exposing iclass key diversification contents
play

Exposing iClass Key Diversification Contents Introduction RFID - PowerPoint PPT Presentation

Aug 27, 2022 •198 likes •619 views

Usenix WOOT 2011 Flavio D. Garcia Gerhard de Koning Gans Roel Verdult Exposing iClass Key Diversification Contents Introduction RFID iClass and Picopass Key Diversification iClass Key Diversification DES and

  1. Usenix WOOT 2011 Flavio D. Garcia Gerhard de Koning Gans Roel Verdult Exposing iClass Key Diversification

  2. Contents • Introduction – RFID – iClass and Picopass – Key Diversification • iClass Key Diversification – DES and Fortify – Reader Control and Key Updates – Finding hash0 and hash0 -1 • Key Recovery Attack • Conclusion

  3. Radio Frequency Identification (RFID)

  4. Radio Frequency Identification (RFID)

  5. iClass and PicoPass

  6. iClass (HID Global) • ISO 15693 compatible smartcard • Introduced in 2002 as replacement of HID prox • Over 300 million cards sold (according to HID)

  7. iClass (HID Global) • Widely used in access control (examples from HID) – The Bank of America Merrill Lynch – Int. Airport of Mexico City – Navy base of Pearl Harbor • Used as secure authentication – NaviGO (Dell Latitude and Precision) – e-Payment – Billing systems

  8. iClass • One master key for every system • Built-in Key Diversification

  9. Security by Obscurity? • We know the examples of – Mifare Classic – KeeLoq – Hitag2 • How is the key diversification implemented? • Important question since it is built-in !

  10. Our Contribution • Reverse engineering of built-in key diversification – Encryption of ID – 'Hashing' by hash0 • By-pass encryption mode of Omnikey Secure Mode – New library to communicate in Secure Mode • Custom firmware for Proxmark3 (RFID Tool) – To eavesdrop ISO 15693 communication • Released all of above (proxmark.org) • We show that hash0 can be inverted and give an attack to find the master key!

  11. Key Diversification Request ID 45 card key = diversify(MK,45)

  12. iClass Key Diversification/Fortification [Source: PicoPass Datasheets]

  13. iClass Key Diversification/Fortification hash0, h0 1. 2. [Source: PicoPass Datasheets]

  14. Omnikey (HID Global) ISO 24727 requires encryption of USB connection

  15. Omnikey Secure Mode 3DES iCLASSCardLib.dll

  16. iClass Memory Layout Key Slot Value 00 01 02 .. ..

  17. Authentication Protocol Card Identity Card Challenge Reader Random Reader 'MAC' Card 'MAC'

  18. Authentication Protocol Card Identity Card Challenge Used to derive card specific key Reader Random Reader 'MAC' Card 'MAC'

  19. Eavesdropping Proxmark 3 Supports several HF/LF protocols (ISO 14443a/b) Added eavesdropping for iClass communication

  20. Implementation side effect: “ISO Tunneling” ISO 14443 ISO 15693

  21. Implementation side effect: “ISO Tunneling” ISO 14443 ISO 15693 Emulate iClass using existing software from libnfc

  22. Card Key Update

  23. Card Key Update fcb4323e6a865626 ⊕ 7698db5d01780a8f -------------------- 8a2ce9636bfe5ca9 XOR Difference of Card Keys is send over the air

  24. Determine Input of hash0 DES enc ( id , MK ) ? hash0 Pick any 64-bit string c and compute with two different keys (k and k'): DES dec (c,k) = p DES dec (c,k') = p'

  25. Determine Input of hash0 DES enc ( p , k) c Same XOR hash0 difference! DES enc ( p , k)

  26. Determine Input of hash0 DES enc ( p , k) c Same XOR hash0 difference! DES enc ( p , k) Card key = hash0(DES enc ( id , kc ))

  27. Recovering hash0 • XOR Difference • Learn Input/Output Relations • Step-by-step Recovery of Partial Input/Outputs • Reconstruct hash0

  28. Input/Output Relations h0(00000000000000 01 ) = 0606 000000000000 h0(00000000000000 02 ) = 04 00 04 0000000000 h0(000000 01 00000000) = 0000000000 08 0000 h0(000000 02 00000000) = 0000000000 10 0000 h0( 80 00000000000000) = 0306050c07060d00 h0( 40 00000000000000) = 0306050c04050d00

  30. or-mask and-mask

  31. PERMUTATION NEGATION or-mask and-mask

  32. Structure of hash0 permute negate

  33. Structure of hash0 mod 70 61 62 63 64 60 61 62 63 permute negate

  34. hash0 • We fully recovered hash0 • It is clearly not – Collision resistant – One-way • We were able to invert hash0 – On average we have 4 candidate pre-images • Recovering the master key comes down to a brute force on single DES (Few days on RIVYERA)

  35. Key Recovery Attack (Phase 1) Key Update: k master → k new emulated id The attacker knows k new and therefore learns hash0(DES enc (id,k master ))

  36. Key Recovery Attack (Phase 2) • For every DES key k check if DES enc (id,k) equals one of the pre-images from phase 1. • When the check above succeeds the corresponding key k needs to be verified against another emulated id. • A single DES key can be broken within days. We checked the recovered candidates against the master key that we obtained from the reader firmware.

