanadaptivechosenciphertextattack.Theat-tackerneedsapproximately28500authenticationattempts.Inthisattack,sheneedstomakesurethatthechallengenonceofthecardisconstant,whichiswhythistakesapproximatelyfteenminutes.Duringtheseauthenticationattempts,theattackeradaptivelychoosesherchallengetothecard,ultimatelyobtainingachallengethatguaranteesthatthereareonly436possibilitiesfortheodd-numberedbitsoftheinternalstateofthecipher.Thisreducestheofinesearchspacetoapproximately33bits.Onastandarddesktopcomputerthissearchtakesaboutoneminute.Inthethirdattacktheattackerkeepsherownchallengeconstant,butvariesthechallengeofthetag,againultimatelyobtainingaspecialinternalstateofthecipher.Thesespecialstateshavetobeprecomputedandstoredina384GBtable.Thisattackrequiresonaverage212=4096authenti-cationattempts,whichcouldinprinciplebedoneinabouttwominutes.Afewextraauthenticationattemptsallowefcientlookupinthetable.Thefourthattackassumesthattheattackerhasalreadyrecoveredatleastonesectorkey.Whentheattackerrstauthenticatesforthissectorandthenforanothersector,theauthenticationprotocolisslightlydifferent,viz.,thechallengenonceofthetagisnotsentintheclear,butencryptedwiththekeyofthenewsector.Becausetherandomnumbergeneratorhasonlya16-bitstate,becauseparitybitsleakthreebitsofinformation,andbe-causethetag'srandomnumbergeneratorrunsinsyncwiththecommunicationtiming,thisallowsanattackertoguesstheplaintexttagnonceandhence32bitsofkeystream.Duetoweaknessesinthecipher[GKM+08],wecanusethese32bitsofkeystreamtocomputeapproximately216candidatekeys.Thesecanthenbecheckedofineusinganotherauthenticationattempt.Sincethisattackonlyrequiresthreeauthenticationattempts,theonlinetimeisnegligible.Theofinesearchtakesunderasecondonordinaryhardware.Relatedwork.DeKoningGansetal.[KHG08]haveproposedanattackonaMifareClassictagthatexploitsthemalleabilityoftheCRYPTO1streamciphertoreadpartialinformationfromatag,withoutevenknowingtheencryptionalgorithm.ByslicingaMifareClassicchipandtakingpictureswithamicroscope,thecipherwasreverseengineeredbyNohletal.[NESP08].Courtoisetal.claimin[CNO08]thattheCRYPTO1cipherissusceptibletoalgebraicattacksandNohlshowsastatisticalweaknessofthecipherin[Noh08].AfulldescriptionofthecipherwasgivenbyGarciaetal.in[GKM+08],togetherwithareverseengineeredauthenticationprotocol.Theyalsodescribeanattackwithwhichanattackercanrecoverasectorkeybycommunicatingwithagenuinereaderorbyeavesdrop-pingasuccessfulauthentication.Allattacksdescribedinthesepapershaveincom-monthattheyneedaccesstoalegitimatereaderorinterceptedcommunication.Incontrast,theattacks2 describedinourpaperonlyneedaccesstoacard.Impact.Theimplicationsoftheattacksdescribedinthispaperarevast.ManyticketingandpaymentsystemsusingtheMifareClassicsequentiallyauthenticateforseveralsectorsverifyingthedatainthecard.Incaseofinvaliddata,theprotocolaborts.Withpreviousattacks,thismeansthatanattackerhastoeithereavesdropafulltraceorwalkfromthereadertothecardholderseveraltimes,executingamessage-by-messageman-in-the-middleattack.Inpractice,bothoptionsarehardtoaccomplishundetected.Furthermore,thereisnoguaranteethatthisallowsanattackertorecoverallusefuldatainthecard,sincesomesectorsmightnotbereadinthisparticularinstance.Ourattacksalwaysenableanattackertoretrievealldatafromthecard.Ourfourthattack,wheretheattackeralreadyknowsasinglekey,isextremelyfast(lessthanonesecondperkeyonordinaryhardware).Therstkeycanbere-trievedusingoneofourrstthreeattacks,butinmanysituationsthisisnotevennecessary.Mostdeployedsystemsleavedefaultkeysforunusedsectorsordonotdiversifykeysatall.Nearlyalldeployedsystemsthatdodiversifyhaveatleastonesectorkeythatisnotdiversied,namelyforstoringthediversicationinformation.ThisisevenspeciedinNXP'sguidelineforsystemintegrators[MAD07].ThismeansthatitispossibleforanadversarytorecoverallkeysnecessarytoreadandwritethesixteensectorsofaMifareClassic1ktaginlessthansixteenseconds.Overview.Westartbygatheringtherelevantinforma-tionthatisalreadyknownabouttheMifareClassicinSection2:itslogicalstructure,theencryptionalgo-rithm,theauthenticationprotocolandtheinitializationofthestreamcipher,howtoundotheinitializationofthestreamcipher,andinformationabouthowthetaggeneratesitsrandomnumbers.InSection3,wecontinuewithaprecisedescriptionofthediscoveredweaknessesinthehandlingoftheparitybitsandnestedauthentications.InSection4,weshowhowtheseweaknessescanbeexploitedtorecoverasectorkeybycommunicationwithjustacard.Section5givessomeconcludingremarks.2.Background2.1.CommunicationThephysicallayeranddatalinklayeroftheMifarefamilyofcardsaredescribedintheISOstandard