Our Attacks on MIFARE Classic
4.2 Weakness in CRYPTO-1 and its Implementation
MIFARE Classic suffers from a number of weaknesses, both in CRYPTO-1 itself and in the way the cipher is implemented on the card. In this section we enumerate these problems and discuss their implications for an attacker.
4.2.1 CRYPTO-1 Structure
Small Key Size
It is customary to regard a modern cryptosystem as secure only if it offers a security level of at least $2^{80}$. For comparison, the well-known stream ciphers A5/1 and A5/2, used for voice encryption in mobile telephony for more than twenty years, have 64-bit internal states. Although CRYPTO-1 was designed after A5/1 and A5/2, its internal state is even shorter: only 48 bits, and the 48-bit key doubles as the initial state. Exhaustive search of a 48-bit space is within reach of a modern PC, so the key size, or equivalently the length of the internal state, is too short to resist brute force. Take our GPU implementation as an example: a single high-end NVIDIA GPU costing less than 500 USD finds an internal state in about ten days. The search parallelizes trivially, so the cracking time shrinks in proportion to the number of GPUs used.
Input Size of Filter Function
Another serious structural issue in CRYPTO-1 is that only a small number of the internal-state bits feed the filter function. Recall that the input of the filter function consists of 20 of the 48 state bits, namely, in polynomial notation,
$x_9, x_{11}, x_{13}, x_{15}, x_{17}, x_{19}, x_{21}, x_{23}, x_{25}, x_{27}, x_{29}, x_{31}, x_{33}, x_{35}, x_{37}, x_{39}, x_{41}, x_{43}, x_{45}, x_{47}$.
Observation 1. Input of the Filter Function
The filter function only takes bits in odd positions as input. The 48-bit register can therefore be thought of as an odd register and an even register of 24 bits each. To generate an output bit, the filter alternates between them: at one step the filter function takes the odd register as input and the internal state is shifted; at the next step the bits of the former even register now sit in the odd positions, become the input, and the state is shifted again.
The odd and even registers thus take turns as input to the filter function, so the two 24-bit halves can be handled separately. This observation makes recovery of the internal state much easier.
Observation 2. Pre-image Size of the Filter Function
Consider the two-level filter function $f : X \to Y$ of CRYPTO-1, with $X = \{0, 1, 2, \dots, 2^{20}-1\}$ and $Y = \{0, 1\}$. The filter is balanced, so each output value $y$ has a pre-image $f^{-1}(y)$ of size $2^{19}$. Storing four bytes per item, the pre-image of one output bit takes about two megabytes. This is tiny compared with the $O(2^{47})$ pre-images of the 48-bit internal state, which would need more than 128 terabytes. Inverting the filter function with a time-memory trade-off (TMD) is therefore feasible on a commodity PC.
4.2.2 Plaintexts that Provide Consecutive Keystream Bits
With TMD we can recover the CRYPTO-1 secret key with modest memory and time, provided we obtain a sufficient number of keystream bits. We know at least two routes by which an attacker obtains a long segment of keystream from a communication trace. The first is the three-way authentication, through which PCD and PICC authenticate each other if they share the same secret key. A trace of the authentication looks like this:

PCD ← PICC : $N_t$
PCD → PICC : $\{N_r\}\,\{A_r\}$, where $A_r = \mathrm{suc}^{64}(N_t)$
PCD ← PICC : $\{A_t\}$, where $A_t = \mathrm{suc}^{96}(N_t)$

Because $N_t$ is sent in the clear and $\mathrm{suc}$ is public, a passive eavesdropper knows $A_r$ and $A_t$ and obtains 64 consecutive keystream bits as
$\{A_r\}\{A_t\} \oplus A_r A_t$.
A second route is via nested authentication. A typical MIFARE Classic transaction involves several memory operations after a three-way authentication succeeds. The memory operations are read, write, increment, decrement, and restore, and they manipulate the memory blocks of the authenticated sector. Each is an encrypted 32-bit command consisting of a one-byte command code, a one-byte block number, and a two-byte CRC computed over the first two bytes. The whole command is therefore determined by guessing its first two bytes. To assist our guessing code, we classify the memory operations into four categories, R, W, V, and A, according to the amount of data exchanged. Once the category of a command is known, there are at most four possibilities for the block number. The encrypted parity bits then single out the unique command, as detailed in Section 4.4. In any case, the cryptanalyst easily obtains more than 32 consecutive keystream bits via this route.
4.2.3 Implementation Vulnerabilities
PRNG
The PRNG in the MIFARE Classic PICC is always initialized with the same seed. In other words, the pseudo-random numbers it generates are drawn from a small fixed set of only $2^{16}$ values, which makes it much easier for an attacker to hit the current number. Moreover, the attacker can check whether a deciphered random number lies in that set to test whether a candidate key is correct.
Technique 1. Examining an encrypted nonce $\{n\}$
We denote the set of nonces generated by the MIFARE Classic PRNG as MCPRNG. Each element of MCPRNG is a 32-bit number $n_0 \dots n_{31}$ whose last 16 bits are determined by the first 16 (and, the recurrence being invertible, vice versa):
$n_{16+i} = n_{7+i} \oplus n_{5+i} \oplus n_{4+i} \oplus n_i \quad \forall i = 0, \dots, 15.$
Suppose the trace contains an encrypted nonce $\{n\}$ with $n \in$ MCPRNG. For an internal state $S_0$ under test, we generate the corresponding keystream $ks$ with CRYPTO-1 and check whether
$ks \oplus \{n\} = n' \in$ MCPRNG.
If it holds, $S_0$ may be the correct state; since only $2^{16}$ of the $2^{32}$ possible 32-bit values lie in MCPRNG, a wrong candidate passes this test with probability $2^{-16}$.
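The set MCPRNG, the Technique 1 test, and the 64 keystream bits read off the three-way authentication of Section 4.2.2 can be exercised end to end. The Python below is an added example written for this page, not the thesis's code. It assumes that $n_0$ is the most significant bit of a nonce, that the recurrence quoted above generates the whole nonce stream so that $\mathrm{suc}^k(N_t)$ is the 32-bit window $k$ bits further along it, and it uses constructed keystream values in place of CRYPTO-1 output; the function names are its own.

```python
"""Added example, not the thesis's code: the nonce set MCPRNG of the MIFARE
Classic PRNG, the Technique 1 membership test on a decrypted nonce, and the
64 keystream bits read off the three-way authentication (Section 4.2.2).

Assumptions the page leaves open, fixed here so the code runs:
  * n0 of a 32-bit nonce n0 ... n31 is its most significant bit;
  * the nonce stream obeys the recurrence quoted in the text,
        n[16+i] = n[7+i] ^ n[5+i] ^ n[4+i] ^ n[i],
    and suc^k(Nt) is the 32-bit window k bits further along that stream;
  * every keystream value below is constructed test data, not CRYPTO-1 output.
"""

MASK32 = 0xFFFFFFFF


def to_bits(x: int, width: int) -> list[int]:
    """Bits of x, most significant first, so index 0 holds n0."""
    return [(x >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits: list[int]) -> int:
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def lfsr_extend(bits: list[int], length: int) -> list[int]:
    """Run the 16-bit recurrence forward until `length` stream bits exist."""
    n = list(bits)
    while len(n) < length:
        i = len(n) - 16
        n.append(n[i + 7] ^ n[i + 5] ^ n[i + 4] ^ n[i])
    return n[:length]


def nonce_from_seed(seed16: int) -> int:
    """The 32-bit nonce whose first 16 bits are seed16: one element of MCPRNG."""
    return from_bits(lfsr_extend(to_bits(seed16, 16), 32))


def in_mcprng(n: int) -> bool:
    """Technique 1 test: bits 16..31 must follow from bits 0..15 by the recurrence."""
    b = to_bits(n, 32)
    return all(b[16 + i] == (b[7 + i] ^ b[5 + i] ^ b[4 + i] ^ b[i]) for i in range(16))


def mcprng() -> frozenset:
    """The whole nonce set: 2^16 values, one per 16-bit seed (the zero seed is
    kept for simplicity although a real LFSR never leaves the all-zero state)."""
    return frozenset(nonce_from_seed(s) for s in range(1 << 16))


def suc(nt: int, k: int) -> int:
    """suc^k(Nt): the nonce k bits further along the stream (k = 64, 96 in the protocol)."""
    return from_bits(lfsr_extend(to_bits(nt, 32), 32 + k)[k:k + 32])


def keystream_from_auth(nt: int, enc_ar: int, enc_at: int) -> int:
    """Passive eavesdropper: Nt is sent in clear, so Ar = suc64(Nt) and
    At = suc96(Nt) are known and {Ar}{At} xor Ar At yields 64 keystream bits."""
    known = (suc(nt, 64) << 32) | suc(nt, 96)
    return ((enc_ar << 32) | enc_at) ^ known


def nonce_check(enc_nonce: int, ks32: int) -> bool:
    """Technique 1: decrypt {n} with a candidate's 32 keystream bits and test
    membership; a wrong candidate survives with probability 2^16 / 2^32 = 2^-16."""
    return in_mcprng(enc_nonce ^ ks32)


def sieve_by_nonce(enc_nonce: int, candidates: dict) -> dict:
    """Drop candidate states whose keystream does not decrypt {n} into MCPRNG.
    `candidates` maps a state label to the 32 keystream bits that state produces."""
    return {s: ks for s, ks in candidates.items() if nonce_check(enc_nonce, ks)}


if __name__ == "__main__":
    nt = nonce_from_seed(0x1234)        # constructed tag nonce
    ks64 = 0x0123456789ABCDEF           # constructed keystream, not CRYPTO-1 output
    enc_ar = (ks64 >> 32) ^ suc(nt, 64)
    enc_at = (ks64 & MASK32) ^ suc(nt, 96)
    print(hex(keystream_from_auth(nt, enc_ar, enc_at)))   # recovers ks64
    print(len(mcprng()))                                  # 65536 nonces in the set
```

Flipping any single bit of a nonce breaks at least one of the sixteen recurrence equations, which is why the test in `nonce_check` rejects a keystream that is wrong in even one position; the `sieve_by_nonce` helper applies the same test to a whole pool of candidate states at once.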
Nested Authentication
After a first authentication completes successfully with a known key, the PCD can immediately authenticate to another sector with an unknown key. The authentication command is encrypted with the current keystream, generated from the known key, but the tag's challenge nonce $N_t$ is encrypted with a new keystream generated from the unknown key.
This implementation vulnerability is a derivative of the PRNG problem, as shown in Figure 4.1. Because of the small nonce space, we can recover the possible values of $N_t$ and thereby the keystream bits that encrypted it fairly easily. The same vulnerability also applies to the PCD-based remaining-key attack in Section 4.3.2.
Encrypted Parity Bits
In order to ensure data integrity, MIFARE Classic transmits a parity bit for every byte transmitted. Computing parity bits over ciphertext does not leak any information about the plaintext since they can be computed from the ciphertext by anyone. However, the parity bits in MIFARE Classic are computed over plaintext and are encrypted by the next keystream bit. This leaks one bit of information about the keystream for every byte transmitted.
We use a simple example to illustrate how this vulnerability is used in an attack. Suppose we are given one byte of ciphertext $C = c_1, \dots, c_8$ together with its encrypted parity bit $\{p\}$, and let the plaintext be $T = t_1, \dots, t_8$. In our attacks we usually try many internal states in parallel, decrypting the trace with each of them. Let $k_1, \dots, k_8, k_9$ be the keystream bits generated from the candidate internal state $I_i$. Since $p$ is the parity of $T$ and $c_j = t_j \oplus k_j$, a correct candidate must satisfy
$\{p\} \oplus k_9 = c_1 \oplus c_2 \oplus \dots \oplus c_8 \oplus k_1 \oplus k_2 \oplus \dots \oplus k_8$
(ISO/IEC 14443-A uses odd parity, so in practice a constant 1 is added to the right-hand side; this does not change the argument).
Each wrong candidate passes this check with probability 1/2, so on average every captured byte eliminates half of the remaining candidate internal states.
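The two routes above, guessing the 32-bit memory command of Section 4.2.2 as known plaintext and sieving candidate keystreams with the encrypted parity bits, fit in one worked example. The Python below is added for this page and is not the thesis's code; all trace data in it is constructed. It assumes ISO/IEC 14443-A odd parity and CRC_A, LSB-first bit order inside a byte, that sector $s$ of a 1K card covers blocks $4s$ to $4s+3$, and that the parity bit of each byte is encrypted with the keystream bit that then also encrypts the first bit of the next byte; `crc_a`, `sieve`, `keystream_from_plaintext`, `identify_command` and `demo` are its own names.

```python
"""Added example, not the thesis's code: a MIFARE Classic memory command used
as guessable plaintext (Section 4.2.2) and the encrypted-parity sieve over
candidate keystreams (Section 4.2.3). All trace data is constructed.

Assumptions the page leaves open, fixed here so the code runs:
  * ISO/IEC 14443-A parity is odd, p = 1 ^ (XOR of the byte's 8 bits), and the
    CRC is CRC_A (reflected polynomial 0x8408, init 0x6363), sent low byte first;
  * bits inside a byte are processed LSB first;
  * the parity bit of byte i is encrypted with the next keystream bit, which is
    also the one that encrypts the first bit of byte i+1, so an N-byte message
    uses 8N+1 keystream bits;
  * sector s of a 1K card covers blocks 4s .. 4s+3.
"""
import random

CMD_CODES = {"read": 0x30, "write": 0xA0, "increment": 0xC1,
             "decrement": 0xC0, "restore": 0xC2}


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-A CRC_A, returned low byte first."""
    crc = 0x6363
    for b in data:
        ch = (b ^ crc) & 0xFF
        ch = (ch ^ (ch << 4)) & 0xFF
        crc = ((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4)) & 0xFFFF
    return bytes([crc & 0xFF, crc >> 8])


def command_plaintexts(sector: int) -> list[bytes]:
    """Every 32-bit command a reader can send to `sector`: code, block, CRC_A."""
    return [bytes([code, blk]) + crc_a(bytes([code, blk]))
            for code in CMD_CODES.values()
            for blk in range(4 * sector, 4 * sector + 4)]


def bits(byte: int) -> list[int]:
    return [(byte >> j) & 1 for j in range(8)]


def odd_parity(byte: int) -> int:
    return 1 ^ (bin(byte).count("1") & 1)


def encrypt(plain: bytes, ks: list[int]) -> list[tuple[int, int]]:
    """Constructed sender: (cipher byte, encrypted parity bit) for each byte."""
    out = []
    for i, t in enumerate(plain):
        c = sum((tb ^ kb) << j
                for j, (tb, kb) in enumerate(zip(bits(t), ks[8 * i:8 * i + 8])))
        out.append((c, odd_parity(t) ^ ks[8 * i + 8]))
    return out


def parity_consistent(c: int, enc_p: int, k8: list[int], k_next: int) -> bool:
    """The check from the text: {p} ^ k9 == 1 ^ c1^...^c8 ^ k1^...^k8 (odd parity)."""
    return (enc_p ^ k_next) == (1 ^ (bin(c).count("1") & 1) ^ (sum(k8) & 1))


def sieve(trace, candidates):
    """Keep the candidate keystreams consistent with every encrypted parity bit;
    each captured byte halves the wrong candidates on average."""
    return [ks for ks in candidates
            if all(parity_consistent(c, ep, ks[8 * i:8 * i + 8], ks[8 * i + 8])
                   for i, (c, ep) in enumerate(trace))]


def keystream_from_plaintext(trace, plain: bytes):
    """Known-plaintext recovery of 8N+1 keystream bits. The parity bit of each
    byte must decrypt to the keystream bit of the next byte's first bit; a
    contradiction means `plain` is the wrong guess and None is returned."""
    ks = [cb ^ tb for (c, _), t in zip(trace, plain)
          for cb, tb in zip(bits(c), bits(t))]
    for i, ((_, ep), t) in enumerate(zip(trace, plain)):
        k_next = ep ^ odd_parity(t)
        if i + 1 < len(plain):
            if k_next != ks[8 * (i + 1)]:
                return None
        else:
            ks.append(k_next)          # last parity bit gives the 8N+1-th bit
    return ks


def identify_command(trace, sector: int) -> list[bytes]:
    """Command guesses for `sector` whose parity bits are consistent with the trace."""
    return [p for p in command_plaintexts(sector)
            if keystream_from_plaintext(trace, p) is not None]


def demo(seed: int = 1, decoys: int = 1000):
    """Encrypt a read of block 4 under a random keystream, sieve it out of a pool
    of random candidate keystreams, and re-identify the command from the trace."""
    rng = random.Random(seed)
    plain = command_plaintexts(1)[0]           # read, block 4: 30 04 26 EE
    true_ks = [rng.getrandbits(1) for _ in range(8 * len(plain) + 1)]
    trace = encrypt(plain, true_ks)
    pool = [true_ks] + [[rng.getrandbits(1) for _ in true_ks] for _ in range(decoys)]
    return plain, true_ks, trace, sieve(trace, pool), identify_command(trace, 1)
```

With four transmitted bytes a random wrong keystream survives the sieve with probability $2^{-4}$, matching the "one bit per byte" rate of the text, and a wrong command guess is rejected by `keystream_from_plaintext` whenever one of the three interior parity bits disagrees with the keystream bit recovered from the following byte.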
Encrypted Error Code
As explained in Section 2.6.3, the PICC sends an encrypted error code when the PCD's response has correct parity bits even though the authentication itself fails. Since all eight parity bits of the response must be right, this happens with probability roughly 1/256, and in practice it takes only a few minutes to collect enough error-code traces. For cryptanalysis, each error-code trace provides 12 bits of information on the candidate internal states. This implementation vulnerability enables the PCD-based attack described in Section 4.3.1.
Observation 3. Efficiency of Obtaining Keystream
Encrypted parity: for every eight bits of keystream, we obtain one bit of information about the candidate internal states.
Encrypted error code: every error-code trace provides 12 bits of information about the candidate internal states.