SoSySecDecember 15, 2017 / Certifiably Biased?seminaire-dga.gforge.inria.fr/2017/20171215_DarrenHurley-Smith.pdf · Presentation Outline • Background on the Mifare DESFire family

The UK’s European university

SoSySec December 15, 2017 /

Certifiably Biased?

Analysing the Security of Mifare DESFire EV1 & EV2 Smartcards

Darren Hurley-Smith & Julio Hernandez-Castro

Introduction

• Darren Hurley-Smith• Research Associate

• School of Computing, University of Kent

• Julio Hernandez-Castro• Professor

• School of Computing, University of Kent

• Current research related to this presentation:• Analysing the security features RFID smartcards

• Focusing on the trustworthiness of TRNG and QRNG

• Identifying issues in lightweight RNG implementations

• Developing new guidelines for testing, reporting, and

certifying smartcards

Certifiably Biased? Analysing the Security of Mifare DESFire EV1 & EV2 SmartcardsPage 2

Presentation Outline

• Background on the Mifare DESFire family

• The relevance of Common Criteria EAL certification

• Evaluating the DESFire EV1 and 2 TRNG• Methodology

• Results

• Analysis

• Summary

• The EV2: A Commercial Distance Bounding Implementation• A brief introduction to Distance Bounding protocols

• The EV2 Distance Bounding protocol

• Summary

• Conclusion

• Quantum Randomness: Our Current Focus


The Mifare DESFire Family

• NXP Ltd produces this smartcard family

• We focus on the EV1 and EV2

• EV1 is commonly used in the UK• Publicly announced 2006• TfL Oyster Card is an EV1 implementation• AES-128 capable

• EV2 is multi-application smartcard• Publicly announced 2016• Based on the EV1 filesystem and shares many commands• Boasts distance bounding capabilities


DESFire EV1 and EV2 Hardware Overview


Features of the DESFire EV1


• Used in e-wallet, access control, loyalty schemes,

and travel card solutions• Notably used in Oyster cards – 8 million of which were circulated in

2015-2016

• Certified Common Criteria EAL4+ certified

• Crypto-coprocessor with AES-128

• Mutual three-pass authentication

• ‘True’ Random Number Generator

Features of the DESFire EV2


• Recently issued for commercial purchase• Used in Delerrok’s TouchPass system (CA - USA)

• Will not replace the EV1 for Oyster card

• Common Criteria EAL5+ certified

• Shares many elements of the EV1:• Crypto-coprocessor with AES-128

• Mutual three-pass authentication

• ‘True’ Random Number Generator

• Multiple application support

• New Features:• Virtual Card Architecture (VCA)

• Multi-application support without need to share secret keys

• Distance Bounding

Common Criteria (ISO/IEC 15408) Certification?

• Awarded as Evaluation Assurance Levels (EAL)

• There are 7 EAL tiers• Tiers increase their rigor in ascending order (1-7)• Each tier indicates an increase in scrutiny• Post production tests are a minimum requirement of each level• Work line audits and anti-tampering feature at higher levels• The highest levels (5-7) require design document analysis

• EAL4+ (EV1, Plus X)• Methodological design, testing, and review• Awarded in late/post-production• Independent testing and inspections of production lines

• EAL5+ (EV2)• Semi-formal design and manufacturing process evaluation• Must be sought by manufacturers prior to production• Independent design audits and iterative testing through

production


Our Research Strategy


• Limitations• Not equipped for physical deconstruction of the chips

• Basic, commercially available readers (ACR122U)

• Family-wide weaknesses• EV1 and EV2 share crypto-coprocessor and TRNG

• Weaknesses in either element may carry over

• History of weak RNG (DESFire/Classic)

• Associated Projects• InnovateUK funded project looking into viable ‘on skin’

RFID payment solutions

• Identifying weaknesses/limitations in resource-

limited/small RNG

Methodology: Pilot Study & Validation


• Initial investigation:• 3 DESFire EV1 cards from

1 batch

• 64MB of data collected

from three-pass

authentication

• Responsible disclosure of

findings to NXP Ltd.