Figure2.1.MemorylayoutoftheMifareClassic14443-A.WehaveusedtheProxmarkIII7forcommu-nication;thisdeviceimplements,amongothers,thesetwolayersofthisstandardandcanemulatebothacardandareader.Usinginformationfrom[KHG08]aboutthecommandcodesoftheMifareClassicandfrom[GKM+08],[NESP08]aboutthecryptographicaspectsoftheMifareClassic,weimplementedthefunctionalityofaMifareClassicreaderontheProxmark.Notethatwecanobserveatag'scommunicationatthedatalinklevel,implyingthatwecanobservetheparitybitsaswell.Furthermore,wehavethefreedomtosendarbitraryparitybits,whichisnotpossibleusingstockcommercialMifareClassicreaders.However,manynewerNFCreaderscanbeusedtocommunicatewithaMifareClassiccardaswellandarecapableofsendingandreceivingarbitraryparitybits.8Wehavealsoexecutedtheattacksdescribedinthispaperusinganinexpensive(30USD)stockcommercialNFCreader.However,thesereadersaretypicallyconnectedtoahostPCusingUSBanditishardertoobtainaccuratecommunicationtiming.2.2.MemorystructureoftheMifareClassicTheMifareClassictagisessentiallyamemorychipwithsecurewirelesscommunicationcapabilities.Thememoryofthetagisdividedintosectors,eachofwhichisfurtherdividedintoblocksofsixteenbyteseach.Thelastblockofeachsectoristhesectortrailerandstorestwosecretkeysandtheaccessconditionsforthatsector.Toperformanoperationonaspecicblock,thereadermustrstauthenticateforthesectorcontaining7.http://www.proxmark.org/8.http://www.libnfc.org/3 thatblock.Theaccessconditionsdeterminewhichofthetwokeysmustbeused.SeeFigure2.1foranoverviewofthememoryofaMifareClassictag.2.3.CRYPTO1Afterauthentication,thecommunicationbetweentagandreaderisencryptedwiththeCRYPTO1streamcipher.Thiscipherconsistsofa48-bitlinearfeed-backshiftregister(LFSR)withgeneratingpolynomialx48+x43+x39+x38+x36+x34+x33+x31+x29+x24+x23+x21+x19+x13+x9+x7+x6+x5+1andanon-linearlterfunctionf[NESP08].Eachclocktick,twentybitsoftheLFSRareputthroughthelterfunction,generatingonebitofkeystream.ThentheLFSRshiftsonebittotheleft,usingthegeneratingpolynomialtogenerateanewbitontheright.SeeFigure2.2foraschematicrepresentation.WeletF2=f0;1gtheeldoftwoelements(orthesetofBooleans).Thesymboldenotesaddition(XOR).Denition2.1.ThefeedbackfunctionL:F482!F2isdenedbyL(x0x1:::x47):=x0x5x9x10x12x14x15x17x19x24x25x27x29x35x39x41x42x43.Thespecicsofthelterfunctionaretakenfrom[GKM+08].Denition2.2.Thelterfunctionf:F482!F2isdenedbyf(x0x1:::x47):=fc(fa(x9;x11;x13;x15);fb(x17;x19;x21;x23);fb(x25;x27;x29;x31);fa(x33;x35;x37;x39);fb(x41;x43;x45;x47)):Herefa;fb:F42!F2andfc:F52!F2aredenedbyfa(y0;y1;y2;y3):=((y0_y1)(y0^y3))(y2^((y0y1)_y3)),fb(y0;y1;y2;y3):=((y0^y1)_y2)((y0y1)^(y2_y3)),andfc(y0;y1;y2;y3;y4):=(y0_((y1_y4)^(y3y4)))((y0(y1^y3))^((y2y3)_(y1^y4))).Becausef(x0x1:::x47)onlydependsonx9;x11;:::;x47,weshalloverloadnotationandseefasafunctionF202!F2,writingf(x0x1:::x47)asf(x9;x11;:::;x47).Notethatfaandfbherearenegatedwhencomparedto[GKM+08]andfcischangedaccordingly.Theexpressionsforfa,fb,andfcgivenherehavethemin-imalnumberoflogicaloperatorsinf^;_;;:g;inpractice,thisallowsforafastbitslicedimplementationoff[Bih97].Forfuturereference,notethateachofthebuildingblocksoff(andhencefitself)havethepropertythatitgiveszeroforhalfofthepossibleinputs(respectivelyone).Theorem2.3.LetY0;Y1;:::;Y4beindependentuni-formlydistributedvariablesoverF2.ThenP[fa(Y0;Y1;Y2;Y3)=0]=1=2P[fb(Y0;Y1;Y2;Y3)=0]=1=2P[fc(Y0;Y1;Y2;Y3;Y4)=0]=1=2:Proof.Byinspection. 2.4.TagnoncesForuseintheauthenticationprotocol,describedinSection2.5below,MifareClassictagspossessapseudo-randomgenerator.In[NP07]itwasrevealedthatthe32-bittagnoncesaregeneratedbya16-bitLFSRwithgeneratingpolynomialx16+x14+x13+x11+1.EveryclockticktheLFSRshiftstotheleftandthefeedbackbitiscomputedusingL16.Denition2.4.ThefeedbackfunctionL16:F162!F2ofthepseudo-randomgeneratorisdenedbyL16(x0x1:::x15):=x0x2x3x5:Letusdenethefunctionsucthatcomputesthenext32-bitLFSRsequenceofthe16-bitLFSR.Thisfunc-tionisusedlateroninSection2.5intheauthenticationprotocol.Denition2.5.Thesuccessorfunctionsuc:F322!F322isdenedbysuc(x0x1:::x31):=x1x2:::x31L16(x16x17:::x31):Becausetheperiodofthepseudo-randomgeneratorisonly65535andbecauseitshiftsevery9:44s,itcyclesin618ms.Undersimilarphysicalconditions(i.e.,donotmovethetagorthereader),thechallengenoncethatthetaggeneratesonlydependsonthetimebetweenthemo-mentthereaderswitchesontheelectromagneticeldandthemomentitsendstheauthenticationrequest.Inpractice,thismeansthatanattackerwhohasphysicalcontrolofthetag,cangetthetagtosendthesamenonceeverytime.Todoso,theattackerjusthastodroptheeld(forapproximately30s)todischargeallcapacitorsinthetag,switchtheeldbackon,andwaitforaconstantamountoftimebeforeauthenticating.Alternatively,bywaitingexactlytherightamountoftimebeforeauthenticatingagain,theattackercancontrolthechallengenoncethatthetagwillsend.Thisworkswheneverthetagdoesnotleavetheelectromag-neticeldinthemeantime.Onaverage,thistakes618ms=2=309ms.4 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 oo  oo                     fa fb fb fa fb     fc Figure2.2.StructureoftheCRYPTO1streamcipher2.5.AuthenticationprotocolandinitializationTheauthenticationprotocolwasreverseengineeredin[GKM+08].Duringtheanti-collisionphase,thetagsendsitsuidutothereader.Thereaderthenaskstoauthenticateforaspecicsector.ThetagsendsachallengenT.Fromthispointon,communicationisencrypted,i.e.,XOR-edwiththekeystream.ThereaderrespondswithitsownchallengenRandtheansweraR:=suc64(nT)tothechallengeofthetag;thetagnisheswithitsansweraT:=suc96(nT)tothechallengeofthereader.SeeFigure2.3.NotethatlateronwewillsendmessagesaRthatdeviatefromthisprotocol;thiswillbeexplainedinSection4. u! nT! Tag