Brute Force Cryptanalysis of MIFARE Classic Cards on GPU
Cihangir Tezcan
Department of Mathematics, Middle East Technical University, Ankara, Turkey
Informatics Institute, Department of Cyber Security, CYDES Laboratory, Middle East Technical University, Ankara, Turkey
cihangir@metu.edu.tr
Keywords:
MIFARE Classic, CRYPTO1, Cryptanalysis, GPU.
Abstract:
MIFARE Classic is the most widely deployed contactless smartcard on the market. However, many active and
passive attacks are provided after its proprietary stream cipher CRYPTO1 was reverse engineered. The short
48-bit key of the CRYPTO1 cipher, leaked parity bits and the encrypted error code that is sent after a failed
authentication (which is corrected in the hardened new cards) allow the adversary to perform offline brute
force attack and avoid detection. Such an attack requires wireless interaction with a card for less than a second
and then a brute force attack which was shown to take around 9 days on a single GTX280 GPU. We optimized
this brute force attack on modern GPUs by using bitsliced implementation technique and observed that a brute
force attack on a GTX970 GPU can be performed in less than 5 hours. Although this attack is not applicable
to hardened MIFARE Classic cards, a similar attack using the short key length and the leaked parity bits can
be performed when a single key is known, possibly using the default keys for unused sectors. Such an attack
requires wireless interaction with a card for less than a second and then a brute force attack which was shown
to take approximately one month on a single GTX460 GPU. Our bitsliced implementation of this attack takes
less than 7 hours on a GTX970 GPU.
1 INTRODUCTION
ISO/IEC 14443-A standard about identification, con-
tactless integrated circuit, and proximity cards con-
sists of four parts: Physical characteristics, radio
frequency power and signal interface, initialization
and anticollision, and transmission protocol. MIFARE
Classic, which is the most widely used contactless
smartcard on the market, is compatible with the first
three parts but it uses its own secure communica-
tion layer. It uses a proprietary stream cipher called
CRYPTO1 to provide data confidentiality and authenti-
cation between card and reader. Although kept secret
by the manufacturer NXP Semiconductors, both the
cipher CRYPTO1 (Nohl et al., 2008) and the commu-
nication layer (Garcia et al., 2008) have been reverse
engineered.
After the reverse engineering, many vulnerabili-
ties and attacks were provided. Most of the card-only
attacks rely on non-cryptographically related imple-
mentation flaws and some of these flaws are mitigated
by issuing replacement cards.
Currently the best known active card-only attack
is the ciphertext-only attack of (Meijer and Verdult,
2015), which only requires wireless interaction with
the card for a few minutes with consumer-grade har-
dware. Active attacks on these cards are summarized
in Table 1.
Moreover, offline attacks on these cards are possi-
ble due to the short key and the parity bit vulnerability.
If the card also has the keystream leakage through er-
ror vulnerability, it was shown in (Chih et al., 2010)
that the brute force attack provided in (Garcia et al.,
2009) can be performed in around 9 days on a single
GTX280 GPU. If the card does not have this vulnera-
bility, it was shown in (Meijer and Verdult, 2015) that
a brute force attack using the nested authentication
property can be performed in a month using a single
GTX460 GPU provided that a single key of a sector
is already known. Thus, one can perform these at-
tacks in a few hours by building a huge farm of GPUs.
However, we observed that the CRYPTO1 stream cip-
her of the MIFARE Classic card is very suitable for a
bitsliced (Biham, 1997) optimization and we reduced
the time of these attacks to 5 and 7 hours, respectively
on a single GTX970 GPU.
524
Tezcan, C.
Brute Force Cryptanalysis of MIFARE Classic Cards on GPU.
DOI: 10.5220/0006262705240528
In Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP 2017), pages 524-528
ISBN: 978-989-758-209-7
Copyright
c
2017 by SCITEPRESS Science and Technology Publications, Lda. All rights reser ved
Table 1: Comparison of card only attacks.
Attack Traces Gather Compute
a b
(Garcia et al., 2009) 2 <1 sec <1 sec × X
(Courtois, 2009) 300 3 min <1 sec × ×
(Chiu et al., 2013) 100, 000 10-20 hours 2-15 min X ×
(Meijer and Verdult, 2015) 10, 000 6-12 min 5-10 min X X
a
Does not require a weak PRNG
b
Does not require the error code after a failed authentication
2 MIFARE CLASSIC CARDS
2.1 Memory Structure
The memory of a MIFARE Classic card is divided into
sectors that are divided into 16-byte blocks. The last
block of each sector stores two sector keys and the
access conditions for that sector. To perform an action
on a block, the reader must first authenticate itself for
that sector with a sector key.
