commit 1a6011733a291d1b12bc3dee59f0f954553578d4 Author: lukas-heiligenbrunner Date: Sat Dec 28 14:34:21 2024 +0100 init diff --git a/main.typ b/main.typ new file mode 100644 index 0000000..34d540c --- /dev/null +++ b/main.typ @@ -0,0 +1,261 @@ +#import "@preview/ichigo:0.1.0": config, prob +#import "@preview/algorithmic:0.1.0" +#import algorithmic: algorithm +#import "@preview/fletcher:0.5.1" as fletcher: diagram, node, edge +#import fletcher.shapes: house, hexagon +#import "@preview/linguify:0.4.1": load_ftl_data, linguify +#import "@preview/subpar:0.1.1" + +#let blob(pos, label, tint: white, ..args) = node( + pos, align(center, label), + width: 26mm, + fill: tint.lighten(60%), + stroke: 1pt + tint.darken(20%), + corner-radius: 5pt, + ..args, +) + +#let g(text) = table.cell( + fill: green.lighten(60%), +)[#text] +#show: config.with( + course-name: "UE Sequence Analysis and Phylogenetics +Exercise 15", + serial-str: "k12104785", + author-info: [ + Lukas Heiligenbrunner + ], + author-names: "Lukas Heiligenbrunner", +) + +#prob[ + What contactless smart cards do you have? Install an NFC card reader application on your phone + and analyze what data they provide about your cards! + For Android, useful applications to analyze your contactless smart cards are, for example, + - NFC TagInfo by NXP by NXP Semiconductors, + - MIFARE Classic Tool by IKARUS Projects (tailored to MIFARE Classic cards; note that brute- + force key mapping using the extended keyset will take a very long time), + - NFC Tools by wakdev (may display misleading/wrong information!), + - NFC Tag Reader by GoNext (mainly useful information about NFC Forum tags), + - my NFC TagInfo app (may no longer be available and does not work on Android 10 and + above), + - or try to find your own favorite app! + Some useful apps for reading specific card types: + - For electronic passports (eMRTD): + - ReadID Me by Inverid creators of ReadID (to read e-passports), + - e-Passport NFC reader by Anton Tananaev, + - For payment cards: + - Credit Card Reader NFC (EMV) by Julien MILLAU (see warning and note below, this app + reveals the data read from a card only after typing the last 4 digits of the card number), + - iso8583.info NFC reader by Aleksandr Shevelev (see warning below, app masks out parts + of the read information with (although full information is read from the card); recent + versions of the app seem to crash when removing the card; otherwise quite useful app), + - NFC Credit Card Reader (EMV) by PaymentWiser (see warning below), + - and there might be other suitable apps specific for your card! + Unfortunately, there is still no (useful) iOS app that can read interesting data from contactless smart + cards (though NFC TagInfo by NXP and NFC Tools are available on App Store). If you don’t have + access to an Android device with NFC, you may analyze the screenshots shown at the end of this + document instead. +][ + I downloaded the NFC TagInfo app by NXP. + + I tried to scan: JKU-student id, e\-card and Mammut membership id. + + = JKU\-student id: + #subpar.grid( + figure(image("rsc/jkucard_01.jpg"), caption: []), , + figure(image("rsc/jkucard_02.jpg"), caption: []), , + figure(image("rsc/jkucard_03.jpg"), caption: []), , + figure(image("rsc/jkucard_04.jpg"), caption: []), , + figure(image("rsc/jkucard_05.jpg"), caption: []), , + figure(image("rsc/jkucard_06.jpg"), caption: []), , + figure(image("rsc/jkucard_07.jpg"), caption: []), , + figure(image("rsc/jkucard_08.jpg"), caption: []), , + figure(image("rsc/jkucard_09.jpg"), caption: []), , + figure(image("rsc/jkucard_10.jpg"), caption: []), , + + + columns: (1fr, 1fr, 1fr, 1fr, 1fr), + caption: [JKU student id], + label: , + ) + + - Is the card a memory smart card or a processor smart card? + - Memory smart card $arrow$ MIFARE Classic EV1: googled and found out that it is a memory smart card. + - What communication protocols are implemented by the card? + - MIFARE Classic + - ISO/IEC 14443-3 Type A : Initialization and anticollision + - ISO/IEC 14443-2 Type A : Radio frequency power and signal interface + - Does the card “speak” APDUs? I.e. does the communication protocol rely on APDUs to inter-face the card? If not, what else? + - No, it does not speak APDUs. + - MIFARE Classic cards use a proprietary protocol to access memory sectors + - Not like cards that follow the ISO/IEC 7816 standard, which rely on APDUs for communication. + - Does the card contain a file system or only a flat memory structure? + - Yes, the card uses a flat memory structure. + - The memory is organized into 16 sectors, each containing 4 blocks (64 total blocks). This arrangement is a flat memory layout. + - What is the anti-collision identifier of your card? Is it static or randomly-generated? + - The UID of the chip is 74:2F:52:44 and is static. + - The "Re-used" and "Non-Unique" hints that the uid is not randomly generated but built in at fab time. + - What chip does the card contain and who is the manufacturer? + - The card contains a MIFARE Classic EV1 chip by NXP Semiconductors. (IC INFO) + - The detailed IC info is MF1S503xX/V1 available on EXTRA Tab. + - If the card is a processor card, can you find out the operating system? What chip model does the card contain? + - N/A $arrow$ not a processor card + - Can any personal or (potentially) sensitive data be read from the card without authentication? + Try specific apps if the generic reader apps don’t reveal any data! Please avoid providing screen- + shots that show actual personal/sensitive data. You don’t need to mention the actual data values in your + report, if you don’t want to. + - Only the first two secors of the card are used + - In the first sector the uid and some card info is publicly available. + - The second secotor is encrypted and might be used for door unlocking. + - Is there any data that can only be accessed with a secret key? Do you have that key? + - Yes the second block is accessible with a secret key + - I tried to get this key for the JKU card somehow but couldn't find any way to get it. + - What other interesting information can you spot? + - TSMC is the manufacturer + + = E-Card + + #subpar.grid( + figure(image("rsc/ecard_01.jpg"), caption: []), , + figure(image("rsc/ecard_02.jpg"), caption: []), , + figure(image("rsc/ecard_03.jpg"), caption: []), , + figure(image("rsc/ecard_04.jpg"), caption: []), , + figure(image("rsc/ecard_05.jpg"), caption: []), , + columns: (1fr, 1fr, 1fr, 1fr), + caption: [ECard], + label: , + ) + + - Is the card a memory smart card or a processor smart card? + - Processor smart card: Since the card supports ISO/IEC 7816-4, which indicates that this card supports command/response queries (ADPUs). + - What communication protocols are implemented by the card? + - ISO/IEC 7816-4 : Organization, security and commands for interchange + - ISO/IEC 14443-3 Type A : Initialization and anticollision + - ISO/IEC 14443-4 Type A : Transmission protocol + - Does the card “speak” APDUs? I.e. does the communication protocol rely on APDUs to inter-face the card? If not, what else? + - Yes, the card speaks APDUs. + - The ISO/IEC 7816-4 standard indicates that the card uses APDUs for communication. + - The android info also reports that extended APDUs are supported. + - Does the card contain a file system or only a flat