Dangers and countermeasures caused by Mifare 1 card cracking

Since the beginning of this year, a piece of news has shocked the entire IC card industry. Recently, researchers from Germany and the United States have successfully cracked the security algorithm of NXP's Mifare1 chip. Mifare1 chips are mainly used for access control cards of door access systems and some small payment cards, and their application scope has covered the world. Therefore, this "achievement" has caused a lot of panic, because a thief who masters the cracking technology can clone any access control card, so as to freely enter and exit government buildings or company offices; he can clone or forge various stored-value cards in batches to make large purchases without being discovered. It is estimated that hundreds of millions of such cards issued in China are in use, and its security involves the interests of many operating units and cardholders. Recently, a researcher announced that there are weak links in the security of MIFARE series products. In his laboratory, by studying the communication data between the reader and the card, he found the encryption algorithm and authentication communication protocol of this card, and there are two ways to obtain the partition password of the MIFARE class logical encryption card. In this way, the destroyer can easily obtain the password of an M1 card within 40ms using very cheap equipment. Faced with this catastrophic fact, some companies claim that they have ways to make up for this loophole, and users can continue to use this card without worrying. So, is the cracking of M1 cards really that destructive, and are some of the current "security" methods really effective? To answer this question, we need to start with understanding the structure and security authentication mechanism of the Mifare1 series of cards.

The Mifare series of contactless IC cards are classic IC card products of Philips of the Netherlands (now the IC card department of Philips is independent of NXP, and the product intellectual property rights belong to NXP). It mainly includes Mifare one S50 (1K bytes), S70 (4K bytes), which are widely used in access control, campus, and public transportation fields, as well as the simplified version of Mifare Light and the upgraded version of MifarePro. Among these chips, except Mifare Pro, they are all logical encryption cards, that is, there is no independent CPU and operating system inside, and they rely entirely on built-in hardware logic circuits to achieve security authentication and protection of IC cards.

The unit is used to complete the password authentication of the card and control the read and write permissions of each data sector; the Crypto Unit data encryption unit is the algorithm engine for its authentication and encryption and decryption operations. Mifare series IC cards are patented products of NXP. They use a unique encryption algorithm of NXP to complete authentication and encryption and decryption operations. Since this algorithm is unique to NXP and is not public, Mifare series IC cards use a special method to complete authentication without disclosing the algorithm. The same algorithm engine is placed in the dedicated Mifare read-write base station chip produced by NXP (such as the commonly used RC500 and RC531). The authentication process is completed between the user system and the Mifare chip by the base station chip "replacing" it. This authentication process is often promoted by the Mifare series chips. The essence is that the base station chip and the Mifare chip transmit random numbers and ciphertext of random numbers to each other, and the card is authenticated by decrypting and comparing the random number ciphertext. The "encrypted data transmission" that Mifare chips are proud of is also encrypted by the base station chip and transmitted to the Mifare chip. This process can be simplified as shown in the following figure:

As shown in the figure, the three-way authentication and input encryption transmission security features claimed by the M1 card refer to the authentication and encryption between the M1 card and NXP base station chips (or compatible chips) such as RC500. Since NXP strictly keeps the communication protocol and encryption authentication mechanism between the M1 card and the base station chip confidential, it is very difficult to crack from here. Unfortunately, the algorithm and mechanism were eventually cracked. The researchers found loopholes in the algorithm and communication protocol, and they can easily obtain all the keys of a card through dozens of trial attacks (about 40ms). In fact, since the day when compatible products with Mifare chips appeared, this secret is no longer a secret, because full compatibility actually means that the algorithm has been mastered. [page]

After the security problem of Mifare1 card was exposed, some companies publicly claimed that they had found a solution. The magic weapon is the so-called "one card, one password", that is, the key of each sector of each card is different. The CPU card is used to load the system root key, and the subkey is calculated according to the unique serial number of the Mifare1 card to prevent a card from being cracked and affecting the entire system. In fact, this solution has already appeared before the Mifare1 card was cracked. So, can one card, one password really solve the security problem of Mifare1? We still have to start with the authentication mechanism of Mifare1 card for analysis.

