Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10782
Full metadata record
DC Field: Value [Language]
dc.contributor.advisor: 鄭振牟 (Chen-Mou Cheng)
dc.contributor.author: Ming-Yang Chih [en]
dc.contributor.author: 池明洋 [zh_TW]
dc.date.accessioned: 2021-05-20T21:58:22Z
dc.date.available: 2010-07-22
dc.date.available: 2021-05-20T21:58:22Z
dc.date.copyright: 2010-07-21
dc.date.issued: 2010
dc.date.submitted: 2010-07-20
dc.identifier.citation:
[1] F. Garcia, G. de Koning Gans, R. Muijrers, P. van Rossum, R. Verdult, R. Schreur,
and B. Jacobs, “Dismantling MIFARE Classic,” in Computer Security — ESORICS
2008, pp. 97–114.
[2] M. Hutter, J.-M. Schmidt, and T. Plos, “RFID and its vulnerability to faults,” in
Cryptographic Hardware and Embedded Systems — CHES 2008, pp. 363–379.
[3] S. K. Nohl, D. Evans, and H. Plotz, “Reverse engineering a cryptographic RFID
tag,” in USENIX Security Symposium 2008.
[4] G. de Koning Gans, J.-H. Hoepman, and F. Garcia, “A practical attack on the MIFARE
Classic,” in Smart Card Research and Advanced Applications — IFIP WG
8.8/11.2, 2008, pp. 267–282.
[5] F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur, “Wirelessly pickpocketing
a MIFARE Classic card,” in IEEE Symposium on Security and Privacy, 2009,
pp. 3–15.
[6] C. Ming-Yang, S. Jie-Ren, Y. Bo-Yin, D. Jintai, and C. Chen-Mou, in Cryptology
and Information Security Conference 2010.
[7] “COPACOBANA — special-purpose hardware for code-breaking,”
http://www.copacobana.org.
[8] K. Finkenzeller, RFID handbook: Fundamentals and applications in contactless
smart cards and identification, 2nd ed. Wiley and Sons Ltd, 2003.
[9] ISO/IEC 14443. identification cards — contactless integrated circuit(s) cards —
proximity card, 2001.
[10] D. L. Cook, J. Ioannidis, A. D. Keromytis, and J. Luck, “CryptoGraphics: Secret
key cryptography using graphics cards,” in RSA Conference, Cryptographer’s Track
(CT-RSA), 2005, pp. 334–350.
[11] D. L. Cook and A. D. Keromytis, CryptoGraphics: Exploiting Graphics Cards For
Security. Springer, 2006.
[12] A. Moss and N. P. Smart, “Toward acceleration of RSA using 3D graphics hardware,”
in 11th IMA International Conference on Cryptography and Coding, December
2007.
[13] D. Bernstein, T.-R. Chen, C.-M. Cheng, T. Lange, and B.-Y. Yang, “ECM on graphics
cards,” in Advances in Cryptology — EUROCRYPT 2009, pp. 483–501.
[14] D. V. Bailey, L. Batina, D. J. Bernstein, P. Birkner, J. W. Bos, H.-C. Chen,
C.-M. Cheng, G. van Damme, G. de Meulenaer, L. J. D. Perez, J. Fan, T. Güneysu,
F. Gurkaynak, T. Kleinjung, T. Lange, N. Mentens, R. Niederhagen, C. Paar,
F. Regazzoni, P. Schwabe, L. Uhsadel, A. Van Herrewege, and B.-Y. Yang. (2009,
Nov) Breaking ECC2K-130. Cryptology ePrint Archive, Report 2009/541.
[15] “GNU radio,” http://gnuradio.org.
[16] MF1ICS50 Functional specification, NXP, December 2009.
[17] MF1ICS70 Functional specification, NXP, December 2009.
[18] Ettus Research, “The universal software radio peripheral,” http://www.ettus.com.
[19] “Proxmark III, a test instrument for HF/LF RFID,” http://proxmark3.com.
[20] D. J. Bernstein, J. Buchmann, and E. Dahmen, Eds., Post-Quantum Cryptography.
Springer-Verlag Berlin, February 2009, ISBN: 978-3-540-88701-0, e-ISBN: 978-3-540-88702-7.
[21] A. Kipnis, J. Patarin, and L. Goubin, “Unbalanced Oil and Vinegar signature
schemes,” in Advances in Cryptology — EUROCRYPT 1999, pp. 206–222.
[22] A. I.-T. Chen, C.-H. O. Chen, M.-S. Chen, C.-M. Cheng, and B.-Y. Yang, “Practical-sized
instances of multivariate PKCs: Rainbow, TTS, and ℓIC-derivatives,” in
PQCrypto, 2008, pp. 95–108.
[23] B.-Y. Yang, C.-M. Cheng, B.-R. Chen, and J.-M. Chen, “Implementing minimized
multivariate public-key cryptosystems on low-resource embedded systems,” in SPC
2006, pp. 73–88.
[24] A. Bogdanov, T. Eisenbarth, A. Rupp, and C. Wolf, “Time-area optimized public-key
engines: Cryptosystems as replacement for elliptic curves?” in Cryptographic
Hardware and Embedded Systems — CHES 2008, pp. 45–61.
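dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/10782
dc.description.abstract [zh_TW]: MIFARE Classic is the most widely used contactless smart card of recent years, deployed in access control, public transportation, electronic wallet and similar systems. The cryptographic protection mechanism and structure of MIFARE Classic have been published in many papers. In this thesis we present our experience implementing a variety of attacks on MIFARE Classic. We implement two classes of attack: the first uses a forged reader, and the second sniffs legitimate transactions. The first class recovers all keys on a card offline within two days, using an exhaustive key search implemented on NVIDIA high-performance computing graphics cards together with weaknesses in the random numbers and in nested authentication. The second class is an improvement of the attack methods against CRYPTO-1, the MIFARE Classic cipher. With our improvements, an attacker can break not only their own card but also other people's cards. The attacks we implement completely defeat the cryptographic protection of MIFARE Classic, letting an unauthorized attacker arbitrarily modify the data on a card, as if it were a memory card with no protection at all. Furthermore, we offer recommendations for preventing the currently known attacks; this defense mechanism strengthens the protection of card data and improves the efficiency of the back-end clearing mechanism.
dc.description.abstract [en]: MIFARE Classic is a proprietary contactless smart card technology widely used in public transportation ticketing systems of cities across the world. MIFARE Classic’s cryptographic protection of the stored data has been reverse-engineered and broken in a recent series of papers. In this thesis, we report our experimental experience attacking a real MIFARE Classic system. Specifically, we implement a brute-force search using NVIDIA graphics cards to verify the claims in the literature. We also implement and improve more advanced attacks that take advantage of other design and implementation flaws of CRYPTO-1, MIFARE Classic’s proprietary cipher. These attacks disarm all cryptographic protection of MIFARE Classic and in effect render it a contactless memory card technology. Last but not least, we present our ideas on how to defend against most attacks using practical mechanisms that do not require any hardware changes. Our proposed mechanisms can be easily implemented on a variety of MIFARE Classic readers on the market and only require that commodity PCs be used in the backend system with intermittent network connectivity.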
dc.description.provenance [en]: Made available in DSpace on 2021-05-20T21:58:22Z (GMT). No. of bitstreams: 1
ntu-99-R97921036-1.pdf: 1504292 bytes, checksum: 848c5e81475d1330322fdce76b754801 (MD5)
Previous issue date: 2010
dc.description.tableofcontents:
Abstract
1 Introduction
  1.1 Background
  1.2 Motivation
  1.3 Problem Statement
  1.4 Contribution
  1.5 Thesis Outline
2 MIFARE Classic
  2.1 Linear Feedback Shift Register (LFSR)
  2.2 Structure of CRYPTO-1
    2.2.1 Non-Linear Filter Function
    2.2.2 Keystream Generation
  2.3 Memory Structure
  2.4 Command Set
  2.5 Communication Protocol
  2.6 Other Components in MIFARE Classic
    2.6.1 Pseudo Random Number Generator (PRNG)
    2.6.2 The Encrypted Parity
    2.6.3 Encrypted Error Code 0x5
3 Experiment Setup
  3.1 Sniffer
    3.1.1 Universal Software Radio Peripheral (USRP)
    3.1.2 GNU Radio
    3.1.3 Sniffer Implementation
    3.1.4 Converting to Raw Data to Packets
  3.2 Proxmark3
4 Our Attacks on MIFARE Classic
  4.1 Time-memory Trade-off in Attacking CRYPTO-1
  4.2 Weakness in CRYPTO-1 and its Implementation
    4.2.1 CRYPTO-1 Structure
    4.2.2 Plaintexts that Provide Consecutive Keystream Bits
    4.2.3 Implementation Vulnerabilities
  4.3 PCD-based Attack
    4.3.1 First-key Attack
    4.3.2 Remaining-key Attack
  4.4 Sniffer-based Attack
    4.4.1 Keystream to Internal States
    4.4.2 Attack Based on Two-way Traffic
    4.4.3 Long-distance Attack
  4.5 Comparison
    4.5.1 Implementation Improvement
5 Proposed Defenses for MIFARE Classic
  5.1 Multivariate PKCs: TTS
  5.2 System Design
6 Conclusion
dc.language.iso: en
dc.title: MIFARE Classic上的實務攻擊與防禦 [zh_TW]
dc.title: Practical Attacks and Defenses of MIFARE Classic [en]
dc.type: Thesis
dc.date.schoolyear: 98-2
dc.description.degree: Master
dc.contributor.oralexamcommittee: 楊柏因 (Bo-Yin Yang), 雷欽隆 (Chin-Laung Lei), 邱榮輝
dc.subject.keyword: MIFARE Classic, CRYPTO-1, cryptanalysis, GPU, RFID security [zh_TW]
dc.relation.page: 57
dc.rights.note: Authorization granted (open to the public worldwide)
dc.date.accepted: 2010-07-20
dc.contributor.author-college: College of Electrical Engineering and Computer Science [zh_TW]
dc.contributor.author-dept: Graduate Institute of Electrical Engineering [zh_TW]
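Appears in Collections: Department of Electrical Engineering

Files in this item:
File | Size | Format
ntu-99-1.pdf | 1.47 MB | Adobe PDF

Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are otherwise indicated.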
