bachelor
bachelor
bachelor
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Cryptanalysis of Rejsekortet<br />
Jens Christian Hillerup<br />
Kongens Lyngby 2010
Technical University of Denmark<br />
Informatics and Mathematical Modelling<br />
Building 321, DK-2800 Kongens Lyngby, Denmark<br />
Phone +45 45253351, Fax +45 45882673<br />
reception@imm.dtu.dk<br />
www.imm.dtu.dk
3<br />
Abstract.<br />
This <strong>bachelor</strong> thesis analyzes the security of the new Danish<br />
ticketing system Rejsekortet. Until now nobody has conducted<br />
any independent research on the security of this system, which is<br />
somewhat surprising because the same system is already rolled<br />
out in Sweden. Using documentation of older versions of the<br />
system, the security has been assessed. Most promising, this<br />
thesis contributes a precomputation attack against a DES-MAC<br />
function implemented in Rejsekortet. This is possible because<br />
of a data structure on the card offering controllable plaintext.<br />
The controlled plaintext can be used as a constant value from<br />
which a rainbow table is derived, enabling the attacker to look<br />
up keys in manageble time and space. The worst-case consequence<br />
of this attack is that it enables a determined attacker to<br />
add money or tickets to not only his own but anybody’s card,<br />
severely harming the system as a whole. Different immediately<br />
applicable countermeasures for this attack are also presented. It<br />
is concluded that the precomputation attack needs more study<br />
before anything can said about its applicability to the current<br />
version of Rejsekortet.
Summary<br />
This <strong>bachelor</strong>’s thesis is completed in spring 2010, and deals with the new Danish<br />
ticketing system called Rejsekortet, which is expected to be in nationwide<br />
production in metros, busses and trains sometime in 2012. The system is designed<br />
to completely replace paper tickets with the reasoning that it will become<br />
easier to administer fare prices, as well as being able to make very precise models<br />
for the traffic flow, which in turn will be able to aid in possible reorganization<br />
of the public transit net.<br />
Rejsekortet is designed to function offline, which entails that data such as the<br />
card balance and active tickets are stored on the card. To prevent card-based<br />
fraud, a series of security mechanisms has been set in place, each providing to<br />
a layered security model. One of these mechanisms is the card itself, which<br />
from the factory has a cryptographic mechanism securing against unauthorized<br />
reading or writing to the card. Another mechanism is a recognized authenticity<br />
verification algorithm (a “MAC”), put in place to ensure overall safety of the<br />
card in case the card is compromised. The third layer is a nightly run-thorough<br />
of the transaction database, in order to prevent cards being copied, etc.<br />
The thesis presents an attack on one of these security measures, namely a timememory<br />
trade-off that allows recovery of a secret key for the aforementioned<br />
authentication algorithm that is executed during Rejsekort transactions. In<br />
addition, the thesis presents an analysis of possible exploitation opportunities if<br />
the key for the authenticity check becomes publicly known.
Resumé<br />
Denne <strong>bachelor</strong>afhandling er udarbejdet i foråret 2010, og omhandler det nye<br />
danske billeteringssystem Rejsekortet, som forventes i landsdækkende drift i<br />
metroer, busser og tog i løbet af 2012. Systemet skal erstatte papirbilletter<br />
med den begrundelse at det bliver lettere at administrere priser, samt at kunne<br />
fastlægge helt klare modeller for trafik-flowet, hvilket kan hjælpe i eventuelle<br />
omlægninger af busser og tog.<br />
Rejsekortet er designet til at kunne fungere offline, og det medfølger at data<br />
som saldo og aktive billetter lagres på kortet. For at undgå snyd med Rejsekortet,<br />
er der blevet implementeret en række forskellige sikkerhedsforanstaltninger,<br />
der hver for sig udgør en “lagkage” af forskellige sikringer, der bygger<br />
ovenpå hinanden. En er kortet selv, der fra fabrikken har kryptografisk sikring<br />
mod uautoriseret læsning og skrivning til kortet. En anden er en anerkendt<br />
autenticitetstjek-algoritme (en “MAC”), der skal sikre kortet hvis den første<br />
sikring bliver kompromitteret. Tredje lag er en natlig gennemgang af transaktionsdatabasen,<br />
for blandt andet at sikre sig mod at kort bliver kopieret, mm.<br />
Opgaven præsenterer et angreb på en af disse sikkerhedsforanstaltninger, navnlig<br />
et time-memory trade-off, der tillader at finde en hemmelig nøgle til grund<br />
for det føromtalte autenticitetstjek, der foregår i forbindelse med Rejsekorttransaktioner.<br />
Herudover fremlægges der en analyse af mulige udnyttelsesmuligheder,<br />
hvis nøglen til autenticitetstjekket bliver offentligt kendt.
Preface<br />
This thesis was prepared at Informatics Mathematical Modelling, the Technical<br />
University of Denmark in partial fulfillment of the requirements for acquiring<br />
the <strong>bachelor</strong>’s degree in engineering. The project was started in February and<br />
consists of 15 ECTS points. The thesis deals with the security of Rejsekortet, a<br />
new Danish/Swedish travel card standard. The focus has been to find a vector<br />
for a cryptographic weakness in Rejsekortet per RKF standards A, B and C,<br />
with the aid of once-available standards documentation. Currently the system<br />
runs in a later version to which the specifications are not available.<br />
An obstacle in the project has been the unavailability of current documentation<br />
of the RKF specification. It has made it more difficult to get a precise<br />
understanding of the data recovered with card dumps.<br />
Finally it is certified that this thesis is written by myself in full to the best of<br />
my ability, and with citation clearly sourced where due.<br />
Virum, June 2010<br />
Jens Christian Hillerup
vi<br />
Glossary<br />
Rejsekort(et)<br />
Danish for “travel card” or “the travel card,” a new Mifare-based ticketing<br />
system for public transportation in Denmark.<br />
The language if this thesis is English, but still the Danish conjugations of the<br />
substantive “Rejsekort” are used. In Danish the definite and indefinite article is<br />
the same, and for a neuter word like Rejsekort it is “et.” The difference is that<br />
the definite article goes after the word instead of before like in other languages.<br />
That entails that “Rejsekortet” is the definite version “Rejsekort.” In addition,<br />
the plural of “Rejsekort” is “Rejsekort.”<br />
RKF, Rejsekortsforeningen<br />
A Swedish company responsible for development of Rejsekortet.<br />
Rejsekort A/S<br />
A Danish company responsible for implementing and developing the travel card<br />
standard set by RKF, as well as rolling the solution out nationwide.
Acknowledgements<br />
I wish to thank Christian Panton for bringing Rejsekortet to my attention as<br />
an interesting subject for my <strong>bachelor</strong>’s thesis, and for the initial research he<br />
conducted before this project was launched.<br />
Moreover I’d like to thank Nikolas Bang Manscher, Julie Falck Valentin-Hjorth,<br />
Mathias Brade, Tim Garbos, Anton Breum, Laura Jespersen-Kaae, Toke Højby<br />
Lorentzen, Ulrik Borch, Niels Emil Hillerup and David Kofoed Wind for proofreading<br />
in all stages of the project.<br />
Finally I would like to thank Erik Zenner for invaluable feedback and consultancy<br />
during the preparation of this thesis.
viii
Contents<br />
Summary<br />
Resumé<br />
Preface<br />
Acknowledgements<br />
i<br />
iii<br />
v<br />
ix<br />
1 On Rejsekortet 1<br />
1.1 History of the project . . . . . . . . . . . . . . . . . . . . . . . . 3<br />
1.2 Technology and card layout . . . . . . . . . . . . . . . . . . . . . 5<br />
1.3 Grades of security . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
1.4 Problem definition . . . . . . . . . . . . . . . . . . . . . . . . . . 28<br />
2 Security analysis and threat model 29<br />
2.1 Threat model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30<br />
2.2 Attack classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<br />
2.3 Analysis of the security . . . . . . . . . . . . . . . . . . . . . . . 34<br />
3 Attacks on Rejsekortet 41<br />
3.1 Rollback attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 42<br />
3.2 Attacking the MAC . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
3.3 Masquerading attacks . . . . . . . . . . . . . . . . . . . . . . . . 75<br />
3.4 Attacks on the infrastructure . . . . . . . . . . . . . . . . . . . . 80<br />
3.5 Vandalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84<br />
4 Improvements 89<br />
4.1 Improvements since version 1 and 2 . . . . . . . . . . . . . . . . . 90<br />
4.2 Other immediately applicable improvements . . . . . . . . . . . . 96
x<br />
CONTENTS<br />
4.3 Other improvements . . . . . . . . . . . . . . . . . . . . . . . . . 98<br />
5 Conclusion 99<br />
A Related research 103<br />
A.1 Mifare keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103<br />
B Mail correspondence 107<br />
B.1 Mail correspondance with Margareta Berg from Resekort Sweden 108<br />
B.2 Mail correspondance with Gregers Mogensen from Rejsekort Danmark<br />
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 1<br />
On Rejsekortet<br />
Rejsekortet (“the travel card”) is a new system for the Danish network of public<br />
transportation. It is meant to completely replace paper tickets sometime in 2011,<br />
and the project has been in the works since 1995 1 , and has at the time of writing<br />
cost more than a billion Danish kroner 2 .<br />
The card works as a check-in/check-out system in the sense that one “checks<br />
in” while entering e.g. a bus and “checks out” leaving it. The system then<br />
calculates the fare and draws the amount from the card. Moreover the card<br />
supports various degrees of discount, interoperability across borders, and much<br />
more.<br />
The initial specifications were presented by a Swedish company called Resekortsföreningen<br />
(RKF), in order to establish a common standard of travel cards in<br />
Scandinavia. Different public transit organizations could then choose to implement<br />
this new standard, and expect the cards to work seamlessly with the other<br />
systems. Currently, Sweden is the only country to have a travel card using this<br />
standard in production.<br />
1 http://vtu.dk/filer/publikationer/1998/rapport-fra-arbejdsgruppen-om-kortteknologi-oghandicappede/html/dok10.html<br />
2 http://www.business.dk/transport/barsk-kritik-af-nyt-rejsekort-system
2 On Rejsekortet<br />
Disclaimer: This report is concerned with the Rejsekort versions A, B and<br />
C, described in documents RKF-0020[7] (requirements specification) and RKF-<br />
0022[6] (implementation specification), since it was impossible to obtain the<br />
specification for the newest version of the system, see B.2.<br />
RKF-0020 describes what is expected of the system. It outlines the basis for<br />
interoperability, the data types and the desired level of security.<br />
RKF-0022 describes the implementation details; this includes full descriptions<br />
of all the relevant data types on the card, how they are placed and coded, and<br />
also how the data is secured by means of a MAC, see 1.3.2.<br />
Moreover there is a spreadsheet with ID RKF-0025[5] that describes bit-for-bit<br />
where data is positioned on a Rejsekort. From that it is possible to make a<br />
parser that can read Rejsekort, and possibly to write RKF-compliant data back<br />
onto the card.<br />
These documents can be found on the enclosed CD-ROM.<br />
1.1 History of the project<br />
The plans of establishing a travel card system in Denmark were made in 1995 as<br />
a joint venture by the various Danish public transit companies. After a meeting<br />
October 1st 1997 the project was officially started 3 .<br />
Development went on rather quietly until 2000 when Resekortföreningen i Norden<br />
was founded. This company comprised of Danish and Swedish public transport<br />
organisations. In 2001 the system is defined, and the specifications are<br />
written. RKF-0020, RKF-0022 and RKF-0025 are all dated in 2002, and were<br />
once available from the website of Resekortföreningen i Norden. This company<br />
has since been dissolved, and the specifications are no longer available.<br />
In 2003 the Danish public limited company Rejsekortet A/S was founded, and<br />
several public transport organisations joined in 4 . Rejsekort A/S makes a call<br />
for providers of the system implementing the standard from RKF, and the company<br />
East-West Denmark won. This company is owned by Thales Group and<br />
Accenture, and Thales writes in a 2005 press release that Rejsekortet is planned<br />
3 http://vtu.dk/filer/publikationer/1998/rapport-fra-arbejdsgruppen-om-kortteknologi-og-handicappede/<br />
html/dok10.html<br />
4 http://rejsekort.dk/Om+Rejsekort/Historie
1.2 Technology and card layout 3<br />
for nationwide production in 2007 5 .<br />
At the time of writing (May 2010) the system is in the testing phase in two<br />
relatively small parts of Denmark, and it is planned to be rolled out in small<br />
steps until the system is covering all of Denmark in 2012.<br />
1.2 Technology and card layout<br />
Travel cards have been marketed with many different technologies since the<br />
conception of the idea in the mid-nineties. However, in recent years a de-facto<br />
standard seems to have merged. The system is called Mifare and is marketed<br />
by NXP Semiconductors. It is the basis of many travel cards worldwide.<br />
The immediate advantages with a digital ticketing solution rather than paper<br />
tickets are increased precision in usage data, ease of maintenance of travel pricing,<br />
etc. The disadvantage is that, unless utmost care is exercised, the digitalizing<br />
will make it possible to make data appear as if it is issued by Rejsekortet<br />
A/S themselves. This is much more difficult with paper tickets carrying holograms,<br />
etc. Data is data, and cannot be secured by means of holograms or other<br />
physical measures. This chapter will describe exactly how the cards work, and<br />
what digital security measures are taken to ensure that attackers cannot forge<br />
tickets.<br />
1.2.1 RFID<br />
RFID (Radio Frequency IDentification) is a technology that allows touch-less<br />
interaction between a powered base station and a “tag.” Tags can be active<br />
or passive, depending on whether or not it has a battery; generally the active<br />
tags have a longer range than the passive, with the added cost of having to<br />
be powered at all times. Passive tags are powered by induction. The terminal<br />
creates an electromagnetic field that the tag can use to induce a current giving<br />
it enough power to run a small integrated circuit. This circuit can then transmit<br />
a signal back to the terminal.<br />
Some RFID implementations, however, implement more advanced data processing<br />
than just replying back some constant. This is the case with the Mifare<br />
Classic standard which Rejsekortet is built on, see 1.2.3. Mifare Classic chips<br />
5 http://www.thalesgroup.com/Press_Releases/Security_PressRelease_13-09-2005/
4 On Rejsekortet<br />
are even capable of running a small cryptographic cipher, plus implementing<br />
access conditions for separate portions of the on-board storage on the card.<br />
1.2.2 The infrastructure of Rejsekortet<br />
Rejsekortet comprises of three basic entities, namely the cards, the terminals<br />
and the back-office. Cards are held by the commuters using the system, and<br />
terminals are installed on stations and in buses.<br />
Not much is known about communication with the back-office, but it is certain<br />
that the terminals synchronize at least their event log (storing special “Transaction<br />
IDs” specific to the cards) with a central database, either live or on a<br />
buffered basis. The buffered readers would be installed in buses, and only occasionally<br />
transmit their buffer with the back-office. One could imagine a solution<br />
where buses would synchronize at some traffic centre, such as the town hall<br />
square for the Copenhagen buses, in order to reduce costs.<br />
1.2.2.1 Check-in and check-out<br />
When a user wants to travel somewhere with a Rejsekort, he/she will “check in”<br />
on the designated terminals at the station of origin. This will create a certain<br />
data element on the card describing the time and place of the check-in, and write<br />
that to the card. Any intermediate stops require another check-in, in order for<br />
the system to calculate the fare correctly—these check-ins will also be stored<br />
on the card. If the card is checked by a ticket conductor during the trip the<br />
scanner will parse this data structure and check for these “check-ins.”<br />
After the trip the user checks out at the terminals on the station. The terminal<br />
presents the fare and draws the money from the card. An important thing to<br />
note is that the card stores this information, so in order to restrict tampering<br />
it implements some systems preventing this abuse, see section 1.3.<br />
1.2.2.2 The different kinds of cards<br />
There are three different types of Rejsekort, each aimed at different kinds of<br />
users. This gives the system an advantage over the conventional punching card<br />
system currently in use in Denmark (“klippekort”), because it is possible to
1.2 Technology and card layout 5<br />
make very precise profiles of each card’s usage patterns, etc. The three different<br />
types are:<br />
• Personalized: These cards are personal, and the name and photo of the<br />
owner is printed on the card. This will likely be the standard card that<br />
commuting Danes will use.<br />
• Pseudo-anonymous, also known as “Rejsekortet Flex:” This card is<br />
flexible in the sense that it can be used by anyone, not just the owner.<br />
This would for example be used in companies that pay for the employees’<br />
occasional travel, or parents who own a card that their children use.<br />
• Anonymous: This card is likely targeted for tourists and other travellers.<br />
It is completely anonymous and can be used by whoever possesses it. This<br />
card is currently not marketed on the website for Rejsekortet, which only<br />
reinforces the thesis of it being for tourists. Never the less, it can be<br />
assumed that these cards are possible to get hold of once the system is<br />
deployed nationwide.<br />
Source: [8].<br />
There are different grades of discounts available in the system. To encourage<br />
people to use the personal version of the card, the highest level of discount<br />
attainable is only available in the fully personalized version. Flex users get<br />
“zero to medium” discount, and the same goes for anonymous users, [8].<br />
1.2.2.3 Terminals<br />
This thesis deals with three different types of terminals used in the Rejsekort<br />
system. These are:<br />
• Check-in terminals are used on stations when a user wants to commence<br />
a travel.<br />
• Top-up terminals are used for loading money from a credit card to a<br />
Rejsekort. These are also situated on stations, and do not require the user<br />
to hold the card in front of a reader. Instead the user is supposed to put<br />
the card into a slot.<br />
• Conductor terminals are used by conductors on buses or trains to check<br />
if the users have checked-in.
