From bea671820a3af5b40b19098d07902d51bd302eca Mon Sep 17 00:00:00 2001 From: Karsten Date: Wed, 18 Aug 2010 12:57:36 +0200 Subject: Changed section titles to more constructive voice --- paper/easycard.tex | 76 ++++++++++++++++++++++-------------------------------- 1 file changed, 31 insertions(+), 45 deletions(-) diff --git a/paper/easycard.tex b/paper/easycard.tex index ebaaf83..1f430de 100644 --- a/paper/easycard.tex +++ b/paper/easycard.tex @@ -13,12 +13,12 @@ \setlength{\headsep}{0in} \setlength{\textwidth}{6.5in} \setlength{\textheight}{9.5in} -%\setlength{\parindent}{0in} +\setlength{\parindent}{0in} \setlength{\parskip}{0.05in} \begin{document} -\title{Security analysis of the EasyCard payment card in Taiwan} +\title{Security Analysis of the EasyCard Payment System} \author{Harald Welte $<$laforge@gnumonks.org$>$} \date{UNRELEASED (September XX, 2010)} \maketitle @@ -26,16 +26,15 @@ %%%%%%%%%%%%%%%%%%% \begin{abstract} One of Asia's most popular electronic payment systems uses insecure technology. -The EasyCard system, established in 2001, is the most popular store-valued card +The EasyCard system, established in 2001, is the most popular stored-valued card in Taiwan. With more than 18 million issued cards, it is the predominant means of paying for public transportation services in the capital Taipei. In 2010, use of the EasyCard was extended beyond transportation. Card holders can now pay in all major convenience stores and major retail companies like -Starbucks or even SOGO [TODO: Starbuck ist keine Retailer und SOGO ist kein bekannter Begriff]. +Starbucks or even SOGO [TODO: Starbuck ist kein Retailer und SOGO ist kein bekannter Begriff]. -Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID transponder -technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was quickly broken~\cite{mifare-attack-esorics} after the cipher was revealed~\cite{mifare}. +Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was quickly broken~\cite{mifare-attack-esorics} after the disclosure of the cipher ~\cite{mifare}. This document analyzes the results of combining the practical attacks on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment @@ -48,7 +47,7 @@ system. \section{Disclaimer} This document is the result of independent research on the EasyCard -system. It was done out of personal interest in security technology and to create awareness about the risks of everyday technology. +system. It was done out of personal interest in security technology and to raise awareness about the risks of everyday technology. No competitor of the EasyCard corporation, or other business or political stakeholder ever encouraged, supported or funded this work in any way. @@ -61,34 +60,33 @@ validate it. This paper is also directed at the legislator and the regulatory authorities, in the hope that it will help them to produce better rules and requirements on -the technology designed for and used by operators of security relevant systems +the technology designed for and used by operators of security relevant systems such as banking. %%%%%%%%%%%%%%%%%%% -\section{Introducing the EasyCard} +\section{Technical Background} -FIXME +FIXME: Describe system -- Mifare Classic + Unique keys + (online?) fraud detection %%%%%%%%%%%%%%%%%%% -\section{Published security research on MIFARE Classic} +\section{MIFARE Classic security} FIXME: Summarize the existing research on mifare classic systems %%%%%%%%%%%%%%%%%%% -\section{Published tools for MIFARE Classic attacks} +\section{MIFARE Classic Attack Tools} \subsection{Crapto1} \subsection{libnfc} \subsection{MFOC} \subsection{MFCUK} \subsection{CryptoMiniSat} -FIXME: summarize results (12 seconds per key), state that attack applied to Mifare DESfire, Mifare Plus in Classic emulation mode +FIXME: summarize results (12 seconds per key), state that attack applies to Mifare DESfire, Mifare Plus in Classic emulation mode %%%%%%%%%%%%%%%%%%% \section{Analyzing the EasyCard} -A new, genuine EasyCard was obtained from one of the EasyCard vending machines -in a Taipei MRT station. +The following results were generated using new EasyCard obtained from a vending machines in a Taipei MRT station in August 2010. As it is public knowledge that the EasyCard system is based on MIFARE technology, any MIFARE-compatible RFID reader (PCD, Proximity Coupling Device) @@ -101,18 +99,9 @@ the EasyCard in fact is a card with ISO 14443-3 compatible anti-collision procedure. The ATQA response also looks like that of a standard MIFARE Classic transponder. -\subsection{Attempting to use standard keys} - -As some users of MIFARE Classic systems only use some sectors of a card, but -not all, an attempt was made to authenticate to any of the sectors using the -manufacturer-programmed standard keys. However, none of the card sectors were -using those standard keys. +Often MIFARE Classic systems use standard keys for some card sectors, for example for empty sectors. This seems not to be the case for the EasyCard where all sector keys are card-specific. Therefore, the fastest key recovery method where keys are recovered based on one known key does not apply~\cite{pickpocketing}. -This also means that we could not use the key recovery method described in -FIXME, where keys of all other sectors are recovered based on the knowledge of -they key of at least one different sectors. - -\subsection{Recovering the MIFARE CRYPTO1 keys} +\subsection{Recovering sector keys} Since none of the