bachelor

Recommendations

Info

12 On Rejsekortet Figure 1.3: The Crypto-1 cipher internals. control a nonce sent by the tag because it depends on the timing of the authentication. If a reader is already authenticated with one sector, the specification requires all communication to be encrypted. Then, when a terminal tries to authenticate to a new sector, an attacker can make qualified guess as to the new nonce, and from that some of the keystream information taken from the sector that is being logged in to (even though the attacker has not logged in yet). Research has shown that some Mifare Classic solutions actually use a default key for one or more of the sectors on the card 8 . There are eight different default keys, and it is relatively easy to check every sector with all of the keys. If any sector on the card uses a default key, the attacker can use the nested authentication attack to recover the rest of the keys. However, if no sectors use standard keys it is possible to recover the key by means of an attack described in a paper by Courtois, called “The Dark Side of Security by Obscurity (. . . )”[1]. This attack works when an attacker replies with a bad response to initial challenge, and only if the parity bits of the bad response are set correctly. Instead of replying with four bytes signifying that the data was wrong (even though the parity is right), it replies with four bits, specifically the value 0x5 XOR’ed with four bits of the keystream. This opens some opportunities for recovering more of the keystream. The attack is described in full in [1]. 9. 8 http://proidea.maszyna.pl/CONFidence09/2/CONFidence2009_pavol_luptak.pdf, slide
1.3 Grades of security 13 Common to the “Darkside” and nested authentication attacks is that they need only a Mifare card and a NFC-compatible reader. The readers are readily available online, currently priced at 30 e 9 . These attacks combined can recover all sector keys and dump a card in minutes on a laptop with a off-the-shelf NFC reader, even shorter time if the attacker has access to a “ProxMark” reader 10 , currently costing $330. There are numerous software projects that implement these attacks and provide read-write functionality for Mifare cards, among others libnfc 11 , mfcuk 12 , crapto1 13 and RFID IO tools 14 . 1.3.2 MAC All of the security-critical sectors on Rejsekortet carry a checksum value calculated with the CBC-MAC algorithm using DES[6], to which the key is secret. This is to ensure that people do not modify the data in case they recovered the Mifare keys. The sectors carrying MACs must have the last 24 bits comprised of a “MAC algorithm identifier,” a “MAC key identifier” as well as a 16-bit MAC (page 58, [6] 15 ). The key identifier exists so that Rejsekort A/S can issue a new key if the old one has been compromised (in turn enabling an attacker to calculate the current MAC for some data stream), and likewise the algorithm can be changed if the current algorithm is deemed too weak. Moreover the sectors carry a field containing the ID of the key used to calculate the hash so that RKF can issue a new key in case one is broken. The non-critical sections have a CRC checksum instead of a MAC. 9 http://www.touchatag.com/e-store 10 http://proxmark3.com/ 11 http://www.libnfc.org/ 12 http://code.google.com/p/mfcuk/ 13 http://code.google.com/p/crapto1/ 14 http://www.rfidiot.org/ 15 The specification allows MACs longer than 16 bits, but in practice only 16-bit MACs are used[5].
Page 1 and 2: Cryptanalysis of Rejsekortet Jens C
Page 3: 3 Abstract. This bachelor thesis an
Page 7: Resumé Denne bachelorafhandling er
Page 10 and 11: vi Glossary Rejsekort(et) Danish fo
Page 12 and 13: viii
Page 14 and 15: x CONTENTS 4.3 Other improvements .
Page 16 and 17: 2 On Rejsekortet Disclaimer: This r
Page 18 and 19: 4 On Rejsekortet are even capable o
Page 20 and 21: 6 On Rejsekortet 1.2.3 Mifare Mifar
Page 22 and 23: 8 On Rejsekortet 1. Reader sends a
Page 24 and 25: 10 On Rejsekortet Time of transacti
Page 28 and 29: 14 On Rejsekortet 1.3.2.1 CBC-MAC C
Page 30 and 31: 16 On Rejsekortet
Page 32 and 33: 18 Security analysis and threat mod
Page 38 and 39: 24 Attacks on Rejsekortet 3.1 Rollb
Page 40 and 41: 26 Attacks on Rejsekortet 3.2 Attac
Page 42 and 43: 28 Attacks on Rejsekortet and cumbe
Page 44 and 45: 30 Attacks on Rejsekortet hash valu
Page 46 and 47: 32 Attacks on Rejsekortet 3.2.4 Int
Page 48 and 49: 34 Attacks on Rejsekortet 3.2.5 App
Page 50 and 51: 36 Attacks on Rejsekortet 3.2.6.2 T
Page 52 and 53: 38 Attacks on Rejsekortet Language
Page 54 and 55: 40 Attacks on Rejsekortet It is not
Page 56 and 57: 42 Attacks on Rejsekortet specifica
Page 58 and 59: 44 Attacks on Rejsekortet might pro
Page 60 and 61: 46 Attacks on Rejsekortet that the
Page 62 and 63: 48 Attacks on Rejsekortet
Page 64 and 65: 50 Improvements 4.1.1 New MAC algor
Page 66 and 67: 52 Improvements functions tend to b
Page 68 and 69: 54 Improvements
Page 70 and 71: 56 Conclusion of the pre-computatio
Page 72 and 73: 58 Related research Sector 04 - UNK
Page 74 and 75: 60 Mail correspondence enquire abou
Page 76 and 77:
62 Mail correspondence * Kodningspr
Page 78 and 79:
64 Mail correspondence Som ingeniø
Page 80:
66 BIBLIOGRAPHY [9] Philippe Oechsl
show all

bachelor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?