6 On Rejsekortet<br />
1.2.3 Mifare<br />
Mifare is a family of ticketing systems made by NXP Semiconductors. The<br />
system implemented by Rejsekortet is called Mifare Classic, and it is widely used<br />
worldwide for physical access control and ticketing systems, e.g. the Oyster card<br />
in the English subway and the student card at the IT University of Copenhagen<br />
for door access. With over one billion smart cards sold Mifare is the most<br />
widely deployed physical access control system worldwide 6 . It is used not only<br />
for trains, metros and buses, but also for door and port access.<br />
1.2.3.1 The hardware<br />
Mifare hardware exists in many flavours, such as wrist bands, number signs for<br />
the backs of race runners, wrist watches, cellphones, and of course cards. Some<br />
of this hardware support the Mifare Classic protocol, but for this project we<br />
are only concerned with the subset of Mifare products that is the Mifare Classic<br />
cards.<br />
1.2.3.2 Sectors and blocks<br />
Mifare Classic cards come in two variants, 1K and 4K, having an EEPROM<br />
memory of 1024 bytes or 4096 bytes, respectively. The memory is laid out as<br />
seen on Figure 1.1.<br />
• 1K and 4K cards have the same first 1024 bytes: 16 sectors, each consisting<br />
of 4 blocks. One block can hold 16 bytes.<br />
• 4K cards have 12 additional larger sectors, each consisting of 16 blocks.<br />
The blocks are of the same size, so these larger sectors can carry 16 · 16 =<br />
256 bytes.<br />
The last block in a sector always holds key and access control information used<br />
by the authentication procedure to determine exactly how data can be read or<br />
modified. The data structure holds:<br />
• Key A: 6 bytes. The primary key for the sector. This key can never be<br />
read out from hardware, but grants complete access to the sector if a user<br />
has it.<br />
6 http://www.mifare.net/, see “The success of MIFARE”
1.2 Technology and card layout 7<br />
Figure 1.1: The Mifare memory layout. Figure by de Koning Gans et. al, used<br />
with permission.<br />
• Access control: 3 bytes. These bits define the access conditions for the<br />
sector. See 1.2.3.3 for a list of functions these bytes govern access to.<br />
• An unused byte.<br />
• Key B: 6 bytes. This is the secondary key. It can have access control<br />
separate to key A,<br />
The first block of the first sector of every Mifare card is a little special; it is<br />
burned into the card and cannot be changed, ever. It contains the manufacturer<br />
data of the card, including the cards unique ID. For this reason sector 0 only<br />
has only two writable blocks instead of three, see Figure 1.1.<br />
1.2.3.3 Challenge/response<br />
Mifare implements a challenge/response protocol that must be satisfied before<br />
a terminal can log in to a card. The protocol is described in [3], and can be<br />
described in plain text as seen in Figure 1.2.<br />
After authenticating to the sector, the card provides the following actions, for<br />
some given block in the sector:
8 On Rejsekortet<br />
1. Reader sends a “select” request.<br />
2. Tag replies with its unique ID.<br />
3. Reader sends a directed “select” request, including the tag’s unique ID.<br />
This prevents collisions when two tags are within the reach of the reader.<br />
4. Reader tries to authenticate to some sector.<br />
5. Tag picks a challenge nonce and sends it to the reader.<br />
6. Reader sends a challenge nonce, as well as a response to the tag’s challenge.<br />
7. Tag sends a response to the reader’s challenge.<br />
Figure 1.2: Authentication protocol of Mifare<br />
• Read: Reads the content of the given block.<br />
• Write: Writes some given data to the given block.<br />
• Increment: Treats the block contents as an integer and increments it by<br />
a given value.<br />
• Decrement: Like “Increment,” but it decrements.<br />
• Copy: Copies the content of a block onto another. This can be used for<br />
backup.<br />
The incrementation and decrementing functions make Mifare attractable to use<br />
for ticketing systems since a purse can be implemented atomically.<br />
Note that the access control bytes for the sector dictate whether or not these<br />
functions can be used.<br />
1.2.3.4 Ensuring internal card consistency<br />
Rejsekortet implements a system that makes card transactions indivisible. This<br />
is to ensure that a card does not get corrupted if the user removes it prematurely<br />
during a transaction; either an entire transaction is carried out, or no transaction<br />
is carried out.
1.2 Technology and card layout 9<br />
The system furthermore differentiates between different kinds of sector types, by<br />
defining different application types to them. They define how data redundancy<br />
is managed for that specific data field and, and how the data is arranged.<br />
Some application types are used only for one data structure on the card, e.g.<br />
AT2. AT2 is the type used for storing tickets currently active on the card. There<br />
are two data elements “taking turns” in containing the newest version, as well<br />
as some number 1 ≤ n ≤ 6 of additional elements, containing a log of old tickets<br />
on the card.<br />
The card contains a data structure, TCAS 7 , that keeps the ID of the last transaction,<br />
as well as the status of all the sectors. The sector status variable defines<br />
which of the two redundancy elements is the current, depending on the application<br />
type of the sector. This is important, because no current data is ever<br />
supposed to be overwritten in Rejsekortet; if some value on the card is going to<br />
have a new value, the data will be written to the unused sector first, and then<br />
the section status will be changed so as to reflect that the current data is in the<br />
“other part” of sector.<br />
Ultimately, Rejsekort consistency is ensured by also having two copies of the<br />
TCAS field. At each transaction this structure is written twice to the card,<br />
in predetermined sectors. This makes the system very robust to connection<br />
disturbance, because the card will always be able to use the old TCAS in case of a<br />
communications fall-out. There are four phases of a transmission in Rejsekortet:<br />
1. Writing the new data to the unused fields.<br />
2. Writing the new TCAS1 to its designated sector. This value has another<br />
sector status for the altered data field, making the just-written data current.<br />
3. Writing the new TCAS2 which is equal to TCAS1. TCAS2, as we shall see,<br />
is used if the next transaction falls out and TCAS1 becomes inconsistent.<br />
From [6] we have this table over transaction breakdowns and how the system<br />
will react (quote):<br />
As stated, if TCAS1 is inconsistent, TCAS2 will be used. This leads to the card<br />
being temporarily “rolled back” because the TCAS pointed to the non-recent<br />
data elements.<br />
7 Travel Card Application Status
10 On Rejsekortet<br />
Time of transaction<br />
breakdown<br />
Writing of data<br />
Writing of TCAS1<br />
Writing of TCAS2<br />
No breakdown<br />
Consequences<br />
The transaction is not completed.<br />
Next transaction will use TCAS1.<br />
The transaction not completed.<br />
By the start of the next transaction<br />
TCAS1 will be inconsistent, i.e.<br />
TCAS2 is used.<br />
The transaction is completed.<br />
By the start of the next transaction<br />
TCAS2 will be inconsistent, i.e.<br />
TCAS1 is used.<br />
The transaction is completed.<br />
Next transaction will use TCAS1,<br />
which is identical to TCAS2.<br />
One application type, however, does not have redundancy. This type is only<br />
used by the “customer profile” field, which in turn is only alterable in the topup-terminals.<br />
These terminals require the user to put the card into a slot which<br />
drastically reduces the risk of transmission errors, which might be the reason<br />
for saving the redundancy space for something else.<br />
1.2.3.5 Transaction numbers<br />
RKF-0022 also talks about various kinds of transaction IDs. Some are internal<br />
to the system, some are internal to the card. All in all there are four different<br />
kinds of transaction numbers, stored in different areas of the card (parts quoted<br />
from RKF-0022):<br />
• Card transaction number: Identifies complete transactions. The transaction<br />
number is local to each travel card.<br />
• Device transaction number: Identifies transactions completed by a front<br />
system. The transaction number is local to each front system device.<br />
• Purse transaction number: Identifies purse transactions. The transaction<br />
number is local to each purse object (which can be assumed to be one per<br />
card.)<br />
• Ticket/contract transaction number: Identifies ticket/contract transactions.<br />
The transaction number is local to each travel card ticket and
1.3 Grades of security 11<br />
contract object, respectively (which can also be assumed to be one per<br />
card.)<br />
These values are probably available to the back-office system.<br />
known that the card transaction number is, see page 52 in [6].<br />
At least it is<br />
1.3 Grades of security<br />
One argument used in the defense of Rejsekortet has been that it implements<br />
several layers of security, and that if one of the layers are broken the other ones<br />
will act redundantly. The layers implemented are the Mifare proprietary crypto,<br />
DES-MAC checksums for the important blocks on the card, and finally a nightly<br />
inspection of the database to determine if users have tried to fool the system in<br />
some way.<br />
1.3.1 Mifare / Crypto-1<br />
Mifare implements a proprietary cryptosystem, Crypto-1, to protect the contents<br />
of the card. The cipher has been proved to be rather weak, and recent<br />
attacks allow an adversary to decrypt and dump the contents of the card in<br />
minutes, see 1.3.1.1.<br />
Crypto-1 is a stream cipher with a key size of 48 bits, but further description is<br />
not in the scope of this thesis. A more detailed description of the cryptosystem<br />
can be found in [2].<br />
1.3.1.1 Mifare insecurities<br />
Because of the market penetration of Mifare it is a very attractive target for<br />
cryptographic attacks. Mifare implements a proprietary cryptosystem called<br />
Crypto-1, which has been proven insufficient by some recent scientific papers.<br />
The most serious attack is presented by Garcia et. al. in a paper called “Wirelessly<br />
Pickpocketing a Mifare Classic Card”[3]. The attack is called the Nested<br />
Authentication attack, and allows an adversary to recover encryption keys for<br />
any sector given the key for just one. This enables an attacker to quickly recover<br />
all keys for a card, given just one. In short, the attack works by being able to
12 On Rejsekortet<br />
Figure 1.3: The Crypto-1 cipher internals.<br />
control a nonce sent by the tag because it depends on the timing of the authentication.<br />
If a reader is already authenticated with one sector, the specification<br />
requires all communication to be encrypted. Then, when a terminal tries to<br />
authenticate to a new sector, an attacker can make qualified guess as to the new<br />
nonce, and from that some of the keystream information taken from the sector<br />
that is being logged in to (even though the attacker has not logged in yet).<br />
Research has shown that some Mifare Classic solutions actually use a default key<br />
for one or more of the sectors on the card 8 . There are eight different default keys,<br />
and it is relatively easy to check every sector with all of the keys. If any sector<br />
on the card uses a default key, the attacker can use the nested authentication<br />
attack to recover the rest of the keys.<br />
However, if no sectors use standard keys it is possible to recover the key by<br />
means of an attack described in a paper by Courtois, called “The Dark Side<br />
of Security by Obscurity (. . . )”[1]. This attack works when an attacker replies<br />
with a bad response to initial challenge, and only if the parity bits of the bad<br />
response are set correctly. Instead of replying with four bytes signifying that<br />
the data was wrong (even though the parity is right), it replies with four bits,<br />
specifically the value 0x5 XOR’ed with four bits of the keystream. This opens<br />
some opportunities for recovering more of the keystream. The attack is described<br />
in full in [1].<br />
9.<br />
8 http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_pavol_luptak.pdf, slide
1.3 Grades of security 13<br />
Common to the “Darkside” and nested authentication attacks is that they need<br />
only a Mifare card and a NFC-compatible reader. The readers are readily available<br />
online, currently priced at 30 e 9 .<br />
These attacks combined can recover all sector keys and dump a card in minutes<br />
on a laptop with a off-the-shelf NFC reader, even shorter time if the attacker<br />
has access to a “ProxMark” reader 10 , currently costing $330. There are numerous<br />
software projects that implement these attacks and provide read-write<br />
functionality for Mifare cards, among others libnfc 11 , mfcuk 12 , crapto1 13 and<br />
RFID IO tools 14 .<br />
1.3.2 MAC<br />
All of the security-critical sectors on Rejsekortet carry a checksum value calculated<br />
with the CBC-MAC algorithm using DES[6], to which the key is secret.<br />
This is to ensure that people do not modify the data in case they recovered the<br />
Mifare keys.<br />
The sectors carrying MACs must have the last 24 bits comprised of a “MAC<br />
algorithm identifier,” a “MAC key identifier” as well as a 16-bit MAC (page 58,<br />
[6] 15 ). The key identifier exists so that Rejsekort A/S can issue a new key if the<br />
old one has been compromised (in turn enabling an attacker to calculate the<br />
current MAC for some data stream), and likewise the algorithm can be changed<br />
if the current algorithm is deemed too weak.<br />
Moreover the sectors carry a field containing the ID of the key used to calculate<br />
the hash so that RKF can issue a new key in case one is broken.<br />
The non-critical sections have a CRC checksum instead of a MAC.<br />
9 http://www.touchatag.com/e-store<br />
10 http://proxmark3.com/<br />
11 http://www.libnfc.org/<br />
12 http://code.google.com/p/mfcuk/<br />
13 http://code.google.com/p/crapto1/<br />
14 http://www.rfidiot.org/<br />
15 The specification allows MACs longer than 16 bits, but in practice only 16-bit MACs are<br />
used[5].
14 On Rejsekortet<br />
1.3.2.1 CBC-MAC<br />
CBC-MAC is a block cipher mode of operation that allows the creation of Message<br />
Authentication Codes (MACs). MACs can be compared to hash functions,<br />
but the difference lies in the fact that there exists a secret key for MACs, preventing<br />
those without it from calculating them.<br />
The MAC function takes a 64-bit secret key and an input of arbitrary length and<br />
chops it into blocks of 64 bits, padding with zeroes if the input length is not a<br />
multiple of 16. For each block the DES cipher function is run with the supplied<br />
key, resulting in a 64-bit value. This value is XORed to the next plaintext block,<br />
and in turn fed into DES, see Figure 1.4. This continues until there are no more<br />
blocks, and leads to “feedback” entire stream for changes in just one bit in one<br />
of the plaintexts. The result of the last DES function is the 64-but MAC value.<br />
This algorithm is described in FIPS 113 as the Data Authentication Algorithm,<br />
but it is also known as DES-MAC.<br />
p 1<br />
p 2<br />
p n<br />
k DES k DES k DES<br />
MAC<br />
Figure 1.4: CBC-MAC with DES as its cipher. There can be any number of<br />
plaintext blocks.<br />
1.3.2.2 Added security of a MAC<br />
Adding a MAC to the system makes it nontrivial to change the contents of a<br />
field, if the Mifare keys would be known. Then, to change the keys one would also<br />
have to recover the key for the DES-MAC which has a keyspace of cardinality<br />
2 56 (even though the keys are 64 bits long—the last 8 bits are used for parity).<br />
The MAC is likely introduced because it would be catastrophic to have the<br />
Mifare keys for Rejsekortet leaked without any further security mechanisms.<br />
Since all Rejsekort use the same Mifare keys, being able to add money and<br />
tickets “just like that” would be highly undesirable.
1.4 Problem definition 15<br />
As an addition to the MAC infrastructure RKF introduces a field describing<br />
which key is used for the MAC, stored as an index. This means that if a key for<br />
the DES-MAC is leaked or broken RKF would just generate a new key, seed it to<br />
the terminals and increment the “key ID” field. Brute-forcing DES is currently<br />
costly and time-consuming, so unless this time window can be brought down<br />
the trouble of brute-forcing DES to recover a key is too high compared to the<br />
temporary gain of being able to forge data; It will only last until a new key is<br />
issued.<br />
1.3.3 Nightly database sanity checking<br />
Checking that all events (check-ins, check-outs, top-ups, etc) “evens out” every<br />
night has been claimed to be the eventual fallback of the security system of<br />
Rejsekortet. This security precaution granted makes Rejsekortet as a whole<br />
more secure, but as opposed to the two previously described security measures<br />
this one is reactive, whereas the others are proactive, i.e. this system reacts<br />
to threats after a security hole has been exploited. The data sent back to the<br />
system is likely the IDs described in 1.2.3.4. Especially the card transaction<br />
number can be used to check if a user has rolled back to an older state of the<br />
card, because then it would appear twice in the database.<br />
It can be argued that this kind of security is just another system “patched” on<br />
top of a weak base system; it does not really fix whatever flaws might exist in<br />
Rejsekortet, but acts more as a check-up that these flaws are not exploited.<br />
1.4 Problem definition<br />
• Can a user cheat the ticketing system to travel for free<br />
– Will such attacks be easily carried out<br />
– Will such attacks be detectable<br />
– What are the legal implications of exploiting the ticketing system<br />
– What are the economic implications for the maintainers of the system<br />
• Is it possible to construct a scheme of large-scale fraud<br />
– Is this economically or technically viable<br />
• Can the system be considered secure against electronic vandalism
16 On Rejsekortet
Chapter 2<br />
Security analysis and threat<br />
model<br />
This chapter describes various attacks applicable to Rejsekortet, along with the<br />
prerequisites to these attacks, as well as the possible countermeasures taken by<br />
the maintainers.<br />
Guarding against every possible flaw in a system like Rejsekortet can prove to<br />
be very costly both in terms of money and time. Therefore we need to establish<br />
a threat model in order to be able to determine whether the flaw is either too<br />
insignificant or too difficult to pull off to actually take precautions against.<br />
2.1 Threat model<br />
As previously stated Rejsekortet is secured by means of Mifare encryption, DES-<br />
MAC authentication and a nightly database consistency check. Rejsekort A/S<br />
has not disclosed what is checked during the database checkups, but we can<br />
assume that it at least checks for double transactions, maybe even keeps a<br />
“purse” object internally in the system. It would resemble the purses on all<br />
Rejsekort in order to ensure that the users has paid for all the tickets that are<br />
used (checked) throughout the lifetime of the cards.
18 Security analysis and threat model<br />
The threats that the maintainers care about the most are the ones that are<br />
difficult to check in that database checks. If a hacker finds out a way to have<br />
the checking terminals accept a Rejsekort but report either invalid or no data to<br />
the back office, then the system is in trouble. This can potentially lead to the<br />
company losing a lot of money, which is why such an attack is called damaging.<br />
It is possible to construct a two-dimensional coordinate system ranging from<br />
“hard” to “easy to pull off” on one axis and “little” to “much damage” on the<br />
other, see Figure 2.1. Generally speaking the most dangerous attacks are the<br />
ones that are both easy to pull off and very dangerous.<br />
Very damaging<br />
Hard to pull off<br />
Easy to pull off<br />
Not very damaging<br />
Figure 2.1: A 2D coordinate system describing the parameters that are significant<br />
to RKF, as well as a marked area describing the “significance threshold.”<br />
Since the coordinate system cannot have any units on the axes it is difficult to<br />
place any attacks in there. It just exemplifies that, theoretically, very damaging<br />
attacks are not necessarily very hard to pull off.<br />
In addition, since Rejsekortet is a system that is made in accordance with the<br />
RKF standard, it is very likely that some security flaw that might exist in<br />
Rejsekortet would also work in the Swedish “Resekortet” system.
2.2 Attack classes 19<br />
2.2 Attack classes<br />
There are four basic kinds of attacks that can be applied to Rejsekortet, each<br />
representing four different ways of approaching defrauding of the system. They<br />
are as follows:<br />
• Rollback attacks in which the attacker loads back an older state of the<br />
card. This kind of attacks need not much more than the possession of a<br />
card reader to be carried out.<br />
• Attacking the MAC allows forging of valid data to make the system<br />
think it issued it itself. This leads to the attacker being able to add<br />
money, tickets, discount rates, etc. to his/her card. A successful MAC<br />
attack would require the recovery of the key for the DES-MAC used, which<br />
has a complexity of 2 56 .<br />
• Masquerading attacks in which an adversary impersonates another (legitimate)<br />
user of the system.<br />
• Attacks on the infrastructure. These attacks will not be described<br />
in much detail, only possible attack vectors will be set forward. It is<br />
impossible to know how the system works without physical access to the<br />
innards, therefore this kinds of attacks will remain speculative until more<br />
details about the hardware is known.<br />
Another thing that has to be taken into consideration is vandalism. Even though<br />
this kind of attacks does not offer anything to the attacker, it must still be taken<br />
seriously—one cannot leave out the possibility of people deliberately trying to<br />
disrupt the system for fun.<br />
2.3 Analysis of the security<br />
As written in 1.3 Rejsekortet has three lines of defense. The first one is the<br />
use of Mifare Classic itself; the user is not supposed to be reading or writing<br />
to his/her card at all! However, as described in 1.3.1.1 some attacks on Mifare<br />
makes it possible to do just that, making the Rejsekort security depend solely<br />
on the DES-MAC and database sanity checks.<br />
This section will describe some remarks—both positive and negative—to the<br />
security system described in the available documents.
20 Security analysis and threat model<br />
2.3.1 Card integrity<br />
One thing to note is that security is not only about keeping hackers from cheating,<br />
it is also about keeping the card in a consistent state.<br />
Securing against cards getting corrupt is done very effectively; as was required<br />
all transactions are indivisible, and in case of disturbances in the terminal/carddialogue.<br />
As was learned in the previous chapter, if the connection is lost at<br />
any point, subsequent transactions will always be able to (re)establish a working<br />
state of the card.<br />
2.3.2 Mifare keys<br />
As stated in the first chapter it is difficult to defend against attacks on Mifare<br />
with attacks in the public domain that are capable of dumping a card in minutes.<br />
However, RKF has done what it could securing the Mifare card by not using<br />
standard keys for any of the sectors. This was determined by experiment using<br />
the mfoc 1 program, testing all sectors on the card with the default Mifare keys.<br />
See section A.1 for the complete output of the experiment.<br />
2.3.3 MAC<br />
Securing the data by means of a MAC is obviously a good idea if the maintainers<br />
of the system want to keep control over what is written to the card.<br />
One could ask why RKF chose to implement MACs instead of just encrypting<br />
the contents, or using cryptographic signing. The answer to the former might<br />
be that it would be convenient to be able to read the contents without having<br />
to decrypt it. Digital signatures are likely not implemented because they need<br />
to be stored in full to be checkable, which is not the case with MACs. Reducing<br />
the length of the MAC just means it is more likely to collide.<br />
In any case, using DES as a security mechanism in 2010 is a bad idea. However,<br />
since the documents used date back to 2002 it is not completely sure that DES-<br />
MAC is still the MAC cipher used. Using a reader it was possible to establish<br />
that either the bit ordering on the cards has changed, or the system implements<br />
a new MAC-algorithm, which can only be considered a welcome improvement.<br />
See section 4.1.1 for more information on this update.<br />
1 http://www.proxmark.org/forum/topic/381/mifare-classic-offline-cracker/
2.3 Analysis of the security 21<br />
2.3.4 Database sanity checks<br />
Other than the different IDs the system gathers, it is difficult to say what is<br />
being sent to the back-office. It is, however, certain that rollback attacks are<br />
detectable, by looking at page 52 in [6].<br />
Sanity checks account for most of the security of Rejsekortet; if the MAC proves<br />
to be secure, then there will still be rollback attacks, and if the MAC is broken<br />
there will just be more to crosscheck. Threat assessments on a case-to-case basis<br />
will be introduced in the next chapter.<br />
2.3.5 Anonymous travel cards<br />
The introduction of completely anonymous travel cards may prove to be somewhat<br />
risky on the maintainers of the system. This means there is little to no risk<br />
in cheating with those. They will likely be disabled after next database sanity<br />
check, but then the attacker can just buy a new card and continue cheating.<br />
2.3.6 Vandalism<br />
Vandalism is largely ignored in Rejsekortet. It is possible to gain write access<br />
to cards in their touchless nature, and this makes them easy to corrupt or wipe,<br />
if the attacker knows the Mifare keys for the cards.<br />
However, with NFC cards like Mifare, the distance between card and reader has<br />
to be very short, under 10 cm. This makes it virtually impossible to “pickpocket”<br />
or in other ways read or write a card without being noticed. It will still be<br />
possible to set up “rogue terminals” on stations and such, to get people to<br />
unknowingly let their cards corrupt.<br />
Because of the proximity needed to write to the cards, the vandalism attacks described<br />
in the next chapter can be considered speculative and not really suitable<br />
for any real-world scenario. As such the system can be considered more or less<br />
resistant to vandalism; the “walking through the train and wiping everything”<br />
example is impossible, not because of a precaution taken by RKF, but because<br />
of physical constraints. Israeli researchers have tried to extend the range of Mifare<br />
reading; they successfully read/wrote a Mifare card at a 25 cm distance 2 .<br />
However, 25 centimeters is still not enough to carry out most vandalism attacks.<br />
2 http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html
22 Security analysis and threat model<br />
2.3.7 Layered approach<br />
Rejsekortet’s security model is based on a layered approach, i.e. several different<br />
security mechanisms on top of each other comprising the overall security of<br />
Rejsekortet. This is a very clever choice if the system is expected to run for an<br />
extended period; there will always be an interest in proving or disproving the<br />
security of systems, especially those contributing to some kind of infrastructure<br />
like the public transit system, and RKF did the right thing opting for a layered<br />
security model.
Chapter 3<br />
Attacks on Rejsekortet<br />
As described in the previous chapter attacks on Rejsekortet can be divided into<br />
four different categories of cheating the system, plus vandalism. Vandalism is<br />
important to bring into the picture because personal gain might not be the only<br />
motivation to perform an attack; if it is possible to make “digital graffiti,” or just<br />
cause a general disruption of the system, some people might still be interested.<br />
Especially if it introduces plausible deniability (“I couldn’t check-in because all<br />
the terminals were broken”).<br />
The other attacks can be assumed to be motivated by the outlook to free travel.<br />
We can divide these attacks into two different kinds:<br />
• Attacks that enable free travel for just the attacker’s card. These attacks<br />
are the rollback and masquerading attacks. As we shall see in section 3.3,<br />
the latter is at this point impossible due to a technical constraint.<br />
• Attacks that are focused on the core security system. If such an attack<br />
is carried out, the overall security of Rejsekortet is decreased. Such an<br />
attack is described in 3.2.
