The UK’s European university
SoSySec, December 15, 2017
Certifiably Biased?
Analysing the Security of Mifare DESFire EV1 & EV2 Smartcards
Darren Hurley-Smith & Julio Hernandez-Castro
Introduction
• Darren Hurley-Smith
  • Research Associate
  • School of Computing, University of Kent
• Julio Hernandez-Castro
  • Professor
  • School of Computing, University of Kent
• Current research related to this presentation:
  • Analysing the security features of RFID smartcards
  • Focusing on the trustworthiness of TRNG and QRNG
  • Identifying issues in lightweight RNG implementations
  • Developing new guidelines for testing, reporting, and certifying smartcards
Presentation Outline
• Background on the Mifare DESFire family
• The relevance of Common Criteria EAL certification
• Evaluating the DESFire EV1 and 2 TRNG
  • Methodology
  • Results
  • Analysis
  • Summary
• The EV2: A Commercial Distance Bounding Implementation
  • A brief introduction to Distance Bounding protocols
  • The EV2 Distance Bounding protocol
  • Summary
• Conclusion
• Quantum Randomness: Our Current Focus
The Mifare DESFire Family
• NXP Ltd produces this smartcard family
• We focus on the EV1 and EV2
• EV1 is commonly used in the UK
  • Publicly announced 2006
  • TfL Oyster Card is an EV1 implementation
  • AES-128 capable
• EV2 is a multi-application smartcard
  • Publicly announced 2016
  • Based on the EV1 filesystem and shares many commands
  • Boasts distance bounding capabilities
DESFire EV1 and EV2 Hardware Overview
Features of the DESFire EV1
• Used in e-wallet, access control, loyalty schemes, and travel card solutions
  • Notably used in Oyster cards – 8 million of which were circulated in 2015-2016
• Common Criteria EAL4+ certified
• Crypto-coprocessor with AES-128
• Mutual three-pass authentication
• ‘True’ Random Number Generator
Features of the DESFire EV2
• Recently issued for commercial purchase
  • Used in Delerrok’s TouchPass system (CA - USA)
  • Will not replace the EV1 for Oyster card
• Common Criteria EAL5+ certified
• Shares many elements of the EV1:
  • Crypto-coprocessor with AES-128
  • Mutual three-pass authentication
  • ‘True’ Random Number Generator
  • Multiple application support
• New Features:
  • Virtual Card Architecture (VCA)
  • Multi-application support without need to share secret keys
  • Distance Bounding
Common Criteria (ISO/IEC 15408) Certification?
• Awarded as Evaluation Assurance Levels (EAL)
• There are 7 EAL tiers
  • Tiers increase their rigor in ascending order (1-7)
  • Each tier indicates an increase in scrutiny
  • Post production tests are a minimum requirement of each level
  • Work line audits and anti-tampering feature at higher levels
  • The highest levels (5-7) require design document analysis
• EAL4+ (EV1, Plus X)
  • Methodological design, testing, and review
  • Awarded in late/post-production
  • Independent testing and inspections of production lines
• EAL5+ (EV2)
  • Semi-formal design and manufacturing process evaluation
  • Must be sought by manufacturers prior to production
  • Independent design audits and iterative testing through production
Our Research Strategy
• Limitations
  • Not equipped for physical deconstruction of the chips
  • Basic, commercially available readers (ACR122U)
• Family-wide weaknesses
  • EV1 and EV2 share crypto-coprocessor and TRNG
  • Weaknesses in either element may carry over
  • History of weak RNG (DESFire/Classic)
• Associated Projects
  • InnovateUK funded project looking into viable ‘on skin’ RFID payment solutions
  • Identifying weaknesses/limitations in resource-limited/small RNG
Methodology: Pilot Study & Validation
• Initial investigation:
  • 3 DESFire EV1 cards from 1 batch
  • 64MB of data collected from three-pass authentication
  • Responsible disclosure of findings to NXP Ltd.
• Validation:
  • 100 EV1 cards from 3 batches
  • 1 EV2 card for comparison
  • urandom (PRNG) used for comparison
Extracting Randomness from EV1/2 Authentication
[Figure: RndB (rand generated by card) saved to binary file]
Randomness Tests
• Dieharder
  • Statistical test battery that expands the Diehard tests
  • EV1 and EV2 passed these tests
• NIST STS 2.1.2 (SP800-22)
  • National Institute of Standards and Technology designed statistical test battery
  • EV1 and EV2 passed this battery without issues
• Ent
  • A simple but effective test battery
  • The EV1 performs extremely poorly on a simple byte-level Chi-Square Goodness of Fit test
Dieharder Tests
Test                          Card 1 p-value  Card 2 p-value  Card 3 p-value
Birthday Spacings             0.1819452       0.61105583      0.7826363
Overlapping Permutations      0.38044164      0.58693289      0.44201308
32x32 Binary Rank             0.42920693      0.234095        0.55699838
6x8 Binary Rank               0.3131149       0.32387215      0.6613758
Bitstream                     0.97724174      0.18743536      0.59532464
Count the 1's (stream)        0.17108396      0.74984724      0.87214241
Count the 1's (byte)          0.65870385      0.01287807      0.00020194
Parking Lot                   0.18078043      0.24200626      0.38128677
Minimum Distance (2d sphere)  0.76328         0.95091635      0.34980807
3d sphere (minimum distance)  0.23871272      0.20826216      0.39340851
Squeeze                       0.62598919      0.08843989      0.77057749
Runs                          0.99778832      0.62043244      0.90550208
                              0.44719093      0.91228597      0.04870531
Craps                         0.54077256      0.92769962      0.91803037
                              0.57614807      0.94245583      0.95209393
NIST SP800-22 Tests
Test                       Card 1      Card 2       Card 3
Frequency                  198/200     200/200      197/200
Block Frequency            196/200     199/200      194/200
Cumulative Sums            2/2         2/2          2/2
                           (>193/200)  (>193/200)   (>193/200)
Runs                       191/200     197/200      192/200
                           (<0.001)    (-0.719747)  (-0.00716)
Longest Run                196/200     198/200      198/200
Rank                       198/200     199/200      197/200
FFT                        197/200     199/200      198/200
Non-Overlapping Template   147/148     148/148      148/148
                           (>193/200)  (>193/200)   (>193/200)
Overlapping Template       198/200     198/200      198/200
Universal                  198/200     198/200      198/200
Approximate Entropy        197/200     198/200      196/200
Random Excursions          8/8         8/8          8/8
                           (>113/118)  (>114/118)   (>113/118)
Random Excursions Variant  18/18       18/18        18/18
                           (>113/118)  (>114/118)   (>113/118)
Serial                     2/2         2/2          2/2
                           (>193/200)  (>193/200)   (>193/200)
Linear Complexity          199/200     197/200      199/200
Pilot Test Results for Ent 1 of 3
Test                 EV1 Card 1   EV1 Card 2   EV1 Card 3   Expected
Entropy              7.999969     7.999989     7.999972     8
Optimal Compression  0            0            0            0
Chi-Square           2709.1       973.07       2470.32      255
Arith. Mean          127.492921   127.500582   127.5006     127.5
Monte Carlo Pi       3.14167      3.142019     3.141909     3.14159
Serial Correlation   0.000008     0.000045     0.000093     0
Ent results for 64MB of EV1 Data
• Results of pilot study (64MB samples from 3 cards)
  • 64MB is a lot of data to collect
    – 10 days to collect for each card
  • Unlikely that such a quantity of data could be collected ‘in the wild’
  • Nothing stopping individuals conducting this analysis using bought cards…
• Do these results appear at smaller sample sizes?
Pilot Test Results for Ent 2 of 3
Test                 EV1 Card 1   EV1 Card 2   EV1 Card 3   Expected
Entropy              7.999780     7.999820     7.999786     8
Optimal Compression  0            0            0            0
Chi-Square           305.47       249          297.03       255
Arith. Mean          127.492921   127.500582   127.5006     127.5
Monte Carlo Pi       3.14167      3.142019     3.141909     3.14159
Serial Correlation   0.000008     0.000045     0.000093     0
Ent results for 1MB of EV1 Data
• All cards perform better when less data is tested
  • Card 2 shows that the previously poor results may disappear entirely
  • This is an issue – are these cards tested with large enough samples when certified?
  • Cards 1 and 2 are still terrible! When will they ‘improve’?
Pilot Test Results for Ent 3 of 3
Test                 EV1 Card 1   EV1 Card 2   EV1 Card 3   Expected
Entropy              7.999635     7.999640     7.999641     8
Optimal Compression  0            0            0            0
Chi-Square           253.55       249.26       249.03       255
Arith. Mean          127.492921   127.500582   127.5006     127.5
Monte Carlo Pi       3.14167      3.142019     3.141909     3.14159
Serial Correlation   0.000008     0.000045     0.000093     0
Ent results for 5KB of EV1 Data
• At 5KB all cards seem fine
• Card 1 shows problems at data sizes larger than 7.5KB
• Are these cards passing tests due to trivial oversights?
  • Sample size
  • Number of tests and their relatedness
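Added example (not from the slides, and not the authors' tooling): a byte-level Chi-Square check in the style of Ent, run over growing prefixes of one stream, showing how a single under-occurring byte value goes unnoticed at 5KB and is unmistakable at 1MB. The stream is constructed from a seeded PRNG with byte value 24 deliberately and heavily under-weighted so the effect shows up quickly; the function names, the drop rate and the Wilson-Hilferty z-score are assumptions of this sketch.

```python
import math
import random
from collections import Counter

DF = 255  # 256 possible byte values minus one


def chi_square_bytes(data):
    """Byte-level Chi-Square statistic against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def z_score(stat, df=DF):
    """Wilson-Hilferty approximation: distance from the uniform expectation in sigmas."""
    k = 2 / (9 * df)
    return ((stat / df) ** (1 / 3) - (1 - k)) / math.sqrt(k)


def most_deviant_byte(data):
    """Return (byte value, standardised residual) for the largest absolute deviation."""
    expected = len(data) / 256
    counts = Counter(data)
    resid = {v: (counts.get(v, 0) - expected) / math.sqrt(expected) for v in range(256)}
    worst = max(resid, key=lambda v: abs(resid[v]))
    return worst, resid[worst]


def constructed_stream(n, victim=None, drop=0.0, seed=2017):
    """Constructed sample data: seeded PRNG bytes, `victim` weighted at (1 - drop)."""
    weights = [1.0] * 256
    if victim is not None:
        weights[victim] = 1.0 - drop
    return bytes(random.Random(seed).choices(range(256), weights=weights, k=n))


def prefix_report(data, sizes):
    """Chi-Square and z-score for growing prefixes of the same stream."""
    report = []
    for n in sizes:
        stat = chi_square_bytes(data[:n])
        report.append((n, stat, z_score(stat)))
    return report


if __name__ == "__main__":
    biased = constructed_stream(1_000_000, victim=24, drop=0.4)  # exaggerated bias
    control = constructed_stream(1_000_000)                      # unbiased reference
    for name, data in (("biased", biased), ("control", control)):
        for n, chi, z in prefix_report(data, (5_000, 50_000, 1_000_000)):
            print(f"{name:8s} n={n:>9,d}  chi2={chi:9.2f}  z={z:6.2f}")
        print(name, "most deviant byte:", most_deviant_byte(data))
```

The excess over the expected 255 grows roughly linearly with the number of bytes tested, which is why a fixed small sample can pass a generator that a larger one rejects.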
Analysis: Bias at the Byte level
• The EV1 (a) shows a clear non-random distribution of bytes
• Repetitive pattern, clear cycles, almost no values close to zero
[Figure: (a) DESFire EV1 Bias, (b) urandom Bias]
Analysis: Fourier Analysis of the Bias
• The Fourier series for all three EV1 cards defines the bias
• All cards demonstrate a regular period of 32
• Exactly half of the possible byte values occur more frequently than the other half
[Figure: (a) EV1 Card 1, (b) EV1 Card 2, (c) EV1 Card 3]
Initial Findings
• Certification appears to rely on tests that do not identify underlying issues in the DESFire EV1 TRNG
  • Dieharder and NIST STS 2.1.2 are unable to identify the bias in the EV1
  • These two tests form the backbone of many certification schemes
  • One must also consider the possibility of designing for tests
• Bit level Chi-square tests do not show any problems
  • The focus of many tests is bit-level analysis
  • This may not find issues in generators that exhibit a high-order bias
  • Context and underlying hardware are often overlooked, but can determine which tests are appropriate
Further Testing
• Preliminary testing showed a serious bias in the EV1 TRNG
• Disclosure to NXP Ltd was answered:
  • They confirmed our findings
  • They stated that this is a ‘non-critical’ flaw
  • Suggested that it was due to an improperly implemented whitening function
• Further analysis was required to characterise the bias:
  • The EV1 is nearing the end of its production life
  • Many still in circulation, but EV2 due to be marketed instead
  • We studied the TRNG of the DESFire EV2
  • A larger sample of 100 EV1 cards was studied
  • Multiple batches were sourced to ensure this wasn’t an isolated finding
Analysis: EV2 Bias and Fourier Analysis
• The EV2 did not demonstrate any observable bias for 64MB of data
• It also passed Dieharder and NIST STS 2.1.2 without issues
[Figure panels: DESFire EV2 Bias, EV2 Fourier Analysis]
Analysis: Mask Test Results 1 of 2
[Figure: (a) EV1 card 1, (b) EV1 card 2, (c) EV1 card 3, (d) urandom]
Analysis: Mask Test Results 2 of 3
• urandom (d) has biases of magnitude 10^-4
  • Biases seem spread across all byte values
  • No specific bytes show significant deviation from the norm
• The 3 EV1 cards (a, b, and c) all show biases of magnitude 10^-3
  • Specific bytes show orders-of-magnitude larger biases than the majority
  • This indicates a byte level bias
• The mask test highlighted a significant bias in all 3 EV1 cards
  • Byte value 24 (00011000) under-occurs significantly
  • There doesn’t appear to be a sympathetic over-occurrence
Analysis: Mask Test Results 3 of 3
[Figure panels: DESFire EV2, urandom]
• The EV2 doesn’t show any of the issues seen in the EV1
• Side-by-side comparison with urandom shows that EV2 conforms with the properties of a reliably random source
• Unclear if this issue is fixed, or whether re-engineering of the EV2 wafer resolved the TRNG issue
• This suggests that NXP claims of a faulty whitening function have merit
TestU01
• Alphabits
  • Hardware RNG focused test suite
  • EV1 cards failed MultinomialBitsOver (L=2, 4, and 8)
  • EV1 cards 1 and 3 failed HammingIndep (L=16)
• Rabbit
  • A slower but more comprehensive test battery
  • EV1 fails:
    – MultinomialBitsOver (card 1)
    – Fourier3 (ALL cards)
    – HammingIndep (L=16) (cards 1 and 2)
    – Autocor (ALL cards)
    – Run of Bits (ALL cards)
• EV2 passes all Alphabits and Rabbit tests
Expanding the Tests: 100 EV1 Cards
• The bias in the EV1 has been established
  • Only three cards have been tested, more needed!
  • 100 EV1 cards tested:
    – 50 2k model, 50 4k model
    – 4k cards selected randomly from a pool of 100 cards
    – 2k cards randomly picked from 200 cards (2 batches)
• The EV2 TRNG shows no sign of similar bias
  • No further randomness tests
• The mask test has allowed us to characterise the EV1 bias
DESFire EV1 Ent Results (100 cards) 1 of 2
[Figure: Chi-Square results for 100 EV1 cards]
DESFire EV1 Ent Results (100 cards) 2 of 2
• 1MB of data has been tested for each card
  • Cards randomly selected to minimise relatedness
  • 3 batches tested to avoid production line dependencies
• 78% of EV1 cards fail the Chi-Square test
  • Mean Chi-Square is 314.17
  • Of the 22% of cards that pass, half show very low p-values
• The problem isn’t restricted to our pilot sample
  • NXP confirmation indicates they can independently replicate our results
  • This test shows that we can replicate our results over unrelated EV1 cards
  • The issue is a model, not batch, issue
DESFire EV1 Mask Results (100 cards) 1 of 3
[Figure: Composite graph of 100 mask test results]
DESFire EV1 Mask Results (100 cards) 2 of 3
[Figure: Mask test results for the 5 worst performing cards]
DESFire EV1 Mask Results (100 cards) 3 of 3
• The majority of cards (78%) show significant bias
  • This bias presents as an under-occurrence of mask 00011000 (24)
• The 5 worst performing cards all have Chi-Square scores worse than 415!
  • This indicates that it is this specific bias contributing to the poor Chi-Square score
  • No other anomalous biases affect the score as much
  • The observed bias is between -0.0036 and -0.0061
Summary: EV1 Bias
• Clear and consistent biases have been identified
• Findings have been responsibly disclosed to NXP Ltd.
  • They confirm our findings
  • They suggest that a flawed whitening function is the source (unconfirmed)
• Characteristics of the bias have been identified
  • Mask 00011000 under-occurs significantly (byte value (int) 24)
• No practical attacks have yet been identified
• The EV2 doesn’t exhibit this bias
  • However, it has a notable feature…
DESFire EV2 – Distance Bounding
• Unlike EV1, EV2 provides distance bounding functionality
  • This potentially limits the range from which an attack can be performed
• The distance bounding protocol also allows us to capture random values
  • Random values are vital to the challenge-phase of the protocol
• Our study of the protocol itself is limited at this time
  • We intended to explore it as a means to extract random numbers
  • Slower than authentication for random data acquisition
  • Protocol poorly understood due to closed documentation
An Example Distance Bounding Protocol
Hancke and Kuhn’s Distance Bounding Protocol
Protocol Derivation
• Public documentation provides the basic structure
  • The protocol flow is public knowledge
  • The names and order of commands are public knowledge
• APDU codes are not publicly available
  • Basic command structure is public, but command bytes and concatenation/mixing schemes aren’t
  • However, we already know DESFire EV1 command codes!
  • Only 256 possible APDUs and we already know several dozen
  • We also know the concatenation/mixing schemes as CMAC calculation on the EV1 requires these
• Virtual Card Architecture is publicly available
  • Accessing the VCA is critical for third-party secure card access
  • Distance bounding is only available as an option for VCA mode
The EV2 Distance Bounding Protocol 1 of 2
• Three phases
  • PreparePC
  • ProxCheck
  • VerifyPC
• Significant concessions made due to platform limits
• Key Differences between Theory and Practice:
  • Timing info shared in PrepPC
  • No nonces in initial slow phase
  • Challenges are bytes not bits!
  • VerifyPC involves mutual authentication
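Added example (not from the slides, and not the EV2 protocol, whose details are closed): the theoretical baseline named earlier, Hancke and Kuhn's protocol as it is commonly described, seen from the verifier's side, with nonces exchanged in the slow phase and one-bit challenges in the fast phase. HMAC-SHA256 as the keyed function, the 32-round count, all names, and the simulated round-trip times are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

N_ROUNDS = 32  # assumed number of fast-phase rounds


def registers(key, nonce_v, nonce_p, n=N_ROUNDS):
    """Derive the two n-bit response registers R0 and R1 from the slow-phase nonces."""
    stream, counter = b"", 0
    while len(stream) * 8 < 2 * n:
        msg = nonce_v + nonce_p + bytes([counter])
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    bits = [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


class Prover:
    """Card side: holds the shared key and answers one-bit challenges."""

    def __init__(self, key):
        self.key = key

    def slow_phase(self, nonce_v):
        self.nonce_p = secrets.token_bytes(8)
        self.r0, self.r1 = registers(self.key, nonce_v, self.nonce_p)
        return self.nonce_p

    def respond(self, i, challenge_bit):
        # The reply is a register lookup only, so it can be sent immediately.
        return (self.r1 if challenge_bit else self.r0)[i]


def verify(key, prover, rtt_ns, max_rtt_ns, n=N_ROUNDS):
    """Reader side. rtt_ns(i) stands in for the measured round-trip time of round i."""
    rng = secrets.SystemRandom()
    nonce_v = secrets.token_bytes(8)
    nonce_p = prover.slow_phase(nonce_v)           # slow phase: exchange nonces
    r0, r1 = registers(key, nonce_v, nonce_p, n)
    for i in range(n):                             # fast phase: timed bit exchange
        challenge = rng.randrange(2)
        answer = prover.respond(i, challenge)
        if rtt_ns(i) > max_rtt_ns:
            return False, f"round {i}: too slow"
        if answer != (r1 if challenge else r0)[i]:
            return False, f"round {i}: wrong bit"
    return True, "accepted"


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    print(verify(key, Prover(key), lambda i: 400, 1000))    # nearby card
    print(verify(key, Prover(key), lambda i: 3000, 1000))   # added delay is rejected
```

Only the reader measures time here, which matches the one-way distance bound the slides attribute to the EV2; everything else about the EV2 exchange differs as listed above.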
Summary: EV2 Distance Bounding
• The search for sources of data that reveal information about a device can lead to interesting places
• Originally just looking for a way to get more random numbers
  • Reuse of features is required in limited devices
  • This can make reverse engineering much easier
• Currently just an overview of the protocol structure
  • Our timing analysis is primitive and requires more work
• This commercially available implementation differs from theoretical DB protocols
  • The fast phase is a two-way exchange of random bytes
  • Mutual authentication in final slow phase
  • Reader performs all time-based verification (one-way distance bound)
• Hardware constraints are the final arbiter of most compromises
  • There’s only so much silicon ‘real estate’
Conclusion
• The DESFire EV1 was found to have a flawed TRNG
  • Simple Chi-Square tests identify this flaw
  • Observable on small (7.5KB) data sets
  • Disclosed to NXP and independently reproduced
  • Our findings have been published in IEEE TIFS
    – Hurley-Smith, D., Hernandez-Castro, J.: “Certifiably Biased: An In-depth Analysis of a Common Criteria EAL4+ certified TRNG”, IEEE, IEEE Transactions on Information Forensics and Security, DOI 10.1109/TIFS.2017.2777342, 2017 (pre-print)
• The DESFire EV2 doesn’t appear to share this flaw
  • Currently unknown why, but re-engineering of the wafer would account for this change
• The EV2 DB protocol is closed, but possible to derive
  • One of the first commercially available DB implementations
  • Obfuscated in the documentation, but draws on common practices in the DESFire family
• Certification schemes need to adapt to new needs
  • As RNG are developed to address current test batteries, new ones must be used to ensure a constant state of vigilance and rigor
  • Designing devices to pass tests is no guarantee that they are generally secure
Our Current Focus: Quantum Randomness
• Exploring Quantum random number generation
  • We have identified serious biases in the Quantis QRNG
  • Now testing ComScire devices – good initial results
  • Online QRNG (Hotbits, ANU Generator, and Humboldt Physik) provide more evidence of variable implementation standards and their effects on output
• Expanding our P/Q/TRNG analysis and developing tests
  • We continue to scrutinise standards and testing regarding RNG
  • Exploring and innovating new test batteries based on experience
Acknowledgements
• This work received funding from InnovateUK as part of the authenticatedSelf project, under reference number 102050
• This work received funding from the European Union’s Horizon 2020 research and innovation programme, under grant agreement No. 700326 (RAMSES project).
• We would like to thank ECOST – CRYPTACUS action for their valuable and insightful discussion of this work
• We would like to convey our thanks to NXP Semi-conductors Ltd for their timely and professional response to our responsible disclosure
Thank you for listening.
@Dsmith_Eng
www.kent.ac.uk