
I am currently playing around with Mifare Classic 1k. And everything I have read about its security is true. So it's not exactly the best thing to use to avoid cloning. But I was wondering, if someone manages to hack one of these cards following an online tutorial, could we stop them from knowing what's on the card itself?

Maybe using some sort of cryptography tool to "hide" the data that's written to the block? For instance, if I want the card to expire on 10/25/2020 11:15:20, I could convert that value to a decimal, i.e. 1603710920 epoch time, and then convert it to a hex value, 5F96AFC8. And then take it a step further and have the first row in the block be encrypted using maybe AES? So even if the card is cloned, the clone would still expire unless the hacker could figure out how to change the expiration date.

1 Answer


If you are reading and writing raw data, you may assign whatever meaning you want.

In fact, an epoch of 1603710920 would probably be stored as bytes "5F 96 AF C8" (or perhaps C8 AF 96 5F, if using a different endianness). However, you could equally store the expiration as the number of seconds since the birth of your first child, or as days since the start of validity. You get to choose the meaning.

Using odd values would probably make it difficult to understand what is there, but would probably not solve the original problem. Let's say you encrypt 5F96AFC8, resulting in 55F1A991. Someone fiddles with the contents of an expired card and, trying to extend it, blindly decides to write 55FF0000. You read the contents and after decryption that decodes to 11/04/2035. So it returns "not expired".

What you probably want instead is authentication, the assurance that the contents of the card have not been tampered with. A really simple way to ensure that would be to include an HMAC of the card contents with a secret value. A more advanced solution could instead use an elliptic curve signature over the contents. The point is that you verify that the signature is valid before trusting any data in the card.

This could be done in addition to encryption, or without using encryption at all (perhaps the contents of the card aren't secret at all, e.g. "Card #1234 belonging to John Smith, expires Oct 26 2020 10:15 UTC").

In any case, you should note that none of those approaches prevents cloning. If you have a card storing "credit", a user could copy its contents, spend some money, then write back the old contents. They don't need to know which field stores the amount or whether it is encrypted. They just know that it reverts back to a card with X credit.

Similarly, John Smith could clone the card of Paula Bean which won't expire for another six months. Being restricted to cloning a full card means that it would be linked to Paula (in case someone would check the name, perhaps John doesn't look like her ☺), but it doesn't stop the potential fraudulent use of a clone.

In any case, for a card holding money, ideally you would verify the credit online (so John cannot change the amount stored on the card, and cloning Paula's card would still empty her credit), or at least it should be reconciled, so that a card with more credit than was inserted into it after deducting the purchases would get automatically banned.

Ángel
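An added, runnable illustration of the two points in the answer above (it is example code written for this page, not code from the asker or the answerer). It packs the question's epoch 1603710920 into the 4-byte big- and little-endian forms quoted in the answer, then contrasts an encryption-only 16-byte block (a hash-derived XOR keystream stands in for an unauthenticated mode such as AES-CTR; the keys, nonce and "current time" are constructed demo values) with a block that carries a truncated HMAC-SHA256 tag. A blind one-byte edit of the encryption-only block decrypts to an expiry decades in the future and is accepted; the same edit on the HMAC block fails verification and is rejected. A verbatim copy of the HMAC block still verifies, which is the answer's point that authentication does not stop cloning.

```python
import hashlib
import hmac
import struct

BLOCK_SIZE = 16  # a Mifare Classic 1k data block holds 16 bytes

# Constructed demo keys. Real keys live in the reader/back end, never on the card.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def expiry_bytes(epoch: int, little_endian: bool = False) -> bytes:
    """4-byte epoch; big-endian by default: 1603710920 -> 5F 96 AF C8."""
    return struct.pack("<I" if little_endian else ">I", epoch)


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for an unauthenticated stream mode such as AES-CTR: a hash-derived
    # keystream XORed onto the data. Fixed nonce, demo only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + b"demo-nonce" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_only_block(expiry_epoch: int) -> bytes:
    """Encryption without integrity: the scheme the question proposes."""
    plain = expiry_bytes(expiry_epoch).ljust(BLOCK_SIZE, b"\x00")
    return bytes(p ^ k for p, k in zip(plain, _keystream(ENC_KEY, BLOCK_SIZE)))


def decrypt_only_expiry(block: bytes) -> int:
    plain = bytes(c ^ k for c, k in zip(block, _keystream(ENC_KEY, BLOCK_SIZE)))
    return struct.unpack(">I", plain[:4])[0]


def accepts_encrypt_only(block: bytes, now_epoch: int) -> bool:
    """Reader that trusts whatever decrypts: True means 'card not expired'."""
    return decrypt_only_expiry(block) > now_epoch


def make_authenticated_block(card_id: int, expiry_epoch: int) -> bytes:
    """card_id(4) || expiry(4) || HMAC-SHA256 over those 8 bytes, truncated to 8."""
    body = struct.pack(">II", card_id, expiry_epoch)
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:8]
    return body + tag


def parse_authenticated_block(block: bytes):
    """Return (card_id, expiry) only if the tag verifies; None otherwise."""
    if len(block) != BLOCK_SIZE:
        return None
    body, tag = block[:8], block[8:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">II", body)


def accepts_authenticated(block: bytes, now_epoch: int) -> bool:
    """Verify first, then look at the expiry; tampered blocks never get that far."""
    parsed = parse_authenticated_block(block)
    return parsed is not None and parsed[1] > now_epoch


def flip_first_byte(block: bytes) -> bytes:
    """Blind edit of the first byte (0x80 bit), as someone without the key might try."""
    return bytes([block[0] ^ 0x80]) + block[1:]


if __name__ == "__main__":
    EXPIRY = 1603710920  # the question's epoch: 2020-10-26 11:15:20 UTC
    NOW = 1700000000     # constructed "current time", after the expiry
    enc = encrypt_only_block(EXPIRY)
    print("expired card accepted (encryption only)?", accepts_encrypt_only(enc, NOW))
    print("blindly edited card accepted (encryption only)?",
          accepts_encrypt_only(flip_first_byte(enc), NOW))
    auth = make_authenticated_block(0x1234, EXPIRY)
    print("blindly edited card accepted (HMAC)?", accepts_authenticated(flip_first_byte(auth), NOW))
    print("verbatim clone accepted (HMAC)?",
          parse_authenticated_block(bytes(auth)) == (0x1234, EXPIRY))
```

The 8-byte tag is truncated only so that id, expiry and tag fit one 16-byte block; a real deployment would keep the full tag across a second block, and, as the answer says, would still need an online or reconciled balance to catch a replayed copy.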