• Validation:• 100 EV1 cards from 3

batches

• 1 EV2 card for comparison

• urandom (PRNG) used for

comparison

Extracting Randomness from EV1/2 Authentication


RndB (rand generated by card)

saved to binary file

Randomness Tests

• Dieharder• Statistical test battery that expands the Diehard tests

• EV1 and EV2 passed these tests

• NIST STS 2.1.2 (SP800-22)• National Institute of Standards and Technology designed

statistical test battery

• EV1 and EV2 passed this battery without issues

• Ent• A simple but effective test battery

• The EV1 performs extremely poorly on a simple byte-level

Chi-Square Goodness of Fit test


Dieharder TestsTest Card 1 Card 2 Card 3

p-value p-value p-value

Birthday Spacings 0.1819452 0.61105583 0.7826363

Overlapping Permutations 0.38044164 0.58693289 0.44201308

32x32 Binary Rank 0.42920693 0.234095 0.55699838

6x8 Binary Rank 0.3131149 0.32387215 0.6613758

Bitstream 0.97724174 0.18743536 0.59532464

Count the 1's (stream) 0.17108396 0.74984724 0.87214241

Count the 1's (byte) 0.65870385 0.01287807 0.00020194

Parking Lot 0.18078043 0.24200626 0.38128677

Minimum Distance (2d sphere) 0.76328 0.95091635 0.34980807

3d sphere (minimum distance) 0.23871272 0.20826216 0.39340851

Squeeze 0.62598919 0.08843989 0.77057749

Runs 0.99778832 0.62043244 0.90550208

0.44719093 0.91228597 0.04870531

Craps 0.54077256 0.92769962 0.91803037

0.57614807 0.94245583 0.95209393


NIST SP800-22 TestsTest Card 1 Card 2 Card 3

Frequency 198/200 200/200 197/200

Block Frequency 196/200 199/200 194/200

Cumulative Sums 2/2 2/2 2/2

(>193/200) (>193/200) (>193/200)

Runs 191/200 197/200 192/200

(<0.001) (-0.719747) (-0.00716)

Longest Run 196/200 198/200 198/200

Rank 198/200 199/200 197/200

FFT 197/200 199/200 198/200

Non-Overlapping Template 147/148 148/148 148/148

(>193/200) (>193/200) (>193/200)

Overlapping Template 198/200 198/200 198/200

Universal 198/200 198/200 198/200

Approximate Entropy 197/200 198/200 196/200

Random Excursions 8/8 8/8 8/8

(>113/118) (>114/118) (>113/118)

Random Excursions Variant 18/18 18/18 18/18

(>113/118) (>114/118) (>113/118)

Serial 2/2 2/2 2/2

(>193/200) (>193/200) (>193/200)

Linear Complexity 199/200 197/200 199/200


Pilot Test Results for Ent 1 of 3

Test EV1 Card 1 EV1 Card 2 EV1 Card 3 Expected

Entropy 7.999969 7.999989 7.999972 8

Optimal Compression 0 0 0 0

Chi-Square 2709.1 973.07 2470.32 255

Arith. Mean 127.492921 127.500582 127.5006 127.5

Monte Carlo Pi 3.14167 3.142019 3.141909 3.14159

Serial Correlation 0.000008 0.000045 0.000093 0


Ent results for 64MB of EV1 Data

• Results of pilot study (64MB samples from 3 cards)• 64MB is a lot of data to collect

– 10 days to collect for each card

• Unlikely that such a quantity of data could be collected ‘in the wild’

• Nothing stopping individuals conducting this analysis using bought cards…

• Do these results appear at smaller sample sizes?



Entropy 7.999780 7.999820 7.999786 8


Chi-Square 305.47 249 297.03 255

Arith. Mean 127.492921 127.500582 127.5006 127.5

Monte Carlo Pi 3.14167 3.142019 3.141909 3.14159



Ent results for 1MB of EV1 Data

• All cards perform better when less data is tested• Card 2 shows that the previously poor results may disappear entirely

• This is an issue – are these cards tested with large enough samples when

certified?

• Cards 1 and 2 are still terrible! When will they ‘improve’?



Entropy 7.999635 7.999640 7.999641 8


Chi-Square 253.55 249.26 249.03 255

Arith. Mean 127.492921 127.500582 127.5006 127.5

Monte Carlo Pi 3.14167 3.142019 3.141909 3.14159



Ent results for 5KB of EV1 Data

• At 5KB all cards seem fine

• Card 1 shows problems at data sizes larger than 7.5KB

• Are these cards passing tests due to trivial oversights?• Sample size

• Number of tests and their relatedness

Analysis: Bias at the Byte level


• The EV1 (a) shows a clear non-random distribution of bytes

• Repetitive pattern, clear cycles, almost no values close to zero

(a) DESFire EV1 Bias (b) urandom Bias

Analysis: Fourier Analysis of the Bias


• The Fourier series for all three EV1 cards defines the bias

• All cards demonstrate a regular period of 32

• Exactly half of the possible byte values occur more frequently than the other half