sector keys was known, the publicly available MFCUK (MiFare Classic Universal toolKit) implementation of the ``Dark Side'' attack (Nicolas T. @@ -130,7 +119,7 @@ hard-realtime control over the communication with the EasyCard. Furthermore, the key recovery can be optimized based on known-plaintext that is common to all cards. -\subsection{Dumping the content of the EasyCard} +\subsection{Extracting raw data} Once the sector keys have all been recovered, the full content of the EasyCard can be dumped using any RFID reader supporting MIFARE Classic. The author @@ -207,7 +196,7 @@ content: 00003f0 ea02 0bda b62a 7708 008f 0000 0000 0000 \end{verbatim} -\subsection{Re-engineering the on-card data format} +\subsection{Parsing the card content} When the author started his research, there was no pre-existing public knowledge on the data format used by the EasyCard system. As such, @@ -237,7 +226,7 @@ any of the tested transactions. The result of this analysis can be found in the next section: -\section{Re-engineered EasyCard Data Format} +\section{EasyCard data format} \subsubsection{Sector 0 and 1: The header} FIXME @@ -348,9 +337,9 @@ detects that the current day-of-the-month is different from that stored on the card, the sum is re-set and starts new for that day. -\section{Manipulating the EasyCard} +\section{Tampering with the EasyCard} -\subsection{Decreasing the Value of the card} +\subsection{Decreasing card value} In order to decrease the account balance on the card, the following method was tested: @@ -375,7 +364,7 @@ This specifically confirms that the vending terminal did not have an online connection to a centralized database. In that case, the erroneous values on the card would have been corrected and the original value restored. -\subsection{Increasing the value of the card} +\subsection{Increasing card value} The approach works similar to the previous one. First, a purchase in a store is being made, preferrably with relatively high value. Later, the transaction @@ -384,7 +373,7 @@ this purchase appear cheaper than it actually was. So after purchasing an item with 1000 NTD, the card will look like only 100 NTD were spent for the purchase, giving an extra balance of 900 NTD to the attacker. -\subsection{Bypassing the maximum daily spending of NTD 3000} +\subsection{Bypassing daily spending threshold} As the sum of all purchases on a given day-of-the-month is stored in Sector 15, there are two methods of evading the per-day payment limit: @@ -398,13 +387,12 @@ all purchases in the transaction log to appear as if they were made on a previous day. -\section{Mistakes of the EasyCard Corporation} +\section{Lessons Learned} -Based on this research as well as publicly known information on the -EasyCard Corporation, we can identify a series of mistakes with cumulative -effect. +Based on this research as well as publicly known information the +technical and procedural decision in the EasyCard system, a series of mistakes with cumulative effect can be identified. -\subsection{Deploying old technology} +\subsection{Use state-of-the-art building blocks} The Taipei Smart Card corporation (predecessor to the EasyCard Company) was established in 2000, and it took until June 2002 to deploy the first EasyCard @@ -419,7 +407,7 @@ was definitely no longer state-of-the-art in the year 2000. At that time, the popular web-browser Netscape Navigator (used e.g. for web-based online banking) had already introduced support for symmetric 128bit ciphers. -\subsection{Deploying proprietary security technology} +\subsection{Review proprietary technology} There are two concepts of achieving security in any system: {\em Security by design} and {\em Security by obscurity}. @@ -439,20 +427,18 @@ the system is broken. FIXME: Link to Bruce Schneier -\subsection{Not reacting to academic research in the field} +\subsection{Consider academic results} Starting in 2007, researchers have published a variety of attacks on the CRYPTO-1 cipher and MIFARE Classic system. For a list of related publications, see the bibliography of this paper. -\subsection{Not reacting to public availability of MIFARE attack tools} - Following-up the scientific publications, tools implementing practical attacks on MIFARE Classic have been developed and published. Such tools implement a variety of attacks, including card-only key-recovery attacks. -\subsection{No upgrade to more secure cards as they become available} +\subsection{Anticipate upgrade path} In the same year the EasyCard was first deployed (2002), the supplier of the MIFARE Classic system has already been shipping a much more secure system @@ -471,7 +457,7 @@ So, in order to save USD 1 per each issued card, the EasyCard corporation has artificially kept down the security level of their system, not catching up with state-of-the-art commercially available technology. -\subsection{Extending EasyCard to generic payment outside public transport} +\subsection{Limit fraud incentives} The security of any system always has to be analyzed in the context of the threat model, i.e. what can an attacker gain from compromising the system. @@ -507,7 +493,7 @@ end it will be the consumer who pays them indirectly due to higher prices including such fees. -\section{Proposed Changes / Improvements} +\section{Improvement potential} The author of this paper argues that use of the current EasyCard system should immediately be restricted to payment for public transportation, -- cgit v1.2.3