View
221
Download
1
Category
Preview:
Citation preview
NFC
i@dangfan.me
mailto:i@dangfan.me
2
!
SIM
"
4
!
Tamper-resistant computer, on a single chip, embedded in piece of plastic, with very limited resources.
capable of securely:- storing data- processing data
Smartcards and RFID http://www.cs.ru.nl/~kursawe/SiO2011/Slides/sio_smartcards.pdf
5
!
Memory Card vs Processor Card
vs
vs
6
!
ISO/IEC 7816
ISO/IEC 14443 Part 1 Part 2 Part 3Type A/B Part 4
7
!
CPU 8051
RAMROM EEPROM
MIFARE Classic / Ultralight / DESFire FM1208 NXP SmartMX
8
!
COS FMCOS / MIFARE DESFire
JavaCard
9
NFC!
2002 2013ISO/IEC 18092 14443 Type A/BFeliCa P2P
10
!
SD SIM eSE
#
12
01
02 03 Pay04 05
!
13
!
14
!
Wiegand
ID4
13.56MHz - Type A 125KHz - ID
15
!
Broadcom http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android UID
http://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-androidhttp://stackoverflow.com/questions/28409934/editing-functionality-of-host-card-emulation-in-android
16
!
Card Terminal(with SAM)
Read basic info
Success
Request Random Number Verify
Random Number (R)Calculate
MACEntrance Data (with MAC)
Success
Fig. 3: The entrance protocol.
Entrance protocol. When a passenger (with an AFC card)wants to enter a station, the AFC system needs to execute theentrance protocol, which is shown in Fig. 3.
First, the stations terminal requests and reads the basicinformation of this passengers AFC card, including the cardnumber, the expiration, and the balance. The terminal verifiesthis information, including checking the expiration and whetherthe balance is sufficient.
Second, if the above verification succeeds, the terminalwould try to write the entrance data to the Metro Datafile (just using the metro as an example). However, beforewriting the entrance data, the AFC card needs to perform aone-way authentication to the terminal. As shown in Fig. 3, theterminal gets a random number R from the AFC card, and thencalculates a MAC by encrypting R with a pre-installed key2shared with this AFC card (right-hand operations in Fig. 4).
Finally, after generating MAC, the terminal sends theentrance data with the calculated MAC to the AFC card. Thecard performs an external authentication (shown in Fig. 4): ifpassed, the entrance data would be written on the card. Onthe other hand, the external authentication works as follows.As shown in Fig. 4 (left-hand), the AFC card first encryptsthe random number R with the key shared with the terminal.Because the AFC card has received the terminals MAC, whichhas been computed by encrypting the same random number Rwith the same key (the right-hand operation in Fig. 4), the AFCcard can check whether the terminals authentication passesthrough comparing the two ciphertext. If the terminal is fake,the authentication fails.
After the whole protocol is executed, the passenger will beallowed to enter the station, and her AFC card has been writtenher entrance information.
Exit protocol. When the trip is finished, the passenger tapsher card on the exit terminal. Fig. 5 details the exit protocol.
First, the terminal reads the same basic information as theentrance stage, including the card number and the expiration,as well as the entrance data from the card. Then, the terminal
2In fact, the key differs in each card. Instead of storing all keys (which isobviously impossible), the key of each card is generated using a root key andits card number. The root key is stored in a so-called SAM module attachedon the terminal. The terminal uses SAM to generate the each-card key.
Generate Random Number (R)
Secret Key (K)
=?
Accept
Reject
Secret Key (K)
Smart Card Terminal
Fig. 4: External authentication, used by the card to validatethe terminal.
Card Terminal(with SAM)Read basic info &
entrance dataSuccess
Debit (with MAC)Verify &
Calculate fare
Success (with MAC) Upload
Fig. 5: The exit protocol.
verifies the above information. If the verification succeeds, theterminal calculates the fare that the passenger needs to pay.The verification process is the same as the first step in theentrance protocol.
Second, in order to upload the transaction log informationto the AFC backend, the card and terminal need to perform amutual authentication with each other. In other words, besidesthe authentication to the terminal, in this step (called debitchecking step), the terminal also needs to check whetherthe AFC card is emulated or fake. The process that thecard authenticates the terminal is almost the same as theauthentication step in the entrance protocol. On the contrary,i.e., the terminal authenticating the card, the AFC card needsto use its private transaction key TK to generate a sessionkey SK and a MAC (generated using the SK), and then sendsthem to the terminal for the authentication. The most importantproperty in this step is: a fake or emulated AFC card cannothave a transaction key to pass the authentication.
After the mutual authentication, the terminal uploads thetransaction information to its backend.
III. ATTACK DESIGN AND LESSPAY IMPLEMENTATION
In this section, we first present how we design our attack(in Section III-A and Section III-B) and the implementationof the LessPay app (in Section III-C).
As shown in Fig. 1, our attack has six steps (i.e., Step 1-2and Step 4-7). Step 3 and 8 do not belong to our attack, sincethey occur on the terminal side and are not controlled by us.
17
!
2008MIFARE Classic MIFARE
18
!
mfoc
19
!
20
!
21
! JR/T 0025.52013
125
MDK
DES(
)
UDKA
DES(
)
UDKB
PANPAN
MDK
PANPAN
MDK
ICDEAA(UDKA)DEAB(UDKB)
UDKA3DES
UDKB
3DES
D.5 DES
PAN816D1
DESA00
16
16 0
16 16
D1DESB
D.6DESABUDKAUDKB
A. B.
SK = f(ATC, UDKA, UDKB) ARQC = g(, , ATC, )
22
!
23
! /Samsung/MI Pay
eSE
24
!
PBOC 2.0
Type A Type B COS
25
TFCOS v2.0
80
1 6 4 3
5-74
5.4.5.3.
IC POS PSAM
POS PSAM PSAM
PSAM
8 10
PSAM 8 10
DATA:
PSAM MAC1
MAC1
DATA:
MAC1
MAC1
MAC1 TAC MAC2
PSAM MAC2
TAC MAC2
MAC2
MAC0
5-75
.
26
!
NFC
NXP TagInfo Banking Card Reader NFC Tools Pro
PCWindows
ACR 122u mfoc SpringCard/CardWerk API
27
!
Smart Card Handbook MIFARE Classic/Ultralight/DESFire Datasheet FMCOS 2.0 Manual PBOC 3.0 GB/T 31778
FAQ
Recommended