fnRgfaRg Reader faTg! Figure2.3.AuthenticationprotocolDuringtheauthenticationprotocol,theinternalstateofthestreamcipherisinitialized.Itstartsoutasthesectorkeyk,thennTuisshiftedin,thennRisshiftedin.BecausecommunicationisencryptedfromnRonwards,theencryptionofthelaterbitsofnRisinuencedbytheearlierbitsofnR.AuthenticationisachievedbyreachingthesameinternalstateofthecipheraftershiftinginnR.ThefollowingpreciselydenestheinitializationofthecipherandthegenerationoftheLFSR-streama0a1:::andthekeystreamb0b1:::.Denition2.6.Givenakeyk=k0k1:::k472F482,atagnoncenT=nT;0nT;1:::nT;312F322,auidu=u0u1:::u312F322,andareadernoncenR=nR;0nR;1:::nR;312F322,theinternalstateofthecipherattimeiisi:=aiai+1:::ai+472F482.Heretheai2F2aregivenbyai:=ki8i2[0;47]a48+i:=L(ai;:::;a47+i)nT;iui8i2[0;31]a80+i:=L(a32+i;:::;a79+i)nR;i8i2[0;31]a112+i:=L(a64+i;:::;a111+i)8i2N:Furthermore,wedenethekeystreambitbi2F2attimeibybi:=f(aia1+i:::a47+i)8i2N:WedenoteencryptionsbyfganddenefnR;ig;faR;ig2F2byfnR;ig:=nR;ib32+i8i2[0;31]faR;ig:=aR;ib64+i8i2[0;31]:Notethattheai,i,bi,fnR;ig,andfaR;igareformallyfunctionsofk,nT,u,andnR.Insteadofmakingthisexplicitbywriting,e.g.,ai(k;nT;u;nR),wejustwriteaiwherek,nT,u,andnRareclearfromthecontext.2.6.RollbackForourattacksitisimportanttorealizethattorecoverthekey,itissufcienttolearntheinternalstateofthecipheriatanypointiintime.Sinceanattackerknowsu,nT,andfnRg,theLFSRcanthenberolledbacktotimezero.ThisisexplainedinSection6.2of[GKM+08];belowweshowtheirmethodtranslatedintoournotation.Denition2.7.TherollbackfunctionR:F482!F2isdenedbyR(x1x2:::x48):=x5x9x10x12x14x15x17x19x24x25x27x29x35x39x41x42x43x48.IfonerstshiftstheLFSRleftusingLtogenerateanewbitontheright,thenRrecoversthebitthatdroppedoutontheleft,i.e.,R(x1x2:::x47L(x0x1:::x47))=x0:(1)5 Theorem2.8.InthesituationfromDenition2.6,wehavea64+i=R(a65+i:::a112+i)8i2Na32+i=R(a33+i:::a80+i)fnR;igf(0a33+i:::a79+i)8i2[0;31]ai=R(a1+i:::a48+i)nT;iui8i2[0;31]:Proof.Straightforward,usingDenition2.6andEqua-tion(1).Forthesecondequation,notethatfdoesnotdependonitsleftmostinput.Thereforef(0a33+i:::a79+i)=f(a32+i:::a79+i)=b32+iandhencefnR;igf(0a33+i:::a79+i)=nR;i. Consequently,ifanattackersomehowrecoverstheinternalstateoftheLFSRi=aiai+1:::ai+47atsometimei,thenshecanrepeatedlyapplyTheo-rem2.8torecover0=a0a1:::a47,whichisthesectorkey.3.WeaknessesThissectiondescribesweaknessesinthedesignoftheMifareClassic.WersttreatweaknessesinthewaytheMifareClassichandlesparitybitsandthentheonesconcerningnestedauthentications.TheseweaknesseswillbeexploitedinSection4.3.1.ParityweaknessesTheISOstandard14443-A[ISO01]speciesthateverybytesentisfollowedbyaparitybit.TheMifareClassiccomputesparitybitsovertheplaintextinsteadofovertheciphertext.Additionally,thebitofkeystreamusedtoencrypttheparitybitsisreusedtoencryptthenextbitofplaintext.Thisalreadybreaksthecondentialityoftheencryp-tionscheme.InthispaperweshallonlybeconcernedwiththefourparitybitsofnT,nR,andaR.TheISOstandardspeciesoddparity,hencethe“1”inthedenitionbelow.Denition3.1.InthesituationfromDenition2.6,wedenetheparitybitspj2F2bypj:=nT;8jnT;8j+1


nT;8j+71pj+4:=nR;8jnR;8j+1


nR;8j+71pj+8:=aR;8jaR;8j+1


aR;8j+718j2[0;3]andtheencryptionsfpjgofthesebyfpjg:=pjb8+8j8j2[0;11]:Thereisafurtherweaknessconcerningtheparitybits.Duringtheauthenticationprotocol,whenthereadersendsfnRgandfaRg,thetagcheckstheparitybitsbeforetheanswerofthereader.Ifatleastoneoftheeightparitybitsiswrong,thetagdoesnotrespond.Ifalleightparitybitsarecorrect,buttheansweraRiswrong,thetagrespondswiththe4-biterrorcode0x5signifyingfailedauthentication,called`transmissionerror'in[KHG08].IfalleightparitybitsarecorrectandtheansweraRisalsocorrect,thetagresponds,ofcourse,withitsansweraT.Furthermore,incasethereadersendsthecorrectparity,butthewronganswer,the4-biterrorcode0x5issentencrypted.Thishappenseventhoughthereaderhasnotauthenticateditselfandhencecannotbeassumedtobeabletodecrypt.Figure3.1showsanauthenticationtracewheretheattackersendsincorrectauthenticationdatabutcorrectparitybits.Theexclamationmarksrepresentparitybitsthatdeviatefromwhatisspeciedinthestandard.Thenalmessageofthistraceistheencryptederrormessage0x5.3.2.NestedauthenticationsOnceanattackerknowsasinglesectorkeyofaMifareClassic,thereisavulnerabilitythatallowsanadversarytorecovermorekeys.Whenareaderisalreadycommunicating(encrypted)withatag,asubsequentauthenticationcommandforanewsectoralsohastobesentencrypted.Afterthisauthenticationcommand,theinternalstateofthecipherissettothekeyforthenewsectorandtheauthenticationprotocolfromSection2.5startsagain.Thistime,however,thechallengeofthetagisalsosentencrypted.Becausethereareonly216possiblenonces,anattackercansimplytrytoguessanoncetorecover32bitsofkeystream.Alsohere,theinformationthatleaksthroughtheparitybitscanbeusedtospeeduptheattack.Althoughthereare216tagnonces,weshowbelowthattheparitybitssentwiththeencryptedtagnonceleakthreebitsofinformation,sothatthereareonly213tagnoncespossible.Denition3.2.InthesituationfromDenition2.6,wedenefnT;ig2F2byfnT;ig:=nT;ibi8i2[0;31]:Theorem3.3.Foreveryj2f0;1;2gwehavenT;8jnT;8j+1


