Open, Sesame! On the Security of Electronic Locks David Oswald - - PowerPoint PPT Presentation
Open, Sesame! On the Security of Electronic Locks David Oswald (david.oswald@rub.de) Ruhr-Uni Bochum / Kasper & Oswald No, I did not do all this stuff alone Christof Paar Timo Kasper Benedikt Driessen Simon Kppers Gregor
David Oswald (david.oswald@rub.de) Ruhr-Uni Bochum / Kasper & Oswald
On the Security of Electronic Locks
2
No, I did not do all this stuff alone
3
Ruhr-University Bochum: beautiful.
5
(The life of) a typical pirate
Pegleg Eye patch Pirate hat Pirate laughter
6
7
8
„Opening“ doors – LEVEL 1
9
14
Opening doors – LEVEL 2
15
Access Control System
1st block of 1st sector
16
Clone on Blank Card Fails (wrong UID)
Wrong UID
17
https://github.com/emsec/ChameleonMini
http://kasper-oswald.de/gb/chameleonmini
18
Succeeds
(emulates everything including UID) Quite old prototype, was actually stolen …
19
20
Level 2: Summary
(from 125 kHz to DESFire EV1…)
hotel rooms
22
Opening doors – LEVEL 3
23
Electronic Locking System
Token Lock
27
Reverse-Engineering (1)
Black-box analysis: Token and lock perform authentication protocol
Token Lock
Authentication protocol
???
28
Lock Token
Reverse-Engineering (2)
30
Lock
Embedded code?
Read-out protection!
Token
Reverse-Engineering (3)
31
Decapping an IC (1)
32
Decapping an IC (2)
33
Decapping an IC (3)
34
Decapping an IC (4)
35
Microscopic View of the Silicon Die
36
Exposure to UV-C: Disable Read-Out Protection (1)
37
Exposure to UV-C: Disable Read-Out Protection
38
Exposure to UV-C: Why it works
39
Reverse-Engineering continued
all internals known
40
Challenge C
88 32 32 24 32 80
Key derivation
KT IDL IDT D
Compute KT = SKL(IDT, D)
KL
Both: RKT(C, D, IDT, IDL) = RT || RL
Response RT (verify RL) Response RL (verify RT)
41
Weaknesses and Attacks (1)
42
Challenge C
88 32 32 24 32 80
KT IDL IDT D
Compute KT = SKL(IDT, D)
KL
Both: RKT(C, D, IDT, IDL) = RT || RL
Response RT (verify RL) Response RL (verify RT)
Authentication
43
𝑱𝑬𝑼 𝑬 𝑳𝑴
O*
64
DES*
1..64
O
65..128 128 128 128 128
O
128 128 64 128
O
DES*
1..64 65..128 128
𝒂𝑺 𝒂𝑻
Cryptographic Functions R and S
IDL IDT D C RT || RL KT
44
𝑱𝑬𝑼 𝑬 𝑳𝑴
O*
64
DES*
1..64
O
65..128 128 128 128 128
O
128 128 64 128
O
DES*
1..64 65..128 128
𝒂𝑻
Cryptographic Functions R and S
IDL IDT D C RT || RL KT
45
𝑳𝑴
O*
64
DES*
1..64
O
65..128 128 128 128 128
O
128 128 64 128
O
DES*
1..64 65..128 128
𝒂𝑻
Cryptographic Functions R and S
IDL IDT D C RT || RL KT IDT D
46
O*
64
DES*
1..64
O
65..128 128 128 128 128
O
128 128 64 128
O
DES*
1..64 65..128 128
Cryptographic Functions R and S
IDL IDT D C RT || RL KT IDT D KL
47
O*
64
DES*
1..64
O
65..128 128 128 128 128
O
128 128 64 128
O
DES*
1..64 65..128 128
Cryptographic Functions R and S: Security Vulnerabilities
RT || RL KT IDT D IDL IDT D C ZR KL 40 bit of ZR used as C in next run 128 bit from 64 bit entropy ... O has „bad“ cryptographic properties
48 Protocol Runs Run-Time Key Candidates 3 3,36 min 21,34 4 11,5 s 1 5 1,2 s 1 6 650 ms 1
Consequence: Wireless Lock-only Attack
49
Protocol Runs Run-Time Key Candidates 3 3,36 min 21,34 4 11,5 s 1 5 1,2 s 1 6 650 ms 1
Consequence: Wireless Lock-only Attack
Improve Report flaws
50
Level 3: Management Summary
to any door
– Insecure hardware – Proprietary cryptography – „Bad“ system design
– Cryptanalytical attacks: Firmware update (cheap) – HW attacks: Require replacing all devices (expensive)
Responsible Disclosure
When pirates do good ...
53
54
By RedAndr, Wikimedia Commons
55
Responsible Disclosure
– Vendor informed ~ 1 year before – Discussion of found flaws – Deployed patch to fix mathematical attacks
– Altera FPGAs: Informed ~ 6 months before – Yubikey: Informed ~ 9 months before
56
Countermeasures
57
Countermeasures
– Secure hardware (certified devices) – Algorithmic level
– Detect: Shadow accounts, logging – Minimize impact (where possible): Key diversification
58
„Everything that can go wrong, will go wrong“
59
Expect the unexpected.
Questions now?
david.oswald@rub.de @sublevado