Practical cryptanalysis for hackers.

Transcript

1. Practical cryptanalysis for hackers Chen-Mou Cheng [email protected] Dept. Electrical Engineering

   National Taiwan University December 5, 2015

2. What is cryptography? What is cryptanalysis?

3. What is cryptography? What is cryptanalysis? Not going to lecture

   about them today

4. About myself PhD, Harvard University, 2007

5. About myself PhD, Harvard University, 2007 目前：國立台灣大學負教授

6. About myself PhD, Harvard University, 2007 目前：國立台灣大學負教授 Has published >60

   papers

7. About myself PhD, Harvard University, 2007 目前：國立台灣大學負教授 Has published >60

   papers Most are garbage don’t have a high impact factor; hasn’t really changed anything in practice, it seems

8. 砍掉重練？

9. 砍掉重練？ A bit late, as no one wants to hire

   a middle-aged professor who has never really left school

10. 砍掉重練？ A bit late, as no one wants to hire

    a middle-aged professor who has never really left school “肝已不再新鮮”TM

11. 砍掉重練？ A bit late, as no one wants to hire

    a middle-aged professor who has never really left school “肝已不再新鮮”TM Must do some work having something to do with practice

12. How we got started May, 2009: Read “Wirelessly Pickpocketing a

    Mifare Classic Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur from Nijmegen Summer, 2009: Repeated the experiments on 悠遊卡 Fall, 2009: Demonstrated several attacks to the authority Card-only attacks (Nijmegen) Long-range sniffing (ours)

13. How we got started May, 2009: Read “Wirelessly Pickpocketing a

    Mifare Classic Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur from Nijmegen Summer, 2009: Repeated the experiments on 悠遊卡 Fall, 2009: Demonstrated several attacks to the authority Card-only attacks (Nijmegen) Long-range sniffing (ours)

14. The story went on Fall, 2009: Demonstrated several attacks to

    the authority

15. The story went on Fall, 2009: Demonstrated several attacks to

    the authority Jan., 2010: Government regulators approved 悠遊卡 as a means of electronic payment in Taiwan (!)

16. The story went on Fall, 2009: Demonstrated several attacks to

    the authority Jan., 2010: Government regulators approved 悠遊卡 as a means of electronic payment in Taiwan (!) (怒) “Just don’t say you heard it from me: MIFARE Classic is completely broken,” at the 4th Hacks in Taiwan Conference (HIT 2010), Taipei, Taiwan, Jul. 2010

17. “Reverse-engineering a real-world RFID payment system” A talk by Harald

    Welte in 27C3, Dec., 2010 Disclosed “the process of reverse-engineering the actual content of the [悠遊卡] to discover the public transportation transaction log, the account balance and how the daily spending limit work” As well as “how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system”

18. “Reverse-engineering a real-world RFID payment system” A talk by Harald

    Welte in 27C3, Dec., 2010 Disclosed “the process of reverse-engineering the actual content of the [悠遊卡] to discover the public transportation transaction log, the account balance and how the daily spending limit work” As well as “how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system” “Corporations enabling citizens to print digital money”

19. Shortly after in Taiwan Jan., 2010: Government regulators approved 悠遊卡

    as a means of electronic payment in Taiwan

20. Shortly after in Taiwan Jan., 2010: Government regulators approved 悠遊卡

    as a means of electronic payment in Taiwan Sep., 2011: First 悠遊卡 hacking incident reported in media Soon the authority disclosed upgrade plans to “二代悠遊卡,” claiming that it will be “secure” Aug., 2012: Official release of 二代悠遊卡

21. Recall: Most serious weaknesses of MIFARE Classic Bad randomness Parity

    weaknesses Weaknesses in nested authentications Together, they allow very efficient key recovery 1. mfcuk can recover one key in less than an hour 2. mfoc can recover all subsequent keys in a few hours

22. The “secure” 二代悠遊卡 二代悠遊卡, like many other similar cards used

    around the world, is essentially a CPU card with MIFARE Classic emulation Tag nonce now is unpredictable and seems to have 32-bit entropy, disabling attacks based on tag nonce manipulation and nested authentications Sure, sniffing still works if you have a legitimate reader So does brute-force if you don’t have such a reader, which may take years on an ordinary PC All other existing, efficient card-only attacks no longer work Seems “secure” enough from a practical point of view

23. Do you believe that?

24. None

25. The research question Is there a practically relevant card-only attack

    on 二代悠遊卡?

26. Attack techniques M. Albrecht and C. Cid: “Algebraic techniques in

    differential cryptanalysis” (FSE 2009) S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditional differential cryptanalysis of NLFSR-based cryptosystems” (ASIACRYPT 2010) Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang, and C.-M. Cheng, “A practical attack on patched MIFARE Classic” (Inscrypt 2013)

27. Experiment setup All experiments are performed on an old laptop

    and a standard ACR 122 reader Running Ubuntu with libraries such as libnfc and crapto1 We use the CryptoMiniSat SAT solver The CNF formulas are generated by our own software

28. Target under attack Card type Parities checked nT generation 一代悠遊卡

    Yes Predictable 一代悠遊卡加強版 Yes Somewhat random 二代悠遊卡 No (always 0x0) Random

29. Experiment results Attack type Online time Compute time 1.0 1.5

    2.0 Sniffing attack 2 sec. < 2 sec. √ √ √ GPU brute-force 5 sec. 14 hours √ √ √ CPU brute-force 5 sec. > 1 month √ √ √ Parities attack > 3 min. < 30 sec. √ ? Nested authentications 15–75 sec. 25–125 sec. √ √ Our attack (simulation) 10–20 hours 2–15 min. √

30. State of the art Without any prior knowledge, can break

    二代悠遊卡 and obtain a key in 10–20 hours

31. State of the art Without any prior knowledge, can break

    二代悠遊卡 and obtain a key in 10–20 hours C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis on hardened MIFARE Classic cards” (ACM CCS 2015) First using our or other attacks to obtain a key, can break 二 代悠遊卡 and obtain one key every 10–20 minutes Together can break 二代悠遊卡 and obtain all the keys in 15–30 hours

32. How can we fix this problem?

33. How can we fix this problem? Give up MIFARE Classic!

    Many cities are doing so If not, controlling damage by restricting usage

34. How can we hackers help?

35. How can we hackers help? Making these attacks really really

    easy for ordinary people to understand Breaking information asymmetry and taking back the right to make the (right) decision

36. Thanks! Questions or comments?