(a) EV1 Card 1 (b) EV1 Card 2 (c) EV1 Card 3

Initial Findings


• Certification appears to rely on tests that do not identify

underlying issues in the DESFire EV1 TRNG• Dieharder and NIST STS 2.1.2 are unable to identify the

bias in the EV1

• These two tests form the backbone of many certification

schemes

• One must also consider the possibility of designing for

tests

• Bit level Chi-square tests do not show any problems• The focus of many tests is bit-level analysis

• This may not find issues in generators that exhibit a

high-order bias

• Context and underlying hardware are often overlooked,

but can determine which tests are appropriate

Further Testing


• Preliminary testing showed a serious bias in the EV1 TRNG

• Disclosure to NXP Ltd was answered:• They confirmed our findings• They stated that this is a ‘non-critical’ flaw• Suggested that it was due to an improperly implemented

whitening function

• Further analysis was required to characterise the bias:• The EV1 is nearing the end of its production life• Many still in circulation, but EV2 due to be marketed

instead• We studied the TRNG of the DESFire EV2• A larger sample of 100 EV1 cards was studied• Multiple batches were sourced to ensure this wasn’t an

isolated finding

Analysis: EV2 Bias and Fourier Analysis


• The EV2 did not demonstrate any observable bias for 64MB

of data

• It also passed Dieharder and NIST STS 2.1.2 without issues

DESFire EV2 Bias EV2 Fourier Analysis

Analysis: Mask Test Results 1 of 2


(a) EV1 card 1 (b) EV1 card 2

(c) EV1 card 3 (d) urandom



• urandom (d) has biases of magnitude 10-4

• Biases seem spread across all byte values

• No specific bytes show significant deviation from the norm

• The 3 EV1 cards (a, b, and c) all show biases

of magnitude 10-3

• Specific bytes show orders-of-magnitude larger biases

than the majority

• This indicates a byte level bias

• The mask test highlighted a significant bias in

all 3 EV1 cards• Byte value 24 (00011000) under occurs significantly

• There doesn’t appear to be a sympathetic over

occurrence



DESFire EV2 urandom

• The EV2 doesn’t show any of the issues seen in the EV1

• Side-by-side comparison with urandom shows that EV2 conforms with the properties of a reliably random source

• Unclear if this issue is fixed, or whether re-engineering of the EV2 wafer resolved the TRNG issue

• This suggests that NXP claims of a faulty whitening function have merit

TestU01


• Alphabits• Hardware RNG focused test suite

• EV1 cards failed MultinomialBitsOver (L=2, 4, and 8)

• EV1 cards 1 and 3 failed Hamming Indep (L=16)

• Rabbit• A slower but more comprehensive test battery

• EV1 fails:– MultinomialBitsOver (card 1)

– Fourier3 (ALL cards)

– HammingIndep (L=16) (cards 1 and 2)

– Autocor (ALL cards)

– Run of Bits (ALL cards)

• EV2 passes all Alphabits and Rabbit tests

Expanding the Tests: 100 EV1 Cards


• The bias in the EV1 has been established• Only three cards have been tested, more needed!

• 100 EV1 cards tested:– 50 2k model, 50 4k model

– 4k cards selected randomly from a pool of 100 cards

– 2k cards randomly picked from 200 cards (2 batches)

• The EV2 TRNG shows no sign of similar bias• No further randomness tests

• The mask test has allowed us to characterise

the EV1 bias

DESFire EV1 Ent Results (100 cards) 1 of 2


Chi-Square results for 100 EV1 cards

DESFire EV1 Ent Results (100 cards) 2 of 2


• 1MB of data has been tested for each card• Cards randomly selected to minimise relatedness

• 3 batches tested to avoid production line dependencies

• 78% of EV1 cards fail the Chi-Square test• Mean Chi-Square is 314.17

• Of the 22% of cards that pass, half show very low p-values

• The problem isn’t restricted to our pilot sample• NXP confirmation indicates they can independently

replicate our results

• This test shows that we can replicate our results over

unrelated EV1 cards

• The issue is a model, not batch, issue

DESFire EV1 Mask Results (100 cards) 1 of 3


Composite graph of 100 mask test results



5 worst performing cards Mask test results



• The majority of cards (78%) show significant bias• This bias presents as an under-occurrence of mask

00011000 (24)

• The 5 worst performing cards all have Chi-Square scores

worse than 415!• This indicates that it is this specific bias contributing to the

poor Chi-Square score

• No other anomalous biases affect the score as much

• The observed bias is between -0.0036 and -0.0061

Summary: EV 1 Bias


• Clear and consistent biases have been identified

• Findings have been responsibly disclosed to NXP Ltd.• They confirm our findings

• They suggest that a flawed whitening function is the source

(unconfirmed)