24 Attacks on Rejsekortet<br />
3.1 Rollback attacks<br />
Rollbacks are a class of attacks that all depend on restoring an older state of the<br />
card. This kind of attack is usually very easy to carry out and does not require<br />
much technical know-how, only a card reader and some free software. If this<br />
method would turn out to be effective it can only be assumed that somebody<br />
will write some user-friendly software assisting in this attack.<br />
3.1.1 The trivial rollback<br />
This is the most basic of Rejsekortet attacks. It is carried out as follows:<br />
1. Attacker recovers the Mifare keys for the card and saves the current card<br />
state to his/her hard drive.<br />
2. Attacker uses the public transit system as he/she pleases.<br />
3. Attacker re-installs the saved version to the card.<br />
The card will then be in the same state as it was when it was loaded.<br />
The reason why this works is that the designers of the system wanted a very<br />
rich card state, possibly because they did not want terminals to be online,<br />
communicating with the back-office every time the card is used. To guard<br />
against users tampering with the data on the card, they have implemented a<br />
MAC so that changing the fields is difficult.<br />
In this case, however, the data comes from RKF itself so the attacker can be<br />
certain that the MAC is correct.<br />
3.1.2 Modifying TCAS structure on the card<br />
As part of the card’s indivisibility requirement the RKF-0022 standard implements<br />
the TCAS field, as described in section 1.2.3.4. This field contains information<br />
on the sectors, more specifically a value called SectorStatus. Modifying<br />
this value leads to the system thinking the old value of the field is current.<br />
This attack is unfortunately not possible to carry out without being able to<br />
calculate the correct MAC for the new value of the TCAS field.
3.1 Rollback attacks 25<br />
3.1.3 Countermeasures<br />
Guarding proactively against this attack within the confines of the current system<br />
1 is actually very difficult, despite the very simple nature of the attack. It<br />
is certain that RKF knows about this flaw and does nothing about it because<br />
it is either too expensive to change or a product of a design choice done early<br />
in the development of the system (page 52, [6]. The problem is that the whole<br />
travel card system is based around trusting the state of the card, and to guard<br />
against this it would take a centralized system to verify each transaction when<br />
it is conducted, defeating the purpose of having a “rich” card in the first place.<br />
This problem was highlighted by Christian Panton in a January DR1 newscast 2 .<br />
In response RKF sent out a press release stating that the system is in fact secure<br />
because they conduct nightly checks of the transaction database 3 . This makes<br />
the system resistant to rollbacks, because then it is possible to check that e.g.<br />
transaction IDs appear twice, or that some user has simply traveled for more<br />
money than had been added on top-up terminals.<br />
It is important to note that while this probably will prevent this kind of attacks<br />
from happening, it does not make them impossible; the travel card system has<br />
not been fixed, but another system preventing this attack has been put in place.<br />
3.1.4 Threat assessment<br />
As stated these kinds of attacks are not likely to be taken very seriously. Largescale<br />
exploitation is not likely to happen because this attack needs to be conducted<br />
by the user of the card, and because the economic gain is negligible, as is<br />
the economic loss to the maintainers. Moreover, the database checking system<br />
will likely detect transaction IDs (and, in turn, the Rejsekort ID) appearing<br />
twice, making the attack risky to try.<br />
The legal implications of conducting this attack may very well be serious. It<br />
can be argued that illicit use of Rejsekortet constitutes falsification of documents,<br />
which is punishable by Danish law, with penalties up to two years of<br />
imprisonment in non-serious cases 4 .<br />
1 I.e. the terminals are allowed to be offline, so checking against a central server is not a<br />
possibility.<br />
2 http://forsinkelsen.dk/indslag-i-tv-avisen<br />
3 http://www.rejsekort.dk/Presse/Pressemeddelelser/kundens+penge+er+altid+sikre<br />
4 http://da.wikipedia.org/wiki/Dokumentfalsk
26 Attacks on Rejsekortet<br />
3.2 Attacking the MAC<br />
Rejsekortet introduces a MAC algorithm on most sectors in order to ensure no<br />
one tampers with the contents of the card. The algorithm used is DES-MAC<br />
in CBC mode, which takes a 64-bit key, of which 8 bits are used for parity—<br />
consequently leaving the key complexity at 56 bits—and an input of any length.<br />
Using the key it “hashes” the input to a 64-bit MAC, which is then further<br />
stripped down to only consist of the first 16 bits of the 64-bit value. This new<br />
16-bit value is used as a checksum for the given sector.<br />
p 1<br />
p 2<br />
p n<br />
k DES k DES k DES<br />
MAC<br />
Figure 3.1: The Rejsekort DES-MAC function. This figure is identical to Figure<br />
1.4.<br />
An attacker can implement a hashtable mapping the entire keyspace to the keys’<br />
corresponding MACs for some fixed plaintext. In the trivial case this is known<br />
as a code book. It will be costly in both CPU time and space, but if constructed<br />
an attacker can look up a key from the table in O(1) time. A code book for the<br />
DES-MAC on Rejsekortet would need to have 2 56 entries, each consisting of a<br />
56-bit key and a 16-bit MAC:<br />
2 56 · (56 + 16) bits = 576 petabytes<br />
It is concluded that a code book spanning over the entire DES keyspace is<br />
currently impossible to implement because of the sheer amount of space needed<br />
to keep the table.
3.2 Attacking the MAC 27<br />
3.2.1 Time-memory trade-offs<br />
Time-memory trade-offs (TMTOs) are a class of precomputation attacks that<br />
can be applyed to all one-way functions, that is functions taking any input and<br />
producing an output that is computationally hard to source back to its preimage.<br />
For a one-way function H and the result of the function c, the preimage is the<br />
p that satisfies H(p) = c for some c. One-way functions are not designed to be<br />
reversible, and as such hash functions and MACs pose as good candidates for<br />
this kind of attack.<br />
This thesis will decribe two time-memory trade-offs, namely Hellman tables as<br />
described in the 1980 paper “A Cryptanalytic Time-Memory Trade-Off”[4] by<br />
Hellman, and the 2003 paper “Making A Faster Cryptanalytic Time-Memory<br />
Trade-Off”[9] by Oechslin.<br />
3.2.1.1 Hellman tables<br />
In a 1980 paper by Martin Hellman[4], a new “time-memory trade-off” is proposed.<br />
The way it works is that it implements a reduction function R that<br />
maps hash values back into the plaintext space. This facilitates the generation<br />
of chains with alternating preimages and hash values. To further refine the<br />
method, the one-way function is combined with the reduction function into a<br />
new function f in order to get a mapping from the space of preimages to itself.<br />
For some one-way function H, f can be described as f(p) = R(H(p)). f is also<br />
known as the step function of the table.<br />
The trick is then to only save the first and last values in the chain, discarding<br />
all the intermediate steps. The table consists of some amount of chains m, all<br />
starting with some random preimage and ending with a value equivalent derived<br />
by performing the plaintext-to-plaintext function f over and over, always feeding<br />
it with the output from the last iteration, see Figure 3.2.<br />
d2654f → f 732efc → f 143679 → f 84e5dc → f f<br />
} {{<br />
. . . → 0006f3<br />
}<br />
d2654f→0006f3<br />
Figure 3.2: A Hellman chain and how it is stored.<br />
elements are in storage.<br />
Only the first and last<br />
For practicality reasons attacks employ more than just one table; having one table<br />
cover a large keyspace will result in a very large file, which is time-consuming
28 Attacks on Rejsekortet<br />
and cumbersome to search in. Having more than one table also makes it easier<br />
to distribute the calculations needed to mount the attack properly.<br />
Hellman tables are prone to a very serious flaw, however. A property of hash<br />
functions is that they are collision resistant, however this does not hold for<br />
reduction functions, meaning they can give the same reduction value for two<br />
different hashes. If two hash chains in the table have the same value at any<br />
point, the two chains will merge, see Figure 3.3. This will result in two chains<br />
more likely than not cover much of the same area of the plaintext space.<br />
rejsekort H f74eed6e R ewaisnshw H 491b2cb4 R irundian<br />
movia H 93f03506 R ewaisnshw H 491b2cb4 R irundian<br />
Figure 3.3: Two hash chains merging. For the sake of clarity the one-way<br />
function and reduction functions have different boxes in this figure. The colliding<br />
parts are highlighted in red.<br />
To make up for this, Ronald Rivest proposed in 1982 that chains in Hellman<br />
tables end in a distinguished point. There could be many definitions for the<br />
point, but they have to have some property not happening too often, for example<br />
the first n bits of the value of the ending point be zero, like on 3.2. This is<br />
done to reduce the probability of chains merging; if two chains end in the same<br />
distinguished point, they will have merged for some period of the chain length.<br />
Either of the chains will be thrown out, and a new chain will be calculated in<br />
its stead.<br />
Not only can Hellman tables merge, they can also create a cycle. This happens<br />
when a reduction function reduces a hash to a value already in the same chain.<br />
This leads to the chain cycling and never reaching a distinguished point. To<br />
detect this one could look at how long the chains would be on average, and<br />
determine if the current chain is too far from this average to be realistic. The<br />
chains tend to get so long that it would be unfeasible to keep them in memory<br />
while they are being calculated to accurately determine if there is a cycle.<br />
Therefore one must rely on the length of the chain to determine the likelihood<br />
of it containing a cycle.<br />
To search for some hash value h in a Hellman table with distinguished points,<br />
one first reduces h with the reduction function: h′ = R(h). If h′ constitutes<br />
a distinguished point, the table is checked for any chains ending with h′. If<br />
such a chain exists, it is rebuilt and the preimage for h is found to be the value<br />
immediately preceding h in the chain. If the reduced h is not a distinguished
3.2 Attacking the MAC 29<br />
point, then the f function is run over and over again on h′ so as to build a chain<br />
“on top of” h′. If at any point the function outputs a distinguished point, it<br />
is checked in the same manner as before. However, if there is no match once a<br />
distinguished point has been found, h can be guaranteed not to be in the table.<br />
This is because the deterministic properties of the f; if some distinguished point<br />
is reached after h, one can be sure that for past reconstructions of the chain<br />
that, indeed, the chain would end in the same distinguished point.<br />
rejsekort H f74eed6e R ewaisnshw H 491b2cb4 R bveiytoo<br />
(continued)<br />
H 3b7b7c75 R ewaisnshw H 491b2cb4 R bveiytoo<br />
Figure 3.4: A cycle in a Hellman chain. The two hash values that produce the<br />
same reduction are highlighted in red.<br />
Finally, Hellman tables have the undesired property of causing false alarms.<br />
This phenomenon is a corollary of Helman tables’ inherent misfeature of merging.<br />
It can be explained by a chain in the table merging with the temporary<br />
chain that is being constructed when a hash value is tried. The two chains will<br />
have the same end value, but the stored chain will not contain the sought hash.<br />
Therefore one cannot be sure that a preimage can be recovered before the chain<br />
is rebuilt, unless the R(h) is a distinguished point. Applying any number of f<br />
operations to R(h) might lead to merges with some chain in the Hellman table<br />
before the preimage, leading to a false alarm.<br />
3.2.1.2 Rainbow tables<br />
In 2003 Philippe Oechslin presented a new approach for these time-memory<br />
trade-offs that did away with some of the problems of the older algorithm [9]; he<br />
narrowed down the undesired probabilities to the reduction function—Hellman<br />
tables uses the same function for all reductions, and this causes collisions, resulting<br />
in chains merging and cycling. Oechslin proposed a new kind of tables,<br />
namely rainbow tables.<br />
Rainbow tables work like the older TMTO in the sense that they facilitate<br />
reverse lookups in hashes and other one-way functions, but they use different<br />
reduction functions for every column in the table, resulting in merges only if<br />
two plaintexts are the same and appear at the exact same element index of two<br />
chains. For long chains the proability of this happening is minuscle.<br />
To look up values in a rainbow table the attacker would take the reduce the
30 Attacks on Rejsekortet<br />
hash value to which the preimage is sought, reduce it with the t − 1 th reduction<br />
function R t−1 for chain length t, and look through all chain endings to see<br />
if there is a match. If there is a match, the entire chain is generated from the<br />
beginning. If there is no match, then R t−2 is applied to the hash value, and then<br />
f t−1 . This will yield anoter value. If that value matches one of the endpoints in<br />
the rainbow table(s), then the chain in question is rebuilt. If there is no match,<br />
then R t−3 is applied, then f t−2 , then f t−1 , etc. If at any point f 0 is called, the<br />
sought-after value is not in the rainbow table(s).<br />
3.2.2 How the MAC is calculated<br />
The following is known about the input to the DES-MAC function, quoted from<br />
RKF-0022.<br />
1. All bytes of a block contribute to the checksum calculation with the exception<br />
of the checksum byte itself. Even possible padding zeroes between<br />
the last proper data element and the checksum byte contribute to the<br />
checksum.<br />
2. The data to be authenticated, i.e. input to the MAC algorithm, always<br />
include the CardSerialNumber of CMI: Manufacturer Information. As the<br />
CardSerialNumber is unchangeable, this will prevent system objects or<br />
application objects to be copied from one travel card to another, without<br />
being detected. (Unquote.)<br />
From this we can deduce the input for the DES-MAC function as being the<br />
card’s serial number concatenated with the contents of the object to be MAC’d,<br />
including any possibly unused bits, padded with zeroes to fit a multiple of the<br />
DES block size.<br />
The data is then MAC’ed as described in Section 1.3.2.1. The output from<br />
the DES-MAC function is 64 bits, which is then reduced to using only the first<br />
16 bits of the original MAC (quote RKF-0022: “the output is truncated to the<br />
specified size as the most significant bits of the 64 b output of the algorithm.”).<br />
The reduced MAC of 16 bits is then stored on the card, and may be verified in<br />
subsequent transactions by calculating the MAC anew and comparing the result<br />
with the stored value. If the values match, then the MAC is accepted.