nT;8j+7nT;8j+8=fpjgfnT;8j+8g16 Reader 26 reqtypeA Tag 0200 answerreq Reader 9320 select Tag c108416ae2 uid,bcc Reader 9370c108416ae2e47c select(uid) Tag 1837cd MifareClassic4k Reader 6000f57b auth(block0) Tag abcd1949 nT Reader 59!d5920f!15b9d5!53! fnRgfaRg Tag a f5g Figure3.1.TraceofafailedauthenticationattemptProof.Wecomputeasfollows.nT;8jnT;8j+1


nT;8j+7nT;8j+8=pj1nT;8j+8(byDfn.3.1)=pjb8+8jnT;8j+8b8+8j1=fpjgfnT;8j+8g1(byDfns.3.1and3.2) SincetheattackercanobservefpjgandfnT;8j+8g,thistheoremgivesanattackerthreebitsofinformationaboutnT.Inpractice,timinginformationbetweentherstandsecondauthenticationattemptleakssomuchadditionalinformationthattheattackercanaccuratelypredictwhatthechallengenoncewillbe.Itturnsoutthatthedistancebetweenthetagnoncesusedinconsecutiveauthenticationattemptsstronglydependsonthetimebetweenthoseattempts.Heredistanceisdenedasfollows.Denition3.4.LetnTandn0Tbetwotagnonces.WedenethedistancebetweennTandn0Tasd(nT;n0T):=mini2Nsuci(nT)=n0T:4.AttacksThissectionshowshowtheweaknessesdescribedintheprevioussectioncanbeexploited.4.1.Brute-forceattackTheattackerplaystheroleofareaderandtriestoauthenticateforasectorofherchoice.Sheanswersthechallengeofthetagwitheightrandombytes(andeightrandomparitybits)forfnRgandfaRg.Withprobability1=256,theparitybitsarecorrectandthetagrespondswiththeencrypted4-biterrorcode.Asuccessleaks12bitsofentropy(outof48).Repeatingtheaboveproceduresufcientlymanytimes(inpracticesixisenough)uniquelydeterminesthekey.Sincethekeylengthisonly48bits,theattackercannowbruteforcethekey:shecanjustcheckwhichofthe248keysproducesallsixtimesthecorrectparitybitsandreceivedresponse.Inpractice,gatheringthosesixauthenticationsessionswithcorrectparitybitsonlytakesonaverage6
256=1536authenticationattemptswhichcanbedoneinlessthanonesecond.Thetimeittakestoperformtheofinebrute-forceattackofcourseisstronglydependentontheresourcestheattackerhasatherdisposal.WegiveanestimatebasedontheperformanceofCOPA-COBANA[KPP+06];thisisacode-crackerbuiltfromoff-the-shelfhardwarecostingapproximately10000USD.BasedonthefactthatCOPACOBANAndsa56-bitDESkeyinonaverage6:4days,pessimisti-callyassumingthatonecantthesamenumberofCRYPTO1checksonanFPGAasDES-decryptions,andrealizingthatthesearchspaceisafactorof256smaller,weestimatethatthistakesonaverage6:4days=256=36min.InSections4.2and4.3thesameideaisexploitedinadifferentway,tradingonlinecommunicationforcomputationtime.4.2.VaryingthereadernonceThissectionshowshowanattackercanmountachosenciphertextattackbyadaptivelyvaryingtheencryptionofnR.Weassumethattheattackercancontrolthepoweruptimingofthetag,therebycausingthetagtoproducethesamenTeverytime.Werstgivetheideaoftheattack.Theattackerrunsauthenticationsessionsuntilsheguessesthecorrectparitybits.TheinternalstateofthestreamcipherjustafterfeedinginnRis64.Shethenrunsanotherauthenticationsession,keepingtherst31bitsoffnRg(andthethreeparitybits)thesame,ippingthelast7 bitoffnRg(andrandomlypickingtherestuntiltheparityisok).Nowthestateofthestreamcipherjustafterfeedinginthereadernonceis641,i.e.,64withthelastbitipped.SincetheparityofthelastbyteofnRchanged(sincetheattackerippedjustthelastbit),andsinceitsparityintherstrunisencryptedwithf(64)andinthesecondrunwithf(641),shecandeducewhetherornotthelastbitofnRinuencestheencryptionofthenextbit,i.e.,whetherornotf(64)=f(641).Approx.9:4%ofthepossible64'shasf(64)=f(64)1andtheycaneasilybegeneratedsinceonlythetwentybitsthatareinputtofarerelevant.Byrepeatingthis,theattackereventually(onaverageafter10:6tries)ndsaninstanceinwhich64isinthose9:4%andthensheonlyhastosearch,ofine,9:4%ofallpossiblestates.Wenowmakethisideapreciseandatthesametimegeneralizeittothelastbitofeachofthefourbytesinthereadernonce.ThefollowingdenitionsaysthatareadernoncehaspropertyFj(forj2f0;1;2;3g)ifippingthelastbitofthe(j+1)thbyteofthereadernoncechangestheencryptionofthenextbit.Denition4.1.Letj2f0;1;2;3gandletnRandn0Rbereadernonceswiththepropertythatn0R;8j+7= nR;8j+7andn0R;i=nR;iforalli8j+7(andnorestrictionsonnR;iandn0R;ifori&#x-5.1;䝥8j+7).WesaythatnRhaspropertyFjifb8j+40=b08j+40.FormallythisisnotjustapropertyofnR,butalsoofk,nT,andu.Nowkanduofcoursedonotvary,soweignorethathere.Furthermore,whendecidingwhetherornotnRhaspropertyFjinProtocol4.2below,theattackeralsokeepsnTconstant.Theattackerdoeschangethereadernonce.Weusea0itorefertothebitsoftheLFSR-streamwherethereadernoncen0Risusedandsimilarlyfor0i;b0i,etc.I.e.,a0idenotesai(k;nT;n0R).Notethat8j+40(resp.08j+40)istheinternalstateofthecipherjustafterfeedingin(j+1)thbyteofnR(resp.n0R)andb8j+40=f(8j+40)(resp.b08j+40=f(08j+40),sothatFjdoesnotdependonnR;iandn0R;ifori&#x-5.1;䝥8j+7.Alsoobservethat08j+40=a8j+40:::a8j+86a08j+87,i.e.,8j+40and08j+40onlydifferinthelastposition.ThecrucialideaisthatanattackercandecidewhetherornotnRhaspropertyFj,onlyknowingfnRg.