The only possibly secure algorithm is one that's peer reviewed by knowledgeable people who are independent of the creators and their management. Even then, flaws will be found years later. But you'll still have a better algorithm.
Of course, the likes of NXP, Microsoft and others still think they can do better. I certainly hope that these proprietary second-class security attempts are never used to lock up anything really important.
Here is a good video.
There is a good video on this here:
Seems like Industrial Espionage rather than some guy doing a PhD. I strongly believe that a competitor has been bankrolling this guy to reverse engineer the chip to see if there are any weaknesses under the name of 'education'.
The moral is
Don't try to develop your own 'secret' security protocol (except, perhaps, if you have the resources of GCHQ or the NSA behind you). In their defence, I suppose it may be possible that development work began before AES was available and single-DES was being deprecated (and wasn't particularly friendly for very low power applications, such as smartcards).
AIMaster Key for Cyber Storms and TEMPESTuous C++++
"They also say the attack defeats only a single layer of security and that additional layers would most likely prevent any misuse."
Not so, whenever you Realise that the Key is Virtualisation.
Good moral to this story
"moral of the story is that proprietary encryption schemes like NXP's Crypto1 are almost always a bad idea."
Very true, not submitting a scheme to public review only allows the creators to "believe" it is secure which is often a delusion.
Was expecting a pun along the lines of-
"when you have the tech to break these cards, the world is your Oyster"
Relying on secret processes is so 19th Century
Incidentally, this is also one of those sci-fi cyberpunk scenarios that people used to think ridiculous.
Video available too
If you want to see a video of the presentation where this was first publicised go to video.google.co.uk and search for mifare, the video 24C3 - Mifare security - #2378 is the presentation where details of this were talked about.
So let me get this right, they took the cheapest option of a range of products, and it's not as secure as the more expensive versions of the same products?
Oh well, at least the people responsible for buying them will learn their lesson...
Oh, if truth be told, whilst the makers claim that there is supposedly 48 bits in the key, one can surmise logically and convenience to the makers that we have reserved first 4 bits for country code (stops transatlantic fools from opening Welsh garage doors), say 3 bits for industry type code (after all you don't want a tram ticket to give some innocent fool access to a place like Porton Down do we and for level access limits too?), another 5 bit unique industry identifier code (replace wankers who lose things or reorders), a possible 5 bit date code and one check bit too!, so in reality the keys would have a mere 30 bits left for the real key!
Little wonder they were able to crack the codes so easily!!
Idiocracy rules supreme!
One can surmise sales of RFID shielding cases for these devices would be a minimum mandatory requirement at the very least!
***The research team was able to obtain the card's proprietary encryption scheme by physically dissecting its chip and examining it under a microscope. They then photographed various levels of its circuitry and used optical recognition software to produce a 3D representation of the entire chip. By examining the logic gates in great detail, they were able to deduce the proprietary algorithm, which NXP dubs Crypto1.***
***"It only takes a few minutes to break any card in particular," Nohl said in an interview. He said the modest amount of time and equipment required to crack any Mifare Classic card - in many cases less than 10 minutes on a typical PC - makes the attack ripe for criminals to carry out in the real-world attacks.***
So having dissected, photographed, and 3D mapped the end result with optical recognition software to verify the logic gates, criminals will now be able to crack these cards with ease...? Sorry, but that sounds a little complicated to me, one would almost think it would be far less effort to blow the bloody doors off!!
@ Tony Barnes
I think you'll find that once they worked out the algorithm once, they don't need to do it again for every card....
All it would need is a RFID reader and a bit of software.
Reading comprehension FTW! :)
Is this new? I thought I read months ago that the Oyster card had been cracked. Maybe Bruce Schneier mentioned it, or it's somewhere on http://rfidiot.org/ , but I can't spot it on either.
Or maybe I dreamt it. Oh dear.
Dissecting the chip and examining it under a microscope is only done once to understand the algorithm. Once you understand the algorithm, you can break *any* card within minutes.
So the way organised crime works these days, some enterprising people will probably dissect one of those cards and go through the same steps as those guys to understand the algorithm and how to break it. Once they've done this, they'll sell the method to crack any card for £50 on some underground network, or whatever amount they think they can get away with. Then other enterprising people who think they can make a profit out of copying such cards will buy the method, copy gazillions of Oyster or other cards and sell the copies at a profit or use them to get access where they shouldn't.
The process is indeed expensive if you want to break the one card. But if you make it into a business, this could be a nice money spinner for criminals.
... er did you *read* the article? The initial dissection & 3D mapping has been done. It doesn't need repeating. However it's led to being able to crack a card in minutes .....
@ AC @ Tony Barnes
I think Tony is saying that "All well and good, this research company has elucidated the algorithm. What's the problem if they keep it out of the grubby mitts of those with criminal intent?"
To which there are two answers which don't require any malice on the part of the researchers:
1) They can't guarantee no one will steal the algorithm
a) There are a lot of clever people and rich criminals to employ and equip them who may actually already have done this and refrained from publishing their results in order to reap the criminal benefit.
So safe for train tickets, but not for security
Ticket fraud would not be economic with this method if you can sell the cloned cards. It should be possible to trace multiplied cards (if there are enough of them using the same code) and either shut out the users from the system or even apprehend them when they try to pass the scanners.
The reference test is whether it is easier or less expensive to clone a card than it is to fake a paper (or magnet strip) ticket.
Corporate and government security is a different issue since these may be high value targets even if only a single card is cloned, but as I understand it, these cards are not being marketed for that purpose (which of course doesn't prevent some idiot from using them).
"With anything proprietary, you can never guaranty that."
"guarantee". The word is "guarantee".
"Industrial Espionage"? Meh.
"Seems like Industrial Espionage rather than some guy doing a PhD"
I don't think so. Still if they can get any money needed for the tools by doing a little flipchart presentation at the competitor's head office, then get a PhD thrown in for the results, more power to them.
Also, "Industrial Espionage" is such a bigmouth word with nasty associations. What about "bespoke knowledge elicitation"?
Who's the ENEMY for fuck sake???
So much of everyday life reads like a dystopian war screenplay these days. God knows who's protecting what.
And all the ingenuity wasted a) on thinking up "terror" scenarios to be guarded against, and b) on thinking up ways of getting round the guarding.
Seems to me the enemy is more and more the ordinary consumer and Joe Public. Government and official premises are becoming as barb-wired and repellent as an Imperialist cop shop in Derry, and transport users seem to be considered as criminal joyriders instead of people who are forced to use public transport for hours to get to some crappy and insecure job just to make ends meet.
Get rid of the secretive and undemocratic bastards now running things, and open doors will become the norm.
Get rid of charges for something as fundamental to the functioning of a modern society as the public transport infrastructure, and you'll have a much pleasanter and smoother-running system.
I somehow doubt that this was done with any old microscope. I remember at Uni being shown an uncovered ARM chip - that was about ten years ago and I don't know how old that chip was at the time. It was quite funny to look at even with the naked eye because it didn't have a colour. The feature size was at that time comparable to the wavelength of light, and the colour various portions appeared to be depended on the precise angle you held it with respect to the light.
That was ten years ago and things have got even smaller since then. If light was too big then it certainly is now. You can't do that kind of work with an optical microscope. An electron microscope sure, but that isn't something that your average fraudster has access to.
The Mifare Classic chip that this stuff is based on was released in 94. Not a good start. The UltraLight version used in Oyster cards was released in 2001. This makes it too early to benefit from the fruits of the AES program, but the inherent weakness of short key algorithms in general, and the various recommendations against secret algorithms untested by skilled cryptanalysts are older than that.
Silly people. New techniques aside, the fact that you can brute force one of the cards 'in a few days' (depending on how much cheap, easily available hardware you have to parallelise the process) means that the whole thing is totally and fundamentally flawed.
And that's what happens when you purchase throwaway hardware, designed and built as cheaply as possible.
HO HO guess what?
In common with almost every other "proprietary" encryption lash-up, this one is based on the hobbyist's favourite, the Linear Feedback Shift Register (LFSR) - it's too funny to be true again, and from Philips who should know better. This baby can be cracked with only twice the key length of output stream, Messrs Berlekamp and Massey did it in ~1960. Many attempts have been made since to include LFSRs into genuinely strong schemes, but they all break.
Any one reviewer could have told them their Crypto-1 is based on fool's gold, and imho the detailed description of how they dissected the chip and made a 3D database is all bollocks, no way can you get the doping pattern (at one in 10^10) out of the silicon, and they will run some n-type tracking for confusion. You will get the metal layers, but these will be obfuscated with dummy traces, it is simply not machine-crackable.
It is just a face-saver for NXP, a system like this can be (and almost certainly was..) cracked just from looking at the signals.
Look out for the next update, where another team does just this.
How dismally poor, have they won a tranche of our ID card business yet?
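Added example, not part of any comment in this thread: the Berlekamp-Massey result mentioned above, run against a plain 48-bit LFSR. The tap positions and seed are constructed for illustration and this is not an implementation of Crypto1; it shows that 96 observed output bits of a bare LFSR are enough to predict everything that follows, which is why linear complexity is a basic acceptance check for any keystream generator.

```python
# Constructed parameters for illustration only; not Crypto1's real taps or keys.
TAPS = (0, 1, 27, 28)      # s[t+48] = s[t] ^ s[t+1] ^ s[t+27] ^ s[t+28]
SEED = 0xA0A1A2A3A4A5      # constructed, non-zero 48-bit initial state
N = 48                     # register length in bits


def lfsr_bits(taps, state, count):
    """Output of a plain LFSR: each new bit is the XOR of tapped earlier bits."""
    s = list(state)
    width = len(state)
    while len(s) < count:
        base = len(s) - width
        bit = 0
        for k in taps:
            bit ^= s[base + k]
        s.append(bit)
    return s[:count]


def berlekamp_massey(bits):
    """Return (L, c): the shortest LFSR over GF(2) that generates `bits`.

    c[0] == 1 and bits[i] == XOR of (c[j] & bits[i-j]) for j = 1..L, i >= L.
    """
    n = len(bits)
    c = [1] + [0] * n      # current connection polynomial
    b = [1] + [0] * n      # polynomial from before the last length change
    L, m = 0, -1
    for i in range(n):
        d = bits[i]        # discrepancy between predicted and observed bit
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            prev = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L, c[:L + 1]


def predict(known, c, L, count):
    """Extend `known` by `count` bits using the recovered recurrence."""
    out = list(known)
    for i in range(len(known), len(known) + count):
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & out[i - j]
        out.append(bit)
    return out[len(known):]


def demo():
    """Observe 2*N bits, recover the register, predict the next 256 bits."""
    state = [(SEED >> i) & 1 for i in range(N)]
    stream = lfsr_bits(TAPS, state, 2 * N + 256)
    observed, future = stream[:2 * N], stream[2 * N:]
    L, c = berlekamp_massey(observed)
    return L, predict(observed, c, L, 256) == future


if __name__ == "__main__":
    length, matched = demo()
    print("recovered register length:", length, "prediction correct:", matched)
```

A generator that passes this check is not thereby secure; one that fails it (recovered length close to the register size) is linear and should never be used on its own as a cipher.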
Internet Exploring ...Industrial Espionage
"So having dissected, photographed, and 3D mapped the end result with optical recognition software to verify the logic gates, criminals will now be able to crack these cards with ease...? Sorry, but that sounds a little complicated to me, one would almost think it would be far less effort to blow the bloody doors off!!" ...... By Tony Barnes Posted Wednesday 12th March 2008 09:02 GMT
With that algorithm knowledge, there are no bloody doors, Tony. IT would then be Presented with AIDanegeld* Font for XSSXXXXSource or at least ITs Lead Followers would.
*"bespoke knowledge elicitation"? :-)
... you'll be looking at that busker in the tube a little differently today won't you...
Is he really a scruffy genuine busker, or is he really a scruffy techie and that guitar conceals a huge antenna?
All your oysters are belong to us!
@ those who thought I didn't read the article...
Yes, as confirmed by an AC, I was highlighting the fact that the crooks would have to do this original bit of cracking themselves, unless the researchers were short sighted enough to leave copies lying around. Keeping their traps shut, and invoking an investigation as to whether a large amount of keys were being cracked worldwide would have been an infinitely more responsible approach than polishing their knobs so publicly.
So for those who implied I needed to read the article, before stating something that was in fact correct, try reading the post you are replying to, and engaging your brain. Alternatively, if sufficient AC's let me know that I am too cryptic (!), I will explain each and every word I bother posting on here to the nth degree, to try and avoid any miscommunication of the bastard obvious!!!
effort of cracking
Classic Mifare cards have several data slots on them; each slot is protected by two encryption keys. One of the choices of mode for a slot is designed for ticketing/emoney applications and has one key that can do read/decrement, and the other key can do read/write. So all your turnstiles would have the key to be able to read how much credit you have and deduct some, but only the charging stations would have the write key and be able to up your credit.
If people like Oyster have used this standard method, and trusted that the cards are secure, then all it would take is to crack the write key they've used and you could trivially alter any card or create new ones.
There are of course ways to be more cunning and secure about the whole thing if you use a little thought, but since when have large projects ever done that.
Who wants to bet...
Our Nuclear Power stations use these?!
microscope not needed any more
The crooks could just kidnap the guy who cracked the algorithm and threaten to cut his bits off unless they are told how to crack the card. Surely a much simpler, cheaper and quicker solution than doing the microscopy and reverse engineering again.
Sometimes low-tech >> high tech.
New door opens
I was watching the video on how they found the encryption (link: http://www.hackaday.com/2008/01/01/24c3-mifare-crypto1-rfid-completely-broken/ ) and was struck by a scary thought. I wonder if they realize that they have also come up with a method that would allow reverse engineering of any silicon chip without the need of the photo templates. This could be bad for Intel, AMD, IBM or any other proprietary chip maker. While the dissection wouldn't yield a perfect copy of the design it would give enough data to reproduce the chip with just a little bit of digital logic used to fill in the blanks. Think of it as a logic version of hang-man. Couple that with the standard black box engineering probably already used and this could significantly reduce the reverse engineering time.
I can see the patent lawsuits already...
What intrigues me is that they say they've sold 1-2 billion. That means they're not sure of whether they've sold a billion cards or not, in my view.
Would you trust a card from an outfit like that to keep track of anything at all? (I have to: got an Oyster for daily commute)
@New door opens
someone at my cybersecurity lab mentioned that didn't AMD do this decap and decode in order to reverse engineer the trusty old '386??
ah memories....I bought a Compaq 386SX with 4Meg Ram upgrade....that'd buy me a whole coWPAtty 15*FPGA E-12 SuperCluster nowadays
Flat out wrong?
It looks like you would have to have quite a few invalid communications with the card before you could get the key and start valid communications. Why not just add code to disable the card if it has too many invalid connection attempts? I'm guessing that's the thinking de Bot was using when he mentioned "appropriate measures." Of course, this would probably allow for a DoS attack where somebody could intentionally block cards of passersby, but for some cards that's an acceptable tradeoff.
Further to Tony Barnes
I did understand what Tony Barnes meant and, further to his comment, I have a question.
"All you'd need is an RFID reader and some software". I have no idea how much an RFID reader costs and, similarly, what 'some' software that would be or how much it would cost.
That all aside, let's talk about return on investment here. Assuming Tony's implied argument is correct and Mr. Crook would have to fork out for the weak algorithm, let's add whatever an RFID and 'some' software would cost, take a step further and assume that Mr. Crook is better educated than I am and knows what to do with an RFID reader and 'some' software and then postulate that Mr. Crook does..............what?
Steal a free ride or three on the Tube?
Not really surprised that the algorithm was easy to crack when they give an estimate of how many cards have been sold
"NXP says it's sold 1 billion to 2 billion of the cards"
Fairly accurate then ?
@hat Mr. Crook does..............what?
er......we use RFID systems in Nuclear Seals, no, not the cuddly ones that live off the coast of Windscale but the serious ones that lock away warm things. Of course our seals are impervious to this sort of attack, harrumph!
.. a company that can't quantify the number it's sold more precisely than this...
"NXP says it's sold 1 billion to 2 billion of the cards"
...may not be the most reliable for number based operations.
A bit like saying "My wife gave birth to 1 to 2 babies"
The only excuse for this type of imprecision is vast overindulgence in alcohol or other mind twisting substances.....
Mine's the one or two coats on the one or two coat racks in the one or two cloakrooms over there (or there)
>Steal a free ride or three on the Tube?
Or reprogram the day ticket into an annual all zones travel card worth £2600 and sell them in the pub for £200
You can also use them to make purchases of up to £90 in shops IIRC.
Then when they are expanded to pay for congestion charges / road tolls and rail services they are worth even more.
@John A Blackley
Actually, there's quite a lot you can do with a cracked Oyster card. BTW. A Reader/Writer should be available for a couple of hundred quid tops ( search t'internet ). The researchers used a 150 Euro model.
Once you can write to your Oyster, you can
- Get free travel on the Tubes/Buses/Trains. A bit of playing around probably, but an Annual Travelcard costs a couple of thousand pounds per year. Well worth the effort.
- A number of shops are rolling out Oyster for small payments ( Hong Kong's Octopus card shows the way ), so you can not only get a free ride, but a free lunch too, probably at McDonalds. And a paper too.
- I suspect you could change the serial/identity number on the card, to make yourself harder to track. TfL have all your movements keyed to your card, but that'll be much harder if you change identity every trip.
Can you be a bit more specific?
"It's also used by public transit systems in Boston and London"
Do you mean the widely used Oyster card system? If so why not say so?
@Further to Tony Barnes
An RFID reader and some software that a single student can write between pub runs (especially now that the leg work has been done) would not cost that much.
On the other hand, a "free ride or three on the Tube" currently retails for £968.00 per year for Zones 1 and 2. The hardware and coding effort will be worth less than that (for the first user alone), and what's the chance they'll replace it with an incompatible system in under a year?
"about 50 cents apiece"
Is that 50 eurocents (Dutch card, Dutch currency) or 50 US cents (US-centric writer)?
The odds of a system being replaced once a significant amount of money is lost will be quite high - after all, the costs are pushed onto the customer, aren't they?
Besides, according to the Terms & Conditions (http://www.tfl.gov.uk/termsandconditions/901.aspx) of the Oyster card, particularly the bit about "Lost or stolen Oyster card", simply reporting that your card is stolen (without you knowing the ID of the card, eh?) allows them to update the system and disable use of the card.
Does this mean there is a database that allows tracking of the card's usage? What is to keep them from implementing this (if not already) to confirm "amount on the card", etc? What is to say that it doesn't just read off the ID to confirm against the database of accounts and not even use the data on the card?
If there is no database that they are checking against IRT, then the costs would be in setting up communications and access. That in itself may not be a small amount and could extend the lifetime of any nefarious projects.
Anyone looking to make some extra dosh would have to get these questions answered first before selling "services" to the masses...
[ Yay! I got to use "nefarious" in a post, too!]
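Added example, not part of any comment in this thread: a sketch of the back-end checks raised in two comments above (tracing multiplied cards, and confirming the amount on the card against a database). The record layout, card IDs, gate names and the 120-second threshold are all constructed assumptions, not details of the Oyster system.

```python
from dataclasses import dataclass


@dataclass
class Tap:
    ts: int            # seconds since midnight
    uid: str           # card identifier reported by the gate
    gate: str          # gate/station identifier
    card_balance: int  # pence, as read from the card before the fare is taken
    fare: int          # pence deducted at this tap


# Assumed minimum time for one physical card to move between two gates.
MIN_TRANSFER_SECONDS = 120


def reconcile(taps, ledger, hotlist):
    """Compare gate reports against the back end's own record of each card.

    ledger maps uid -> balance the back end believes the card holds; it is
    debited here and (by assumption) credited only by charging stations.
    Returns a list of (ts, uid, reason) alerts.
    """
    alerts = []
    last_seen = {}
    for tap in sorted(taps, key=lambda t: t.ts):
        if tap.uid in hotlist:
            alerts.append((tap.ts, tap.uid, "HOTLISTED"))
            continue
        expected = ledger.get(tap.uid)
        if expected is None:
            alerts.append((tap.ts, tap.uid, "UNKNOWN_CARD"))
            continue
        # Value on the card that the back end never issued: the card was
        # written outside a charging station, or it is a stale clone.
        if tap.card_balance > expected:
            alerts.append((tap.ts, tap.uid, "BALANCE_ABOVE_LEDGER"))
        # Same identifier at two gates faster than a person can travel.
        prev = last_seen.get(tap.uid)
        if prev and prev.gate != tap.gate and tap.ts - prev.ts < MIN_TRANSFER_SECONDS:
            alerts.append((tap.ts, tap.uid, "SIMULTANEOUS_USE"))
        ledger[tap.uid] = expected - tap.fare   # trust the ledger, not the card
        last_seen[tap.uid] = tap
    return alerts


def run_sample():
    """Constructed sample data: one honest card, one inflated, one cloned."""
    ledger = {"CARD-A": 500, "CARD-B": 300, "CARD-C": 1000}
    hotlist = {"CARD-D"}
    taps = [
        Tap(28800, "CARD-A", "GATE-01", 500, 150),
        Tap(30000, "CARD-A", "GATE-07", 350, 150),
        Tap(29000, "CARD-B", "GATE-03", 9000, 150),   # balance never issued
        Tap(29100, "CARD-C", "GATE-02", 1000, 150),
        Tap(29130, "CARD-C", "GATE-09", 1000, 150),   # second copy, 30 s later
        Tap(29500, "CARD-D", "GATE-05", 200, 150),    # reported lost or stolen
    ]
    return reconcile(taps, ledger, hotlist)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The checks only work if gates report taps to the back end, which is the communications cost one of the comments points out.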
Re: Industrial Espionage
William, it was really nothing ... of the sort.
Surely the researcher is doing the company a favour by forcing them to strengthen their security? Blowing security by obscurity is more rightly compared with saying the Emperor has no clothes than the comparison with industrial espionage. No actual break-in was performed against the company (or its clients) and no secrets were subsequently stolen. All these guys did was point out that the locks don't work, and provided the proof to back up the assertion.
I pity the poor fools that buy into fake security bullshit.
Thoughts for the Future
OK, it's time to think of the future, and I think there are two things that must be addressed here:
ONE: Make the use of proprietary encryption algorithms flat-out illegal. The *only* secret should be the key. This is well understood by those with a clue: it is not just co-incidence that the OpenBSD implementation of ssh is considered to be the reference standard and the much less well known proprietary version, distributed without Source Code, languishes in obscurity. Not everybody has a clue, however. If they can make supermarkets print "CONTAINS GLUTEN" on a bag of flour (even though everybody should know that flour is made from wheat, which contains gluten -- but obviously someone doesn't, otherwise they wouldn't need the warning), they can surely ban "crypto" providers from keeping secrets which could compromise the integrity of the products they are selling (even though everybody should know there are occasions when you have no alternative but to insist on the Source Code -- but obviously someone doesn't).
TWO: Outlaw "technology discrimination" (e.g., charging different prices according to whether payment is being made by electronic transfer or actual shiny round pieces of metal). This will hopefully prevent people being coerced into using inappropriate or improperly-tested technologies.
Any sensible business plan should build in the cost of a crack
I remember reading that one of the big reasons why ONDigital (later ITVDigital) went down was because the smartcard that went in their set top boxes had been compromised. Unlike Sky, who had built into their business plan an assumption that cards would need to be replaced around every five years due to exploits, ONDigital hadn't built this cost into their calculations and so couldn't afford to reissue cards to all their customers.
Maybe payback for Oyster rip off?
I have detected early last year that the Oyster charging for cash-on-card is seriously flawed and charges a LOT more than it should (we're talking up to 30% or so more). If you buy a weekly or monthly, fine, but if you travel on cash (because, for instance, you're not that often in London) I would VERY strongly recommend you keep checking on what Oyster takes off your card because I've seen it screw up repeatedly - strangely never in my favour (which is a bit of a giveaway). This was noticed with two different cards, for all sorts of different journeys.
Most revealing is the reaction of Transport for London support - they KNOW about this..
You can tell the encryption is sub-standard when the paper detailing how it was broken doesn't contain the name "Shamir".
Even Further To Tony Barnes
Okay, I apologise. I didn't really mean ONE free ride on the tube. I'm sorry, okay?
What I meant to imply in my original post was that, given the intent, investigative skills, time and money to hack an Oyster card (Yes, yes. I know. Oyster cards are also used to lock the doors to the nation's plutonium deposits and Natalie Denning's bedroom.) the potential return on investment is hardly the Heathrow bullion heist, is it?