Exposing iClass key diversification

Authors:
Flavio D. Garcia;Gerhard De Koning Gans;Roel Verdult
Affiliations:
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands;Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands;Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands
Venue:
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
Year:
2011

Citing 10
Cited 1

Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design

Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design
Dismantling MIFARE Classic

ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Reverse-engineering a cryptographic RFID tag

SS'08 Proceedings of the 17th conference on Security symposium
Attacks on the DECT Authentication Mechanisms

CT-RSA '09 Proceedings of the The Cryptographers' Track at the RSA Conference 2009 on Topics in Cryptology
Extending SAT Solvers to Cryptographic Problems

SAT '09 Proceedings of the 12th International Conference on Theory and Applications of Satisfiability Testing
Wirelessly Pickpocketing a Mifare Classic Card

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Practical Algebraic Attacks on the Hitag2 Stream Cipher

ISC '09 Proceedings of the 12th International Conference on Information Security
Cryptanalysis of alleged A5 stream cipher

EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
A practical attack on KeeLoq

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Dismantling SecureMemory, CryptoMemory and CryptoRF

Proceedings of the 17th ACM conference on Computer and communications security

Gone in 360 seconds: Hijacking with Hitag2

Security'12 Proceedings of the 21st USENIX conference on Security symposium

Quantified Score

Hi-index	0.00

Visualization

Abstract

iClass is one of the most widely used contactless smartcards on the market. It is used extensively in access control and payment systems all over the world. This paper studies the built-in key diversification algorithm of iClass. We reverse engineered this key diversification algorithm by inspecting the update card key messages sent by an iClass reader to the card. This algorithm uses a combination of single DES and a proprietary key fortification function called 'hash0'. We show that the function hash0 is not one-way nor collision resistant. Moreover, we give the inverse function hash0-1 that outputs a modest amount (on average 4) of candidate pre-images. Finally, we show that recovering an iClass master key is not harder than a chosen plaintext attack on single DES. Considering that there is only one master key in all iClass readers, this enables an attacker to clone cards and gain access to potentially any system using iClass.