2.2 CRYPTO1
Nohl et al. reverse engineered CRYPTO1 stream cip-
her by slicing a MIFARE Classic chip and taking pic-
tures with a microscope (Nohl et al., 2008). It consists
of a 48-bit linear feedback shift register (LFSR) and
a non linear filter function f . Contents of the LFSR
are shifted one position to the left and the most signi-
ficant bit is discarded. A new bit is generated by the
feedback function L. During the authentication phase,
the input is also XORed to the output of L.
Definition 2.1. (Nohl et al., 2008) The feed-
back function L(x
0
x
1
. . . x
47
) : F
48
2
F
2
is defined by
L := x
0
x
5
x
9
x
10
x
12
x
14
x
15
x
17
x
19
x
24
x
25
x
27
x
29
x
35
x
39
x
41
x
42
x
43
Definition 2.2. (Garcia et al., 2008) The filter
function f (x
0
x
1
. . . x
47
) : F
48
2
F
2
is defined by
f := f
c
( f
a
(x
9
, x
11
, x
13
, x
15
), f
b
(x
17
, x
19
, x
21
, x
23
),
f
b
(x
25
, x
27
, x
29
, x
31
), f
a
(x
33
, x
35
, x
37
, x
39
),
f
b
(x
41
, x
43
, x
45
, x
47
) )
and f
a
, f
b
: F
4
2
F
2
and f
c
: F
5
2
F
2
are defined by
f
a
(y
0
, y
1
, y
2
, y
3
): = ((y
0
y
1
) (y
0
y
3
))
(y
2
((y
0
y
1
) y
3
))
f
b
(y
0
, y
1
, y
2
, y
3
): = ((y
0
y
1
) y
2
)
((y
0
y
1
) (y
2
y
3
))
f
c
(y
0
, y
1
, y
2
, y
3
, y
4
): = (y
0
((y
1
y
4
) (y
3
y
4
)))
((y
0
(y
1
y
3
))
((y
2
y
3
) (y
1
y
4
)))
If we denote the LFSR-stream with a
0
a
1
. . . and
keystream b
0
b
1
. . ., they are obtained as follows:
Definition 2.3. (Garcia et al., 2009) Given a key k =
k
0
k
1
. . . k
47
F
48
2
, a tag nonce n
T
= n
T,0
n
T,1
. . . n
T,31
F
32
2
, a uid u = u
0
u
1
. . . u
31
F
32
2
, and a reader nonce
n
R
= n
R,0
n
R,1
. . . n
R,31
F
32
2
, the internal state of the
cipher at time i is α
i
:= a
i
a
i+1
. . . a
i+47
F
48
2
.
Here the a
i
F
2
are given by
a
i
:= k
i
i [0, 47]
a
48+i
:= L(a
i
, . . . , a
47+i
) n
T,i
u
i
i [0, 31]
a
80+i
:= L(a
32+i
, . . . , a
79+i
) n
R,i
i [0, 31]
a
112+i
:= L(a
64+i
, . . . , a
111+i
) i N
Furthermore, the keystream bit b
i
F
2
at time i is
defined by
b
i
:= f (a
i
a
1+i
. . . a
47+i
) i N
Structure of CRYPTO1 stream cipher is provided
in Figure 1.
2.3 Tag and Reader Authentication
Protocol
The reverse engineered authentication protocol
(de Koning Gans et al., 2008) is as follows: The tag
is selected in the anticollision phase and it sends its
uid u to the reader. Then the reader asks to authenti-
cate for a specific memory block b. Consequently the
tag sends a challenge nonce n
T
. The reader responds
by encrypting its own challenge n
R
and the answer
a
R
= suc
64
(n
T
) where
suc(x
0
x
1
. . . x
31
) := x
1
x
2
. . . x
31
L
16
(x
16
x
17
. . . x
31
)
and
L
16
(x
0
x
1
. . . x
15
) := x
0
x
2
x
3
x
5
.
The authentication is concluded with the tag answer
a
T
= suc
96
(n
R
).
2.4 Known Vulnerabilities
Previous works provided many serious vulnerabilities
of MIFARE Classic. They are thoroughly explained
in (Meijer and Verdult, 2015) and we summarize the
ones that are used in this paper:
Brute Force Cryptanalysis of MIFARE Classic Cards on GPU
525
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
f
a
f
b
f
b
f
a
f
b
f
c
out
Figure 1: Structure of CRYPTO1 stream cipher.
