2009 Reports :  Cryptology ePrint Archive Forum
Discussion forum for Cryptology ePrint Archive reports posted in 2009. Please put the report number in the subject.  
Goto Thread: PreviousNext
Goto: Forum ListMessage ListNew TopicSearchLog In
2009/137 (Kiev card, par. 4.4)
Posted by: tomas_rosa (IP Logged)
Date: 27 March 2009 11:16

First of all – nice work!

Having read the paper, I have a note on the identifier of the Kiev cards. It’s stated that these cards are indistinguishable from any other card. However, to support that, the ATR string is presented. It is worth noting that ATR is by no means a precise description of a contactless card, as this is a “synthetic” value compiled especially for the purpose of PC/SC interface layer to allow the contactless card appear as an ordinary (contact) smartcard for the rest of the operating system.

Considerably more precise description would be the values of ATQA and SAK strings that are transmitted during the mandatory anti-collision procedure of ISO 14443A. If it was a contactless *smartcard* then the ATS (‘S’ not ‘R’ at the end) string would also be important (btw. ATR is a certain loose translation of those values here). Knowing ATQA and SAK, it could be easier to determine what the Kiev card is. Perhaps, it can be a MIFARE Classic emulation embedded into some contactless smartcard (i.e. a more sophisticated card emulating MF Classic for a backward compatibility), etc.

It’s a bit difficult to describe how to obtain ATQA/SAK in a nutshell here, but basing on what I have just read, I am sure that the author or his supporting technicians will know how to do that.

Kind regards,
Tomas Rosa

Re: 2009/137 (Kiev card, par. 4.4)
Posted by: roel (IP Logged)
Date: 30 March 2009 21:56

Hey Nicolas,

Interesting attack you describe. I'll try to look more carefully at the details soon.

The cards that always respond are probably not manufactured by NXP. They seem to be cheap unlicensed MIFARE Classic clones. In this post you will find an overview of the 5 available clones that I was able to track down. [www.proxmark.org]
Personally I have some Fudan FM11RF08 tags (which have this "always-answer-on-auth-failure" problem).

Maybe it is useful to know that MIFARE Classic cards only support the ISO14443A standard up to level 3 (not 4, where the ATS/ATR is described). This means that tools often simulate a (dummy) ATS for cards that do not support this. Original and clone cards are distinguishable though, let me sum up some ways.

- A genuine card will answer to a 7bits frame 0x0E (like the REQA/WUPA message), don't ask me why, but clones will not.
- You can authenticate and communicate to a clone card with incorrect parities, as long as you keep the CRC ok, you can send any parities you want. A genuine card will not accept this.
- The timing is different. The MIFARE Clones seem to be more vulnerable to timing side-channel attacks, while genuine cards are more constant in answering.
- The random number generator seems to be iterating different (slower?) on clones.
...
I've found more differences, let me know if you are interested in them, so I can dig them up for ya winking smiley.

Kind regards,

Roel Verdult
Radboud University Nijmegen

Re: 2009/137 (Kiev card, par. 4.4)
Posted by: zveriu (IP Logged)
Date: 16 November 2009 14:17

Hello,

Thanks to Roel and Nicholas (among many others - thanks! - they know who they are) research and papers, crapto1 3.1 have some reference implementation of state recovery based on "dark-side paper" attack.

Also, a reference implementation demo is available - "Mifare Classic Dark-Side Key Recovery Tool"

[code.google.com]

Comments, questions, suggestions, (bug)reports are welcome.

Thanks a lot

Regards,
Andrei Costin - [andreicostin.com]

Re: 2009/137 (Kiev card, par. 4.4)
Posted by: boskom (IP Logged)
Date: 13 November 2012 21:42

a



Edited 1 time(s). Last edit at 13-Nov-2012 21:43 by boskom.



Please log in for posting a message. Only registered users may post in this forum.