Category Archives: RFID

KeeLoq hacked

Posted on by
Reply

KeeLoq is a RFID system that protects many anti-theft cards, and garage openers. Already some published cryptanalysis highlighted the weaknesses of the cipher. But the attack were not practical. A group of six German and Iranian researchers designed a set of very practical attacks.

Using Differential Power Attack (DPA), they were able to extract the device key . What is impressive is that they did the attack without the knowledge of the chip. They were working with a black box. For instance, they had to guess when the encryption process occurred. They extract the device key in less than one hour Of course, DPA required physical access to the emitting device. The performed a similar attack to extract the manufacturer from the receiver. It took less than one day.

With this information, by eavesdropping a receiver, it is possible to impersonate it. They extract the seed, the secret and the current counter value. The counter value has to been “loosely” synchronized with the one of the receiver. Of course, by impersonating the emitter, it is easy to desynchronize the receiver from the genuine emitter. The owner of the genuine emitter will have to push his key 2^15 times to open his door. Nice denial of service.

This is the second hack of RFID security in a month. Recently it was NXP Mifare that was hacked. Once more, the security of a RFID was too weak. It has at least two types of known flaws:

  • a weak LFSR based cipher
  • No protection against side channel attacks.

The industry of secure processors is aware of these types of weaknesses for about one decade and fights them. It is time, that RFID industry adapts also to them. Is it compatible with the price constraints.

A paper at Eurocrypt08 will present this attack. The details of the attacks are available on Ruhr University site

Some thoughts about RFID and passports

Posted on by
Reply

Last week, I discussed with a well known cryptographer: JJQ. We were exchanging about RFID security, last mifare hack, and security of RFID-based passports. During the discussion, we went through a new threat.
Let us now assume that the RFID passport is largely used, and even that one country requires RFID-based passport for entering. We assume that forging a RFID-based passport is extremely difficult (it will never be impossible, law 1). We may assume that forging the paper part of the passport will be easier (else why replacing them with more expensive passports). But the forgery would be detected by mismatch between the information in the passport and the RFID.
The obvious attack would be to blast the RFID of the passport. Then the border guard would check only the paper part. Nevertheless, this may not be sufficient because we may assume that the border guard will be watchful because he faces an exceptional case.
Let us now assume that the attacker was able to build a gimmick that blasts all the RFID of every passports in a plane before leaving it. You will have several hundreds of exceptional cases. In other words, the border guards will be overwhelmed by the situation. Furthermore, if the attacker will present itself among the last ones, then his probability to go through with the forged passport will significantly raise.
Here it is a nice example of combined attacks: technique to blast the RFID and social engineering by creating an exceptional situation to stress the border guards.
Thus, for such type of applications, Denial of Services attacks should be carefully studied and prevented.

NXP enhances the security of its chip

Posted on by
Reply

NXP, the RFID manufacturer, has announced the launching of new generation of mifare RFID chips: mifare plus. This new version has enhanced the security comared to previous mifare classic. For instance, it implements 128-bit AES, and more diversity for the identification. Mifare Plus seem to have an easy migration path from mifare clasic.

For memory, it was the NXP mifare classic that was recently hacked. This is a nice timely answer to this hack. How long will the new generation resist?

RFID and weak security

Posted on by
Reply

NXP Mifare Classic RFID chips are widely used in transportation or access control in Europe. NOHL Karsten, a researcher, publishes a cryptanalysis of this chip (the paper). His analysis demonstrates that the design was extremely weak. The cipher uses a LSFR and a 48-bit key.

It is obvious that the design was weak. Nevertheless, the main design constraint was probably to have a small number of gates for the implementation to reduce the cost. The security assumed that this algorithm would stay secret, in other words violating the principle of Kerckoffs. Furthermore, using a 48 bit key was inadequate. Currently, it is recommended to have at least a 90 bit key. With 48 bit key, it is easy to have a brut force attack.

Is it a problem? It depends on the application using the chip and its security assumptions. If the hypothesis is that the chip is extremely secure, than the answer is that it is an error. If the goal is to protect low cost assets, then the answer is right solution. As always, security is not simple and Manichean.

Forecasts: RFID will spread. Due to this massive use, cost constraints will be such that we will anticipate that many RFID chip will implement weak algorithm but with low cost. I will surely report many such events.