1. Short key length: The key size of 48 bits is too
small. Although the delay introduced by the com-
munication and authentication procedure prevents
an online brute force attack, reverse engineering
of CRYPTO1 algorithm allowed offline brute force
attacks.
2. The nested authentication: When the authentica-
tion for a sector is completed, the reader can re-
quest another authentication for a different sector
and key. This request initializes the internal cip-
her state to the key of that sector. But this time,
the nonce n
T
is also sent encrypted. In case the
card has the weak pseudo-random number gene-
rator vulnerability, the attack provided in (Garcia
et al., 2009) can be used to recover 32 bits of key-
stream by only wirelessly interacting with a card.
3. Parity bits: The MIFARE Classic sends a parity bit
for each byte it transmits but these parity bits are
computed over plaintext instead of ciphertext.
4. Keystream leakage through error: During authen-
tication protocol, the card always first checks the
parity bits and if the parity bits are correct but the
answer a
R
is wrong, the card provides the 0x5 fai-
led authentication error code. But this error is sent
encrypted and thus 4 bits of the keystream is le-
aked. This weakness is removed with hardened
MIFARE Classic cards since they do not send au-
thentication error code.
Note that it is important for the adversary to re-
trieve all data for every sector because deployed sys-
tems using MIFARE Classic sequentially authenticate
for several sectors verifying the data in the card. It
was observed in (Meijer and Verdult, 2015) that the
only way left in hardened cards that leak secret key
information without communicating with a genuine
reader is through parity bits. Using this vulnerability,
(Meijer and Verdult, 2015) provided an online attack
for these hardened cards that requires data gathering
for 6-12 minutes and an offline attack that requires
wireless interaction with a card for less than a second
and then a brute force attack which take approxima-
tely one month on a single GTX460 GPU. Authors
noted that their implementation is not bitsliced (Bi-
ham, 1997) and a bitsliced implementation would im-
prove the attack performance by at least a factor of
four. In Section 3.2, we show that a bitsliced optimi-
zation of this attack provides much better speed ups
and the attack takes only 7 hours on a GTX970 GPU.
3 BRUTE FORCE ATTACKS ON
GPU
CRYPTO1 stream cipher uses a short key of 48 bits,
tag serial, tag nonce, and reader nonce to produce key-
stream. Thus, if the attacker captures the keystream
and the nonces, then a 48-bit exhaustive search on a
GPU can find the key in less than an hour. In this at-
tack the adversary can check the keystream for each
bit produced by a key and thus early abort the search.
However, the proposed attacks in the literature can-
not capture the keystream directly but can capture the
parity of bytes of the keystream. Moreover, early ver-
sions of MIFARE classic cards send 4-bit encrypted
error code after failed authentication. Thus, we can
divide brute force attacks on MIFARE Classic into two
categories which depends on if the card sends encryp-
ted error code after failed authentication or not.
3.1 Brute Force using Encrypted Error
Code
The brute force attack in the presence of encrypted
error code is proposed in (Garcia et al., 2009). In
this attack, the attacker tries to authenticate for a sec-
tor and answers the challenge of the tag with eight
random bytes and eight random parity bits for n
R
and
a
R
. When the parity bits are correct but the answer
a
R
is wrong, the tag sends the encrypted 4-bit error
code. Thus, a success leaks 12 bits of entropy about
the key. Therefore, we need at least 4 authentication
sessions with correct parity bits but in practice 6 au-
thentication sessions are generally used to avoid false
positives. Since the probability of correctly guessing
8 parity bits is
1
256
, gathering six authentication ses-
sions with correct parity bits takes 6 · 256 = 1536 au-
ICISSP 2017 - 3rd International Conference on Information Systems Security and Privacy
526
thentication attempts on average and it can be done in
less than one second.
In (Garcia et al., 2009), it was pessimistically
assumed that COPACOBANA which finds a 56-bit
DES key in on average 6.4 days can find the 48-
bit CRYPTO1 key in 36 minutes if once can fit the
same number of CRYTO1 checks on FPGA as DES-
decryptions. Note that COPACOBANA costs approx-
imately 10,000 USD. In another work (Chih et al.,
2010), it was shown that 16 GTX280 GPUs can per-
form this attack in 14 hours. Thus, it takes around 9.3
days for a single GTX280 (240 cores, processor clock
1296 MHz) to perform this attack.
In our bitsliced implementation, we kept the 48-
bit keys using 48 32-bit registers and thus performed
each operation on 32 different keys simultaneously.
