Jefferson's Wheel

Chris Soghoian has a new article, Hackers target Facebook apps, March 27, 2008, that follows up his earlier article about Adrienne Felt’s analysis of privacy issues for the Facebook platform. Unsurprisingly, many Facebook applications are written without basic security protections; since they have access to private user data, flawed (but not intentionally malicious) Facebook applications can be exploited to compromise other user accounts.

The SecureIDNews podcast has an interview with Karsten Nohl about the Mifare cryptanalysis, as well representatives from NXP and the Smart Card Alliance: Episode 8: Interview with Mifare hacker Karsten Nohl, SecureIDNews Podcast, 2 April 2008.

Karsten Nohl is presenting talks this week in Vancouver:

Proprietary RFID Systems (with Jan “starbug” Krissler) at CanSecWest, Vancouver, Thursday, March 27.

and Seattle (at the University of Washington):

The (Im)possibility of Hardware Obfuscation, Monday, March 31

Here is the abstract for the talk at UW:

We will discuss several different approaches to reverse-engineering proprietary algorithms from hardware. The focus will be on a mostly automated approach I developed to reconstructing functionality by using a combination of image analysis of circuits and protocol analysis. The cryptography my approach finds on a widely deployed “secure” RFID token has several vulnerabilities including weaknesses in the random number generator and very low resistance against brute-force attacks. I will further raise the question of how small cryptography can be implemented and present our design for a small hash function that reuses circuitry already found on RFID tags.

(I believe the talk is open to the general public, but if you are interested in attending from outside the UW community, check with Evan Welbourne.)

The movie ’21′, about the MIT Blackjack Team opens next Friday, March 28. From the preview press, it sounds like this may be a cinematic breakthrough of Gaussian proportions!

MIT’s student newspaper has an interview with Ben Mezrich (author of Bringing Down the House on which the movie is based) and Jeffrey Ma (on whom one of the characters in the film is based):
MIT, Vegas, Hollywood, The Tech, March 14, 2008.

Sony’s official movie site: http://www.sonypictures.com/movies/21/.

This article in Computer World provides an excellent detailed description of how the Mifare reverse-engineering was done:
How they hacked it: The MiFare RFID crack explained, by Geetal Dayal, ComputerWorld, 19 March 2008. (It follows an earlier ComputerWorld article.)

From Trend Micro’s Malware Blog: Hacked RFIDs Render Smart Cards Less Smarter [sic]:

Falling into the wrong hands, this security loophole can be and will surely be used in high profile heists and break-ins, seemingly straight from a James Bond movie.

Our paper on supporting untrusted content in aggregated web pages is now available:

• Adrienne Felt, Pieter Hooimeijer, David Evans, Westley Weimer. Talking to Strangers Without Taking Their Candy: Isolating Proxied Content. First International Workshop on Social Network Systems, Glasgow, Scotland, April 2008. (PDF, 6 pages)

Adrienne Felt will present the paper in Glasgow in April 1.

Abstract
Social networks are increasingly supporting external content integration with platforms such as OpenSocial and the Facebook API. These platforms let users embed third-party applications in their profiles and are a popular example of a mashup. Content integration is often accomplished by proxying the third-party content or importing third-party scripts. However, these methods introduce serious risks of user impersonation and data exposure. Modern browsers provide no mechanism to differentiate between trusted and untrusted embedded content. As a result, content providers are forced to trust third-party scripts or ensure user safety by means of server-side code sanitization. We demonstrate the difficulties of server-side code filtering — and the ramifications of its failure — with an example from the Facebook Platform. We then propose browser modifications that would distinguish between trusted and untrusted content and enforce their separation.

Full Paper

NXP has released two statments about Mifare security: Information for end users and Information for system integrators.

The statements appear to be nearly identical. The excerpt below is from the statement for end users:

In December 2007 a group of researchers at the 24th Chaos Computer Club in Berlin claimed that they reverse engineered a MIFARE Classic chip and partially discovered the encryption algorithm of the chip. At the same time, they stated that they were not yet able to recover any keys from the chip.