3.2 Attacking the MAC 31<br />
n bits (arbitrary length) 64 bits 16 bits<br />
Plaintext<br />
DES-MAC<br />
cut<br />
MAC<br />
64 bits (8 used for parity)<br />
Key<br />
Figure 3.5: The reduction of MACs. The DES-MAC function is explained in<br />
section 1.3.2.<br />
3.2.3 Criteria to be met for a successful implementation<br />
of a TMTO<br />
To be successful with a time-memory trade-off, the attacker needs to always be<br />
able to control the contents of a data structure in order to restore the state to<br />
some expected content. These conditions must be met:<br />
• There must exist a user-changeable or never-changing data field on the<br />
card.<br />
– If the field is user-changeable it must be so by means of the Rejsekort<br />
terminals or in other ways unsuspicious. Moreover the fields changed<br />
must be controllable so that the data can be restored to some previous<br />
state from which the TMTO was prepared.<br />
– If the field is never-changing we furthermore demand that RKF updates<br />
the hash even though the data is unchanged.<br />
• This field has to have a MAC.<br />
• The DES key for the MACs of all fields should be the same throughout<br />
the card.<br />
The attack is weaker for the never-changing fields, because then it depends on<br />
RKF actually updating the hash even though the data has not been changed,<br />
instead of just letting the old MAC be, with proper reference to the old key.
32 Attacks on Rejsekortet<br />
3.2.4 Interesting property of shortened MACs<br />
Rejsekortet implements a MAC system that reduces the length of the original<br />
MACs to 16 bits from the original 64 bits of the DES-MAC standard. This<br />
increases the risk of having collisions, both key-based and plaintext-based 5 , but<br />
it also makes the implementation more resistant against time/memory-tradeoffs.<br />
The shortening of MACs on the card makes it nontrivial to look them up in a<br />
rainbow table. MACs stored on Rejsekortet are usually 16 bits long[5], taken as<br />
the first 16 bits of the original 64-bit hash[6]. This means that if the plaintext<br />
is fixed two keys will still give different hashes, but their 16-bit reductions can<br />
not be guaranteed different, see Figure 3.6.<br />
k 0<br />
FE:85:3D:20:1B:A8<br />
DES-MAC<br />
09:F9:11:02:9D:74:E3:5B<br />
cut<br />
09:F9<br />
Collision<br />
38:D9:3A:F7:B2:AC<br />
DES-MAC<br />
09:F9:D8:41:56:C5:63:56<br />
cut<br />
09:F9<br />
k 0<br />
Figure 3.6: Two different plaintexts having different 64-bit MACs, but after<br />
being reduced colliding. The inputs to the DES-MAC function are of arbitrary<br />
length, and is only shown here as six bytes as an example.<br />
This entails that a code book needs only 2 16 rows, with all of them linking to<br />
a list of key prospects that need to be cross-tested on some other data that is<br />
MAC’ed with the same key. Note that this will in no way optimize the size<br />
complexity of the code book, nor will the search time for a key be any better.<br />
In fact, quite the opposite; since each reduced MAC can come from 2 40 different<br />
keys acting on the same plaintext, more plaintext will likely be needed to weed<br />
out the false positives.<br />
3.2.4.1 Accommodating this limitation by introducing more tables/cards<br />
It is, however, possible to adapt one’s attack to this kind of security. Knowing<br />
that some sector S 0 is MAC’d with the same key k on all cards gives the attacker<br />
the opportunity to create a table for another card. Given n MACs and n lookup<br />
5 Two different keys for the same plaintext giving one MAC, and one key for two different<br />
plaintexts giving one MAC, respectively.
3.2 Attacking the MAC 33<br />
Card 1 Card 2 Card 3 Card 4<br />
2 56 MAC batch 2 40 MAC batch 2 24 MAC batch 2 8 MAC batch 1<br />
Figure 3.7: Description of usage of the “MAC batch” function that takes a piece<br />
of data with a valid MAC and calculates MACs for all the key candidates from<br />
the list it receives. The numbers on the arrows are the expected cardinality of<br />
the keyset given to the batch function.<br />
tables for the corresponding MACs it is possible to take the intersection the n<br />
tables to “weed out” all the key prospects that do not appear in all the lists.<br />
Generally, the more space and CPU time the attacker can afford, the more<br />
effective this improvement is.<br />
It is possible to make some statistical analysis as to how much an increase in<br />
rainbow tables would affect calculation time, but in general one table should be<br />
enough; starting with a keyspace of 2 56 and reducing that to about 2 56−16 =<br />
2 40 to be brute-forced, it will take 1.2 days for a modern computer 6 for the<br />
intersection set, see 3.2.7.1. If the intersection is ambiguous the remaining<br />
intersection sets can be done in seconds.<br />
We can define a function taking some list of keys and using this list to calculate<br />
the reduced MACs for a given data element. This data element should already<br />
have a MAC that is issued by the system. If the reduced MAC matches the<br />
one already in the data element, it means that the current key is a candidate,<br />
and the key is saved in a buffer of key candidates. This buffer is then given<br />
as input to the same function acting on another card’s data. This way the key<br />
candidates can be weeded out effectively. This model is shown on Figure 3.7.<br />
3.2.4.2 Accomodating this limitation by obtaining more chosen plaintext<br />
from the same card<br />
It is also possible to obtain more chosen plaintext by simply changing the value<br />
of some fields on the card and record the MACs of these individual samples. If<br />
one can find a sector that can mutate to four or more different controlled states,<br />
then it is possible to have 4 · 16 = 64 bits of independent MAC data for some<br />
key. This is convenient, as we shall see in section 3.2.7.<br />
6 In this case, a Lenovo laptop with an Intel Core 2 Duo processor at 2.26GHz, using one<br />
CPU thread.
34 Attacks on Rejsekortet<br />
3.2.5 Applying a time-memory trade-off to Rejsekortet<br />
To construct a rainbow table one needs a one-way function f i that maps some<br />
{0, 1} n → {0, 1} n space, in order to create the rainbow chains of which the table<br />
consists. In this case n = 56 because we would like to search for a 56-bit key.<br />
This f could for example be a DES-MAC function taking a key of 56 bits, plus<br />
a reduction function reducing the 64-bit output to a 56-bit one, in order to have<br />
the output in the same space as the input.<br />
Since the MACs are only 16 bits long they are not usable as hash candidates,<br />
unless we define our plaintext as being four different chosen plaintexts and our<br />
hash as the hashes of the four plaintexts concatenated, as described in 3.2.4.2.<br />
For a key k and the Rejsekortet DES-MAC function (with 16 bits output) H<br />
we have<br />
c k = H(p 1 , k)||H(p 2 , k)||H(p 3 , k)||H(p 4 , k)<br />
. . . for four different plaintexts p 1 , p 2 , p 3 , p 4 . The four different plaintexts could<br />
be different mutations of the same field or just chosen plaintexts from different<br />
sources from the same card, given all these are MAC’ed with the same key. c k<br />
now has 64 bits of entropy since we can expect the output from all of the H<br />
operations to be 16 bits, and mutually independent, even though k is constant.<br />
We can then discard 8 bits from c k in order to get a value in the {0, 1} 56 space.<br />
A f i for Rejsekortet could then take the 56-bit key as input, use that for the k<br />
values in c k , and then reduce the output to 56 bits by cutting the last 8 bits away<br />
from the 64-bit value. Finally, to have the function differ between columns, it<br />
could be XOR’ed with the column’s number.<br />
Using the table counts, chain counts and chain lengths proposed in [9] we know<br />
that for a 56-bit keyspace we need to store of 2 2 3 ·56 = 2 37.33 entries for a table<br />
balanced equally in terms of size and lookup complexity. Each entry would<br />
consist of 2 · 56 bits, leading to a total size for the rainbow table(s)<br />
2 37.33 · (2 · 56) bits = 2.20 terabytes<br />
Hard drives with two terabytes of storage cost, at the time of writing, about<br />
1000 Danish kroner, so the space requirement is easily accommodated.
3.2 Attacking the MAC 35<br />
3.2.6 Candidate data structures for a TMTO<br />
Using RKF-0025[5] as a reference document for the bit layout of the card it was<br />
established that there are two MAC’d data structures in Rejsekortet with either<br />
fixed or chosen plaintext. One is in the card information section, and the other<br />
in the customer profile section. These constitute good candidates because the<br />
attacker can “mold” them to his/her will, allowing a precomputation attack,<br />
because it is always possible to reset the state of the data structure to some<br />
expected value.<br />
3.2.6.1 Time/memory-tradeoff in the TCCI<br />
The TCCI (Travel Card Card Information) is the second block on the card. It<br />
holds the following information[5]:<br />
• Card version.<br />
• Card issuer.<br />
• Expiry date.<br />
• Which currency unit the purse holds.<br />
• A MAC.<br />
• Some fields with constant values, per the specification.<br />
All of this information is not likely to change throughout the lifetime of a card<br />
and thus makes for a good “entry point” for a time-memory trade-off. However,<br />
as described above the attack is not without conditions and resistant to<br />
countermeasures; in fact it is rather fragile.<br />
A condition for the continued efficiency of the flaw is that immutable fields have<br />
their MAC recalculated each time a new key is issued, otherwise the attacker<br />
will gain no more MACs to work with. It can be assumed that the system does<br />
this, because otherwise attackers would be able to calculate correct MACs for<br />
data with an old (known) key.
36 Attacks on Rejsekortet<br />
3.2.6.2 Time/memory-tradeoff in the TCCP<br />
The TCCP (Travel Card Customer Profile) is another good candidate for a precomputation<br />
attack. TCCP’s advantace over the TCCI is that its mutable fields<br />
are user-controllable, abusing the inherent feature of MACs that the plaintext<br />
is likely choosable. The precise contents of the section can be looked up in [5],<br />
but listed here are the user-mutable fields:<br />
• The passenger class<br />
• Preferred language<br />
• Dialogue preferences<br />
The other fields are other fields relating to the user, such as his/her birthday, etc.<br />
Conducting a pre-computation attack from the TCCP is likely more effective<br />
than the one described for the TCCI, because the user has complete control<br />
over the state of the sector. This entails that an attacker will be able to force a<br />
recalculation of the MAC, which can then be looked up in the table.<br />
3.2.7 A practical time-memory trade-off against Rejsekortet<br />
As stated in 3.2.4.2 it is possible to get 64 bits of independent MAC data for<br />
some key if some field can be controlled into four different mutations. As was<br />
just established, the TCCP constitutes such a field. The preferred language<br />
can be expected to have at least two different values, Danish and English, and<br />
so does the passenger class, business class and economic class. This gives four<br />
different states that all have different MACs for some key, see table 3.1. The<br />
16-bit MACs can be concatenated to form a 64-bit MAC. However, the key<br />
length for DES is 56, so the new 64-bit MAC can be shortened to 56 bits, giving<br />
a {0, 1} 56 → {0, 1} 56 mapping.<br />
It is now possible to construct a rainbow table mapping DES keys to this new 56-<br />
bit MAC. As described in section 3.2.5 this rainbow table will have the expected<br />
size of 2.2 TB if it is optimized equally for space efficiency and on-line key<br />
recovery time efficiency. However, values can be adjusted as the attacker sees<br />
fit. The step function f i for the ith column in the rainbow table is defined as<br />
shown in Figure 3.8.
3.2 Attacking the MAC 37<br />
in<br />
f i<br />
64b<br />
c 1 c 2 c 3 c 4<br />
MAC<br />
MAC<br />
MAC<br />
MAC<br />
64b<br />
cut<br />
cut<br />
cut<br />
cut<br />
16b<br />
concatenation<br />
64b<br />
cut<br />
56b<br />
⊕ i<br />
out<br />
Figure 3.8: The step function f i for the ith column of the rainbow table. The<br />
top to the concatenation function is the MAC-function, and the cut and XOR<br />
functions comprise the reduction function.
