Breaking Hitag 2 Revisited
Many Radio Frequency IDentification (RFID) applications such as car immobilizers and access control systems make use of the proprietary stream cipher Hitag 2 from the company NXP. Previous analysis has shown that the cipher is vulnerable to different attacks due to the low complexity of the cipher and its short 48-bit secret key. However, all these attacks either rely on expensive reconfigurable hardware, namely the Field Programmable Gate Array (FPGA) cluster COPACOBANA, or are impractical. In this paper we develop the first bit-sliced OpenCL implementation for the exhaustive key search of Hitag 2 that runs on off-the-shelf hardware. Our implementation is able to reveal the secret key of a Hitag 2 transponder in less than 11 hours on a single Tesla C2050 card in the worst case. The speed of our approach can be further improved due to its scalability, i.e., we estimate a speed of less than one hour on a heterogeneous platform cluster consisting of CPUs and GPUs that can be realized with a budget of less than 5,000 €. This result enables anyone to obtain the secret key with only two sniffed communications in shorter time and with significantly less cost compared to systems such as the COPACOBANA.
KeywordsBrute-force Attacks HITAG2 GPU Cryptanalysis OpenCL
Unable to display preview. Download preview PDF.
- 1.Agosta, G., Barenghi, A., De Santis, F., Pelosi, G.: Record Setting Software Implementation of DES using CUDA. In: Proceedings of the 2010 Seventh International Conference on Information Technology: New Generations, ITNG 2010, pp. 748–755. IEEE Computer Society, Washington, DC (2010)CrossRefGoogle Scholar
- 2.Bachani, R.: Time-memory-data cryptanalysis of the HiTag2 stream cipher. Master’s thesis, Technical University of Denmark (2008), http://code.google.com/p/cryptanalysis-of-hitag2/
- 3.Biham, E.: A Fast New DES Implementation in Software, pp. 260–272. Springer (1997)Google Scholar
- 4.Bogdanov, A., Paar, C.: On the Security and Efficiency of Real-World Lightweight Authentication Protocols (2008)Google Scholar
- 5.Courtois, N.T., O’Neil, S.: FSE Rump Session – Hitag 2 Cipher (2008), http://fse2008rump.cr.yp.to/00564f75b2f39604dc204d838da01e7a.pdf (August 30, 2012)
- 7.Henryk Plötz, K.N.: Breaking Hitag 2 (August 2009), https://har2009.org/program/attachments/113_breaking_hitag2_part1_hardware.pdf
- 8.NXP. HITAG 2 transponder IC, http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/hitag/series/HITAG_2_TRANSPONDER_IC.html#overview (August 30, 2012)
- 9.NXP. HT2 Transponder Family Communication Protocol – Revision 2.1, http://www.proxmark.org/files/index.php?dir=Documents%2F125+kHz+-+Hitag%2F&download=HT2protocol.pdf (August 30, 2012)
- 10.SILCA. Die neueste Silca Transponder Technologie, http://www.silca.de/media/112090/v4/File/silca-id46-solution-rw4.pdf (August 30, 2012)
- 11.Soos, M.: Cracking Industrial Ciphers at a Whim (April 2011), http://50-56-189-184.static.cloud-ips.com/wordpress/wp-content/uploads/2011/04/hes2011.pdf (August 30, 2012)
- 12.Stembera, P.: Cryptanalysis of Hitag-2 Cipher. Master’s thesis, Czech Technical University in Prague (2011), https://dip.felk.cvut.cz/browse/pdfcache/stembpe1_2011dipl.pdf (August 30, 2012)
- 13.Unknown. Hitag2 Stream Cipher C Implementation and Graphical Description (2006-2007), http://cryptolib.com/ciphers/hitag2/ (June 14, 2012)