We already know that the authentication of Mifare1 card is essentially the authentication between the card and the base station chip. Commonly used base station chips such as RC500 are already well known in the industry, and its interface and communication protocol are public. Before the base station authenticates the Mifare1 card, the password of the Mifare1 card needs to be loaded into the base station chip through the LoadKey command. This process is a plain text writing process, which is transmitted from the main control microcontroller of the terminal device (such as the card reader) to the RC500, and the command transmission of the microcontroller to the RC500 is unencrypted. As shown in the figure below: In this way, the key of the M1 card can be obtained by intercepting the communication between the microcontroller and the RC500. To do this, a technician who has used RC500 and has a little understanding of microcontroller technology can easily achieve it. So, is it safe to install a SAM card in the card reader and calculate the card key through the SAM card to achieve one card and one password? The idea is very good, but the result is not what people want. This approach not only does not increase security, but also increases security vulnerabilities. As shown in the figure below: As shown in the figure, the M1 card uses the SAM card to achieve one card and one password. In essence, the master key in the SAM card is dispersed by the card number of the M1 card to obtain the subkey of the M1 card, but this subkey still needs to be sent to the RC500 chip in plain text through the terminal microcontroller to complete the authentication of the M1 card. What's more serious is that the SAM card sends the plain text password of the Mifare1 card. As long as the hacker obtains a SAM card, he can obtain the passwords of all cards through it without even using any cracking means. In addition, if the M1 card consumption password is leaked, even if the online recharge method is adopted, the interests of the operator cannot be protected, because in this case, the thief can use the forged M1 card without using the system recharge password, and directly use the M1 card's default password to "recharge" the card, and then use the real consumption password to consume on the terminal. In this case, even if the blacklist mechanism is adopted, it is difficult to avoid losses to the operator and the card-granting merchant, because the blacklist mechanism is a post-event prevention mechanism that prevents the same counterfeit card from being traded again. Today, with the increasing popularity of M1 card small-amount consumption, the thief only needs to use the counterfeit card once to obtain a much higher profit than the cost of a counterfeit card. In this way, we can assume the following situations: External personnel commit the crime: The perpetrator steals a formally used terminal device, obtains the key sent to RC500 by the single-chip microcomputer through line interception, and thus cracks the key of the M1 card. The perpetrator steals the PSAM card in the terminal and obtains the subkey of each M1 card by sending a key dispersion instruction to the PSAM card. Internal staff: The terminal equipment developer uses his/her work to steal the plaintext key of the M1 card in the terminal or the plaintext key of the M1 card sent to the RC500 through the single-chip microcomputer. The staff of the issuing institution uses their work to intercept the plaintext key sent by the PC to the M1 card through the M1 card reader. Or directly operate the PSAM card to steal the plaintext key. The system developer uses his/her work to steal the plaintext key of the PSAM card. [page]

Either possibility will have a fatal impact on the security of the entire system. In essence, this one-card-one-password approach borrows the one-card-one-password concept in the CPU card authentication mechanism. However, it intentionally or unintentionally ignores a very important fact, that is, the CPU card and the logic encryption card are two completely different cards, and their authentication mechanisms are completely different. Because the CPU card has a CPU processor and an operating system COS inside, the authentication process is completely carried out between the user card and the SAM card. During the authentication process, random numbers and ciphertext are transmitted, and the card reader base station chip is only a communication channel; the authentication process cannot be copied; the algorithm used is a public algorithm, and its security is based on the CPU card's protection of the key rather than the algorithm. The key cannot be read from the user card or the SAM card, and the key installation is carried out through ciphertext. After the system goes online, even the card issuer and the developer cannot obtain the key plaintext, which fundamentally guarantees the security of the system. It is precisely because of the awareness of the potential security issues of the M1 card that the Ministry of Construction has held many meetings to promote the use of CPU cards. The dual-interface CPU card has been praised by all parties for its flexibility in application and support for financial regulations.

Of course, the security of a system does not only depend on which card and which security mechanism is used, but also the security measures in system design can make up for some card security deficiencies. The security of a product cannot rely on a single security aspect. It should be based on the overall logic of a system to improve security and improve possible unsafe features through the overall system. The original unsafe system should be modified. For example, in the IC card specification of the Ministry of Construction, it is stipulated that the MAC authentication code in the card must be verified before calculating the card password in SAM for the one-card-one-password of M1 card, which greatly reduces the possibility of stealing SAM card. Unfortunately, most M1 card application systems do not adopt similar remedial measures, and such measures cannot completely eliminate the use of cloned cards and counterfeit cards. Although blacklists and other preventive measures are effective, they are after all post-event prevention and are difficult to solve the problem fundamentally. Especially in the current context of Mifare1 card being cracked, the simple use of patching is even more of an act of covering one's ears and stealing the bell.

For an IC card application system, the security of the card is like the foundation of a skyscraper. For a card security mechanism, corresponding protection measures must be formulated to protect this foundation. When the security of the card changes fundamentally, the original protection measures have lost their effectiveness, and the foundation of the entire building has been shaken. At this time, taking patch measures is tantamount to reinforcing the structure on the ground of the building. No matter how good the measures are, it is difficult to change the fact that the foundation is shaken. The fundamental solution is to re-lay a solid foundation and improve the security protection system of the system from the root.