38 Attacks on Rejsekortet<br />
Language Class MAC bits<br />
Danish Economic 16 bits<br />
Danish First 16 bits<br />
English Economic 16 bits<br />
English First 16 bits<br />
64 bits<br />
Table 3.1: The four different combinations of chosen plaintext in the TCCP<br />
field.<br />
Now, to recover a key k from the rainbow table, the attacker must recreate the<br />
four combinations of chosen plaintext described in Table 3.1, note their MACs,<br />
concatenate and short the 64-bit value to 56-bits and use that value as searching<br />
operand in the rainbow table, as described in section 3.2.1.2.<br />
This attack enables key recovery from the Rejsekort DES-MAC in feasible time,<br />
in turn allowing a determined attacker to forge money or tickets onto Rejsekort.<br />
Keep in mind that these rainbow tables will work for just one card, but also<br />
that the DES keys are the same for all cards. If an attacker creates a rainbow<br />
table over the DES-MAC function in his Rejsekort, he will be able to recover<br />
the DES keys for all Rejsekort.<br />
3.2.7.1 Estimates of the time complexity in constructing a rainbow<br />
table<br />
To construct a table comprising the entire DES keyspace, it would take 2 56 DES<br />
runs to have the space exhausted. This needs to be done four times because<br />
there are four different plaintexts that need to be concatenated to form one<br />
56-bit value for use in the rainbow table. That is<br />
2 56 · 4 = 2 58 calculations<br />
Using the DES implementation available from www.darkside.com.au/bitslice/,<br />
it was possible to get the following speed test output on a standard Lenovo laptop<br />
from 2008:<br />
Searched 27119864.5 keys per second<br />
Dividing 2 58 with that number gives an expected calculation time of almost 337<br />
years on a current laptop. However, the code could run much faster on an array
3.2 Attacking the MAC 39<br />
of GPUs or FPGAs, or even as a distributed computing project, given it had<br />
more than one thousand participants.<br />
3.2.7.2 Coverage of rainbow tables<br />
By using the same table counts, chains-in-table counts and chain lengths it is<br />
possible to reuse the calculations done in [9] with regards to table coverage.<br />
Oechslin constructed Hellman tables and rainbow tables of equal cardinality<br />
and tested 500 random passwords against the tables. These were his findings.<br />
Hellman tables Rainbow tables<br />
predicted coverage 75.5% 77.5%<br />
measured coverage 75.8% 78.8%<br />
Table 3.2: Coverage statistics of Hellman tables vs. rainbow tables.<br />
As can be seen rainbow tables have a slightly better coverage than tables using<br />
distinguished points. However, since rainbow tables do not incur false alarms<br />
nearly as often as Hellman tables, the cryptanalysis time for a password is<br />
drastically reduced in the favor of rainbow tables.<br />
3.2.7.3 Field experiments<br />
A field study was conducted to determine if this attack is viable. At the terminal<br />
at Høje Taastrup station it was attempted to modify the TCCP in the ways<br />
described in Section 3.2.7. Between the transitions the card was dumped, and<br />
the TCCP state picked out. The results can be seen on Figure 3.9.<br />
A: A2 02 F4 05 E0 3D 03 00 20 ... 00 00 00 00 00 00 00 00 ... 40 ... 66 E0<br />
B: A2 02 F4 05 E0 3D 03 00 10 ... 01 DD 59 41 77 36 1F 8C ... 40 ... 60 39<br />
C: A2 02 F4 05 E0 3D 03 00 10 ... 01 DD 59 41 77 36 1F 8C ... 40 ... 60 39<br />
D: A2 02 F4 05 E0 3D 03 00 20 ... 01 DD 59 41 77 36 1F 84 ... 40 ... 45 AB<br />
E: A2 02 F4 05 E0 3D 03 00 20 ... 01 DD 59 41 77 36 1F 84 ... 40 ... 45 AB<br />
Figure 3.9: Five dumps of the TCCP data structure. The last two bytes are<br />
the 16-bit MAC values. A: The card as it was before the experiment. B: The<br />
passenger class is set to first class. C: The language is set to English. D: The<br />
passenger class is set to economic. E: The language is set back to Danish.<br />
NB: Subsequent 0x00 bytes are replaced with “. . . ”
40 Attacks on Rejsekortet<br />
It is noted that changing the passenger class has an immediate effect on the<br />
contents of the field, whereas changing the language does not! This is in conflict<br />
with the version of RKF-0022/0025 available. Moreover the card seems to be<br />
“initialized” with the first change in the TCCP (much of the data structure were<br />
zeroes before changing it), but this needs to be verified further. It can neither<br />
be proven or disproven that it is possible to establish an older state of the card.<br />
Changing the language actually did lead to a change in the card, albeit in<br />
another part than expected. The TCCP is a special data structure called AT4 7<br />
which, as opposed to other data structures on the card, does not have the<br />
same kind of indivisibility enforcing as the other fields, and this does not need<br />
redundancy. Maybe because this field can be restored to a default value in case<br />
of a transmission error, maybe because the field can only be altered when the<br />
card is in the machine, not in the hand of a user that might leave prematurely.<br />
A: A2 02 F4 05 E0 3D 03 00 20 ... 01 DD 72 2B FC C5 37 5F 78 77 88 00 F1 D8 3F 96 43 14<br />
B: A2 02 F4 05 E0 3D 03 00 20 ... 01 DD 72 2B FC C5 37 5F 78 77 88 00 F1 D8 3F 96 43 14<br />
C: A2 02 F4 05 E0 3D 03 00 10 ... 01 DD 72 2B FC C5 37 5F 78 77 88 00 F1 D8 3F 96 43 14<br />
D: A2 02 F4 05 E0 3D 03 00 10 ... 01 DD 72 2B FC C5 37 5F 78 77 88 00 F1 D8 3F 96 43 14<br />
E: A2 02 F4 05 E0 3D 03 00 20 ... 01 DD 72 2B FC C5 37 5F 78 77 88 00 F1 D8 3F 96 43 14<br />
Figure 3.10: The same exhibits as in Figure 3.9, but elsewhere on the card.<br />
Byte number 9 changes with the language.<br />
It is important to note that the MAC did not change with the language as it did<br />
with the passenger class, despite the data having changed. This means either<br />
that the new MAC was not calculated, or that it collides in this special case. In<br />
any case it is interesting.<br />
It is concluded that the attack as described will not work, partly because the<br />
data storage model has been changed, partly because the field test did not yield<br />
enough data for anyone to give a precise analysis of the possibilities of restoring<br />
an older state. If it is possible to get back to an older state of the structure,<br />
then it is still vulnerable to this attack. Also, if an attacker can find another<br />
controllable data structure, then it can be used in conjunction with this to<br />
mount the attack as described, but with the new data structure states instead.<br />
3.2.8 Threat assessment<br />
Forging attacks can be very dangerous because they can be centralized. If a<br />
determined attacker has the hardware and know-how to construct a rainbow<br />
7 Application Type 4
3.3 Masquerading attacks 41<br />
table of the MAC algorithm, then by knowing all cards use the same keys for<br />
the MAC it is possible to forge money and tickets for every Rejsekort.<br />
If this attack proves effective there is presumably a large market if some entity<br />
can offer Rejsekort money at half price, etc. This has the potential to have very<br />
large economic consequences for Rejsekortet, unless the system is well-equipped<br />
to withstand such an attack, by means of a reactive security measure like with<br />
rollback attacks.<br />
As with rollback attacks this attack is likely detectable to RKF, without knowing<br />
exactly what is being sent to the back-office. One thing that complicates this,<br />
however, is that the attacker can change any data on the card, so if some<br />
validation is not done properly, the attacker might be able to take advantage of<br />
this.<br />
3.3 Masquerading attacks<br />
Masquerading is an attack type involving the attacker digitally posing as somebody<br />
else, often a legitimate user of the system. With the recent attacks on Mifare<br />
cards it has become an ever-larger risk of having one’s card compromised.<br />
The attacks can in theory be performed in seconds with the right equipment,<br />
and the offended part will never notice.<br />
The problem is, though, that these attacks are very hard to carry out in real<br />
life, due to technical constraints both related to the reading and the writing of<br />
the Mifare cards.<br />
3.3.1 The trivial masquerading attack<br />
This attack involves using Mifare vulnerabilities to dump a card and loading it<br />
onto another. There is a tool for this task in libnfc, called nfc-mftool, that<br />
allows reading and writing to Mifare cards, given the proper sector keys. These<br />
can be recovered with the Mifare attacks described in the first chapter.<br />
3.3.1.1 Mifare reading distance<br />
As described in the first chapter, Mifare cards use a technique called Near<br />
Field Communication to facilitate the contact between terminal and card. The
42 Attacks on Rejsekortet<br />
specification of the standard is described in ISO/IEC 14443.<br />
Using a regular reader from http://www.touchatag.com/ the maximum reading<br />
distance was determined to be 7-8 centimetres. This experiment was conducted<br />
by running the program nfc-list in a loop, slowly moving a Mifare<br />
card further and further away from the reader. When the card was out of reach,<br />
it was moved towards the reader again, to accurately determine the maximum<br />
reading distance of Mifare cards.<br />
3.3.1.2 Unique IDs on cards<br />
Mifare cards are shipped from the manufacturer with the first block of the first<br />
sector burned into the card, rendering it immutable. This field contains an<br />
ID number unique to the card among some other manufacturer-specific data.<br />
Rejsekortet uses this ID to distinguish different cards from one another, and<br />
since it is immutable it is not possible to write to the card, it is not possible<br />
to load a dumped version of another card. The ID will not be overwritten, and<br />
consequently all the MACs will not match anymore, since part of their basis is<br />
this ID.<br />
3.3.1.3 Pirate cards<br />
The possibility of someone developing a pirate card for Mifare is considerable.<br />
There is no physical restraints in place to hinder creating a card that allows<br />
writing to the first block of the first sector. The security of genuine Mifare<br />
Classic cards lies in a clever design choice from NXP, that is not to allow writing<br />
to the manufacturer block.<br />
If a pirate card existed, it would be possible to create a one-to-one copy of a Mifare<br />
card, which is problematic not only for Rejsekortet but for all deployments<br />
of Mifare. NXP can be expected to take such experiments very seriously, and<br />
will likely do everything in its power to stop the production of such cards.<br />
3.3.1.4 Having a reader act as a card<br />
Most NFC readers available also offer the functionality of emulating a Mifare<br />
Classic card. This enables an attacker to check in and check out as if the reader<br />
was an actual Mifare card. The problem arises when a conductor wants to
3.4 Attacks on the infrastructure 43<br />
verify the card; since the attacker cannot present a real Rejsekort, this way of<br />
circumventing the “manufacturer area” becomes largely unusable.<br />
3.3.1.5 Threat assessment<br />
Since this attack is not practically possible to carry out, it can be ignored—at<br />
least until pirate cards exist in the wild without NXP interfering.<br />
3.3.2 A vandalistic masquerading attack<br />
Using the a NFC reader as a card opens up some possibilities of masquerading<br />
in a vandalistic way. Suppose an attacker recovers a full dump of a Rejsekort<br />
and uses his card reader to make the illegally copied Rejsekort “follow” him<br />
somewhere. This makes the system think the legitimate Rejsekort is a rolledback<br />
version of itself, and in turn disable it to the annoyance of the owner.<br />
3.3.2.1 Threat assessment<br />
An inherent feature of vandalism attacks is to cause as much disruption as<br />
possible, and only targeting one user of Rejsekortet will likely be too small for<br />
this attack to be interesting in the eyes of a vandal.<br />
3.4 Attacks on the infrastructure<br />
As stated in the last chapter this section will be speculative only, but it presents<br />
some vectors that could be exploited in order to gain something from the system<br />
normally restricted, and some conventional methods on exploitation likely not<br />
applicable to this system.<br />
3.4.1 Attacking the controlling and/or check-in terminals<br />
Some attacks might apply to the terminals. If they can be compromised to<br />
accept a card that should not be accepted, the adversary has mounted an effective<br />
attack against the system. This section will present some techniques that
44 Attacks on Rejsekortet<br />
might prove effective, and should be taken into consideration when securing the<br />
terminals.<br />
3.4.1.1 Fuzzing<br />
Fuzzing is about sending garbage data to a system that expects some degree<br />
of order in its data inputs. This may in some cases cause systems to crash or<br />
otherwise work in unexpected ways. If the attacker is lucky it could for example<br />
be possible to have the checking terminal seemingly accept a card without the<br />
data contents actually being valid.<br />
To be successful with a fuzzing attack the attacker must have physical access to<br />
a checking terminal—preferably not on a station—in order to carry out preliminary<br />
experiments. Experimenting with fuzzing has an inherent component of<br />
“working blindly”—there is no “Fuzzing black book,” one just has to try feeding<br />
bad data to the system. Obtaining the terminal will likely prove to be tricky,<br />
as the transit organizations presumably don’t want their systems compromised,<br />
and therefore show little interest in aiding this.<br />
However, if an attacker gets hold of such a terminal, he would systematically<br />
write either garbage or in other ways non-conforming data to the card, hoping<br />
the terminal would act in an unexpected manner. If it does (and it is checkable)<br />
then the attacker has conducted a successful fuzzing attack on a Rejsekort terminal.<br />
This could for example be the checking terminals accepting a card with<br />
badly formatted data.<br />
Fuzzing attacks at Rejsekortet would probably need to be cleverly applied. From<br />
the specifications the system looks rather robust against inconsistency, with the<br />
introduction of TCAS, etc. The way to go about fuzzing would probably be to<br />
follow the data structures as closely as possible but have pointers to some data<br />
element point elsewhere than expected. This in turn requires the attacker to be<br />
able to calculate the correct MAC for a given data stream.<br />
3.4.1.2 Software-based buffer overflows<br />
Buffer overflow exploitation is typically about exhausting the allocated memory<br />
for some resource without the actual value ending. This can happen with strings<br />
because if the terminating character ‘\0’ is not within the boundaries of the size<br />
of the variable, there’s nothing to stop the variable from “growing out of its<br />
space”. This causes it to overwrite other variables, but probably more worrying
3.5 Vandalism 45<br />
it can overwrite the call stack, resulting in controllable CPU behavior on an<br />
assembly level.<br />
Buffer overflows will likely not work because the data structures on the card<br />
have a fixed length and a special binary format. The readers will always know<br />
exactly how much data to read and how much memory to allocate, with no need<br />
of waiting for a terminal character. This makes buffer overflowing ill-fit as an<br />
attack vector for Rejsekortet’s system, but is included here for completeness.<br />
3.4.2 Attacking the top-up terminals<br />
Depending on the underlying computer systems of the top-up terminals it might<br />
be possible to perform a hacking attack that sends data to the back-office about<br />
the card being topped up, enabling the user to travel for money “officially”<br />
issued by the system, but without having the amount drawn from the given<br />
credit card.<br />
3.4.3 Threat assessment<br />
All of these threats are probably too hard to pull off for the “average Joe”<br />
wanting to travel for free. They either require special knowledge, access to<br />
official equipment and/or quite some courage to pull off.<br />
3.5 Vandalism<br />
As stated in the last chapter, vandalism attacks must be taken seriously even<br />
though they generally are not motivated by the outlook to personal gain. Some<br />
people like to cause mischief not even demanding attribution for it.<br />
As we shall see, in some cases vandalism introduces plausible deniability, which<br />
raises some questions about liability in Rejsekortet system.<br />
3.5.1 Card-based vandalism<br />
With the recent Mifare attacks allowing card contents to be modified, cardbased<br />
vandalism is a very real possibility. If we even take into consideration
46 Attacks on Rejsekortet<br />
that the Mifare keys is shared across all Rejsekort, performing these attacks is<br />
only needed once to be able to dump the card in seconds.<br />
On Figure 3.11 the time consumption for dumping a card is shown. It will<br />
take roughly the same time to write the same amount data to a card. The<br />
dumping was done with a reader from http://www.touchatag.com/ and with<br />
the open-sourced NFC library libnfc.<br />
$ time nfc-mftool r a keys.mfd dump.mfd<br />
Checking arguments and settings<br />
Succesful opened MIFARE the required files<br />
Connected to NFC reader: ACR122U102 - PN532 v1.4 (0x07)<br />
Found MIFARE Classic 4K card with uid: [redacted]<br />
Reading out 256 blocks |........................................|<br />
Writing data to file: dump.mfd<br />
Done, all bytes dumped to file!<br />
real 0m3.871s<br />
user 0m0.010s<br />
sys 0m0.060s<br />
Figure 3.11: Terminal output of a Mifare 4K card being dumped with<br />
nfc-mftool. The card is dumped in less than four seconds.x<br />
With a NFC reader it is possible to corrupt people’s cards without their consent.<br />
However, since NFC communication requires very low distance from card to<br />
reader, it might be difficult to pull off undetected. See Section 3.3.1.1 for an<br />
experiment in the range of Mifare.<br />
3.5.1.1 Rogue terminals<br />
In theory it is possible to construct a terminal-resembling device, putting it<br />
on stations, and either harvesting card dumps or wiping cards as unknowing<br />
commuters “check-in.” However the effort needed to mount this attack will be<br />
tremendous, especially in comparison to the gain.
