A practical attack on patched mifare classic

Yi Hao Chiu; Wei Chih Hong; Li Ping Chou; Jintai Ding; Bo Yin Yang; Chen Mou Cheng

doi:10.1007/978-3-319-12087-4_10

A practical attack on patched mifare classic

Yi Hao Chiu, Wei Chih Hong^*, Li Ping Chou, Jintai Ding, Bo Yin Yang, Chen Mou Cheng

^*Corresponding author for this work

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

5 Citations (Scopus)

Abstract

MIFARE Classic is the world’s most widely deployed RFID (radio-frequency identification) technology. It was claimed to be cryptographically protected by the proprietary Crypto-1 stream cipher. However, it proved inadequate after weaknesses in the design and implementation of Crypto-1 and MIFARE Classic started surfacing since late 2007 [7,8,12–17]. Some operators ofMIFARE Classic-based systems reacted by upgrading to more secure alternatives such as MIFARE DESFire. However, many (especially in Asia) opted to “patch”MIFARE Classic instead. Their risk analysis might have gone as follows: “The most serious threat comes from efficient card-only attacks, where the attacker only needs an off-the-shelf reader and a PC to tamper a target tag. All efficient card-only attacks depend on certain implementation flaws. Ergo, if we just fix these flaws, we can stop themost serious attacks without an expensive infrastructure upgrade.” One such prominent case is “EasyCard 2.0,” today accepted in Taiwan as a means of electronic payment not only in public transportation but also in convenient stores, drug stores, eateries, cafes, supermarkets, book stores, movie theaters, etc. Obviously, the whole “patching” approach is questionable because Crypto-1 is fundamentally aweak cipher. In support of the proposition, we present a new card-only attack based on state-of-the-art algebraic differential cryptanalytic techniques [1,2]. Still using the same cheap reader as previous attacks, it takes 2–15 min of computation on a PC to recover a secret key of EasyCard 2.0 after 10–20 h of data collection.We hope the new attack makes our point sufficiently clear, and we urge that all MIFARE-Classic operators with important transactions such as electronic payment upgrade their systems to the more secure alternatives soon.

Original language	English
Title of host publication	Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers
Editors	Moti Yung, Dongdai Lin, Shouhuai Xu, Moti Yung
Publisher	Springer Verlag
Pages	150-164
Number of pages	15
ISBN (Electronic)	9783319120867
DOIs	https://doi.org/10.1007/978-3-319-12087-4_10
Publication status	Published - 2014
Externally published	Yes
Event	9th China International Conference on Information Security and Cryptology, Inscrypt 2013 - Guangzhou, China Duration: 27 Nov 2013 → 30 Nov 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	8567
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th China International Conference on Information Security and Cryptology, Inscrypt 2013
Country/Territory	China
City	Guangzhou
Period	27/11/13 → 30/11/13

Keywords

Algebraic Cryptanalysis
Card-only attack
MIFARE Classic
RFID security

Access to Document

10.1007/978-3-319-12087-4_10

Cite this

Chiu, Y. H., Hong, W. C., Chou, L. P., Ding, J., Yang, B. Y., & Cheng, C. M. (2014). A practical attack on patched mifare classic. In M. Yung, D. Lin, S. Xu, & M. Yung (Eds.), Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers (pp. 150-164). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8567). Springer Verlag. https://doi.org/10.1007/978-3-319-12087-4_10

Chiu, Yi Hao ; Hong, Wei Chih ; Chou, Li Ping et al. / A practical attack on patched mifare classic. Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. editor / Moti Yung ; Dongdai Lin ; Shouhuai Xu ; Moti Yung. Springer Verlag, 2014. pp. 150-164 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{1debab5b90a74aba9b85640585519dbf,

title = "A practical attack on patched mifare classic",

abstract = "MIFARE Classic is the world{\textquoteright}s most widely deployed RFID (radio-frequency identification) technology. It was claimed to be cryptographically protected by the proprietary Crypto-1 stream cipher. However, it proved inadequate after weaknesses in the design and implementation of Crypto-1 and MIFARE Classic started surfacing since late 2007 [7,8,12–17]. Some operators ofMIFARE Classic-based systems reacted by upgrading to more secure alternatives such as MIFARE DESFire. However, many (especially in Asia) opted to “patch”MIFARE Classic instead. Their risk analysis might have gone as follows: “The most serious threat comes from efficient card-only attacks, where the attacker only needs an off-the-shelf reader and a PC to tamper a target tag. All efficient card-only attacks depend on certain implementation flaws. Ergo, if we just fix these flaws, we can stop themost serious attacks without an expensive infrastructure upgrade.” One such prominent case is “EasyCard 2.0,” today accepted in Taiwan as a means of electronic payment not only in public transportation but also in convenient stores, drug stores, eateries, cafes, supermarkets, book stores, movie theaters, etc. Obviously, the whole “patching” approach is questionable because Crypto-1 is fundamentally aweak cipher. In support of the proposition, we present a new card-only attack based on state-of-the-art algebraic differential cryptanalytic techniques [1,2]. Still using the same cheap reader as previous attacks, it takes 2–15 min of computation on a PC to recover a secret key of EasyCard 2.0 after 10–20 h of data collection.We hope the new attack makes our point sufficiently clear, and we urge that all MIFARE-Classic operators with important transactions such as electronic payment upgrade their systems to the more secure alternatives soon.",

keywords = "Algebraic Cryptanalysis, Card-only attack, MIFARE Classic, RFID security",

