Recover Mifare Classic key from authentication trace

Question

I have been given a Mifare Classic authentication trace and was wondering if there are any tools or tutorials I could use to obtain the key?

Start    | End     | Src | Data
---------|---------|-----|--------
0        | 4704    | Rdr | 60 00 f5 7b
6708     | 11380   | Tag | 21 91 c4 03
82240    | 83552   | Rdr | 26
249792   | 250848  | Rdr | 26
252020   | 254388  | Tag | 04 00
333568   | 336032  | Rdr | 93 20
337204   | 343092  | Tag | 45 c7 a6 23 07
446208   | 456672  | Rdr | 93 70 45 c7 a6 23 07 f8 f6
457908   | 461428  | Tag | 88 be 59
1870544  | 1875248 | Rdr | 60 00 f5 7b
1877252  | 1881924 | Tag | be fd 8b 22
1953424  | 1954736 | Rdr | 26
2120208  | 2121264 | Rdr | 26
2122452  | 2124820 | Tag | 04 00
2205152  | 2207616 | Rdr | 93 20
2208788  | 2214676 | Tag | 45 c7 a6 23 07
2317024  | 2327488 | Rdr | 93 70 45 c7 a6 23 07 f8 f6
2328724  | 2332244 | Tag | 88 be 59
2538400  | 2543104 | Rdr | 60 00 f5 7b
2545108  | 2549844 | Tag | b3 38 4c d0
2651552  | 2660864 | Rdr | 55 09 6b fe ec fa ba c2 !crc
2662100  | 2666836 | Tag | a3! bf! 4f 07
17282768 |17287536 | Rdr | ef b6 fc 33 !crc

score 4 · Answer 1 · edited Jun 20 '20 at 09:12

The paper Garcia et al.: Dismantling MIFARE Classic (ESORICS 2008) should give you a good starting point:

"The second and more efficient attack uses a cryptographic weakness of the CRYPTO1 cipher allowing us to recover the internal state of the cipher given a small part of the keystream. To mount this attack, one only needs one or two partial authentication from a reader to recover the secret key within one second, on ordinary hardware. This attack does not require any pre-computation and only needs about 8 MB of memory to be executed.

When an attacker eavesdrops communication between a tag and a reader, the same methods enable us to recover all keys used in the trace and decrypt it. This gives us sufficient information to read a card, clone a card, or restore a card to a previous state. We have successfully executed these attacks against real systems, including the London Oyster Card and the Dutch OV-Chipkaart."

In addition, the CRAPTO1 library (it's based on the above paper and some other discoveries) should give you a starting point on how to implement a tool to recover keys from recorded MIFARE Classic traces.

The interesting parts of this trace are:

  446208 | 456672 | Rdr | 93 70 45 c7 a6 23 07 f8 f6

That's the reader's select command, from which you can get the tag's UID: 45 c7 a6 23.

 1870544 | 1875248 | Rdr | 60 00 f5 7b

That's an authentication command with Key A for sector 0.

 1877252 | 1881924 | Tag | be fd 8b 22

That's the random number sent by the tag in response to the authentication command. THe command is aborted after the tag sent the random number.

 2538400 | 2543104 | Rdr | 60 00 f5 7b

That's an authentication command with Key A for sector 0.

 2545108 | 2549844 | Tag | b3 38 4c d0

That's the random number sent by the tag in response to the authentication command.

 2651552 | 2660864 | Rdr | 55 09 6b fe ec fa ba c2 !crc

That's the reader's random number (enciphered with keystream ks₁) and the reader's response to the tag's challenge (random number) based on the authentication key (enciphered with keystream ks₂).

 2662100 | 2666836 | Tag | a3! bf! 4f 07

That's the tag's response to the reader's challenge (random number) based on the authentication key (enciphered with keystream ks₃).

I wonder if my calculation is correct and the key is 36 ... 41!?

Recover Mifare Classic key from authentication trace

1 Answers1