3.5 Vandalism 47<br />
3.5.2 Terminal-based vandalism<br />
A successful terminal-based vandalism attack would depend on rendering the<br />
terminal in a state of (seemingly-)irrecoverable non-functioning. For example, if<br />
one could modify a card to make the terminal stuck in an infinite loop and glue<br />
that card to the backside of the terminal, the terminal would be temporarily<br />
disabled.<br />
However, this is not possible; there are no pointers on the card that make it<br />
possible to e.g. have it point to itself. The card is not possible to branch the<br />
execution flow of the terminal in any undesirable direction.<br />
3.5.2.1 Plausible deniability<br />
If future research yields flaws in the terminals, it will introduce plausible deniability,<br />
which gives statements like “I couldn’t check in my card because the<br />
terminal was defective” some additional credibility, and pushes the liability of<br />
the user not having checked in as required back to Rejsekort A/S.<br />
3.5.3 Threat assessment<br />
Vandalism can be considered relatively harmless in the case of Rejsekortet. Since<br />
the reading distance is so low, it is not realistic to e.g. walk through a bus or<br />
a train and wipe all cards as you pass by. Neither is terminal-based vandalism<br />
possible currently, but depending on how easily possible future attacks are carried<br />
out, the maintainers should be wary of this, and have a strategy against<br />
plausible deniability.
48 Attacks on Rejsekortet
Chapter 4<br />
Improvements<br />
This chapter will propose some general improvements to the system that will<br />
increase security.<br />
The available documentation on the system describes an older version, therefore<br />
not all of the information applies anymore. Some information is gathered in two<br />
field tests conducted in June 2010.<br />
4.1 Improvements since version 1 and 2<br />
As previously stated this thesis is concerned with versions 1 and 2 of Rejsekortet.<br />
Using a card provided by Rejsekort A/S it was possible to extract new<br />
information without the specifications, simply by using the card as described<br />
and dumping it whenever its state is changed.<br />
Disclaimer: The information stated may not be precise if RKF has changed<br />
the bit ordering of the fields, and should not be taken as fact without further<br />
investigation.
50 Improvements<br />
4.1.1 New MAC algorithm<br />
It seems that the MAC algorithm has been changed from DES-MAC to something<br />
else. The specifications define a MACAlgorithmIdentifier that, if set to 1,<br />
represents DES-MAC as the algorithm used. This value has since been changed<br />
to 3 which may indicate that the card uses a stronger MAC. The attack still<br />
works in theory, but depending on the key size of the new cipher/hash algorithm<br />
the attack slides further and further into the realm of infeasibility, because of<br />
the sheer size of the new rainbow table, and because higher key complexities<br />
need more chosen plaintext, which is scarce.<br />
The system definitely still uses a MAC algorithm, that is a cryptographic block<br />
cipher with some key size k > 56 in some MAC mode. There are two likely candidates<br />
for the a replacement cipher-based MAC function, namely 3DES and<br />
AES. These algorithms are “industry standard,” and another (secure) implementation<br />
would be either expensive or time-consuming to have developed, or<br />
both.<br />
4.1.1.1 3DES<br />
3DES, pronounced triple-DES, is a reinforcement maneuver applied to the DES<br />
cryptosystem after it was proven too weak in the late nineties. Its weakness was<br />
not the actual encryption algorithm, but the key size—a fact which is also used<br />
in this thesis as an attack on the MAC system. The key size of DES is 64 bits,<br />
but eight of the bits are reserved for parity (in case the transmission of the key<br />
is disturbed).<br />
3DES consists of three successive runs of the DES algorithm, first an encryption<br />
run, then decryption, then encryption again—note that a decryption run can<br />
work as encryption, also succeeding an encryption, as long as they use two different<br />
keys. This structure needs three keys, and offers different keying options<br />
for these with varying security[10].<br />
• All keys K 1 , K 2 , K 3 are independent. This gives a key complexity of 3·56 =<br />
168 bits, and is considered secure, also by current standards.<br />
• K 3 equals K 1 . This gives an increased key complexity of 2 · 56 = 112 bits.<br />
• K 3 = K 2 = K 1 . This is no more secure than single DES, in fact they are<br />
equivalent because E K1 (D K1 (E K1 (m))) = E K1 (m) for encryption function<br />
E and decryption function D.
4.1 Improvements since version 1 and 2 51<br />
For the new implementation Rejsekort A/S would probably choose the first<br />
keying option, if their choice fell on 3DES for the new MAC algorithm. Whatever<br />
containers they used for keys prior to this (suggested) update, they would<br />
need to make them bigger anyway, so not going “all the way” (in terms of key<br />
complexity) seems very unlikely.<br />
4.1.1.2 AES<br />
AES is a more recent symmetric cryptosystem, based on an algorithm called<br />
Rijndael. NIST 1 hosted a competition for the new data encryption standard<br />
in the US. The competition was won by Rijmen and Daeman, and their cipher<br />
Rijndael was finally FIPS approved in 2001.<br />
The AES cipher offers three three different key sizes, namely 128, 192 and 256<br />
bits, and depending on the key size runs in a number of iterative rounds, all<br />
performing the same three functions designed to substitute and shuffle the cipher<br />
state as much as possible, and finally adding a round key. This makes for a very<br />
robust cipher<br />
It is difficult to give estimates on which key size that would be chosen if Rejsekortet<br />
were to use AES as the new hash function, but they would most likely<br />
not pick 256 bits, since a new 2009 attack made it theoretically inferior in terms<br />
of key complexity to AES-128.<br />
A equally-weighed 2 rainbow table over the AES-MAC would use:<br />
(2 · 128) · 2 2 3 ·128 bits = 2 93.3 bits = 1290 yottabytes<br />
The byte scale goes: byte, kilobyte, megabyte, gigabyte, terabyte, petabyte,<br />
exabyte, zettabyte, yottabyte. Current hard drives range of about 2TB; storing<br />
this much data is currently impossible, let alone doing 2 93 calculations to recover<br />
a key!<br />
4.1.1.3 Hash-based MACs<br />
Hash-based MACs use a cryptographic hash function instead of a cipher to<br />
perform the hashing operation. The probable advantages of this is that hash<br />
1 National Institute of Standards and Technology.<br />
2 Equally in terms of space complexity and search complexity.
52 Improvements<br />
functions tend to be very fast and very compact in software, leading to a faster<br />
overall calculation of the MAC value.<br />
The new MAC function may also be based on a hash function. It is at this point<br />
impossible to look at a MAC and tell if it was a product of a cipher-based or a<br />
hash-based MAC algorithm, so the possibility is included here for completeness.<br />
4.1.1.4 Remarks<br />
As previously stated the bit ordering of the fields on the card might have<br />
changed, leading to parsing errors if parsed in accordance with the old standard<br />
[6]. Therefore the MAC might actually not have changed at all. It was<br />
impossible to test if the algorithm was changed because that would require creating<br />
a rainbow table for the DES-MAC to recover the key, and in turn verifying<br />
it against other Rejsekort.<br />
However, we can note the following: 3DES is the fastest of these solutions,<br />
at least when run on hardware. So if the MAC algorithm is in fact changed,<br />
CBC-MAC with 3DES would be the most sensible choice.<br />
4.2 Other immediately applicable improvements<br />
Again, by comparing two historically different dumps of a card it is possible to<br />
establish if other security enhancements have been implemented or not.<br />
4.2.1 Sector-specific keys for the MAC<br />
The proposed time-memory trade-off relies largely on the same key being used<br />
across sectors. If sectors get their own keys one would need a rainbow table for<br />
every sectors to recover the sector-specific key for his/her card. To create such<br />
a table the attacker would also need enough controlled plaintext.<br />
4.2.2 Adding noise bits<br />
Many sectors have free bits that are not used. These are by definition set to<br />
zero[6]. If these were randomized at each write and used in the MAC calculation
4.3 Other improvements 53<br />
they would work as a salt, making known-plaintext attacks impossible because<br />
the plaintext could never be known.<br />
4.2.3 Using Mifare Plus instead of Mifare Classic<br />
The Mifare system is not limited to only using Mifare Classic cards. There<br />
exists a variety of cards, some with increased security. Mifare Plus 3 can act<br />
as a drop-in replacement of Mifare Classic cards, but instead of encrypting the<br />
sectors with Crypto-1 it implements AES, which is much more secure.<br />
This improvement is considered immediately applicable because Rejsekortet at<br />
the time of writing has only been issued to some 1,000 people 4 —rolling it out<br />
to these 1,000 people and using it as the standard onwards would be straightforward.<br />
4.3 Other improvements<br />
It is possible to suggest some improvements that would be too fundamental to<br />
fit into the current system.<br />
4.3.1 Having a centralized system<br />
All of the weaknesses described in this paper would be useless with a centralized<br />
system. An important thing to note is, however, that such a system is very<br />
expensive because every single terminal that interfaces with it needs to be online<br />
or the system fails. This is likely the reason for it not being online in the first<br />
place.<br />
3 http://www.mifare.net/products/smartcardics/mifare_plus.asp<br />
4 http://rejsekort.dk/Presse/Pressemeddelelser/rejsekort+paa+sydsjaelland+og+<br />
lolland-falster: “I dag bruger mere end 1.000 kunder i den kollektive trafik allerede<br />
rejsekort i området mellem Holbæk, Roskilde og Taastrup. . . ”
54 Improvements
Chapter 5<br />
Conclusion<br />
This thesis has been concerned with analyzing the security of the current implementation<br />
of Rejsekortet. This has been a rather daunting task, considering<br />
the fact that the newest specifications documentation has not been available,<br />
leading to somewhat indefinite part conclusions throughout the report.<br />
Various attack classes have been studied, namely rollback attacks, cryptographic<br />
attacks on the MAC, masquerading attacks and infrastructure attacks. The<br />
latter has been on speculations-only basis because it requires breaking the law<br />
to get useful data. The first three, however, have been described, and it has<br />
been established that:<br />
1. Rollback attacks are possible, but also detectable. Since rollback attacks<br />
are not very robust, they are not expected to induce a large economic hit<br />
to the maintainers.<br />
2. Attacking the MAC may be possible. It is not known if forging attacks<br />
are detectable.<br />
3. Masquerading attacks are not possible until a MIFARE pirate card exists<br />
that allows mutability of the first block of the first sector.<br />
The reason why it is not possible to give a clear answer as to the applicability
56 Conclusion<br />
of the pre-computation attack is that from card dumps it seems that the MAC<br />
algorithm has been changed, and that the plaintext control attempts were futile<br />
because the card was in a default state (which was not reproducible). Moreover<br />
it seemed that the language of the terminals was stored somewhere else on<br />
the card, so the attack requires a new controllable data type with at least two<br />
mutations. Conducting the experiment again will provide results usable for a<br />
general security assessment.<br />
Whether or not the MAC algorithm is changed is impossible to know at this<br />
point. But two candidates for a more modern cipher for the MAC to use were<br />
presented: AES and 3DES. They both present much higher key complexity<br />
than DES, and are at this point considered practically impossible to traverse<br />
key-wise.<br />
If the attack on the MAC turns out to be possible, and the back-office detection<br />
is insufficient in detecting e.g. attackers adding money to cards, it could<br />
have catastrophic consequences. With good rainbow tables for Rejsekortet it is<br />
possible to establish a parallel entity that can add money and tickets to cards,<br />
because the key for the MAC function is the same across all cards. Being able<br />
to recover this key in manageable time makes it possible to establish a business<br />
selling under-priced Rejsekort credit, which is of course highly undesirable.<br />
Vandalism has also been analyzed, with the conclusion that is poses no large<br />
risk unless the attacker is very close. A vandalistic attacker is interested in<br />
maximizing the impact of the attack, and corrupting just one card at a time is<br />
simply too time-consuming. It is concluded that the system is robust against<br />
vandalism.<br />
Outlook – where to go from here<br />
As stated, conducting the plaintext control experiment again would yield some<br />
interesting data. The question boils down to this: Is the current MAC value of<br />
the TCCP field preserved if the passenger class is switched to first class, then<br />
back to business class again Will it be possible to find another suitable data<br />
type in place for the dialog language<br />
It would also be interesting to know if the MAC algorithm has been changed<br />
since the available documentation was released. If this is the case it would<br />
theoretically still be possible to mount the attack, but it would be practically<br />
impossible to do in any foreseeable future because of the key complexities involved.