We also kept the nonce, uid, and parity information on
the shared memory of the GPU to reduce the number
of used registers. Data on the shared memory can be
reached on 32 memory lanes and two threads in warp
trying to use the same warp causes collision. Howe-
ver, if each 32 threads in a warp tries to access the
same memory bank, then the data is broadcast and
no collision occurs. Since every thread uses the same
nonce, uid, and parity information, no collisions occur
in our implementation. We used CUDA SDK version
6.5 instead of 7.5 because it provided better results.
Our implementation uses 154 registers, 2080 bytes
of shared memory and 360 bytes of constant memory
when compiled with compute capability 5.0 or 5.2 but
number of registers and performance vary for diffe-
rent compute capability. We noted that using 48 64-bit
registers for bitslicing increases the number of regis-
ters and reduce the performance. We performed our
experiments on a medium range desktop and a laptop
GPUs. Brute force attack results are provided in Table
2.
Table 2: Brute Force Attack on MIFARE Classic.
GTX 860M GTX 970
Cores 640 1664
Clock 1020 MHz 1253 MHz
Compute Capability 5.0 5.2
Keys per second 6,673 M 15,575 M
48-bit search 11.7 hours 5 hours
3.2 Brute Force Attack on Hardened
MIFARE Classic
It was noted in (Meijer and Verdult, 2015) that most
deployed systems leave default keys intact for unu-
sed sectors and nearly all deployed systems that use
key diversification leave at least one sector key non-
diversified because it is recommended in the manufac-
turer guidelines for system integrators. Therefore, we
can assume that the adversary always knows at least
one key of a sector. Once the adversary authenticates
against that sector, they can send another authentica-
tion request for a different sector and key. This new
authentication command sets the internal state of the
cipher to the key of the new sector but this time the
challenge generated by the tag n
T
is also sent encryp-
ted. Thus, the adversary can perform brute force at-
tack on the parity bits of the encrypted nonce sent by
the tag. Since an encrypted 32-bit nonce has 4 parity
bits, on average 12 encrypted nonces are required to
determine the 48-bit key. This requires wireless inte-
raction with a card for less than a second.
A brute force attack with an Nvidia GTX460 GPU
(336 cores, 1350 MHz processor clock) was perfor-
med in (Meijer and Verdult, 2015) and it was dedu-
ced that a full 48-bit exhaustive search would take
approximately 1 month. Thus, the authors conclude
that 180 Nvidia GTX460 GPUs would cost around
$12, 600 USD and would recover a single key within
an hour. However, this implementation is not bitsli-
ced and CRYPTO1 stream cipher is very suitable for
bitsliced implementation on GPUs.
In our bitsliced implementation, we kept the 48-
bit keys using 48 32-bit registers and thus performed
each operation on 32 different keys simultaneously.
We also kept the nonce and parity information on
the shared memory of the GPU to reduce the number
of used registers. Since every thread uses the same
nonce and parity information, no collisions occur in
our implementation when shared memory is acces-
sed. We again used CUDA SDK version 6.5 instead
of 7.5 because it provided better results. Our imple-
mentation uses 95 registers, 1952 bytes of shared me-
mory and 356 bytes of constant memory when compi-
led with compute capability 5.0 or 5.2 but number of
registers and performance vary for different compute
capability. We noted that using 48 64-bit registers for
bitslicing increases the number of registers and reduce
the performance. We performed our experiments on a
medium range desktop and a laptop GPU. Brute force
attack results are provided in Table 3.
Table 3: Brute Force Attack on Hardened MIFARE Classic.
GTX 860M GTX 970
Cores 640 1664
Clock 1020 MHz 1253 MHz
Compute Capability 5.0 5.2
Keys per second 3,635 M 11,105 M
48-bit search 21 hours 7 hours
This attack is slower than the brute force attack
of Section 3.1 because in this case we do not have
the leaked 4-bit keystream. This is because harde-
ned MIFARE classic cards do not send encrypted er-
Brute Force Cryptanalysis of MIFARE Classic Cards on GPU
527
ror code. However, we get a speed up because our
implementation uses only 95 registers per thread of
the GPU, compared to 154 registers of the attack of
Section 3.1. This way we can call 512 threads per
block of GPU to get better occupancy, compared to
256 threads used in the other attack. During these ex-
periments, although our GTX970 GPU has a proces-
sor clock of 1253 MHz, it was clocked to 1329 MHz
due to its GPU Boost technology.
