Legic Prime: Obscurity in Depth

Henryk Plötz, Karsten Nohl
ploetz@informatik.hu-berlin.de, nohl@virginia.edu

December 28th 2009

Outline:
  Legic Primer
  Master Token System Control
  Attack overview
  Analyzing LEGIC RF
  The case of the CRC
  The obfuscation function
  Understanding the Legic Prime protocol
  Mastering MTSC
  Comprehending card contents
  Conclusions

(1/45) Legic Prime: Obscurity in Depth – 2009-12-28
Legic tokens are RFID access and payment cards

◮ Contactless smart cards at 13.56 MHz
◮ Legic Prime: proprietary, marketed since 1992
◮ Legic Advant: ISO compliant, marketed since 2004
◮ Predominantly used in access control, but payment applications exist (e.g., cafeteria)
◮ Can hold several applications, but this feature is rarely seen

(2/45)
Legic Prime

◮ Old card type, as old as Mifare Classic (and at least as insecure)
◮ Proprietary radio protocol (applied to become ISO 14443 Annex F): "LEGIC RF"
◮ Proprietary 'Legic Encryption' protocol
◮ Slow data rate (~10 kbit/s), comparatively high read range (supposedly up to 70 cm)
◮ Card types: MIM22 (outdated), MIM256 (234 bytes storage), MIM1024 (1002 bytes storage)

(3/45)
Legic Advant

◮ New card type, developed in the 2000s
◮ Based on ISO 14443A or ISO 15693
◮ 3DES or AES, also backward compatible to 'Legic Encryption'
◮ Several ATC card types with varying sizes (15693: 128–944 bytes, 14443: 544–3680 bytes)
◮ Not yet analyzed by us, therefore not covered in this talk

(4/45)
Legic takes obscurity to the extreme

◮ Shrouded in a cloud of closed-ness and exclusivity
◮ Compared to Mifare: much harder to get cards and readers on the free market (this is on purpose)
◮ No documentation available beyond layers 1+2 (in the rejected ISO 14443 Annex F)
◮ Most marketed feature and main difference to other systems: Master Token System Control

(5/45)
Master Token System Control

"The powerful LEGIC Master-Token System Control (MTSC) [...] is unique in the security industry. With MTSC no sensitive passwords are needed. Instead, a special physical Master-Token [...] is used containing a unique genetic code which securely links cards and readers."
– Source: http://www.legic.com/unique_security.html

◮ Cards are segmented and access is regulated on a per-segment basis
◮ Segment access is bestowed not through the knowledge of keys or passwords but through a physical token
◮ The MTSC token itself is a Legic card (either Prime or Advant)

(6/45)
Segment protection

◮ Node identifier in the master token structure is called the stamp (or 'genetic code')
◮ Segments on cards are imprinted with a stamp on creation
◮ Stamp comes from the token that authorized the creation
◮ Stamp can not be changed
◮ Optionally, segments can be "read protected"
◮ Readers are initialized with access rights for none/one/multiple stamps
◮ Card–Reader interaction:
  ◮ Read read-protected segment and write: only if the reader has access rights for that segment's stamp
  ◮ Read non-read-protected segments: all readers can do this

(7/45)
MTSC Structure

◮ Token structure is hierarchical: a token can only create objects with a higher nesting level than its own → longer stamp, but same prefix

(8/45)
Token Types

General Authorization Media (GAM)
  Token-creating token that carries the temporary authorization to create sub-tokens

Identification Authorization Media (IAM)
  Segment-creating token that carries the temporary authorization to create segments on cards

System Authorization Media (SAM)
  'Reader-creating' token that bestows the permanent authorization to write to existing segments on cards (and read read-protected segments)

(9/45)
Token Sub-Types

◮ For the SAM (a.k.a. SAM63, a.k.a. 'Taufkarte', literally "baptism card"), which 'launches' readers ('taufen', to baptize), there is a counterpart: SAM64 (a.k.a. 'Enttaufkarte', "un-baptism card") to de-launch readers ('enttaufen')
◮ Other types (possibly restricted to Advant):
  XAM   Permanent permission to create segments (i.e. a launching version of the IAM)
  IAM+  Restricted version of the IAM, which only allows creating a given number of segments
◮ There are references to SAM4 'Parametrierkarte' (parameter card), which changes reader parameters. Also, some systems may use other 'SAM...' types for sneakernet purposes.

(10/45)
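The four slides above describe MTSC as a pure authorization hierarchy: stamps nest by prefix, an IAM imprints its stamp on the segments it creates, a SAM grants a reader rights for its stamp, and a reader may write (or read a read-protected segment) only when it holds rights for that segment's stamp. The following toy model, added here and not part of the talk or of any LEGIC software, encodes those rules so the consequences can be checked mechanically. It assumes two things the slides do not state: that the IAM and SAM of one site share a stamp, and that reader rights match a segment's stamp exactly (no prefix matching); the token kinds, `segment_budget` for IAM+ and the `demo()` walk-through are illustrative names.

```python
# Added example (not from the talk): a toy model of the MTSC authorization
# rules on the "Segment protection", "MTSC Structure", "Token Types" and
# "Token Sub-Types" slides. Assumptions of this model, not stated there:
# the IAM and SAM of one site carry the same stamp, and a reader's rights
# match a segment's stamp exactly (no prefix matching).
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Token:
    kind: str                             # "GAM", "IAM", "SAM" or "SAM64"
    stamp: bytes                          # the 'genetic code'
    segment_budget: Optional[int] = None  # IAM+: segments it may still create


@dataclass
class Segment:
    stamp: bytes            # imprinted at creation, never changes
    read_protected: bool
    data: bytearray


@dataclass
class Reader:
    stamps: Set[bytes] = field(default_factory=set)   # rights bestowed by SAMs


def is_sub_stamp(parent: bytes, child: bytes) -> bool:
    """Hierarchy rule: a child stamp is longer than, and prefixed by, its parent's."""
    return len(child) > len(parent) and child[: len(parent)] == parent


def create_subtoken(gam: Token, kind: str, stamp: bytes,
                    segment_budget: Optional[int] = None) -> Token:
    """Only a GAM creates tokens, and only one nesting level below itself."""
    if gam.kind != "GAM":
        raise PermissionError(f"{gam.kind} cannot create tokens")
    if not is_sub_stamp(gam.stamp, stamp):
        raise PermissionError("sub-token stamp must extend the GAM stamp")
    return Token(kind, stamp, segment_budget)


def create_segment(iam: Token, read_protected: bool, data: bytes) -> Segment:
    """An IAM imprints the new segment with its own stamp; an IAM+ has a budget."""
    if iam.kind != "IAM":
        raise PermissionError(f"{iam.kind} cannot create segments")
    if iam.segment_budget is not None:
        if iam.segment_budget <= 0:
            raise PermissionError("IAM+ segment budget exhausted")
        iam.segment_budget -= 1
    return Segment(iam.stamp, read_protected, bytearray(data))


def launch_reader(reader: Reader, sam: Token) -> None:
    """SAM (SAM63, 'Taufkarte') adds rights for its stamp; SAM64 removes them."""
    if sam.kind == "SAM":
        reader.stamps.add(sam.stamp)
    elif sam.kind == "SAM64":
        reader.stamps.discard(sam.stamp)
    else:
        raise PermissionError(f"{sam.kind} cannot (de-)launch readers")


def reader_can_read(reader: Reader, seg: Segment) -> bool:
    """Everyone reads open segments; read-protected ones need the stamp right."""
    return (not seg.read_protected) or seg.stamp in reader.stamps


def reader_can_write(reader: Reader, seg: Segment) -> bool:
    """Writing always needs the right for the segment's stamp."""
    return seg.stamp in reader.stamps


def demo() -> dict:
    """Walk one site through the hierarchy and return the access decisions."""
    gam = Token("GAM", b"\x01")                              # root of the tree
    iam = create_subtoken(gam, "IAM", b"\x01\x02")           # makes segments
    sam = create_subtoken(gam, "SAM", b"\x01\x02")           # launches readers
    sam64 = create_subtoken(gam, "SAM64", b"\x01\x02")       # de-launches them
    locked = create_segment(iam, True, b"door 42")           # read-protected
    public = create_segment(iam, False, b"canteen")          # readable by all
    reader = Reader()
    before = (reader_can_read(reader, locked), reader_can_read(reader, public),
              reader_can_write(reader, public))
    launch_reader(reader, sam)
    after = (reader_can_read(reader, locked), reader_can_write(reader, locked))
    launch_reader(reader, sam64)
    return {"before": before, "after": after,
            "delaunched": reader_can_write(reader, locked)}


if __name__ == "__main__":
    print(demo())
```

Note what the model makes explicit: nothing in these rules is a secret. Every decision is a comparison of byte strings that are written onto cards and into readers, so the scheme is only as strong as the difficulty of producing a card that carries a chosen stamp.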
Roadmap and attack targets

◮ Attacks were implemented using the Proxmark3

(11/45)
LEGIC RF

◮ ISO 14443 Annex F gives general parameters:
  ◮ RWD to TAG: pulse-pause modulation, 100% AM, off-duration: 20 µs, '0'-bit: on-duration 40 µs, '1'-bit: on-duration 80 µs, data rate 10–16.6 kbit/s (data-dependent: a '1' cell takes 20+80 µs, a '0' cell 20+40 µs)
  ◮ TAG to RWD: on-off keying, load modulation, subcarrier fc/64 (≈ 212 kHz), bit duration: 100 µs
◮ Framing "defined by the synchronization of the communication"
◮ No frame start/stop information for tag-originated frames

(12/45)
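To make the layer-1 numbers on this slide concrete, here is a small software model of the reader-to-tag pulse-pause modulation and the tag-to-reader subcarrier, added here and not code from the talk or from any Proxmark3 firmware. It turns a bit list into the (pause, on) durations a reader emits, decodes a logic-analyzer style list of field transitions back into bits, and computes the data-dependent bit rate and the subcarrier figures from the slide. Two details are assumptions of this model rather than facts from the slide: that each bit cell starts with the 20 µs pause and ends with the on-time, and the ±8 µs decoding tolerance. The sample edge list is constructed, not a real capture.

```python
# Added example (not from the talk): a model of the LEGIC RF reader-to-tag
# (RWD->TAG) pulse-pause modulation and of the TAG->RWD subcarrier parameters
# quoted from ISO 14443 Annex F on the slide above.  Assumptions of this
# model, not facts from the slide: the pause comes first in each bit cell,
# and decoding tolerates +/-8 us of timing jitter.
from typing import List, Tuple

FC_HZ = 13_560_000        # 13.56 MHz carrier
PAUSE_US = 20             # field-off duration that starts every RWD bit cell
ON_ZERO_US = 40           # field-on duration for a '0' bit
ON_ONE_US = 80            # field-on duration for a '1' bit
TAG_BIT_US = 100          # TAG->RWD bit duration
SUBCARRIER_DIVISOR = 64   # TAG->RWD load-modulation subcarrier is fc/64

Pulse = Tuple[int, int]   # (pause_us, on_us) for one bit cell


def rwd_encode(bits: List[int]) -> List[Pulse]:
    """Turn a bit list into the (pause, on) durations a reader would emit."""
    return [(PAUSE_US, ON_ONE_US if b else ON_ZERO_US) for b in bits]


def rwd_decode(pulses: List[Pulse], tol_us: int = 8) -> List[int]:
    """Recover bits from measured (pause, on) durations.

    Anything outside the tolerance window is rejected rather than guessed:
    a 60 us on-time is equally far from a '0' and a '1'.
    """
    bits = []
    for pause_us, on_us in pulses:
        if abs(pause_us - PAUSE_US) > tol_us:
            raise ValueError(f"bad pause length {pause_us} us")
        if abs(on_us - ON_ZERO_US) <= tol_us:
            bits.append(0)
        elif abs(on_us - ON_ONE_US) <= tol_us:
            bits.append(1)
        else:
            raise ValueError(f"ambiguous on-time {on_us} us")
    return bits


def pulses_from_edges(edges: List[Tuple[int, bool]]) -> List[Pulse]:
    """Convert logic-analyzer style field transitions into bit cells.

    `edges` is a time-ordered list of (time_us, field_on) transitions that
    alternates off/on and ends with the field-off edge closing the last
    on-time (the next pause, or whatever marks the end of the frame).
    """
    if len(edges) < 3 or len(edges) % 2 == 0:
        raise ValueError("need off, on, ..., off transitions")
    pulses = []
    for i in range(0, len(edges) - 2, 2):
        t_off, lvl_off = edges[i]
        t_on, lvl_on = edges[i + 1]
        t_next_off, _ = edges[i + 2]
        if lvl_off or not lvl_on:
            raise ValueError("edges must alternate field-off, field-on")
        pulses.append((t_on - t_off, t_next_off - t_on))
    return pulses


def rwd_bit_rate_kbps(bits: List[int]) -> float:
    """Effective RWD->TAG bit rate; data-dependent because '1' cells are longer."""
    frame_us = sum(pause + on for pause, on in rwd_encode(bits))
    return len(bits) * 1000.0 / frame_us


def tag_subcarrier_hz() -> float:
    """TAG->RWD load-modulation subcarrier frequency, fc/64."""
    return FC_HZ / SUBCARRIER_DIVISOR


def tag_subcarrier_cycles_per_bit() -> float:
    """How many subcarrier periods one 100 us TAG->RWD bit spans."""
    return tag_subcarrier_hz() * TAG_BIT_US / 1e6


# Constructed sample (not a real capture): the transitions a sniffer would
# log for the bits 1,0,1,1,0 as (time_us, field_on).
SAMPLE_EDGES = [(0, False), (20, True), (100, False), (120, True), (160, False),
                (180, True), (260, False), (280, True), (360, False),
                (380, True), (420, False)]

if __name__ == "__main__":
    print("decoded:", rwd_decode(pulses_from_edges(SAMPLE_EDGES)))
    print("all-'0' rate: %.2f kbit/s" % rwd_bit_rate_kbps([0] * 8))
    print("all-'1' rate: %.2f kbit/s" % rwd_bit_rate_kbps([1] * 8))
    print("subcarrier: %.0f Hz, %.4f cycles per bit"
          % (tag_subcarrier_hz(), tag_subcarrier_cycles_per_bit()))
```

Running it shows where the slide's 10–16.6 kbit/s range comes from (100 µs per all-'1' bit versus 60 µs per all-'0' bit) and that a 100 µs tag bit spans about 21.2 subcarrier periods, which is why the tag side needs no frame delimiters beyond bit-level synchronization.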
Sniffing LEGIC RF

◮ Sniffing with OpenPICC2 (fixed threshold, not so good) or Proxmark3 (hysteresis, much better) and oscilloscope or logic analyzer
◮ Oscilloscope view (screenshot not reproduced here)

(13/45)