Appendix<br />
A<br />
Related research<br />
A.1 Mifare keys<br />
The following output from the mfoc program shows that Rejsekortet uses nondefault<br />
keys in all its sectors. This enhances security somewhat.<br />
$ ./mfoc -O rejsekort-test<br />
Found MIFARE Classic 4K card with uid: [redacted]<br />
[Key: ffffffffffff] -> [........................................]<br />
[Key: a0a1a2a3a4a5] -> [........................................]<br />
[Key: b0b1b2b3b4b5] -> [........................................]<br />
[Key: 000000000000] -> [........................................]<br />
[Key: 4d3a99c351dd] -> [........................................]<br />
[Key: 1a982c7e459a] -> [........................................]<br />
[Key: d3f7d3f7d3f7] -> [........................................]<br />
[Key: aabbccddeeff] -> [........................................]<br />
Sector 00 - UNKNOWN_KEY [A] Sector 00 - UNKNOWN_KEY [B]<br />
Sector 01 - UNKNOWN_KEY [A] Sector 01 - UNKNOWN_KEY [B]<br />
Sector 02 - UNKNOWN_KEY [A] Sector 02 - UNKNOWN_KEY [B]<br />
Sector 03 - UNKNOWN_KEY [A] Sector 03 - UNKNOWN_KEY [B]
58 Related research<br />
Sector 04 - UNKNOWN_KEY [A] Sector 04 - UNKNOWN_KEY [B]<br />
Sector 05 - UNKNOWN_KEY [A] Sector 05 - UNKNOWN_KEY [B]<br />
Sector 06 - UNKNOWN_KEY [A] Sector 06 - UNKNOWN_KEY [B]<br />
Sector 07 - UNKNOWN_KEY [A] Sector 07 - UNKNOWN_KEY [B]<br />
Sector 08 - UNKNOWN_KEY [A] Sector 08 - UNKNOWN_KEY [B]<br />
Sector 09 - UNKNOWN_KEY [A] Sector 09 - UNKNOWN_KEY [B]<br />
Sector 10 - UNKNOWN_KEY [A] Sector 10 - UNKNOWN_KEY [B]<br />
Sector 11 - UNKNOWN_KEY [A] Sector 11 - UNKNOWN_KEY [B]<br />
Sector 12 - UNKNOWN_KEY [A] Sector 12 - UNKNOWN_KEY [B]<br />
Sector 13 - UNKNOWN_KEY [A] Sector 13 - UNKNOWN_KEY [B]<br />
Sector 14 - UNKNOWN_KEY [A] Sector 14 - UNKNOWN_KEY [B]<br />
Sector 15 - UNKNOWN_KEY [A] Sector 15 - UNKNOWN_KEY [B]<br />
Sector 16 - UNKNOWN_KEY [A] Sector 16 - UNKNOWN_KEY [B]<br />
Sector 17 - UNKNOWN_KEY [A] Sector 17 - UNKNOWN_KEY [B]<br />
Sector 18 - UNKNOWN_KEY [A] Sector 18 - UNKNOWN_KEY [B]<br />
Sector 19 - UNKNOWN_KEY [A] Sector 19 - UNKNOWN_KEY [B]<br />
Sector 20 - UNKNOWN_KEY [A] Sector 20 - UNKNOWN_KEY [B]<br />
Sector 21 - UNKNOWN_KEY [A] Sector 21 - UNKNOWN_KEY [B]<br />
Sector 22 - UNKNOWN_KEY [A] Sector 22 - UNKNOWN_KEY [B]<br />
Sector 23 - UNKNOWN_KEY [A] Sector 23 - UNKNOWN_KEY [B]<br />
Sector 24 - UNKNOWN_KEY [A] Sector 24 - UNKNOWN_KEY [B]<br />
Sector 25 - UNKNOWN_KEY [A] Sector 25 - UNKNOWN_KEY [B]<br />
Sector 26 - UNKNOWN_KEY [A] Sector 26 - UNKNOWN_KEY [B]<br />
Sector 27 - UNKNOWN_KEY [A] Sector 27 - UNKNOWN_KEY [B]<br />
Sector 28 - UNKNOWN_KEY [A] Sector 28 - UNKNOWN_KEY [B]<br />
Sector 29 - UNKNOWN_KEY [A] Sector 29 - UNKNOWN_KEY [B]<br />
Sector 30 - UNKNOWN_KEY [A] Sector 30 - UNKNOWN_KEY [B]<br />
Sector 31 - UNKNOWN_KEY [A] Sector 31 - UNKNOWN_KEY [B]<br />
Sector 32 - UNKNOWN_KEY [A] Sector 32 - UNKNOWN_KEY [B]<br />
Sector 33 - UNKNOWN_KEY [A] Sector 33 - UNKNOWN_KEY [B]<br />
Sector 34 - UNKNOWN_KEY [A] Sector 34 - UNKNOWN_KEY [B]<br />
Sector 35 - UNKNOWN_KEY [A] Sector 35 - UNKNOWN_KEY [B]<br />
Sector 36 - UNKNOWN_KEY [A] Sector 36 - UNKNOWN_KEY [B]<br />
Sector 37 - UNKNOWN_KEY [A] Sector 37 - UNKNOWN_KEY [B]<br />
Sector 38 - UNKNOWN_KEY [A] Sector 38 - UNKNOWN_KEY [B]<br />
Sector 39 - UNKNOWN_KEY [A] Sector 39 - UNKNOWN_KEY [B]<br />
No sector encrypted with the default key has been found, exiting..<br />
However, by applying the Darkside attack with mfcuk keyrecovery darkside<br />
and supplying this new key to mfoc, all the sector keys are dumped in about<br />
three minutes.
Appendix<br />
B<br />
Mail correspondence<br />
The correspondance is ordered chronologically.<br />
B.1 Mail correspondance with Margareta Berg<br />
from Resekort Sweden<br />
Date: Wed, 17 Feb 2010 16:29:49 +0100<br />
Subject: Technical specifications of Resekortet.<br />
From: Jens Christian Hillerup <br />
To: margareta.berg@resekortet.se<br />
Cc: Erik Zenner <br />
Dear Margareta,<br />
I’m currently working on my <strong>bachelor</strong>’s thesis on Resekortet,<br />
concerning the security of digital ticketing for public transportation<br />
systems. Currently I have parts of version 1 (volym A) and parts of<br />
version 2 (volym B) -- both were once freely available online.<br />
The documentation I already have is rather old, so I’m writing to
60 Mail correspondence<br />
enquire about a more recent version. Do you need any information from<br />
me in this regard<br />
Kindest regards,<br />
Jens Christian Hillerup<br />
CC: Erik Zenner, my <strong>bachelor</strong> counsellor.<br />
* * *<br />
Date: Wed, 17 Feb 2010 14:00:50 -0800<br />
Subject: SV: Technical specifications of Resekortet.<br />
From: Margareta Berg <br />
To: Jens Christian Hillerup <br />
Dear Jens,<br />
Due to the hack of Mifare Classic the specification is not public anymore.<br />
Since 3 years ago we have a strictly license of agreement with the PTA’s<br />
in Sweden and Rejsekort.<br />
Maybe you can contact Gregers Mogensen at Rejsekort and working together<br />
with them in that case you take your <strong>bachelor</strong>’s in Denmark.<br />
Kindly regards<br />
Margareta<br />
B.2 Mail correspondance with Gregers Mogensen<br />
from Rejsekort Danmark<br />
Date: Tue, 23 Feb 2010 09:56:10 +0100<br />
Subject: Ang. tekniske specifikationer på Rejsekortet<br />
From: Jens Christian Hillerup <br />
To: gem@rejsekort.dk<br />
Cc: Erik Zenner <br />
Kære Gregers Mogensen,<br />
Jeg er ved at skrive min <strong>bachelor</strong>opgave fra Danmarks Tekniske<br />
Universitet, hvor jeg skal forsøge at undersøge sikkerheden i
B.2 Mail correspondance with Gregers Mogensen from Rejsekort Danmark61<br />
Rejsekort og sikkerhedsmæssige aspekter i digital billettering<br />
generelt. Derfor er jeg interesseret i at se de tekniske<br />
specifikationer der ligger til grund.<br />
Jeg skrev oprindeligt til Margareta Berg, fordi det var min opfattelse<br />
at det var en svensk gruppe, der oprindeligt lavede specifikationerne,<br />
og fordi de havde et link på deres hjemmeside specifikt til tekniske<br />
specifikationer, men hun ledte mig til dig. Som jeg også skrev til<br />
hende har jeg allerede adgang til dele af version 1 og 2 af standarden<br />
(som engang var frit tilgængelige på internettet), men det skulle<br />
undre mig hvis de er de mest tidssvarende. Min korrespondance med<br />
Margareta Berg er vedhæftet.<br />
Det er vigtigt for mig at understrege, at dette ikke er et forsøg på<br />
at "ødelægge" Rejsekortet, men snarere et godhjertet forsøg på at<br />
belyse de problematikker der blev rejst i medierne medio januar og se<br />
om de holder vand.<br />
På forhånd tak,<br />
Jens Christian Hillerup<br />
CC: Min <strong>bachelor</strong>vejleder Erik Zenner.<br />
* * *<br />
From: Gregers Mogensen <br />
To: Jens Christian Hillerup <br />
CC: Erik Zenner <br />
Date: Tue, 23 Feb 2010 14:22:42 +0100<br />
Subject: SV: Ang. tekniske specifikationer på Rejsekortet<br />
Kære Jens Christian Hillerup<br />
Tak for din mail. Jeg vil gerne hjælpe dig, hvor det er muligt, men der er<br />
en grund til, at vi ikke mere har specifikationerne liggende offentligt<br />
tilgængeligt.<br />
Jeg vil gerne tager et møde med dig og evt. din vejleder, hvor vi kan<br />
drøfte hvad jeg i givet kan bidrage med.<br />
De to punkter, som jeg umiddelbart vil spørge til, om du har med er:
62 Mail correspondence<br />
* Kodningsprincipper for andre rejsekort<br />
* De forretningsmæssige konsekvenser af begrænset sikkerhed<br />
Vi kan holde møde her, eller jeg kan komme forbi DTU en morgen eller sen<br />
eftermiddag, da jeg bor i Holte.<br />
Med venlig hilsen/Regards<br />
Gregers Mogensen<br />
REJSEKORT A/S<br />
Borgergade 14, 3.<br />
DK-1300 København K<br />
Telefon: +45 3343 2400<br />
Direkte: +45 3343 2406<br />
Mobil: +45 4030 7979<br />
E-mail: gem@rejsekort.dk (Please note new e-mail address)<br />
Web: www.rejsekort.dk<br />
* * *<br />
Date: Wed, 24 Feb 2010 13:26:11 +0100<br />
Subject: Re: Ang. tekniske specifikationer på Rejsekortet<br />
From: Jens Christian Hillerup <br />
To: Gregers Mogensen <br />
Cc: Erik Zenner <br />
Kære Gregers,<br />
Tak for din imødekommenhed. Det betyder meget for mig.<br />
Jeg har studeret andre rejsekort, fx Oystercard, og har konkluderet at<br />
de stort set allesammen også benytter Mifare. Det lader til at<br />
Rejsekortet er sikrere end fx Oystercard, givet dets brug af DES-MAC,<br />
som jeg har kunnet læse fra de tidlige implementeringsdokumenter jeg<br />
har adgang til (RKF-0020 og RKF-0022, respektivt).<br />
De forretningsmæssige konsekvenser er ikke noget, jeg umiddelbart<br />
havde tænkt mig at berøre særlig dybt. Dermed ikke sagt, at det ikke<br />
er en faktor i real-world-scenarier for implementeringen af et<br />
sikkerhedssystem, men jeg er nu engang teknisk studerende, og det er
B.2 Mail correspondance with Gregers Mogensen from Rejsekort Danmark63<br />
en forventning at min <strong>bachelor</strong>opgave tager sig mestendels af de<br />
tekniske aspekter af hvad jeg nu engang har valgt som emne. De<br />
forretningsmæssige aspekter vil naturligvis få sin plads i rapporten<br />
-- dog ikke som en hovedprioritet, ligesom privatlivs- og sociologiske<br />
betragtninger kommer i rapporten, men ikke er vægtede.<br />
Jeg er helt klart åben for et møde, og det er jeg sikker på at Erik<br />
(min vejleder) også er. Dog vil jeg gerne lidt dybere ind i systemets<br />
fundamentale virkemåde før det giver mening at have et, hvilket også<br />
var grunden til at jeg bad om de tekniske specifikationer i første<br />
omgang. Efter min mening er det svært at sandsynliggøre at et system<br />
er sikkert, hvis specifikationerne og implementeringsdetaljerne ikke<br />
er offentligt tilgængelige.<br />
Mvh.<br />
Jens Christian<br />
* * *<br />
From: Gregers Mogensen <br />
To: Jens Christian Hillerup <br />
CC: Erik Zenner <br />
Date: Wed, 24 Feb 2010 13:56:54 +0100<br />
Subject: SV: Ang. tekniske specifikationer på Rejsekortet<br />
Kære Jens Christian<br />
Sig til, når du (I) er klar til et møde, og gerne et par uger før. Jeg er<br />
på ferie i uge 11.<br />
Ad dit udsagn:<br />
Efter min mening er det svært at sandsynliggøre at et system<br />
er sikkert, hvis specifikationerne og implementeringsdetaljerne ikke<br />
er offentligt tilgængelige.<br />
Så er jeg helt uenig. Det kan være, at det er svært for dig og andre<br />
"uvedkommende", men de personer, der har brug for denne viden, har den<br />
selvfølgelig, men det er i sagens natur et meget lille antal. Og de skilter<br />
ikke med den fortrolige viden de har.<br />
M.h.t til det forretningsmæssige aspekt, så er sikkerhed jo ikke en<br />
absolut størrelse. Der er i alle livets forhold en implicit eller eksplicit<br />
afvejning af, hvornår noget er sikkert nok.
64 Mail correspondence<br />
Som ingeniør - og tidligere lektor på DTU - mener jeg, at det netop er<br />
ingeniørens styrke at kunne vurdere teknologien i forhold til om verdenen,<br />
og ikke bare teknologien for dens egen skyld.<br />
Med venlig hilsen/Regards<br />
Gregers Mogensen<br />
REJSEKORT A/S<br />
Borgergade 14, 3.<br />
DK-1300 København K<br />
Telefon: +45 3343 2400<br />
Direkte: +45 3343 2406<br />
Mobil: +45 4030 7979<br />
E-mail: gem@rejsekort.dk (Please note new e-mail address)<br />
Web: www.rejsekort.dk
Bibliography<br />
[1] Nicolas T. Courtois. The dark side of security by obscurity and cloning mifare<br />
classic rail and building passes anywhere, anytime. Cryptology ePrint<br />
Archive, Report 2009/137, 2009. http://eprint.iacr.org/.<br />
[2] Flavio D. Garcia, Gerhard Koning Gans, Ruben Muijrers, Peter Rossum,<br />
Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs. Dismantling mifare<br />
classic. In ESORICS ’08: Proceedings of the 13th European Symposium on<br />
Research in Computer Security, pages 97–114, Berlin, Heidelberg, 2008.<br />
Springer-Verlag.<br />
[3] Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers<br />
Schreur. Wirelessly pickpocketing a mifare classic card. In SP ’09: Proceedings<br />
of the 2009 30th IEEE Symposium on Security and Privacy, pages<br />
3–15, Washington, DC, USA, 2009. IEEE Computer Society.<br />
[4] M. Hellman. A cryptanalytic time-memory trade-off. Information Theory,<br />
IEEE Transactions on, 26(4):401 – 406, jul 1980.<br />
[5] Resekortforeningen i Norden. Implementation specification details type 1.<br />
Can be found on the CD enclosed with this thesis.<br />
[6] Resekortforeningen i Norden. Rkf travel card implementation specification<br />
type 1. Can be found on the CD enclosed with this thesis., 2001.<br />
[7] Resekortforeningen i Norden. Rkf travel card requirements specification.<br />
Can be found on the CD enclosed with this thesis., 2001.<br />
[8] Gregers Mogensen. Travel card in denmark, concept and status. 2009.
66 BIBLIOGRAPHY<br />
[9] Philippe Oechslin. Making a faster cryptanalytic time-memory trade-off.<br />
In Advances in Cryptology - CRYPTO 2003, pages 617–630, 2003.<br />
[10] Wikipedia. Triple des — wikipedia, the free encyclopedia, 2010. [Online;<br />
accessed 31-May-2010].