NXP has come to the conclusion that two research groups have by now retrieved the algorithm and developed attacks which can be done with faster means of breaking keys than brute force. Although we are trying to prevent this, there is a risk of the full algorithm becoming publicly known and we feel it is appropriate to inform you about the potential consequences and necessary measures to be taken to minimize the impact of such eventuality for your system infrastructure.

Although we trust that you have worked with a system integrator who has implemented in your systems effective mechanisms to detect fraudulent cards (which we understand is possible in a number of ways), we want to inform you that we are investigating scenarios how MIFARE Classic systems can be protected Mindful of the above, we ask you to contact your system integrator to assess whether your systems would need any additional security measures.

It is our assessment that for transport ticketing installations, end-to-end security systems can be designed with the MIFARE Classic chip such that the residual risk of fraud not being detected in time can be drastically reduced. Whether or not those scenarios are acceptable in your risk assessment depends on the assets to be protected which only you and your system integrator can determine.

End to end measures should also be applied for access management infrastructures, which are often complemented by additional measures e.g. camera surveillance, security personnel, etc. when valuable assets need to be protected. We recommend that your assessment of the impact of the recent and expected developments takes into account the particular way that the system is implemented and used, its relation to other protection in place, and specifically whether there is a need to prevent unauthorized single time access or access during a limited period of time.
…

RFID Journal has an article about NXP’s new Mifare Plus chip, which supports AES encryption and is backward-compatible with the Mifare Classic:
NXP Announces New, More Secure Chip for Transport, Access Cards by Mary Catherine O’Connor, 14 March 2008.

This is an interesting development, but its not clear to me exactly what “backward-compatible” means: readers need to be upgraded to interact with the new tags. According to the article,

An RFID interrogator can employ the AES encryption deployed on the Mifare Plus chip to authenticate that chip before accepting its data and triggering a function, such as opening a locked door or allowing a commuter to pass through a transit turnstile. A number of additional security features, through the support of secure random identifiers, can prevent individuals from being identified and tracked by nefarious parties with RFID readers, NXP reports.

The chip’s encryption scheme uses a 128-bit key, whereas the Mifare Classic’s security algorithm employs a 48-bit key. The larger an encryption key, the longer it will take hackers to determine the key through reverse engineering.

NXP declines to reveal pricing for the Mifare Plus chip, but a chip’s price generally increases in step with its security features, so it will most likely cost more than the Classic chip. NXP says it will continue to manufacture and sell the Mifare Classic chip. Compared with other chips in the Mifare product family, the Classic supports the fewest security features. According to Manuel Albers, NXP’s director of regional marketing in the Americas, the Plus is more secure than the Classic but less secure than the Mifare DESfire chip, which uses a very robust data protection scheme called triple-DES.

Note: the comment that, “The larger an encryption key, the longer it will take hackers to determine the key through reverse engineering.” isn’t quite technically correct. If the key is larger, the time required to do a brute force key search is longer (it scales exponentially with the key size). The time to reverse engineer the algorithm scales with the complexity of the logic. The key size gives some minimum size for this complexity, and ciphers with longer keys are likely to have more complex logic, but this is not necessarily the case.

Our paper on using data diversity in a redundant execution framework is now available:

• Anh Nguyen-Tuong, David Evans, John C. Knight, Benjamin Cox, Jack W. Davidson. Security through Redundant Data Diversity. 38^th IEEE/IFPF International Conference on Dependable Systems and Networks, Anchorage, Alaska, June 2008. (PDF, 10 pages; Abstract)

Anh Nguyen-Tuong will present the paper in Anchorage at the DSN conference in June.

This paper builds on our pervious work on N-Variant Systems. It includes the earliest systems-related technical related work in any paper I’ve been involved in, and I doubt we’ll be able to get an earlier one anytime soon. It turns out efforts Nevil Maskelyne led back in the 1700s to compute astronomical tables is closely related to the techniques we describe in this paper.