4 CONCLUSIONS
MIFARE Classic is the most widely deployed contact-
less smartcard on the market and many vulnerabili-
ties are provided in the literature. Offline attacks on
these cards are possible due to the short key, parity
bit vulnerability, and keystream leakage through er-
ror vulnerability. In this work, we optimized these
brute force attacks on GPUs using a bitsliced imple-
mentation and observed that it takes less than only 5
hours to perform the attack of (Garcia et al., 2009) on
a single GTX970 GPU when we have the keystream
leakage through error vulnerability. Hardened cards
do not have this vulnerability and we showed that the
brute force attack of (Meijer and Verdult, 2015) for
these cards takes around 7 hours to perform it on a
single GTX970 GPU. Thus, we show that these brute
force attacks to clone MIFARE Classic cards are way
more practical than it was assumed.
ACKNOWLEDGEMENTS
This work was supported by The Scientific
and Technological Research Council of Turkey
(T
¨
UB
˙
ITAK) under the grant 115E447 titled ”Quasi-
Differential Factors and Time Complexity of Block
Cipher Attacks”.
REFERENCES
Biham, E. (1997). A fast new DES implementation in soft-
ware. In Biham, E., editor, Fast Software Encryption,
4th International Workshop, FSE ’97, Haifa, Israel,
January 20-22, 1997, Proceedings, volume 1267 of
Lecture Notes in Computer Science, pages 260–272.
Springer.
Chih, M.-Y., Shih, J.-R., Yang, B.-Y., Ding, J., and Cheng,
C.-M. (2010). MIFARE Classic: Practical attacks and
defenses. In Proceedings of the 19th Cryptology and
Information Security Conference (CISC 2010), Hsin-
chu, Taiwan.
Chiu, Y., Hong, W., Chou, L., Ding, J., Yang, B., and
Cheng, C. (2013). A practical attack on patched MI-
FARE classic. In Lin, D., Xu, S., and Yung, M., edi-
tors, Information Security and Cryptology - 9th In-
ternational Conference, Inscrypt 2013, Guangzhou,
China, November 27-30, 2013, Revised Selected Pa-
pers, volume 8567 of Lecture Notes in Computer
Science, pages 150–164. Springer.
Courtois, N. (2009). The dark side of security by obscurity
- and cloning mifare classic rail and building passes,
anywhere, anytime. In Fern
´
andez-Medina, E., Ma-
lek, M., and Hernando, J., editors, SECRYPT 2009,
Proceedings of the International Conference on Secu-
rity and Cryptography, Milan, Italy, July 7-10, 2009,
SECRYPT is part of ICETE - The International Joint
Conference on e-Business and Telecommunications,
pages 331–338. INSTICC Press.
de Koning Gans, G., Hoepman, J., and Garcia, F. D.
(2008). A practical attack on the MIFARE classic.
In Grimaud, G. and Standaert, F., editors, Smart Card
Research and Advanced Applications, 8th IFIP WG
8.8/11.2 International Conference, CARDIS 2008,
London, UK, September 8-11, 2008. Proceedings, vo-
lume 5189 of Lecture Notes in Computer Science, pa-
ges 267–282. Springer.
Garcia, F. D., de Koning Gans, G., Muijrers, R., van Ros-
sum, P., Verdult, R., Schreur, R. W., and Jacobs, B.
(2008). Dismantling MIFARE classic. In Jajodia,
S. and L
´
opez, J., editors, Computer Security - ESO-
RICS 2008, 13th European Symposium on Research
in Computer Security, M
´
alaga, Spain, October 6-8,
2008. Proceedings, volume 5283 of Lecture Notes in
Computer Science, pages 97–114. Springer.
Garcia, F. D., van Rossum, P., Verdult, R., and Schreur,
R. W. (2009). Wirelessly pickpocketing a mifare clas-
sic card. In 30th IEEE Symposium on Security and
Privacy (S&P 2009), 17-20 May 2009, Oakland, Ca-
lifornia, USA, pages 3–15. IEEE Computer Society.
Meijer, C. and Verdult, R. (2015). Ciphertext-only crypta-
nalysis on hardened mifare classic cards. In Ray, I., Li,
N., and Kruegel, C., editors, Proceedings of the 22nd
ACM SIGSAC Conference on Computer and Commu-
nications Security, Denver, CO, USA, October 12-6,
2015, pages 18–30. ACM.
Nohl, K., Evans, D., Starbug, and Pl
¨
otz, H. (2008). Reverse-
engineering a cryptographic RFID tag. In van Oor-
schot, P. C., editor, Proceedings of the 17th USE-
NIX Security Symposium, July 28-August 1, 2008, San
Jose, CA, USA, pages 185–194. USENIX Association.
ICISSP 2017 - 3rd International Conference on Information Systems Security and Privacy
528