(Inpractice,theattackerofcoursechoosesfnRg.)Protocol4.2.GivenfnRg,anattackercandecideasfollowswhetherornotnRhaspropertyFj.SherstchoosesfaRgarbitrary.Shethenstarts,consec-utively,severalauthenticationsessionswiththetag.AfterthetagssendsitschallengenT,theattackeranswersfnRg;faRg.Insidethisanswer,theattackeralsohastosendthe(encryptionsof)theparitybits:fp4g;:::;fp11g.Forthese,shetriesall256possibili-ties.Afteronaverage128authenticationsessions,andafteratmost256,withdifferentchoicesforthefpig,theparitybitsarecorrectandtheattackerrecognizesthisbecausethetagrespondswithanerrorcode.Nowtheattackerdenesfn0R;8j+7g:= fnR;8j+7g,i.e.,shechangesthelastbitofthejthbyteoffnRg.Theearlierbitsoffn0RgshechoosesthesameasthoseoffnRg;thelaterbitsoffn0Rgandfa0Rgtheattackerchoosesarbitrarily.Again,theattackerrepeatedlytriestoauthenticatetondthecorrectparitybitsfp0igtosend.Notethatnecessarilyfp0ig=fpigfori2f4;:::;j+3g,sothistakesonaverage27jauthenticationattemptsandatmost28j.NownRhaspropertyFjifandonlyiffpj+4g6=fp0j+4g.Proof.Becausetheattackermodiedthecipher-textofthelastbitofthejthbyteofnR,thelastbitoftheplaintextofthisbytealsochanges:n0R;8j+7=fn0R;8j+7gb08j+39=fn0R;8j+7gb08j+39= fnR;8j+7gb8j+39= nR;8j+7b8j+39b8j+39= nR;8j+7.Hence,theparityofthisbytechanges:p0j+4=n0R;8j


n0R;8j+6n0R;8j+71=nR;8j:::nR;8j+6 nR;8j+71= pj+4.Nowfpj+4gfp0j+4g=pj+4b8j+40p0j+4b08j+40=pj+4b8j+40 pj+4b08j+40=b8j+40b08j+40.Hencefpj+4g=fp0j+4gifandonlyifb8j+40=b08j+40,i.e.,fpj+4g6=fp0j+4gifandonlyifnRhaspropertyFj. ThetheorembelowshowsthattheprobabilitythatnRhasthepropertyFjisapproximately9:4%.Lemma4.3.LetY0;:::;Y4beindependentuniformlydistributedrandomvariablesoverF2.ThenP[fb(Y0;Y1;Y2;Y3)=fb(Y0;Y1;Y2; Y3)]=1 4P[fc(Y0;Y1;Y2;Y3;Y4)=fc(Y0;Y1;Y2;Y3; Y4)]=3 8:Proof.Byinspection. Theorem4.4.LetY0;Y1;:::;Y18;Y19beindependentuniformlydistributedrandomvariablesoverF2.ThenP[f(Y0;:::;Y18;Y19)=f(Y0;:::;Y18; Y19)]=3 32:Proof.WriteZ0:=fa(Y0;:::;Y3),Z1:=fb(Y4;:::;Y7),Z2:=fb(Y8;:::;Y11),Z3:=fa(Y12;:::;Y15),andZ4:=fb(Y16;:::;Y19).Fur-thermore,writeZ04:=fb(Y16;:::;Y18; Y19).NotethatZ0;:::;Z4areindependentand,byTheorem2.3,8 uniformlydistributedoverF2.ThenP[f(Y0;Y1;:::;Y18;Y19)=f(Y0;Y1;:::;Y18; Y19)]=P[fc(Z0;:::;Z4)=fc(Z0;:::;Z3;Z04)]=P[fc(Z0;:::;Z4)=fc(Z0;:::;Z04)jZ4=Z04]
P[Z4=Z04]=P[fc(Z0;:::;Z3;0)=fc(Z0;:::;Z3;1)]
P[fa(Y16;:::;Y18;0)=fa(Y16;:::;Y18;1)]=3 8
1 4(byLemma4.3)=3 32:Alternatively,onecanalsoobtainthisresultbysimplycheckingall220possibilities. WenowdescribehowanattackercanndanfnRgsuchthatnRhasallfourpropertiesFj.RecallthatthesepropertiesalsodependonnTanditispossiblethatforaxednTnonRhasallfourproperties.Inthatcase,asisexplainedintheprotocolbelow,theattackermakesthetaggenerateadifferentnTandstartsthesearchagain.Protocol4.5.AnattackercanndfnRgsuchthatnRhaspropertiesF0;F1;F2;F3inabacktrackingfashion.SherstloopsoverallpossibilitiesfortherstbyteoffnRg(takingtheotherbytesoffnRgarbitrary).UsingProtocol4.2,theattackerdecidesifnRhaspropertyF0(whichonlydependsontherstbyte).Ifithas,shecontinueswiththesecondbyteoffnRg,loopingoverallpossibilitiesforthesecondbyteoffnRgwhilekeepingtherstbytexed,tryingtondfnRgsuchthatnRalsohaspropertyF1.SherepeatsthisforthethirdandfourthbyteoffnRg.IfatsomestagenopossiblebytehaspropertyFj,thesearchbacktrackstothepreviousstage.Itfailsattherststage,theattackerhastotryadifferenttagnonce.Bysimulatingthisprotocol(forarandomkeyandrandomuid,andarandomtagnonceineveryouterloopofthesearch),wecanestimatethenumberofauthenticationattemptsneededtondareadernoncehavingallfourpropertiesFj.Observation4.6.Theexpectednumberofauthentica-tionattemptsneededtondannRwhichhasallfourpropertiesFjisapproximately28500.OncetheattackerhasfoundannRhavingallfourpropertiesFj,thenumberofpossibilitiesfortheinter-nalstateofthecipherafterfeedinginthisparticularnRisseriouslyrestricted.Thefollowingtheoremstateshowmanypossibilitiestherestillare.Theorem4.7.SupposethatnRhaspropertiesF0,F1,F2,andF3.Thenthereareonly436possibilities0x0000414141100x0000414141400x0001414141100x0001414141400x0004414141100x0004414141400x0014414141100x0014414141400x0015414141100x0015414141400x0041414141100x0041414141400x0044414141100x0044414141400x0051414141100x0051414141400x0100414141100x0100414141400x0101414141100x0101414141400x0104414141100x0104414141400x0114414141100x0114414141400x0115414141100x0115414141400x0141414141100x0141414141400x0144414141100x0144414141400x0151414141100x0151414141400x0400104141100x0400104141400x0400114141100x0400114141400x0400404141100x0400404141400x0400414141100x0400414141400x0401104141100x0401104141400x0401114141100x0401114141400x0401404141100x0401404141400x0401414141100x0401414141400x0404414141100x0404414141400x0414104141100x0414104141400x0414114141100x0414114141400x0414404141100x0414404141