Compared with the MIFARE1 card, the contactless CPU card is a real "smart card". The integrated circuit in the CPU card includes the central processing unit (CPU), read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM) and other main parts, just like an ultra-small computer. It has the advantages of large amount of information, high anti-counterfeiting security, offline operation, and multi-functional development. The CPU card adopts a powerful and stable security controller to enhance the security of the card, and the contactless transmission interface can meet the requirements of fast transactions (such as the fast passage of public transportation). CPU cards use a variety of chip-level anti-attack methods and are basically impossible to forge. The internal and external authentication mechanisms unique to CPU cards and the special authentication mechanisms represented by financial IC card specifications can fully guarantee the legitimacy of transactions. During the authentication and transaction process, the CPU key does not appear in plain text on the line. Each time it is sent out, it is encrypted with a random number. Moreover, because of the participation of random numbers, the content of each transmission is different, ensuring the security of the transaction. The keys used in the authentication and transaction process are generated in a secure card issuance environment and installed in the SAM card and user card in ciphertext. The keys are not exposed during the entire process. The application firewall function of the CPU card can ensure the security independence of different applications in the same card. The financial industry with high security requirements uses CPU cards as the standard for the next generation of bank cards. The use of contactless CPU cards can prevent counterfeit cards, counterfeit terminals, and counterfeit transactions, and ultimately ensure the security of the system.

At the same time, the large-capacity storage space of the contactless CPU card can meet the storage of more customer information required by the expected large-amount consumption applications. At this time, security is not only the security of the electronic currency stored in the card, but also the security of personal information. The security mechanism of the contactless CPU card can provide good protection for this.

Because of the above incomparable advantages, contactless CPU cards are very suitable for electronic wallets, electronic passbooks, highway automatic toll collection systems, bus automatic ticketing systems, social security systems, IC card refueling systems, security access control and many other application fields. Contactless CPU cards will gradually replace logical encryption cards and become the main choice of IC cards. In the situation where M1 cards are cracked, using contactless CPU cards to replace M1 cards is the ultimate solution to solve the M1 card crisis.

Since the news of MIFARE card cracking was disclosed at the beginning of this year, it has caused a lot of controversy. Many Mifare users have begun to worry about the security of their systems. Through a systematic analysis of the principle and impact of M1 card cracking, we can conclude that M1 cards are indeed no longer safe, and the security foundation of the system based on M1 cards has been shaken. We must take action to select appropriate products to replace M1 cards and re-strengthen the security cornerstone that is about to collapse.

CPU cards use a variety of chip-level anti-attack methods and are basically impossible to forge; the internal and external authentication mechanisms unique to CPU cards and the dedicated authentication mechanisms represented by financial IC card specifications can fully guarantee the legitimacy of transactions; during the authentication and transaction process, the CPU key will never be exposed, and it sends out encrypted random numbers every time. The keys used in the authentication and transaction process are generated in a secure card issuance environment and installed in ciphertext into the SAM card and user card, and the keys are not exposed during the entire process. The application firewall function of the CPU card can ensure the security independence of different applications in the same card. The financial industry with high security requirements uses CPU cards as the standard for the next generation of bank cards. The use of contactless CPU cards can prevent counterfeit cards, counterfeit terminals, and counterfeit transactions, ultimately ensuring the security of the system.

Due to the above incomparable advantages, contactless CPU cards are very suitable for electronic wallets, electronic passbooks, highway automatic toll collection systems, bus automatic ticketing systems, social security systems, IC card refueling systems, security access control and many other application fields. Contactless CPU cards will gradually replace logical encryption cards and become the main choice of IC cards. [page]

Compared with the contactless logic encryption card represented by Mifare1 and the CPU card, the contactless logic encryption card and the contactless CPU card are both contactless IC cards, but the two cards are completely different grades of cards.

The following is a comparison between MIFARE I card and contactless CPU card:

Through analysis, we can see that using CPU cards instead of Mifare1 cards is the fundamental way to completely solve the Mifare card crisis. However, for a large number of Mifare1 card application systems, how can we complete this upgrade conversion with the least investment and the fastest speed? Do we need to tear down the system and start over? In fact, it is not necessary. As we mentioned above, the security of a system does not only depend on which card is used. A card system is often composed of multiple subsystems, among which only a few parts directly related to the card are affected by Mifare1 card cracking. We only need to transform and upgrade these parts to fully guarantee the safe and stable operation of our system.
Taking the security access control system as an example, in an access control management system, it mainly includes the following parts

The management center is a software platform that is responsible for the coordination and command of the entire system. Its main functions include: stipulating and adjusting system setting requirements and implementing them; monitoring the main entrances and public places; handling alarms generated by the access control system; providing event records; and issuing and registering cards.

