Cryptography Reference
Security of Mifare Classic.
Since its invention, the internal structure of Crypto1 was kept secret and no open review process was performed. The cipher and its PRNG were later recovered by [17] using low-cost hardware reverse-engineering techniques. The authors pointed out several design flaws, i.e., the short key length of 48 bit, mathematical weaknesses in the feedback functions of the LFSR, the weak 16-bit PRNG and the fact that the nonce generated by the PRNG depends on the time elapsed between power-up of the card and the authentication command. Subsequently, strong attacks on Mifare Classic were published: an attack described in [7] utilizes a fixed timing to generate the same nonces for repeated authentications and obtain parts of the keystream. A method to recover a secret sector key is proposed in [10], requiring two recorded genuine authentications to one sector. The most powerful attacks are card-only attacks as presented in [11] and [5]. They exploit amongst others the weakness that a card sends an encrypted NACK (0x5) each time the parity bits of the message $n_R \oplus ks_1 \,\|\, a_R \oplus ks_2$ are correct but the decrypted $a_R$ is not (cf. Protocol 1). This reveals four bits of keystream with a probability of $\frac{1}{256}$. Finally, a secret key of a Mifare Classic smartcard can be extracted within seconds using a combination of card-only attacks as proposed in [16], hence the cards can be considered fully broken.
3.2 Mifare DESFire and DESFire EV1
Mifare DESFire and Mifare DESFire EV1 cards are compliant with Parts 1-4 of ISO 14443A. Their UID is seven bytes long, and they support high baud rates

Reader → Card: AUTH (02 0A 00)
Card: $n_C \in_R \{0,1\}^{64}$, $b_0 = \mathrm{Enc}_{K_C}(n_C)$
Card → Reader: $b_0$
Reader: $n_R \in_R \{0,1\}^{64}$, $b_1 = \mathrm{Dec}_{K_R}(n_R)$, $r_0 = \mathrm{Dec}_{K_R}(b_0)$, $r_1 = \mathrm{RotLeft}_8(r_0)$, $b_2 = \mathrm{Dec}_{K_R}(r_1 \oplus b_1)$
Reader → Card: $b_1, b_2$
Card: $r_2 = \mathrm{Enc}_{K_C}(b_2)$, $n_C' = \mathrm{RotRight}_8(r_2 \oplus b_1)$
Card → Reader: ERROR (02 AE) if $n_C' \neq n_C$
Card, else if $n_C' = n_C$: $r_3 = \mathrm{Enc}_{K_C}(b_1)$, $r_4 = \mathrm{RotRight}_8(r_3)$, $b_3 = \mathrm{Enc}_{K_C}(r_4)$
Card → Reader: $b_3$
Reader: $r_5 = \mathrm{Dec}_{K_R}(b_3)$, $n_R' = \mathrm{RotLeft}_8(r_5)$, verify $n_R' = n_R$

Protocol 2. The Mifare DESFire authentication protocol [4]
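
The message flow of Protocol 2 can be traced in code. The following is an added example, not code from the original text: `enc`/`dec` are a stand-in 64-bit Feistel cipher built from SHA-256 (an assumption so the example runs with the standard library only, not the cipher the card uses), and the `card_checks` switch is hypothetical, added to show that the reader's own final comparison still rejects a card that does not hold the key.

```python
import hashlib
import secrets

M32, M64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF

def _f(key, rnd, half):
    # Round function of the stand-in 64-bit Feistel cipher (assumption, not the card's cipher).
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def enc(key, block):
    l, r = block >> 32, block & M32
    for i in range(8):
        l, r = r, l ^ _f(key, i, r)
    return (l << 32) | r

def dec(key, block):
    l, r = block >> 32, block & M32
    for i in reversed(range(8)):
        l, r = r ^ _f(key, i, l), l
    return (l << 32) | r

def rotl8(x):
    return ((x << 8) | (x >> 56)) & M64

def rotr8(x):
    return ((x >> 8) | (x << 56)) & M64

def authenticate(k_r, k_c, card_checks=True):
    """Run Protocol 2 once; card_checks=False models a card that skips its comparison."""
    # Card, after AUTH (02 0A 00): fresh nonce, sent encrypted.
    n_c = secrets.randbits(64)
    b0 = enc(k_c, n_c)
    # Reader: uses only Dec, even for "encrypting" its own nonce.
    n_r = secrets.randbits(64)
    b1 = dec(k_r, n_r)
    r1 = rotl8(dec(k_r, b0))
    b2 = dec(k_r, r1 ^ b1)
    # Card: recover its nonce from b1, b2 and compare.
    r2 = enc(k_c, b2)
    if card_checks and rotr8(r2 ^ b1) != n_c:
        return "ERROR (02 AE)"
    b3 = enc(k_c, rotr8(enc(k_c, b1)))
    # Reader: recover its own nonce from b3 and compare.
    return "authenticated" if rotl8(dec(k_r, b3)) == n_r else "reader rejects card"
```

With equal keys both comparisons succeed; with different keys the card answers with the error, and a card that skips its check is still refused by the reader.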