400x0414414141100x0414414141400x0415104141100x0415104141400x0415114141100x0415114141400x0415404141100x0415404141400x0415414141100x0415414141400x0441414141100x0441414141400x0444104141100x0444104141400x0444114141100x0444114141400x0444404141100x0444404141400x0444414141100x0444414141400x0451414141100x0451414141400x1400414141100x1400414141400x1401414141100x1401414141400x1404414141100x1404414141400x1414414141100x1414414141400x1415414141100x1415414141400x1441414141100x1441414141400x1444414141100x1444414141400x1451414141100x1451414141400x1500414141100x1500414141400x1501414141100x1501414141400x1504414141100x1504414141400x1514414141100x1514414141400x1515414141100x1515414141400x1541414141100x1541414141400x1544414141100x1544414141400x1551414141100x1551414141400x4100104141100x4100104141400x4100114141100x4100114141400x4100404141100x4100404141400x4100414141100x4100414141400x4101104141100x4101104141400x4101114141100x4101114141400x4101404141100x4101404141400x4101414141100x4101414141400x4104414141100x4104414141400x4114104141100x4114104141400x4114114141100x4114114141400x4114404141100x4114404141400x4114414141100x4114414141400x4115104141100x4115104141400x4115114141100x4115114141400x4115404141100x4115404141400x4115414141100x4115414141400x4141414141100x4141414141400x4144104141100x4144104141400x4144114141100x4144114141400x4144404141100x4144404141400x4144414141100x4144414141400x4151414141100x4151414141400x4400414141100x4400414141400x4401414141100x4401414141400x4404414141100x4404414141400x4414414141100x4414414141400x4415414141100x4415414141400x4441414141100x4441414141400x4444414141100x4444414141400x4451414141100x4451414141400x5100104141100x5100104141400x5100114141100x5100114141400x5100404141100x5100404141400x5100414141100x5100414141400x5101104141100x5101104141400x5101114141100x5101114141400x5101404141100x5101404141400x5101414141100x5101414141400x5104414141100x5104414141400x5114104141100x5114104141400x5114114141100x5114114141400x5114404141100x5114404141400x5114414141100x5114414141400x5115104141100x5115104141400x5115114141100x5115114141400x5115404141100x5115404141400x5115414141100x5115414141400x5141414141100x5141414141400x5144104141100x5144104141400x5144114141100x5144114141400x5144404141100x5144404141400x5144414141100x5144414141400x5151414141100x515141414140Table4.1.Oddbitsof64endingin0whennRhasallpropertiesFjfortheodd-numberedbitsof64.Table4.1lists(inhexadecimal,withzerosontheplacesoftheeven-numberedbits)the218ofthosepossibilitiesthathavethelastbita111equalto0;theother218arethesameexceptthattheyhavea111equalto1.Proof.Byexplicitcomputation.Foreachofthe224elementsy0y1:::y23ofF242,onechecksiff(y4;y5;:::;y23)=f(y4;y5;:::; y23),f(y0;y1;:::;y19)=f(y0;y1;:::; y19),andthereexisty8;y7;:::;y12F2suchthatf(y4;y3;:::;y15)=f(y4;f3;:::; y15)andf(y8;y7;:::;y11)=f(y8;f7;:::; y11). Consequently,whentheattackerhasfoundareadernoncenRthathaspropertiesF0,F1,F2,andF3,thereareonly436
224232:87:3
109possibilitiesfortheinternalstate64ofthecipherjustaftershiftinginthereadernonce.UsingTheorem2.8,thesecanbeusedtocompute7:3
109candidatekeys.Theattackercanthencheckthesecandidatekeysbytryingtodecryptthereceived4-biterrormessages.4.3.VaryingthetagnonceInthepreviousapproach,theattackerkeptnTconstantandtriedtondaspecialfnRgsuchthat9 0x0000004d4d1f0x0000012d7b8b0x000001513ca30x0000049e0e780x000004cafec10x000006f945be0x000007089ea50x0000072b67df0x000008e79d8e0x00000a137cd90x00000aed74670x00000b92342b0x00000c6db6a00x00000cbd2daa0x00000cda78170x00000d0cbd270x00000e98af030x00001089393d0x0000129d78db0x000012f4cde60x000015382c190x000016a7a95c0x0000172bebc60x0000173f22990x00001821aa0a0x0000187696660x00001a6d513e0x00001b1c2ff70x00001c2592610x00001c46edf70x00001c5a3fde0x00001c97ee440x00001f19da5e0x00001fef9ec20x000022ce67970x000023a396ce0x000023a92baa0x000026bc6e180x0000278a7954...Table4.2.ExcerptfromtableT0xa04ofinternalcipherstates32atindex0xa04shegainedknowledgeabouttheinternalcipherstate.Nowtheattackerdoestheopposite:shekeepsfnRg(andfaRgandthefpigaswell)constant,butvariesnTinstead.Asbefore,theattackerwaitsforthetagtorespond;whenthishappens,shegainsknowledgeabouttheinternalstateofthecipher.Protocol4.8.Theattackerrepeatedlytriestoauthen-ticatetothetag,everytimewithadifferenttagnoncenTandsendingallzerosasitsresponse(includingtheencryptedparitybits),i.e.,fnRg=0,faRg=0,fp4g=


=fp11g=0.ShewaitsforannTsuchthatthetagactuallyresponds(i.e.,theparitybitsarethecorrectparitybits)andwheretheencryptederrorcodeis0x5(i.e.,b96=b97=b98=b99=0).Notethattwelvebitshavetobe`correct'(theeightparitybitsandthefourkeystreambits),sothiswilltakeonaverage212=4096authenticationattempts.Thefollowingdenesalargetablethatneedstobeprecomputed.Denition4.9.T:=f322F482jfnRg=faRg=0)fp4g=


=fp11g=b96=