memory structure? + - The card seems to contain a filesystem + - The extra section reports elements like "Master File," "EF.DIR," and "EF.ATR," which are part of the hierarchical file system structure used in smart cards. + - What is the anti-collision identifier of your card? Is it static or randomly-generated? + - The uid is 08:7D:3A:B3, and it is randomly generated. + - It is explicitly stated "Random ID", so this id is generated after every power-up. + - What chip does the card contain and who is the manufacturer? + - The IC type is unknown, the card reports "Unknown Manufacturer" and "Unknown IC." + - If the card is a processor card, can you find out the operating system? What chip model does the card contain? + - There seems to run an operating system on the card but its hard to figure out which one. + - I couldn't find any hints on further information. + - Can any personal or (potentially) sensitive data be read from the card without authentication? + Try specific apps if the generic reader apps don’t reveal any data! Please avoid providing screen- + shots that show actual personal/sensitive data. You don’t need to mention the actual data values in your + report, if you don’t want to. + - No personal or sensitive data can be read without authentication and I have no way to authenticate to this card. + - Is there any data that can only be accessed with a secret key? Do you have that key? + - Yes there is informations that can only be accessed with a secret key. + - What other interesting information can you spot? + - Multiple DF selection methods are supported. + + = Mammut card + #subpar.grid( + figure(image("rsc/mammut_01.jpg"), caption: []), , + figure(image("rsc/mammut_02.jpg"), caption: []), , + figure(image("rsc/mammut_03.jpg"), caption: []), , + figure(image("rsc/mammut_04.jpg"), caption: []), , + columns: (1fr, 1fr, 1fr, 1fr), + caption: [Mammut key card], + label: , + ) + + - Is the card a memory smart card or a processor smart card? + - Memory smart card $arrow$ MIFARE Ultralight EV1: googled and found out that it is a memory smart card. + - What communication protocols are implemented by the card? + - ISO/IEC 14443-3 + - ISO/IEC 14443-2 (Type A) + - Does the card “speak” APDUs? I.e. does the communication protocol rely on APDUs to inter-face the card? If not, what else? + - No, it does not speak APDUs. + - MIFARE Ultralight cards use a simpler command set + - Does the card contain a file system or only a flat memory structure? + - Yes, the card uses a flat memory structure. + - The memory is organized into 12 pages, each containing 4bytes. + - What is the anti-collision identifier of your card? Is it static or randomly-generated? + - The UID of the chip is 04:3C:1F:42:03:74:85 and is static. + - It can be read on the full-scan page at memory content + - What chip does the card contain and who is the manufacturer? + - The card contains a MIFARE Ultralight EV1 (MF0UL11) chip by NXP Semiconductors. (IC INFO) + - The detailed IC Subtype is 17pF available on EXTRA Tab. + - If the card is a processor card, can you find out the operating system? What chip model does the card contain? + - N/A $arrow$ not a processor card + - Can any personal or (potentially) sensitive data be read from the card without authentication? + Try specific apps if the generic reader apps don’t reveal any data! Please avoid providing screen- + shots that show actual personal/sensitive data. You don’t need to mention the actual data values in your + report, if you don’t want to. + - The full memory content is readable without authentication. + - Somehow a user-id must be stored within the card to identify the