  40. Verification of Results • We recovered the master key from firmware th CCC, Dec 2010 ] as done by Meriac and Plotz in [ HID iClass Demystified , 27 • This verified that we found the correct key

  41. Conclusion • Single DES for diversification (broken since 1997) • The hash0 function is not: – pre-image resistant – collision resistant • hash0 can be inverted (on average 4 pre-images) • ...recover the master key from key update message! • One master key for every iClass system Next step... • iClass Authentication Algorithm

  42. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE &

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE & EXTENSIBLE A FLEXIBLE, COMPOSABLE & EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
Diversification, Efficiency, and Diversification, Efficiency, and Diversification, Efficiency,

Diversification, Efficiency, and Diversification, Efficiency, and Diversification, Efficiency,

Diversification, Efficiency, and Diversification, Efficiency, and Diversification, Efficiency, and Diversification, Efficiency, and Economic Growth Economic Growth Economic Growth Economic Growth Seminar presentation at Research Colloquium

406 views • 28 slides
Schroders 2014 Q3 results Data Pack November 2014 Contents Page Assets under management (AUM)

Schroders 2014 Q3 results Data Pack November 2014 Contents Page Assets under management (AUM)

Schroders 2014 Q3 results Data Pack November 2014 Contents Page Assets under management (AUM) 2 Regional diversification of AUM 3 Gross sales and net flows 4-5 Currency profile of AUM 6 AUM diversification 7-9 Asset Management AUM

314 views • 27 slides
SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca

SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca

SKI: Exposing Kernel Concurrency Bugs through Systematic Schedule Exploration Pedro Fonseca (MPI-SWS) Rodrigo Rodrigues Bjrn Brandenburg (MPI-SWS) (NOVA University of Lisbon) OSDI 2014 SKI: Exposing Kernel Concurrency Bugs

840 views • 67 slides
Risk & Return Three hypothetical stocks Javier Go Estrada Returns IESE Go

Risk & Return Three hypothetical stocks Javier Go Estrada Returns IESE Go

Corporate Finance Risk, Return, Diversification, and the CAPM Javier Estrada Spring, 2014 1. Risk & Return Return, mean return, and volatility 2. Diversification Four viewpoints on diversification Essential variables in portfolio

336 views • 20 slides
The Power of Solution Diversification Matthew Whitehouse, Head of Regional Sales Unum March 2018

The Power of Solution Diversification Matthew Whitehouse, Head of Regional Sales Unum March 2018

The Power of Solution Diversification Matthew Whitehouse, Head of Regional Sales Unum March 2018 What is Diversification ? Diversification is a corporate strategy to enter into a new market or industry in which the business doesn't currently

288 views • 9 slides
The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export

The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export

The changing landscape of export diversification 1 5 July 2 0 1 6 PRESENTATION Export Diversification and Linking into Global Value Chains: Tangible Solutions and Strategies By Rashmi Banga, Head and Advisor, Trade Competitiveness Section,

473 views • 13 slides
Low rate of lineage High rates of diversification lineage diversification Ancestral trait

Low rate of lineage High rates of diversification lineage diversification Ancestral trait

Low rate of lineage High rates of diversification lineage diversification Ancestral trait Evolutionary dead Key innovation innovation ends (e.g. hypothesis for specialization diversity hypothesis) Low rate of trait Niche conservatism

381 views • 6 slides
liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi ciently Fangfan Li , Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Cho ff nes, Phillipa Gill, Alan Mislove 1 Traffic management 2

1.54k views • 115 slides
Efficient Diversification of Web Search Results G. Capannini, F. M. Nardini, R. Perego, and F.

Efficient Diversification of Web Search Results G. Capannini, F. M. Nardini, R. Perego, and F.

Efficient Diversification of Web Search Results G. Capannini, F. M. Nardini, R. Perego, and F. Silvestri ISTI-CNR, Pisa, Italy Laboratory Web Search Results Diversification Query: Vinci, what is the users intent? Information

761 views • 44 slides
Exposing the Lack of Privacy in File Hos9ng Services Nick

Exposing the Lack of Privacy in File Hos9ng Services Nick

Exposing the Lack of Privacy in File Hos9ng Services Nick Nikiforakis Marco Balduzzi Steven Van Acker Wouter Joosen Davide BalzaroF Sharing is

876 views • 35 slides
Kelly Criterion Utkarsh Gadodia utkarsh.gadodia09@imperial.ac.uk Diversification Is

Kelly Criterion Utkarsh Gadodia utkarsh.gadodia09@imperial.ac.uk Diversification Is