=b99=0g:SotheattackerknowsthatafterthetagsendsthechallengenTfoundinProtocol4.8,thecurrentstateofthecipher,32,appearsinT.NowTcanbeprecom-puted;onewouldexpectittocontain248=212=236elements;infact,itcontains0:82%fewerelementsduetoasmallbiasinthecipher.Inprinciple,theattackercouldnowuseTheorem2.8torollbackeachoftheLFSRsinthetabletondcandidatekeysandcheckeachofthesekeysagainstafewotherattemptedauthenticationsessions.Inpractice,searchingthroughTtakesaboutoneday,whichisundesirable.TheattackercanshrinkthesearchspacebysplittingTasfollows.Protocol4.10.AfterndingnTinProtocol4.8,theattackeragainrepeatedlytriestoauthenticatetothetag,everytimewiththetagnoncenTshejustfound.Insteadofzeros,shenowsendsonesfortheresponseandthistimeshetriesallpossibilitiesfortheencryptedparitybitsuntilthetagrespondswithanencryptederrorcode.I.e.,fnRg=0xffffffffandfaRg=0xffffffffandsuccessivelytriesallpossibilitiesforfp4g;:::;fp11guntiloneiscorrect.Thistime,becauseeightbitshavetobe`correct',onaverage128authenticationattemptsareneeded.ThetableTcanbesplitin212=4096partsindexedbytheeightencryptedparitybitsandfourkeystreambitsthatencrypttheerrorcode.Denition4.11.Forevery\r=\r0:::\r112F122wedeneT\r:=f322TjfnRg=faRg=0xffffffff)fp4g=\r0^


^fp11g=\r7^b96=\r8^


^b99=\r11g:SoinsteadofstoringTasonebigtable,duringprecomputationtheattackercreatesthe4096tablesT\r.Taking\r:=fp4g:::fp11gb96:::b99attheendofProtocol4.10,theattackerknowsthat32mustbeanelementofT\r.NowT\rcontainsonlyapproximately224entries,sothiscaneasilybereadfromdisktogenerate224candidatekeysandcheckthemagainstafewotherauthenticationsessions.Table4.2shows,asanexample,therstpartofT\rfor\r=0xa04=101000000100.4.4.NestedauthenticationattackWenowassumethattheattackeralreadyknowsatleastonesectorkey;letuscallthissectortheexploitsector.Thetimebetweentwoconsecutiveauthenticationattemptsmightvaryfromcardtocard,althoughitisquiteconstantforaspeciccard.Therefore,anattackercanrstestimatethistimebyauthenticatingtwotimesfortheexploitsector.Inthiswaytheattackercanestimatethedistancebetweentherstandthesecondtagnonce.AsexplainedinSection3.2,theattackercannowauthenticatefortheexploitsectorandsubsequentlyforanothersector.Intheauthenticationfortheexploitsectorthetagnoncen0Tissentintheclear;duringthesecondauthenticationthetagnoncenTissentencryptedasfnTg.Bycomputingsuci(n0T)foricloseto,theadversaryhasasmallnumberofguessesfornT.TheadversarycanfurthernarrowthepossibilitiesfornTusingthethreebitsofinformationfromtheparitybits(Theorem3.3).InthiswaytheadversarycanaccuratelyguessnTandhencerecovertherst32bitsofkeystream,b0b1:::b31.WeshallshowhowavariantoftheattackofSection6.3of[GKM+08]canbeusedtorecover10 approximately216possiblecandidatekeys.Bydoingthisproceduretwoorthreetimes,theattackercanrecoverthekeyforthesecondsectoraswellbytakingtheintersectionofthetwoorthreesetsofcandidatekeys.Thecrucialingredientintheattackisthefactthattheinputstothelterfunctionareonlyonodd-numberedplacesoftheLFSR.Thismakesitpossibletocomputeseparatelyallpossibilitiesfortheodd-numberedbitsoftheLFSR-streamandtheeven-numberedbitsoftheLFSR-streamthatarecompatiblewiththekeystream.Denition4.12.WedenetheoddtablesTOibyTO0:=fx9x11:::x45x472F202jf(x9x11:::x45x47)=b0gandfori2f1;:::;15gTOi:=fx9x11:::x45+2ix47+2i2F20+i2jx9x11:::x45+2i2TOi1^f(x9+2ix11+2i:::x45+2ix47+2i)=b2ig:Symmetrically,wedenetheeventablesTEibyTE0:=fx10x12:::x46x482F202jf(x10x12:::x46x48)=b1gandfori2f1;:::;15gTEi:=fx10x12:::x46+2ix48+2i2F20+i2jx10x12:::x46+2i2TEi1^f(x10+2ix12+2i:::x46+2ix48+2i)=b2i+1g:WewriteTO:=TO15andTE:=TE15.Becauseofthestructureofthelterfunctionf,TO0andTE0areexactlyofsize219(Theorem2.3).Theothertablesareapproximatelyofthissizeaswell.Anentryx9x11:::x45+2iofTOi1leadstofourdifferentpossibilitiesinTOi:itcanappearinTOiextendedwith0andwith1;itcanappearextendedonlywith0;itcanappearextendedonlywith1;oritcannotappearatall.Overall,thesepossibilitiesareequallylikely,andhenceTOihas,onaverage,thesamesizeasTOi1(andsimilarlyforTE).ThefeedbackfunctionLcanalsobesplitinanevenandanoddpart.Denition4.13.Wedenetheoddpartofthefeedbackfunction,LO:F242!F2,byLO(x1x3:::x47):=x5x9x15x17x19x25x27x29x35x39x41x43andtheevenpartofthefeedbackfunction,LE:F242!F2,byLE(x0x2:::x46):=x0x10x12x14x24x42:NotethatLEandLOcombinetogiveL,inthesensethatL(x0x1x2:::x47)=LE(x0x2:::x46)LO(x1x2:::x47):(2)Asthea9a10:::a77a78arebeingshiftedthroughtheLFSR,theuiduandthetagnoncenTareshiftedinaswell.Inthefollowingdenitionwecomputethe22bitsoffeedbackfromtheLFSRfromtime9totime31,takingcareoftheshiftinginofunT,andalsosplittingthecontributionfromtheodd-andeven-numberedbitsoftheLFSR.Atthispoint,thesituationin[GKM+08]isslightlysimpler.There,theattackertriestondthestateoftheLFSRafterinitialization,sonothingisbeingshiftedin.Denition4.14.Wedenethecontributionoftheen-triesoftheoddtabletothefeedback, O:TO!F222,by O(x9x11:::x77):=(LE(x9+2ix11+2i:::x55+2i)nT;9+2iu9+2i;LO(x11+2ix13+2i:::x57+2i)nT;10+2iu10+2i)i2[0;10]andwedenethecontributionoftheentriesoftheeventabletothefeedback, E:TE!F222,by E(x10x12:::x78):=(LO(x10+2ix12+2i:::x56+2i)x57+2i;LE(x10+2ix12+2i:::x56+2i)x58+2i)i2[0;10]:Denition4.15.WedenethecombinedtableTCasfollows.TC:=fx9x10x11:::x782F702jx9x11:::x772TO^x10x12:::x782TE^ O(x9x11:::x77)= E(x10x12:::x78)g:NotethatTCcaneasilybecomputedbyrstsortingTOby OandTEby E.Thecrucialpointisthefollowingtheorem;itshowsthattheactualLFSR-streamofthetagunderattackisinthetableTC.Theorem4.16.a9a10a11:::a782TC.Proof.BydenitionofTOandTE,a9a11:::a772TOanda10a12:::a782TE.Weonlyhavetocheckthatthesequencea9a10a11:::a78satisesthecon-11 straintdeningTC.Forthis,wehave O(a9a11:::a77) E(a10a12:::a78)=(LE(x9+2ix11+2i:::x55+2i)nT;9+2iu9+2iLO(x10+2ix12+2i:::x56+2i)x57+2i);LO(x11+2ix13+2i:::x57+2i)nT;10+2iu10+2iLE(x10+2ix12+2i:::x56+2i)x58+2i)i2[0;10](byDfn.4.14)=(L(x9+2ix10+2i:::x56+2i)nT;9+2iu9+2ix57+2i;L(x10+2ix11+2i:::x57+2i)nT;10+2iu10+2ix58+2i)i2[0;10](byEqn.