author = "Chiu, {Yi Hao} and Hong, {Wei Chih} and Chou, {Li Ping} and Jintai Ding and Yang, {Bo Yin} and Cheng, {Chen Mou}",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2014.; 9th China International Conference on Information Security and Cryptology, Inscrypt 2013 ; Conference date: 27-11-2013 Through 30-11-2013",

year = "2014",

doi = "10.1007/978-3-319-12087-4_10",

language = "English",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "150--164",

editor = "Moti Yung and Dongdai Lin and Shouhuai Xu and Moti Yung",

booktitle = "Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers",

}

Chiu, YH, Hong, WC, Chou, LP, Ding, J, Yang, BY & Cheng, CM 2014, A practical attack on patched mifare classic. in M Yung, D Lin, S Xu & M Yung (eds), Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8567, Springer Verlag, pp. 150-164, 9th China International Conference on Information Security and Cryptology, Inscrypt 2013, Guangzhou, China, 27/11/13. https://doi.org/10.1007/978-3-319-12087-4_10

A practical attack on patched mifare classic. / Chiu, Yi Hao; Hong, Wei Chih; Chou, Li Ping et al.
Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. ed. / Moti Yung; Dongdai Lin; Shouhuai Xu; Moti Yung. Springer Verlag, 2014. p. 150-164 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8567).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - A practical attack on patched mifare classic

AU - Chiu, Yi Hao

AU - Hong, Wei Chih

AU - Chou, Li Ping

AU - Ding, Jintai

AU - Yang, Bo Yin

AU - Cheng, Chen Mou

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2014.

PY - 2014

Y1 - 2014

N2 - MIFARE Classic is the world’s most widely deployed RFID (radio-frequency identification) technology. It was claimed to be cryptographically protected by the proprietary Crypto-1 stream cipher. However, it proved inadequate after weaknesses in the design and implementation of Crypto-1 and MIFARE Classic started surfacing since late 2007 [7,8,12–17]. Some operators ofMIFARE Classic-based systems reacted by upgrading to more secure alternatives such as MIFARE DESFire. However, many (especially in Asia) opted to “patch”MIFARE Classic instead. Their risk analysis might have gone as follows: “The most serious threat comes from efficient card-only attacks, where the attacker only needs an off-the-shelf reader and a PC to tamper a target tag. All efficient card-only attacks depend on certain implementation flaws. Ergo, if we just fix these flaws, we can stop themost serious attacks without an expensive infrastructure upgrade.” One such prominent case is “EasyCard 2.0,” today accepted in Taiwan as a means of electronic payment not only in public transportation but also in convenient stores, drug stores, eateries, cafes, supermarkets, book stores, movie theaters, etc. Obviously, the whole “patching” approach is questionable because Crypto-1 is fundamentally aweak cipher. In support of the proposition, we present a new card-only attack based on state-of-the-art algebraic differential cryptanalytic techniques [1,2]. Still using the same cheap reader as previous attacks, it takes 2–15 min of computation on a PC to recover a secret key of EasyCard 2.0 after 10–20 h of data collection.We hope the new attack makes our point sufficiently clear, and we urge that all MIFARE-Classic operators with important transactions such as electronic payment upgrade their systems to the more secure alternatives soon.

AB - MIFARE Classic is the world’s most widely deployed RFID (radio-frequency identification) technology. It was claimed to be cryptographically protected by the proprietary Crypto-1 stream cipher. However, it proved inadequate after weaknesses in the design and implementation of Crypto-1 and MIFARE Classic started surfacing since late 2007 [7,8,12–17]. Some operators ofMIFARE Classic-based systems reacted by upgrading to more secure alternatives such as MIFARE DESFire. However, many (especially in Asia) opted to “patch”MIFARE Classic instead. Their risk analysis might have gone as follows: “The most serious threat comes from efficient card-only attacks, where the attacker only needs an off-the-shelf reader and a PC to tamper a target tag. All efficient card-only attacks depend on certain implementation flaws. Ergo, if we just fix these flaws, we can stop themost serious attacks without an expensive infrastructure upgrade.” One such prominent case is “EasyCard 2.0,” today accepted in Taiwan as a means of electronic payment not only in public transportation but also in convenient stores, drug stores, eateries, cafes, supermarkets, book stores, movie theaters, etc. Obviously, the whole “patching” approach is questionable because Crypto-1 is fundamentally aweak cipher. In support of the proposition, we present a new card-only attack based on state-of-the-art algebraic differential cryptanalytic techniques [1,2]. Still using the same cheap reader as previous attacks, it takes 2–15 min of computation on a PC to recover a secret key of EasyCard 2.0 after 10–20 h of data collection.We hope the new attack makes our point sufficiently clear, and we urge that all MIFARE-Classic operators with important transactions such as electronic payment upgrade their systems to the more secure alternatives soon.

KW - Algebraic Cryptanalysis

KW - Card-only attack

KW - MIFARE Classic

KW - RFID security

UR - http://www.scopus.com/inward/record.url?scp=84909606470&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-12087-4_10

DO - 10.1007/978-3-319-12087-4_10

M3 - Conference Proceeding

AN - SCOPUS:84909606470

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 150

EP - 164

BT - Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers

A2 - Yung, Moti

A2 - Lin, Dongdai

A2 - Xu, Shouhuai

A2 - Yung, Moti

PB - Springer Verlag

T2 - 9th China International Conference on Information Security and Cryptology, Inscrypt 2013

Y2 - 27 November 2013 through 30 November 2013

ER -

Chiu YH, Hong WC, Chou LP, Ding J, Yang BY, Cheng CM. A practical attack on patched mifare classic. In Yung M, Lin D, Xu S, Yung M, editors, Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. Springer Verlag. 2014. p. 150-164. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-12087-4_10

A practical attack on patched mifare classic

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this