Slide 1

Practical cryptanalysis for hackers
Chen-Mou Cheng
Dept. Electrical Engineering, National Taiwan University
December 5, 2015

Slide 3

What is cryptography? What is cryptanalysis?
Not going to lecture about them today

Slide 7

About myself
- PhD, Harvard University, 2007
- Currently: associate professor (負教授), National Taiwan University
- Has published >60 papers
- Most are garbage don’t have a high impact factor; hasn’t really changed anything in practice, it seems

Slide 11

Scrap it and start over?
- A bit late, as no one wants to hire a middle-aged professor who has never really left school
- “The liver is no longer fresh”™
- Must do some work having something to do with practice

Slide 12

How we got started
- May, 2009: Read “Wirelessly Pickpocketing a Mifare Classic Card” (IEEE S&P 2009) by F. D. Garcia, P. van Rossum, R. Verdult, and R. W. Schreur from Nijmegen
- Summer, 2009: Repeated the experiments on 悠遊卡
- Fall, 2009: Demonstrated several attacks to the authority
  - Card-only attacks (Nijmegen)
  - Long-range sniffing (ours)

Slide 16

The story went on
- Fall, 2009: Demonstrated several attacks to the authority
- Jan., 2010: Government regulators approved 悠遊卡 as a means of electronic payment in Taiwan (!)
- (Angry) “Just don’t say you heard it from me: MIFARE Classic is completely broken,” at the 4th Hacks in Taiwan Conference (HIT 2010), Taipei, Taiwan, Jul. 2010

Slide 18

“Reverse-engineering a real-world RFID payment system”
- A talk by Harald Welte in 27C3, Dec., 2010
- Disclosed “the process of reverse-engineering the actual content of the [悠遊卡] to discover the public transportation transaction log, the account balance and how the daily spending limit work”
- As well as “how easy it is to add or subtract monetary value to/from the card. Cards manipulated as described in the talk have been accepted by the payment system”
- “Corporations enabling citizens to print digital money”

Slide 20

Shortly after in Taiwan
- Jan., 2010: Government regulators approved 悠遊卡 as a means of electronic payment in Taiwan
- Sep., 2011: First 悠遊卡 hacking incident reported in media
- Soon the authority disclosed upgrade plans to “second-generation 悠遊卡,” claiming that it will be “secure”
- Aug., 2012: Official release of second-generation 悠遊卡

Slide 21

Recall: Most serious weaknesses of MIFARE Classic
- Bad randomness
- Parity weaknesses
- Weaknesses in nested authentications
Together, they allow very efficient key recovery
1. mfcuk can recover one key in less than an hour
2. mfoc can recover all subsequent keys in a few hours

Slide 22

The “secure” second-generation 悠遊卡
- Second-generation 悠遊卡, like many other similar cards used around the world, is essentially a CPU card with MIFARE Classic emulation
- Tag nonce now is unpredictable and seems to have 32-bit entropy, disabling attacks based on tag nonce manipulation and nested authentications
- Sure, sniffing still works if you have a legitimate reader
- So does brute-force if you don’t have such a reader, which may take years on an ordinary PC
- All other existing, efficient card-only attacks no longer work
- Seems “secure” enough from a practical point of view

Slide 23

Do you believe that?

Slide 25

The research question
Is there a practically relevant card-only attack on second-generation 悠遊卡?

Slide 26

Attack techniques
- M. Albrecht and C. Cid: “Algebraic techniques in differential cryptanalysis” (FSE 2009)
- S. Knellwolf, W. Meier, and M. Naya-Plasencia: “Conditional differential cryptanalysis of NLFSR-based cryptosystems” (ASIACRYPT 2010)
- Y.-H. Chiu, W.-C. Hong, L.-P. Chou, J. Ding, B.-Y. Yang, and C.-M. Cheng, “A practical attack on patched MIFARE Classic” (Inscrypt 2013)

Slide 27

Experiment setup
- All experiments are performed on an old laptop and a standard ACR 122 reader
  - Running Ubuntu with libraries such as libnfc and crapto1
- We use the CryptoMiniSat SAT solver
  - The CNF formulas are generated by our own software

Slide 28

Target under attack

Card type | Parities checked | nT generation
First-generation 悠遊卡 | Yes | Predictable
First-generation 悠遊卡, enhanced version | Yes | Somewhat random
Second-generation 悠遊卡 | No (always 0x0) | Random
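
One way to check a claim such as “seems to have 32-bit entropy”, or the nT generation column above, is a birthday-collision estimate over nonces collected from a card under test. This is an added example, not code from the talk. The function names and both sample generators are constructed for illustration and do not model any card's actual generator.

```python
import math
import random
from collections import Counter

def colliding_pairs(nonces):
    """Number of unordered pairs of equal nonces in the sample."""
    return sum(k * (k - 1) // 2 for k in Counter(nonces).values())

def estimate_entropy_bits(nonces):
    """Birthday estimate of the nonce pool size, in bits.

    Returns (bits, is_lower_bound). With n samples drawn uniformly from a
    pool of N values the expected number of colliding pairs is
    n(n-1)/(2N), so N is estimated as n(n-1)/(2c). With c == 0 the sample
    only suggests that N is larger than n(n-1)/2.
    """
    n = len(nonces)
    if n < 2:
        raise ValueError("need at least two nonces")
    pairs = n * (n - 1) / 2
    c = colliding_pairs(nonces)
    if c == 0:
        return math.log2(pairs), True
    return math.log2(pairs / c), False

# Constructed sample data (not captured from any card).
def weak_nonces(n, seed=1):
    """32-bit nonces that are a fixed function of a 16-bit state."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        s = rng.getrandbits(16)
        out.append((s << 16) | ((s * 40503) & 0xFFFF))
    return out

def strong_nonces(n, seed=2):
    """32-bit nonces drawn uniformly from the full 32-bit range."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in (("weak", weak_nonces(4000)),
                         ("strong", strong_nonces(4000))):
        bits, lower = estimate_entropy_bits(sample)
        print(f"{name}: {'>' if lower else '~'}{bits:.1f} bits")
```

A collision count only measures how many distinct nonces occur; a generator with no repeats can still be predictable, so this check can reject a card but not certify it.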

Slide 29

Experiment results

Attack type | Online time | Compute time | 1.0 | 1.5 | 2.0
Sniffing attack | 2 sec. | < 2 sec. | √ | √ | √
GPU brute-force | 5 sec. | 14 hours | √ | √ | √
CPU brute-force | 5 sec. | > 1 month | √ | √ | √
Parities attack | > 3 min. | < 30 sec. | √ | ? |
Nested authentications | 15–75 sec. | 25–125 sec. | √ | √ |
Our attack (simulation) | 10–20 hours | 2–15 min. | | | √

Slide 31

State of the art
- Without any prior knowledge, can break second-generation 悠遊卡 and obtain a key in 10–20 hours
- C. Meijer and R. Verdult, “Ciphertext-only cryptanalysis on hardened MIFARE Classic cards” (ACM CCS 2015)
  - First using our or other attacks to obtain a key, can break second-generation 悠遊卡 and obtain one key every 10–20 minutes
- Together can break second-generation 悠遊卡 and obtain all the keys in 15–30 hours

Slide 33

How can we fix this problem?
- Give up MIFARE Classic!
  - Many cities are doing so
- If not, controlling damage by restricting usage

Slide 35

How can we hackers help?
- Making these attacks really really easy for ordinary people to understand
- Breaking information asymmetry and taking back the right to make the (right) decision

Slide 36

Thanks!
Questions or comments?