Kelly Criterion Utkarsh Gadodia utkarsh.gadodia09@imperial.ac.uk Diversification Is diversification good? Is it always required? Simulation by Elton et al Warren Buffet I dont agree Sometimes we are better off not

661 views • 35 slides
May 2019 1 Table of Contents Market Outlook What is Value? Value bias

May 2019 1 Table of Contents Market Outlook What is Value? Value bias

May 2019 1 Table of Contents Market Outlook What is Value? Value bias Multi-Cap Investment strategy Diversification Resilient performance across cycles Portfolio Composition Scheme Facts & Asset

383 views • 36 slides
EXPOSING PARTICLE PARALLELISM IN THE XGC PIC CODE BY EXPLOITING GPU MEMORY HIERARCHY Stephen

EXPOSING PARTICLE PARALLELISM IN THE XGC PIC CODE BY EXPLOITING GPU MEMORY HIERARCHY Stephen

EXPOSING PARTICLE PARALLELISM IN THE XGC PIC CODE BY EXPLOITING GPU MEMORY HIERARCHY Stephen Abbott, March 26 2018 ACKNOWLEDGEMENTS Collaborators: Oak Ridge Nation Laboratory- Ed DAzevedo NVIDIA - Peng Wang Princeton Plasma Physics

376 views • 19 slides
Diversification and Discussion of Risk Conference of the County Investment Academy San Antonio June

Diversification and Discussion of Risk Conference of the County Investment Academy San Antonio June

Diversification and Discussion of Risk Conference of the County Investment Academy San Antonio June 2019 PFIA 2256.008c Requires Training in: Investment Diversification 2 Capital Market Theory 12.0% 10.0% 8.0% E( r) P* 6.0% * 4.0% 2.0%

349 views • 22 slides
Combining Implicit and Explicit Topic Representations for Result Diversification Jiyin He, Vera

Combining Implicit and Explicit Topic Representations for Result Diversification Jiyin He, Vera

Combining Implicit and Explicit Topic Representations for Result Diversification Jiyin He, Vera Hollink, Arjen de Vries Centrum Wiskunde & Informatica SIGIR 2012, Portland 1 Subtopics in result diversification Python 2 Implicit

600 views • 18 slides
Cryptography [Symmetric Encryption] Spring 2020 Franziska (Franzi) Roesner

Cryptography [Symmetric Encryption] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

583 views • 21 slides
Introduc)on to the Remedial Acquisi)on Framework RAF 101 INTERNAL EPA USE ONLY Learning

Introduc)on to the Remedial Acquisi)on Framework RAF 101 INTERNAL EPA USE ONLY Learning

Introduc)on to the Remedial Acquisi)on Framework RAF 101 INTERNAL EPA USE ONLY Learning Objec)ves Increase awareness of pressures to change the Superfund remedial programs way of doing business Develop an understanding of the

803 views • 55 slides
Approche Algorithmique des Syst` emes R epartis (AASR) Guillaume Pierre

Approche Algorithmique des Syst` emes R epartis (AASR) Guillaume Pierre

Approche Algorithmique des Syst` emes R epartis (AASR) Guillaume Pierre guillaume.pierre@irisa.fr Dapr` es un jeu de transparents de Maarten van Steen VU Amsterdam, Dept. Computer Science 06a: Synchronization (1/2) Contents Chapter

603 views • 41 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
Amphi 2 : triangulations de Delaunay (I) Steve Oudot INF562 G eom etrie Algorithmique

Amphi 2 : triangulations de Delaunay (I) Steve Oudot INF562 G eom etrie Algorithmique

INF562 G eom etrie Algorithmique et Applications Amphi 2 : triangulations de Delaunay (I) Steve Oudot INF562 G eom etrie Algorithmique et Applications Amphi 2 : triangulations de Delaunay (I) Steve Oudot (certains slides

1.31k views • 113 slides
IntroductiontoCryptology(NSchapter2)

IntroductiontoCryptology(NSchapter2)

IntroductiontoCryptology(NSchapter2) ComputerandNetworkSecurity Encryption: plaintext+key ciphertext CMSC414 Decryption:

784 views • 16 slides
Computer Graphics - Introduction - Philipp Slusallek Computer Graphics WS 2019/20 Philipp

Computer Graphics - Introduction - Philipp Slusallek Computer Graphics WS 2019/20 Philipp

Computer Graphics - Introduction - Philipp Slusallek Computer Graphics WS 2019/20 Philipp Slusallek Overview Today Administrative stuff History of Computer Graphics (CG) Next lecture Overview of Ray Tracing Computer

818 views • 59 slides
Nice Apr/2005 Checkpointing++ 1 Note for the website version: This is the babel fish!

Nice Apr/2005 Checkpointing++ 1 Note for the website version: This is the babel fish!

Nice Apr/2005 Checkpointing++ 1 Note for the website version: This is the babel fish! somebody on the web c Look for its insightful blue translations! Utke Argonne National Laboratory Nice Apr/2005

417 views • 14 slides

More recommend