The access control unit is a hardware platform, which is a variety of controllers similar to channel management, such as door lock controllers, elevator controllers, parking lot controllers, and attendance terminals (expandable functions), all of which belong to the access control unit. The access control unit is the execution device of various management methods set by the management center.

The standard configuration of the access control unit equipment in the access control system is shown in the figure below.

The card reader is a card recognition device in the access control system, which transmits the user's card swiping information to the controller and management system for the control system to judge and process.

Electric door locks, gates, etc. are the actuators of the access control system, which perform the opening and closing control of doors and channels. [page]

In the entire access control management system, the access control IC card is the basic core of security management. The M1 card was cracked this time, which broke the core security control of the access control system and made it possible to copy and forge the access control card. To solve the security problem of the access control system, the M1 card needs to be replaced with a CPU card. There are only two places in the entire system that have direct interaction with the card: the card issuance subsystem in the background system and the front-end identification system, that is, the access control card reader. For most access control systems, the access control card reader only reads the card number and sends it to the background system through the controller. The system controls it through the card number and background authorization. In this way, when we upgrade the system, we only need to transform the access control card reader and the card issuance subsystem so that it can recognize and read and write CPU cards and complete the authentication of CPU cards. Other systems and software do not need to be changed, and the migration from M1 card to CPU card can be quickly completed.

The specific plan is as follows:

1. Replace the access control card reader and use an access control card reader that supports CPU cards. Since the communication interface between the access control card reader and the controller has a unified specification, this replacement and transformation is easy to achieve.

2. Modify the card issuance subsystem in the original system and replace the card reader so that it can issue CPU cards. Since the software platforms of various access control manufacturers are different, this modification requires the cooperation of the original access control system manufacturer.

3. If it is difficult to directly modify the card issuance system software, you can develop a new CPU card issuance subsystem and connect it to the original system background database to implement CPU card issuance. This method is relatively simple to implement, but it requires understanding the database interface of the original system and still requires some support from the original manufacturer. However, many access control management software support the issuance method of directly entering the card number, which creates very convenient conditions for system modification.

Similar to the access control system, although the urban public transportation card system is more complicated, the main parts of the system such as clearing and settlement are not directly related to the IC card. As shown in the figure:

In the one-card system, the subsystems directly related to the card include: card issuance subsystem, consumer terminal, and card management subsystem; the transformation of the card issuance subsystem mainly involves transforming the initialization process of the M1 card into the initialization process of the CPU card; the transformation of the card management subsystem is also relatively simple, and it only needs to realize the reading and writing operations of the CPU card; the key to determining whether the transformation is successful is the upgrading of the consumer terminal, which not only needs to be able to read and write CPU cards, but also needs to upgrade the transaction process of the M1 card to the standard transaction process of the CPU card. For system developers, they need to have sufficient experience and understanding of the application of CPU cards. [page]

Tongfang Co., Ltd. is a well-known smart card application development service and product provider in China, and is one of the earliest companies engaged in CPU card research and application development in China. As early as 1998, the "Financial IC Card Operating System ZTCOS1.0" developed by the Smart Card COS Research Group jointly established by Tsinghua Tongfang R&D Center and Tsinghua University Computer Department was awarded the "China Financial Integrated Circuit Card PBOC1.0 Test Certificate" issued by the Bank Card Testing Center of the People's Bank of China. The company keeps up with the world's most advanced IC card technology and is a pioneer and leader in ISO14443 TypeB contactless standard products and applications in China. The Shenyang City One Card System undertaken by the company is the earliest and largest city CPU card one card application project in China. So far, the actual issuance of dual-interface CPU cards has exceeded 3.5 million, which has a huge influence in the field of domestic city pass cards. Relying on many years of development and application experience in contactless smart cards, Tongfang Co., Ltd. is committed to the development of city one card application systems and related products, and has formed a complete contactless CPU card product system including contactless CPU cards and card reading terminals. The dual-interface CPU card developed by the company has obtained the "China Financial Integrated Circuit Card PBOC2.0 Test Certificate". Faced with the opportunity of the booming development of contactless smart card applications, Tongfang Co., Ltd. is deeply exploring the market, accelerating the development and research of new products, and contributing to the rapid development of China's contactless smart card industry.