• Characteristics of the bias have been identified• Mask 00011000 under occurs significantly (byte value (int) 24)

• No practical attacks have yet been identified

• The EV2 doesn’t exhibit this bias• However, it has a notable feature…

DESFire EV2 – Distance Bounding

• Unlike EV1, EV2 provides distance bounding

functionality• This potentially limits the range from which an attack can be

performed

• The distance bounding protocol also allows us to capture

random values• Random values are vital to the challenge-phase of the protocol

• Our study of the protocol itself is limited at this time• We intended to explore it as a means to extract random

numbers

• Slower than authentication for random data acquisition

• Protocol poorly understood due to closed documentation


An Example Distance Bounding Protocol


Hancke and Kuhn’s Distance Bounding Protocol

Protocol Derivation

• Public documentation provides the basic structure• The protocol flow is public knowledge

• The names and order of commands are public knowledge

• APDU codes are not publicly available• Basic command structure is public, but command bytes, and

concatenation schemes mixing aren’t

• However, we already know DESFire EV1 command codes!

• Only 256 possible APDUs and we already know several dozen

• We also know the concatenation/mixing schemes as CMAC

calculation on the EV1 requires these

• Virtual Card Architecture is publicly available• Accessing the VCA is critical for third-party secure card access

• Distance bounding is only available as an option for VCA mode


The EV2 Distance Bounding Protocol 1 of 2


• Three phases• PreparePC

• ProxCheck

• VerifyPC

• Significant concessions

made due to platform limits

• Key Differences between

Theory and Practice:• Timing info shared in PrepPC

• No nonces in initial slow phase

• Challenges are bytes not bits!

• VerifyPC involves mutual

authentication

Summary: EV2 Distance Bounding

• The search for sources of data that reveal information about a device can lead to interesting places

• Originally just looking for a way to get more random numbers• Reuse of features is required in limited devices• This can make reverse engineering much easier

• Currently just an overview of the protocol structure• Our timing analysis is primitive and requires more work

• This commercially available implementation differs from theoretical DB protocols

• The fast phase is a two-way exchange of random bytes• Mutual authentication in final slow phase• Reader performs all time-based verification (one-way distance bound)

• Hardware constraints are the final arbiter of most compromises

• There’s only so much silicon ‘real estate’


Conclusion

• The DESFire EV1 was found to have a flawed TRNG• Simple Chi-Square tests identify this flaw• Observable on small (7.5KB) data sets• Disclosed to NXP and independently reproduced• Our findings have been published in IEEE TIFS

– Hurley-Smith, D., Hernandez-Castro, J: “Certifiably Biased: An In-depth Analysis ofa Common Criteria EAL4+ certified TRNG”, IEEE, IEEE Transactions onInformation Forensics and Security, DOI10.1109/TIFS.2017.2777342, 2017 (pre-print)

• The DESFire EV2 doesn’t appear to share this flaw• Currently unknown why, but re-engineering of the wafer would account for

this change

• The EV2 DB protocol is closed, but possible to derive• One of the first commercially available DB implementations• Obfuscated in the documentation, but draws on common practices in the

DESFire family

• Certification schemes need to adapt to new needs• As RNG are developed to address current test batteries, new ones must be

used to ensure a constant state of vigilance and rigor• Designing devices to pass tests is no guarantee that they are generally

secure


Our Current Focus: Quantum Randomness

• Exploring Quantum random number generation• We have identified serious biases in the Quantis QRNG

• Now testing Comscire devices – good initial results

• Online QRNG (Hotbits, ANU Generator, and Humbolt Physik)

provide more evidence of variable implementation standards and

their effects on output

• Expanding our P/Q/TRNG analysis and developing tests• We continue to scrutinise standards and testing regarding RNG

• Exploring and innovating new test batteries based on experience


Acknowledgements

• This work received funding from InnovateUK as part of the

authenticatedSelf project, under reference number 102050

• This work received funding from the European Union’s Horizon 2020

research and innovation programme, under grant agreement

No.700326 (RAMSES project).

• We would like to thank ECOST – CRYPTACUS action for their valuable

and insightful discussion of this work

• We would like to convey our thanks to NXP Semi-conductors Ltd for

their timely and professional response to our responsible disclosure


Thank you for listening.

[email protected]

@Dsmith_Eng


mailto:[email protected]

THE UK’S EUROPEAN UNIVERSITY

www.kent.ac.uk

Documents

SoSySecDecember 15, 2017 / Certifiably Biased?seminaire-dga.gforge.inria.fr/2017/20171215_DarrenHurley-Smith.pdf · Presentation Outline • Background on the Mifare DESFire family