user. + - Maybe just the card-id is used for this, I can't read from the memory content anything that looks like a user-id. + - Is there any data that can only be accessed with a secret key? Do you have that key? + - Yes the card has a password-protected area for writing as indicated by the locked sections 12 and 13. + - Access to these sections requires a secret key. (maybe a user id is stored there?) + - What other interesting information can you spot? + - The card has no limit on wrong password attempts (which may be a security consideration?) + - Strong load modulation is disabled which may affect signal strength. + - chips signature is verified with NXPs public key. + +] + +#prob[ + The following trace shows the communication between a smart card reader and a smart card. Lines + beginning with R->C are commands (C-APDUs) sent by the terminal. Lines beginning with C->R + are responses (R-APDUs) by the card. + + ```c + R->C 00A404000E315041592E5359532E444446303100 + C->R 6F46840E315041592E5359532E4444463031A5348801055F2D046465656EBF0C275F540B42594C4144454D313030315F5316444530323132303330303030303030303030303030309000 + R->C 00B2012C00 + C->R 701D611B4F07A0000000031010500B566973612043726564697487010173009000 + R->C 00B2022C00 + C->R 6A83 + R->C 00A4040007A000000003101000 + C->R 6F238407A0000000031010A518500B56697361204372656469745F2D086465656E667265739000 + R->C 80A8000002830000 + C->R 800E5C000801030010010101180103009000 + R->C 00B2010C00 + C->R 701D57134548180123445500D08072010100000000000F9F1401059F23010A9000 + R->C 00B2020C00 + C->R 703E8C159F02069F03069F1A0295055F2A029A039C019F37048D178A029F02069F03069F1A0295055F2A029A039C019F37049F080200849F420209789F4401029000 + R->C 00B2030C00 + C->R 70415F201A524F4C414E442F4D49434841454C2020202020202020202020205F300202019F1F183031303030303030303030303030303030303030303030309F4A01829000 + R->C 00B2011400 + C->R 70485A0845481801234455005F24030807315F280200405F3401008E1000000000000000005E03410342031F009F0702FF009F0D05F060ACA8009F0E0500100000009F0F05F068BCF8009000 + R->C 00B2011C00 + C->R 708183908180A1DAB6962BE6908DE93662C091260D6A6E96C893031D59C99FA569A28A34319E756546A889867E047AFF693E8538B8D3FEE7F1ABEF64340CC31830F42D3D3B4D2528174923207DEBA92A9E02ABC23E7B9A62B0F08F6796402F615881B68059BF813A5AD7B7F753519FD873F344648BBCEF244C69E0670638F832BA8B94A24FFE9000 + R->C 00B2021C00 + C->R 702D8F01019F3201039224E598988DE173C1911BEC0F5F930B423AD7D542CACCC8903F22F87604CCFF5716342A74059000 + R->C 00B2031C00 + C->R 7081839381801522FB9F3ECE609D716CF1BD92A11335F520333BD5B50B0914735D0E2B0FADC26719BB00C9A252894CC3C7B224A04A45EDB8662D0717A93DD3008DE5F5281B2CD354594D894A0A97374A5A57286714E11BA2BB69F5046D6AC7FCF4814E20AA870E64EB35E7DC31FF7610B1FF771EEF529E4F5BB0EBA95CC82BA5CF22CCBF80FB9000 + R->C 0020008008243653FFFFFFFFFF + C->R 63C2 + R->C 0020008008248495FFFFFFFFFF + C->R 63C1 + R->C 0020008008247742FFFFFFFFFF + C->R 9000 + ``` + + Analyze the trace and answer the questions below! Note that you do not need to understand ev- + ery bit and byte. Stick to the inter-industry command set1. Start by analyzing the APDU headers + and trailers (particularly CLA, INS, and SW1-SW2) to match them with commands from the inter- + industry command set. Don’t invest too much time to analyze commands of the proprietary class + (i.e. commands not part of the inter-industry command set). Remember that data on smart cards + is often organized in TLV data structures. A good online tool to decode and analyze ASN.1 TLV + encoded data is https://emvlab.org/tlvutils/. + Your analysis should, in particular, answer the following questions: + + What is going on in the trace? What commands are sent? What