First of all – nice work!

Having read the paper, I have a note on the identifier of the Kiev cards. It’s stated that these cards are indistinguishable from any other card. However, to support that, the ATR string is presented. It is worth noting that ATR is by no means a precise description of a contactless card, as this is a “synthetic” value compiled especially for the purpose of PC/SC interface layer to allow the contactless card appear as an ordinary (contact) smartcard for the rest of the operating system.

Considerably more precise description would be the values of ATQA and SAK strings that are transmitted during the mandatory anti-collision procedure of ISO 14443A. If it was a contactless *smartcard* then the ATS (‘S’ not ‘R’ at the end) string would also be important (btw. ATR is a certain loose translation of those values here). Knowing ATQA and SAK, it could be easier to determine what the Kiev card is. Perhaps, it can be a MIFARE Classic emulation embedded into some contactless smartcard (i.e. a more sophisticated card emulating MF Classic for a backward compatibility), etc.

It’s a bit difficult to describe how to obtain ATQA/SAK in a nutshell here, but basing on what I have just read, I am sure that the author or his supporting technicians will know how to do that.

Kind regards,
Tomas Rosa

Hey Nicolas,

Interesting attack you describe. I'll try to look more carefully at the details soon.

The cards that always respond are probably not manufactured by NXP. They seem to be cheap unlicensed MIFARE Classic clones. In this post you will find an overview of the 5 available clones that I was able to track down. [www.proxmark.org]
Personally I have some Fudan FM11RF08 tags (which have this "always-answer-on-auth-failure" problem).

Maybe it is useful to know that MIFARE Classic cards only support the ISO14443A standard up to level 3 (not 4, where the ATS/ATR is described). This means that tools often simulate a (dummy) ATS for cards that do not support this. Original and clone cards are distinguishable though, let me sum up some ways.

- A genuine card will answer to a 7bits frame 0x0E (like the REQA/WUPA message), don't ask me why, but clones will not.
- You can authenticate and communicate to a clone card with incorrect parities, as long as you keep the CRC ok, you can send any parities you want. A genuine card will not accept this.
- The timing is different. The MIFARE Clones seem to be more vulnerable to timing side-channel attacks, while genuine cards are more constant in answering.
- The random number generator seems to be iterating different (slower?) on clones.
...
I've found more differences, let me know if you are interested in them, so I can dig them up for ya .

Kind regards,

Roel Verdult
Radboud University Nijmegen

Hello,

Thanks to Roel and Nicholas (among many others - thanks! - they know who they are) research and papers, crapto1 3.1 have some reference implementation of state recovery based on "dark-side paper" attack.

Also, a reference implementation demo is available - "Mifare Classic Dark-Side Key Recovery Tool"

[code.google.com]

Comments, questions, suggestions, (bug)reports are welcome.

Thanks a lot

Regards,
Andrei Costin - [andreicostin.com]

a



Edited 1 time(s). Last edit at 13-Nov-2012 21:43 by boskom.