Bart Kosciarz Radio-frequency identification: the use of radio waves - PowerPoint PPT Presentation

  1. Starbug and Henryk Plötz (Chaos Computer Club); Karsten Nohl and David Evans (University of Virginia). USENIX 2008. Presented by Bart Kosciarz

  2. Radio-frequency identification: the use of radio waves to read and capture information stored on a tag (usually attached to an item)

  3. • Used in: access control systems, tickets for public transport
     • Cipher: stream cipher with 48-bit symmetric keys
     • Cheap: sells for 0.5 Euro in small quantities
     • Small: 400 2-NAND gate equivalents (128-bit AES is 3400)

  4. "It must not require secrecy, and it must be able to fall into the enemy's hands without inconvenience." A cryptosystem should be secure even if everything about the system is publicly known (except the key!)

  5. • Black box analysis: Lorenz cipher & DST cipher
     • Software disassembly: A5/1, A5/2, Hitag2 and KeeLoq
     And now…
     • Silicon implementation: MIFARE Classic

  6. • Use acetone to dissolve the plastic of the card
     • Polish thin layers of the chip and limit tilting
     • Use a microscope to image the 6 layers (and account for the tilt)
     • Build a library of the logic gates and create templates

  7. • Use MATLAB image processing for template matching

  8. • Can find the cipher implementation by finding a 48-bit register and XOR gates
     • The random number generator has output but no input
     • Finish reverse engineering the cipher by looking at the protocol-layer communication

  9. • The OpenPCD RFID reader is open source and has an ARM microcontroller
     • Test whether the secret key and tag ID are shifted in sequentially
     • The info from this + results from hardware analysis = Crypto-1 stream cipher

  10. • The RNG is a 16-bit LFSR initialized to a constant
      • Future random numbers can be predicted by observing when previous numbers occurred

  11. • Key space is small (48-bit): can brute force in 50 minutes with 64 FPGAs
      • Since random numbers are controllable and the session key + ID result in only one possible secret key, we can compute a codebook for a single ID that works for all other IDs

  12. • Don't need an RNG: memory cells begin in a "random" state; start the cipher in this state and evolve it with the feedback loop
      • Use the area saved for a longer key (48+16 = 64-bit)
      • Introduce non-linearity to protect against statistical attacks

  13. • Key contributions of this paper?
      • Criticisms/limitations of the paper?
      • Is there a place for secret ciphers?
      • How feasible are reverse engineering attacks like this as chips continue to shrink?
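Added example for slides 6 and 7 (gate library + template matching). This is not the authors' MATLAB code; it is a plain-Python stand-in that shows the core of the technique: slide each gate template over a layer image and report windows whose pixel similarity clears a threshold. The gate library, the layer image (with one deliberately missing pixel in the second NAND, standing in for imaging noise or tilt) and the 0.9 threshold are all constructed for illustration.

```python
# Added example, not from the slides or the paper: template matching of a small
# constructed gate library against a constructed binary image of one chip layer.
# Pixels: "1" = metal/polysilicon, "0" = background. No MATLAB or numpy needed.

from typing import Dict, List, Tuple

# Constructed two-gate library; each template is a list of equal-length rows.
GATE_LIBRARY: Dict[str, List[str]] = {
    "NAND": ["1111",
             "1001",
             "1111"],
    "INV":  ["111",
             "010",
             "111"],
}

# Constructed layer image: NAND at (row 1, col 1), a second NAND at (1, 11)
# with one pixel missing at (3, 13) to mimic imaging noise, and an INV at (5, 5).
LAYER: List[str] = [
    "0000000000000000",
    "0111100000011110",
    "0100100000010010",
    "0111100000011010",
    "0000000000000000",
    "0000011100000000",
    "0000001000000000",
    "0000011100000000",
    "0000000000000000",
]


def match_score(image: List[str], template: List[str], top: int, left: int) -> float:
    """Fraction of template pixels equal to the image window anchored at (top, left)."""
    h, w = len(template), len(template[0])
    same = 0
    for r in range(h):
        for c in range(w):
            if image[top + r][left + c] == template[r][c]:
                same += 1
    return same / (h * w)


def find_gates(image: List[str], library: Dict[str, List[str]],
               threshold: float = 0.9) -> List[Tuple[str, int, int, float]]:
    """Slide every template over every window of the image and return
    (gate name, row, col, score) for windows whose similarity >= threshold.
    A threshold below 1.0 tolerates a few wrong pixels (noise, tilt)."""
    hits: List[Tuple[str, int, int, float]] = []
    height, width = len(image), len(image[0])
    for name, tmpl in library.items():
        h, w = len(tmpl), len(tmpl[0])
        for top in range(height - h + 1):
            for left in range(width - w + 1):
                score = match_score(image, tmpl, top, left)
                if score >= threshold:
                    hits.append((name, top, left, round(score, 3)))
    return sorted(hits, key=lambda hit: (hit[1], hit[2]))


def gate_census(image: List[str], library: Dict[str, List[str]],
                threshold: float = 0.9) -> Dict[str, int]:
    """Count matched gates per type, the kind of tally behind a
    'N gate equivalents' figure."""
    counts: Dict[str, int] = {}
    for name, _row, _col, _score in find_gates(image, library, threshold):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_gates(LAYER, GATE_LIBRARY):
        print(hit)
    print(gate_census(LAYER, GATE_LIBRARY))
```

The score is a plain fraction of agreeing pixels rather than normalised cross-correlation, which is enough for binary templates; on real microscope data the threshold has to be tuned so that a damaged gate (here 11/12 matching pixels) is still found while shifted windows (at most 7/9 for these templates) are not.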
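Added example for slide 10 (16-bit LFSR seeded with a constant). This is not the tag's actual generator or any code from the paper: it models a nonce generator whose "random" number is the LFSR state, seeded with a constructed constant and clocked once per tick after power-up. The feedback taps (16, 14, 13, 11) are a standard maximal-length choice assumed for illustration. It shows the two weaknesses the slide names: every future nonce follows from one observed nonce, and the time since power-up alone determines which nonce appears. That is the failure mode slide 12's fixes are meant to remove.

```python
# Added example, not from the slides or the paper: a 16-bit Fibonacci LFSR used as
# a nonce generator and seeded with a constant. Tap set and seed are assumptions.

SEED = 0xACE1      # assumed constant power-up state (constructed value)
PERIOD = 0xFFFF    # a maximal-length 16-bit LFSR visits 65535 non-zero states


def lfsr_clock(state: int) -> int:
    """One Fibonacci LFSR step. Feedback bit = XOR of bits 0, 2, 3, 5
    (taps 16, 14, 13, 11; polynomial x^16 + x^14 + x^13 + x^11 + 1)."""
    bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (bit << 15)) & 0xFFFF


class NonceGenerator:
    """Model of a tag RNG: the nonce is the current LFSR state, and the LFSR
    keeps clocking after power-up, so the nonce depends only on elapsed ticks."""

    def __init__(self, seed: int = SEED) -> None:
        self.state = seed

    def tick(self, n: int = 1) -> None:
        for _ in range(n):
            self.state = lfsr_clock(self.state)

    def nonce(self) -> int:
        """Emit the 16-bit nonce, then consume 16 clocks (one nonce's worth)."""
        out = self.state
        self.tick(16)
        return out


def predict_next_nonces(observed: int, count: int) -> list:
    """From one observed nonce, derive the next `count` nonces. No secret is
    involved: the whole 16-bit state is exposed in the nonce itself."""
    model = NonceGenerator(observed)
    model.tick(16)
    return [model.nonce() for _ in range(count)]


def ticks_since_reset(observed: int, seed: int = SEED) -> int:
    """Number of clock ticks after power-up at which `observed` appears.
    With a constant seed, timing alone fixes the nonce (slide 10's point)."""
    state = seed
    for ticks in range(PERIOD):
        if state == observed:
            return ticks
        state = lfsr_clock(state)
    raise ValueError("value is not a reachable LFSR state")


def lfsr_period(seed: int = SEED) -> int:
    """Count clocks until the state sequence repeats: 65535 for a maximal LFSR,
    i.e. only 2^16 - 1 distinct nonces ever, regardless of the 48-bit key."""
    state = lfsr_clock(seed)
    n = 1
    while state != seed:
        state = lfsr_clock(state)
        n += 1
    return n


if __name__ == "__main__":
    tag = NonceGenerator()
    tag.tick(37)                      # tag powered up 37 ticks before first query
    first = tag.nonce()
    print("first nonce  :", hex(first), "seen after", ticks_since_reset(first), "ticks")
    print("predicted    :", [hex(n) for n in predict_next_nonces(first, 3)])
    print("actual       :", [hex(tag.nonce()) for _ in range(3)])
    print("LFSR period  :", lfsr_period())
```

Two tags built this way and powered up for the same number of ticks emit identical nonces, which is why the slides later describe the random numbers as controllable; the defensive reading is that a nonce source needs real entropy at power-up, not a fixed seed.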