data is returned? + + What files/applications are accessed? Can you determine specific application and file IDs? What are these IDs? + + What type of card could this be? + + Is there any potentially privacy-critical data transmitted unencrypted? E.g. personal data, identifying data, account numbers, etc. + + Is there any potentially security-critical data transmitted unencrypted? E.g. a password or PIN, private keys (of cryptographic key pairs), etc. + + Could the data extracted from this trace be abused by an attacker who stole that card? Why? Why not? + + Could the data extracted from this trace be abused by an attacker who does not have physical access to the card? Keep in mind that some online shops only ask for a credit card number (but no verification code) when you pay. Hint: What’s a “PAN”? +][] diff --git a/rsc/ecard_01.jpg b/rsc/ecard_01.jpg new file mode 100644 index 0000000..ed69c69 Binary files /dev/null and b/rsc/ecard_01.jpg differ diff --git a/rsc/ecard_02.jpg b/rsc/ecard_02.jpg new file mode 100644 index 0000000..ff4d553 Binary files /dev/null and b/rsc/ecard_02.jpg differ diff --git a/rsc/ecard_03.jpg b/rsc/ecard_03.jpg new file mode 100644 index 0000000..09fdbfa Binary files /dev/null and b/rsc/ecard_03.jpg differ diff --git a/rsc/ecard_04.jpg b/rsc/ecard_04.jpg new file mode 100644 index 0000000..c824982 Binary files /dev/null and b/rsc/ecard_04.jpg differ diff --git a/rsc/ecard_05.jpg b/rsc/ecard_05.jpg new file mode 100644 index 0000000..9149dd4 Binary files /dev/null and b/rsc/ecard_05.jpg differ diff --git a/rsc/jkucard_01.jpg b/rsc/jkucard_01.jpg new file mode 100644 index 0000000..eb9e66d Binary files /dev/null and b/rsc/jkucard_01.jpg differ diff --git a/rsc/jkucard_02.jpg b/rsc/jkucard_02.jpg new file mode 100644 index 0000000..40865ae Binary files /dev/null and b/rsc/jkucard_02.jpg differ diff --git a/rsc/jkucard_03.jpg b/rsc/jkucard_03.jpg new file mode 100644 index 0000000..62dd4fb Binary files /dev/null and b/rsc/jkucard_03.jpg differ diff --git a/rsc/jkucard_04.jpg b/rsc/jkucard_04.jpg new file mode 100644 index 0000000..6603a4a Binary files /dev/null and b/rsc/jkucard_04.jpg differ diff --git a/rsc/jkucard_05.jpg b/rsc/jkucard_05.jpg new file mode 100644 index 0000000..f969ce3 Binary files /dev/null and b/rsc/jkucard_05.jpg differ diff --git a/rsc/jkucard_06.jpg b/rsc/jkucard_06.jpg new file mode 100644 index 0000000..b779912 Binary files /dev/null and b/rsc/jkucard_06.jpg differ diff --git a/rsc/jkucard_07.jpg b/rsc/jkucard_07.jpg new file mode 100644 index 0000000..978f987 Binary files /dev/null and b/rsc/jkucard_07.jpg differ diff --git a/rsc/jkucard_08.jpg b/rsc/jkucard_08.jpg new file mode 100644 index 0000000..0d434be Binary files /dev/null and b/rsc/jkucard_08.jpg differ diff --git a/rsc/jkucard_09.jpg b/rsc/jkucard_09.jpg new file mode 100644 index 0000000..0ca8440 Binary files /dev/null and b/rsc/jkucard_09.jpg differ diff --git a/rsc/jkucard_10.jpg b/rsc/jkucard_10.jpg new file mode 100644 index 0000000..b23b75f Binary files /dev/null and b/rsc/jkucard_10.jpg differ diff --git a/rsc/mammut_01.jpg b/rsc/mammut_01.jpg new file mode 100644 index 0000000..3b243a0 Binary files /dev/null and b/rsc/mammut_01.jpg differ diff --git a/rsc/mammut_02.jpg b/rsc/mammut_02.jpg new file mode 100644 index 0000000..0398e1e Binary files /dev/null and b/rsc/mammut_02.jpg differ diff --git a/rsc/mammut_03.jpg b/rsc/mammut_03.jpg new file mode 100644 index 0000000..da0ba34 Binary files /dev/null and b/rsc/mammut_03.jpg differ diff --git a/rsc/mammut_04.jpg b/rsc/mammut_04.jpg new file mode 100644 index 0000000..67f556d Binary files /dev/null and b/rsc/mammut_04.jpg differ