(2))=(0;0)i2[0;10];(byDfn.2.6)asrequired. Takingtherst48bitsofeveryentryofTC,theattackercanapplyTheorem2.8ninetimesforeveryentry,obtainingonecandidatekeyforeveryentryofTC.Becausewehaveused32bitsofkeystreamandthekeyis48bits,onaveragetherewillbe216candidatekeys.Doingthisprocedureoncemoregivesanothersetofapproximately216candidatekeys;theactualkeymustbeintheintersection.Inpractice,mostofthetimetheintersectiononlycontainsasinglekey;occasionallyitcontainstwokeysandthenathirdrunofthiswholeprocedurecanbeusedtodeterminethekey(orbothcandidatekeyscanjustbetestedonline,ofcourse).5.ConclusionsWehavefoundserious`textbook'vulnerabilitiesintheMifareClassictag.Inparticular,theMifareClassicmixestwolayersoftheprotocolstackandreusesaone-timepadfortheencryptionoftheparitybits.Italsosendsencryptederrormessagesbeforeasuccessfulauthentication.Theseweaknessesallowanadversarytorecoverasecretkeywithinseconds.Moreover,tagnoncesarepredictablewhich,besidesallowingreplays,providesknownplaintextforournestedauthenticationattack.Wehaveexecutedtheseattacksinpracticeandretrievedallsecretkeysfromanumberofcards,includingcardsusedinlargeaccesscontrolandpublictransportticketingsystems.Toslightlyhamperanadversary,systemintegratorscouldconsiderthefollowingcountermeasures:diversifyallkeysinthecard;cryptographicallybindthecontentsofthecardtotheuid,forinstancebyincludingaMAC;performregularintegritychecksinthebackof-ce.Forthetimebeing,thesecondcountermeasurepre-ventsanattackerfromcloningacardontoablankone.However,thisdoesnotstopanattackerfromemulatingthatcardwithanemulatorliketheProxmark.EarlyonwehavenotiedthemanufacturerNXPofthesevulnerabilities.Sincetheprotocolisimplementedinhardware,wedonotforeseeanydenitivecounter-measuretotheseattacksthatdoesnotrequirereplacingtheentireinfrastructure.However,NXPiscurrentlydevelopingabackwardscompatiblesuccessortotheMifareClassic,theMifarePlus.WearecollaboratingwithNXP,providingfeedbacktohelpthemimprovingthesecurityoftheirnewprototypes,giventhelimita-tionsofthebackwardscompatibilitymode.AcknowledgmentsWearegratefultoourfaculty'scomputerdepartment(C&CZ)forprovidinguswithcomputingpowerandtoBenPolmaninparticularforhisassistance.References[Bih97]EliBiham.AfastnewDESimplementationinsoftware.InFastSoftwareEncryption(FSE'97),volume1267ofLectureNotesinCom-puterScience,pages260–272,1997.[CNO08]NicolasT.Courtois,KarstenNohl,andSeanO'Neil.AlgebraicattacksontheCrypto-1streamcipherinMifareClassicandOys-terCards.CryptologyePrintArchive,Report2008/166,2008.[GKM+08]FlavioD.Garcia,GerharddeKoningGans,RubenMuijrers,PetervanRossum,RoelVer-dult,RonnyWichersSchreur,andBartJacobs.DismantlingMIFAREClassic.InSushilJajodiaandJavierLopez,editors,EuropeanSymposiumonResearchinComputerSecurity(ESORICS'08),volume5283ofLectureNotesinCom-puterScience,pages97–114.Springer,2008.[ISO01]Identicationcards—contactlessintegratedcir-cuitcards—proximitycards(ISO/IEC14443),2001.[KHG08]GerharddeKoningGans,Jaap-HenkHoepman,andFlavioD.Garcia.ApracticalattackontheMIFAREClassic.InGillesGrimaudandFrancois-XavierStandaert,editors,SmartCardResearchandAdvancedApplication(CARDIS'08),volume5189ofLectureNotesinCom-puterScience,pages267–282.Springer,2008.12 [KPP+06]SandeepKumar,ChristofPaar,JanPelzl,GerdPfeiffer,andManfredSchimmler.Breakingci-pherswithCOPACOBANA-acost-optimizedparallelcodebreaker.InCryptographicHard-wareandEmbeddedSystems(CHES'06),vol-ume4249ofLectureNotesinComputerSci-ence,pages101–118.Springer,2006.[Kra01]HugoKrawczyk.Theorderofencryptionandauthenticationforprotectingcommunications(or:HowsecureisSSL?).InAdvancesinCryp-tology(CRYPTO'01),pages310–331.Springer,2001.[MAD07]Mifareapplicationdirectory.http://www.nxp.com/acrobat download/other/identication/M001830.pdf,May2007.[MFS08]MF1ICS50functionalspecication.http://www.nxp.com/acrobat/other/identication/M001053 MF1ICS50 rev5 3.pdf,January2008.[NESP08]KarstenNohl,DavidEvans,Starbug,andHen-rykPl¨otz.Reverse-engineeringacryptographicRFIDtag.InUSENIXSecurity2008,pages185–193,2008.[Noh08]KarstenNohl.CryptanalysisofCrypto-1.http://www.cs.virginia.edu/kn5f/Mifare.Cryptanalysis.htm,2008.[NP07]KarstenNohlandHenrykPl¨otz.Mifare,littlesecuritydespiteobscurity.PresentationatChaosComputerCongress,2007.13