"Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

jbf · 2015-06-25 09:23:29

Hi,

I am currently testing what seems to be quite recent Mifare classic card. Darkside attack & offline nested are not working, I am pretty sure it is due to the PRNG that has been fixed on new cards.

1/ Do you know if the snoop attack is still working on newer mifare classic cards ?
2/ Could the vulnerability exploited in the snoop attack be fixed on the card or reader without breaking compatibility (as it has been done with the PRNG fix) ?

Thanks

iceman · 2015-06-25 10:30:52

1)
Usually snooping a correct authentication and run the mfkey32/mfkey64 on it gives you the key.
With that key, you can try the nested attack. You might get lucky. If not, then you need to snoop the rest of the keys.

2)
if the NACK bug is not present, the darkside attack doesn't work. (see Piwi's latest PR to give u feedback on it)
if the PRNG is fix, the nested attack might not work, (see Piwi's latest PR to give u feedback on it)

and if the PRNG is new, by my experience the mfkey32/mfkey64 works 50% of the times

jbf · 2015-06-25 12:03:21

Thanks for your reply,

For 1/ If I understand correctly, when you snoop you can only get the key used by the reader to authenticate. If the other key are never used by the reader, you are out of luck. Am I right ?

For the nested attack, my understanding is that you need to know at least one key in order to get the other ones. In my case I got several keys A, that would mean that if the attack was successful I could get every keys including B keys, right ?

Is not the darkside also taking advantage of the weak PRNG causing nonces to repeat ? hence if the PRNG is fixed, then this attack can't work ?

What I understand from your last sentence is that the snooping attack also need a weak PRNG to work ? Or do you think it might be related to an inaccurate snooping that might be due to a weak signal for example ?

Maybe I am thinking too much in term of black vs white regarding the PRNG, is there shades of grey, meaning some new PRNG are far better than original ones but still weak enough to be exploited ?

Could you link Piwi's post you are talking about, I have not found it ?

iceman · 2015-06-25 14:41:17

How about you try the darkside/nested attacks and see if they work for you.

piwi's PullRequest is on the GitHub. Very easy to find.
https://github.com/Proxmark/proxmark3/pull/125

jbf · 2015-06-25 15:34:49

So sorry ! I kept on getting Internal server errors while posting...

Darkside & nested are a no go, at least with the SCL3711 I have (after 12 hours, I did not get any duplicated nonce).
I wil think about renting or buying a proxmark to test if it iw working better.

Do you know which part has been fixed on newer tags ? Only the PRNG or other vulnerabilities ?

So far the different attacks I know about :

1/ "Snooping" attack (in Dismantling MIFARE Classic). My understanding is that is is a weakness of crypto1 itself and cannot be fixed without breaking compatibility.

2/ "darkside" attack (in The dark side of security by obscurity), implemented in mfcuk. Exploit weakness in the PRNG + Parity bits + Non linear filter generator used for the keystream.
As the PRNG has been fixed, this attack does not work on new versions of mifare classic cards

3/ Attacks described in in "Wirelessly pickpocketing a mifare classic card"
3.1/ (Described in 4.1 on the paper) Exploit a weakness in the way parity bit are computed (can't be fixed) + the fact that the tag reply with a NACK (transmission error) if parity bits are wrong (can be fixed?)
3.2/ (Described in 4.2 on the paper) Exploit the weak PRNG + parity
As the PRNG has been fixed, this attack does not work on new versions of mifare classic cards
3.3/ (Described in 4.3 on the paper) Basically same as 3.1 but with precomputed 300GB tables
3.4/ (Described in 4.3 on the paper) "nested attack", implemented in mfoc. Exploiting PRNG issues (& other issues)
As the PRNG has been fixed, this attack does not work on new versions of mifare classic cards

So the remaining attack are 1, 3.1, 3.3.
I would say 1 can't be fixed. I am not so sure about 3.1 & 3.3 as NACK could be removed without breaking everything I guess, but still some reader might expect the transmission error return so it seems risky to remove it...

Do you think the 50% failure you are seeing on attack 1 might be related to an inaccurate snooping that might be due to a weak signal for example ?

Have you heard of any implementation of 3.1 and 3.3 ?

Please correct me when I am wrong

iceman · 2015-06-25 15:58:37

i really cant answer questions of other devices or code other than PM3.

If you have questions for mfuc/mfoc please turn to their forums instead.

When it comes to the mifare tags, as I understand it both the NACK bug and weak prng is fixed in newer tags.

Regarding snooping and failures I'm not sure why. It could be the prng is the cause of it.

jbf · 2015-06-25 16:47:46

Thanks,
I will try to get my hand on a proxmark to look into that.

jbf · 2016-02-08 21:58:03

If someone is looking for the same answer, the paper Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards does an awesome job at explaining the different attacks and the vulnerability that still works on 'new' cards.

They also introduce a card only attack that allows to crack any key by knowing only one key from one sector.

http://www.cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf

iceman · 2016-04-27 20:20:59

With the release of a new bruteforce solver for the hardnested command, I think you have even more reason to buy a proxmark3.

I have a pm3 rdv2.0 kit left over

Proxmark3 community

Announcement

#1 2015-06-25 09:23:29

"Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#2 2015-06-25 10:30:52

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#3 2015-06-25 12:03:21

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#4 2015-06-25 14:41:17

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#5 2015-06-25 15:34:49

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#6 2015-06-25 15:58:37

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#7 2015-06-25 16:47:46

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#8 2016-02-08 21:58:03

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

#9 2016-04-27 20:20:59

Re: "Fixed/New" Mifare classic remaining vulnerabilities (after prng fix)

Board footer