下載本文檔
版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進行舉報或認(rèn)領(lǐng)
文檔簡介
Nijmegen,March12,DismantlingcontactlessOnMarch7,2008researchersandstudentsoftheDigitalSecuritygroupoftheRadboudUniversityNijmegenhavediscoveredaserioussecurityflawinawidelyusedtypeofcontactlesssmartcard,alsocalledRFIDtag.Itconcernsthe"MifareClassic"RFIDcardproducedbyNXP(formerlyPhilipsSemiconductors).Earlier,GermanresearchersNohlandPl?tzpointedoutsecurityweaknessesofthiscards.Worldwidearound1billionofthesecardshavebeensold.ThistypeofcardisusedfortheDutch`ov-chipkaart'[theRFIDcardforpublictransportthroughouttheNetherlands]andpublictransportsystemsinothercountries(forinstancethesubwayinLondonandHongKong).Mifarecardsarealsowidelyusedascardstocontrolaccesstobuildingsandfacilities.Allthismeansthattheflawhasabroadimpact.Becausesomecardscanbecloned,itisinpriplepossibletoaccessbuildingsandfacilitieswithastolenidentity.Thishasbeendemonstratedonanactualsystem.Inmanysituationswherethesecardsareusedtherewillbeadditionalsecuritymeasures;itisadvisabletostrengthenthesewherepossible.TheDigitalSecuritygroupfoundweaknessesintheauthenticationmechanismoftheMifareClassic.InTheworkingoftheCRYPTO-1encryptionalgorithmhasbeenreconstructedinThereisarelativelyeasymethodtoretrievecryptographickeys,whichdoesnotrelyonexpensiveCombiningtheseingredientswesucceededonmountinganactualattack,inwhichaMifareClassicaccesscontrolcardwassuccessfullycloned.Insituationwheretherearenoadditionalsecuritymeasures,thiswouldallowunauthorisedaccessbypeoplewithbadintentions.TheMifareClassicisacontactlesssmartcarddevelopedinthemid90s.Itisamemorycardthatofferssomememoryprotection.Thecardisnotprogr ble.Thecryptographicoperationsitcanperformareimplementedinhardware,usingaso-calledlinearshiftfeedbackregister(LSFR)anda"filterfunction".TheencryptionalgorithmthisimplementsisaproprietaryalgorithmCRYPTO-1whichisatradesecretofNXP.ThesecurityofthecardreliesinpartonthesecrecyofCRYPTO-1algorithm,whichisknownas"securitybyobscurity".MifareClassiccardsaretypicallyusedforauthentication.Herethegoalisthattwopartiesprovewhotheyare.Thisisdonebydemonstratingthattheyknowsomecommonsecretinformation,aso-calledsharedsecret(cryptographic)key.Bothparties,inthiscasetheMifarecardandthecardreader,carryoutcertainoperationsandthencheckeachother'sresultstobesureofwhomtheyaredealingwith.Authenticationisneededtocontrolaccesstofacilitiesandbuildings,andMifarecardsarecommonlyusedforthispurpose.SuccessfulAuthenticationisalsoaprerequisitetoreadingorwritingpartofthememoryoftheMifareClassic.Thecard'smemoryisdividedintosectors,eachprotectedbytwocryptographickeys.Properkeymanagementisasubjectinitsownright.Roughlyspeaking,therearetwoAllcardsandallcardreadersusedforasomeapplicationhave thesamekeysforauthentication.Thisiscommonwhencardsare usedforaccesscontrol.Eachcardhasitsowncryptographickeys.Tocheckthekeysof acard,thecardreadershouldthenfirstdeterminewhichcard itistalkingtoandthenlookuporcalculatetheassociated key(s).Thisiscalledkeydiversification.Itiedthat thisapproachisusedfortheDutchpublictransportcard.SecurityweaknessoftheMifareTheDigitalSecuritygroupfoundweaknessesintheauthenticationmechanismoftheMifareClassic.InTheworkingoftheCRYPTO-1encryptionalgorithmhasbeenreverseengineered,andwedevelopedourownimplementationofthealgorithm.Wefoundarelativelyeasymethodtoretrievecryptographickeys,whichdoesnotrelyonexpensiveToreverseengineertheCRYPTO-1encryptionalgorithmweusedflawedauthenticationattempts.Ifonedoesnotpreciselyfollowtherulesoftheprescribedprotocol,onecanobtainsomeinformationaboutofthewayitworks.Combiningsuchinformationiswaspossibletoreconstructthealgorithm.Oncethealgorithmisknown,onecanfindoutthekeysthatareusedbyaso-calledbruteattack,i.e.simplytryingallpossiblekeys.Inthiscasethekeysare48bitslong.Tryingallthekeysthenrequiresaroundninehoursonadvancedequipment,accordingtotherecentTNOreport34643"SecurityysisoftheDutchOV-chipkaart",publishedFebruary26th2008.However,heretoocertainflawsintheauthenticationprotocolcouldbeexploited,aswediscovered.Thisleadsustothesecondpoint:thereisawaytorelativelyeasilyretrievethekeywithoutcarryingoutalengthybruteattack.Thiscanbedonebyfirstcarryingoutmanyfailedauthenticationattempts,whichdoprovidesomeinformation.Storingtheresultsofthisinabigtable,onecanlookforamatchandretrievethekey.Thetableonlyhastobeconstructedonce,andcanbepreparedinadvancebyrepeatedlyrunningtheCRYPTO-1algorithmonafixedinput.Ourproof-of-conceptdemonstrationofthisattackstillrequiredmanyauthenticationattemptsoncethistablehadbeenconstructed.Recordingtheseattemptstookseveralhours,butcouldbecarriedoutbyahiddenantennatoeavesdroponacardreader.Itseemsthatthecomplexitycanbefurtherreduced,possiblydramaticallyso,makingtheattackmuchsimpler.ExploitingtheseOncethesecretcryptographickeyisretrieved,therewillbepossibilitiesforabuse.Howseverethesepossibilitiesarewilldependonthesituation.Ifallcardssharethesamekey,thenthesystemwillbeextremelyvulnerable.Thismaybethecaseifcardsareusedforaccesscontroltobuildingsandfacilities,bothintheprivateandpublicsector.Thereishowevernoinformationonhowcommonthisis.Forsuchasettingwedemonstratedanactualattack,whereacardof,say,anemployeecanbeclonedbybumintothatwithaportablecardreader.Thewhoseidentityisbeingstolenmaythenbecompleyunawarethatanythinghashappened.Inasituationwherediversifiedkeysareused,abusewillbemoredifficult,butnotimpossible.Noactualattackshavebeendemonstratedforsuchascenario.Atthetechnicalleveltherearecurrentlynoknowncountermeasures.Shieldingcardswhentheyarenotinuse,e.g.inametalcontainer,reducestheriskofanattackersecretlyreadingoutacard.However,whenthecardisbeingused,itisstillpossiblytoeavesdroponthecommunication,withahiddenantennaneartheaccesspoint.Strengtheningoftraditionalaccesscontrolmeasuresisthereforeadvisable.Accesstosensitivefacilitieswill(orshould)beprotectedbyseveralprotectionmechanismsanyway,ofwhichtheRFIDtagisonlyone.GermanInDecember2007,KartenNohlandHenrykPl?tzannouncedthattheyhadreconstructedCRYPTO-1atahackers'conferenceinBerlin.Wehavebeenintouchwiththem,andourworkbuildsontheirresults.However,NohlandPl?tzkeptsomeinformationaboutCRYPTO-1tothemselves.ToreverseengineerCRYPTO-1,theycarriedoutaphysicalattack,wheretheystudiedthelayoutofthehardwareimplementingthealgorithmonanactualMifareClassicchip.Theirapproachiscompleydifferentfromours,asweonlyexploitedweaknessesoftheprotocolanddidnotlooklookingatthehardwareWhendiscoveringasecurityflawthereisadilemmaonhowtohandlethisinformation.Immediatepublicationofthedetailscanencourageattacksanddoseriousdamage.Keetheflawsecretforalongperiodmaymeanthatnecessarystepstocounterthevulnerabilityarenottaken.Itiscommonpracticeinthesecuritycommunitytotrytostrikeabalancweentheseconcerns,andrevealflawsaftersomedelay.Thisistheapproachwehavetaken.OnFriday,March72008,theernmentwasinformed,becausenationalsecurityissuesmightbeatstake.OnSaturday,March8,expertsoftheDutchSignalsSecurityBureau(NBV)oftheGeneralInligenceandSecurityService(AIVD)visitedNijmegentoassessthesituation,wheretheyconcludedthattheapproachwedemonstratedwasaneffectiveattack.OnSunday,March9,NXPwasinformed,andonMonday,March10,TransLinkSystems(thedevelotheDutchpublictransportcard).Wespoketorepresentativesofbothcompaniesaboutthetechnicaldetails,andarecollaboratingwiththemtoysetheimpactandthinkofpossiblecountermeasures.OnWednesday,March12,ministerTerHorsthasinformedAbouttheDigitalSecurityTheDigitalSecurityGroupattheRadboudUniversityNijmegenconsistsofabout25researchers.Theresearchfocusesontwothemes:softwaresecurityandidentity-centricsecurity.Overtime,thegrouphasdevelopedaconsiderableexpertiseinthefieldofsmartcards.Thegrouphasforinstanceadvisedontechnicalaspectsoftheelectronicpassportthatwasintroducedlastyear.Thegroupisalsoactiveintheareasofelectron
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
- 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。
最新文檔
- 五年級蘇教版透鏡現(xiàn)象解析
- 初中數(shù)學(xué)蘇教版目錄概覽
- 北師大版五年級數(shù)學(xué)上冊計算題突破策略與學(xué)習(xí)方法
- 初三數(shù)學(xué)學(xué)習(xí)策略分享完全版
- 人教版圓的要點詳解與教育未來
- 蘇教版二年級下冊數(shù)學(xué)全套試卷完整解析
- 人教版解讀離子鍵在材料科學(xué)中的應(yīng)用
- 一年級蘇教版數(shù)學(xué)分合教案設(shè)計
- 2024年CNG調(diào)壓設(shè)備合作協(xié)議書
- 秋八年級生物上冊期中測試卷北師大版
- 《基礎(chǔ)工程課程設(shè)計》課程教學(xué)大綱
- 四年級上冊數(shù)學(xué)課件-2.11、商不變的規(guī)律-蘇教版 (共25張PPT)
- 《劉景源教授溫病學(xué)》講稿
- 26個英文字母教學(xué)練習(xí)課件
- HP機-圓錐破碎機資料
- 導(dǎo)樂分娩服務(wù)工作細(xì)節(jié)及制度
- 110T生物質(zhì)循環(huán)流化床鍋爐運行規(guī)程
- 鋼筋混凝土擋土墻施工方案-
- 高一物理 必修一《速度變化快慢的描述-加速度》教學(xué)設(shè)計
- 廠房項目施工管理合理化建議
- 創(chuàng)傷關(guān)節(jié)骨科災(zāi)害脆弱性分析
評論
0/150
提交評論