bachelor

Recommendations

Info

32 Attacks on Rejsekortet 3.2.4 Interesting property of shortened MACs Rejsekortet implements a MAC system that reduces the length of the original MACs to 16 bits from the original 64 bits of the DES-MAC standard. This increases the risk of having collisions, both key-based and plaintext-based 5 , but it also makes the implementation more resistant against time/memory-tradeoffs. The shortening of MACs on the card makes it nontrivial to look them up in a rainbow table. MACs stored on Rejsekortet are usually 16 bits long[5], taken as the first 16 bits of the original 64-bit hash[6]. This means that if the plaintext is fixed two keys will still give different hashes, but their 16-bit reductions can not be guaranteed different, see Figure 3.6. k 0 FE:85:3D:20:1B:A8 DES-MAC 09:F9:11:02:9D:74:E3:5B cut 09:F9 Collision 38:D9:3A:F7:B2:AC DES-MAC 09:F9:D8:41:56:C5:63:56 cut 09:F9 k 0 Figure 3.6: Two different plaintexts having different 64-bit MACs, but after being reduced colliding. The inputs to the DES-MAC function are of arbitrary length, and is only shown here as six bytes as an example. This entails that a code book needs only 2 16 rows, with all of them linking to a list of key prospects that need to be cross-tested on some other data that is MAC’ed with the same key. Note that this will in no way optimize the size complexity of the code book, nor will the search time for a key be any better. In fact, quite the opposite; since each reduced MAC can come from 2 40 different keys acting on the same plaintext, more plaintext will likely be needed to weed out the false positives. 3.2.4.1 Accommodating this limitation by introducing more tables/cards It is, however, possible to adapt one’s attack to this kind of security. Knowing that some sector S 0 is MAC’d with the same key k on all cards gives the attacker the opportunity to create a table for another card. Given n MACs and n lookup 5 Two different keys for the same plaintext giving one MAC, and one key for two different plaintexts giving one MAC, respectively.
3.2 Attacking the MAC 33 Card 1 Card 2 Card 3 Card 4 2 56 MAC batch 2 40 MAC batch 2 24 MAC batch 2 8 MAC batch 1 Figure 3.7: Description of usage of the “MAC batch” function that takes a piece of data with a valid MAC and calculates MACs for all the key candidates from the list it receives. The numbers on the arrows are the expected cardinality of the keyset given to the batch function. tables for the corresponding MACs it is possible to take the intersection the n tables to “weed out” all the key prospects that do not appear in all the lists. Generally, the more space and CPU time the attacker can afford, the more effective this improvement is. It is possible to make some statistical analysis as to how much an increase in rainbow tables would affect calculation time, but in general one table should be enough; starting with a keyspace of 2 56 and reducing that to about 2 56−16 = 2 40 to be brute-forced, it will take 1.2 days for a modern computer 6 for the intersection set, see 3.2.7.1. If the intersection is ambiguous the remaining intersection sets can be done in seconds. We can define a function taking some list of keys and using this list to calculate the reduced MACs for a given data element. This data element should already have a MAC that is issued by the system. If the reduced MAC matches the one already in the data element, it means that the current key is a candidate, and the key is saved in a buffer of key candidates. This buffer is then given as input to the same function acting on another card’s data. This way the key candidates can be weeded out effectively. This model is shown on Figure 3.7. 3.2.4.2 Accomodating this limitation by obtaining more chosen plaintext from the same card It is also possible to obtain more chosen plaintext by simply changing the value of some fields on the card and record the MACs of these individual samples. If one can find a sector that can mutate to four or more different controlled states, then it is possible to have 4 · 16 = 64 bits of independent MAC data for some key. This is convenient, as we shall see in section 3.2.7. 6 In this case, a Lenovo laptop with an Intel Core 2 Duo processor at 2.26GHz, using one CPU thread.
Page 1 and 2: Cryptanalysis of Rejsekortet Jens C
Page 3: 3 Abstract. This bachelor thesis an
Page 7: Resumé Denne bachelorafhandling er
Page 10 and 11: vi Glossary Rejsekort(et) Danish fo
Page 12 and 13: viii
Page 14 and 15: x CONTENTS 4.3 Other improvements .
Page 16 and 17: 2 On Rejsekortet Disclaimer: This r
Page 18 and 19: 4 On Rejsekortet are even capable o
Page 20 and 21: 6 On Rejsekortet 1.2.3 Mifare Mifar
Page 22 and 23: 8 On Rejsekortet 1. Reader sends a
Page 24 and 25: 10 On Rejsekortet Time of transacti
Page 26 and 27: 12 On Rejsekortet Figure 1.3: The C
Page 28 and 29: 14 On Rejsekortet 1.3.2.1 CBC-MAC C
Page 30 and 31: 16 On Rejsekortet
Page 32 and 33: 18 Security analysis and threat mod
Page 38 and 39: 24 Attacks on Rejsekortet 3.1 Rollb
Page 40 and 41: 26 Attacks on Rejsekortet 3.2 Attac
Page 42 and 43: 28 Attacks on Rejsekortet and cumbe
Page 44 and 45: 30 Attacks on Rejsekortet hash valu
Page 48 and 49: 34 Attacks on Rejsekortet 3.2.5 App
Page 50 and 51: 36 Attacks on Rejsekortet 3.2.6.2 T
Page 52 and 53: 38 Attacks on Rejsekortet Language
Page 54 and 55: 40 Attacks on Rejsekortet It is not
Page 56 and 57: 42 Attacks on Rejsekortet specifica
Page 58 and 59: 44 Attacks on Rejsekortet might pro
Page 60 and 61: 46 Attacks on Rejsekortet that the
Page 62 and 63: 48 Attacks on Rejsekortet
Page 64 and 65: 50 Improvements 4.1.1 New MAC algor
Page 66 and 67: 52 Improvements functions tend to b
Page 68 and 69: 54 Improvements
Page 70 and 71: 56 Conclusion of the pre-computatio
Page 72 and 73: 58 Related research Sector 04 - UNK
Page 74 and 75: 60 Mail correspondence enquire abou
Page 76 and 77: 62 Mail correspondence * Kodningspr
Page 78 and 79: 64 Mail correspondence Som ingeniø
Page 80: 66 BIBLIOGRAPHY [9] Philippe Oechsl

bachelor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?