Abstract: This article describes the possible attacks on SHA-1 devices, and how to use the characteristics of SHA-1 devices or recommended solutions to prevent possible attacks, and explains the security of 1-Wire® and iButton® SHA-1 devices . For various types of service applications (including access control and e-wallets), 1-Wire device data and hardware authentication are key. The 1-Wire / iButton SHA-1 device is a mobile token that can generate a message authentication code (MAC) based on a random challenge using a hash algorithm with perfect encryption performance, so it is an ideal choice for the aforementioned service applications.
Introduction Before reading this article, please review White Paper 8: 1-Wire SHA-1 Overview. This article also introduces some 1-Wire SHA-1 devices as electronic payment (eCash) tokens.
This article describes the possible attacks on 1-Wire devices and how to use 1-Wire devices' own features or recommended solutions to prevent possible attacks (for clarity, specific terms, commands, or codes are in italics). For a glossary of terms, see White Paper 4: Glossary of 1-Wire SHA-1 Terms. What is an attack? An attack is all malicious destruction and intent to deceive the system. The motivation varies according to the different services provided. In electronic payment systems (such as vending machines), the motivation may be free snacks. If the attack is aimed at the access control of a top secret laboratory, the motivation may be completely different. The following attack methods are roughly arranged from simple to difficult. All of these attacks assume that the attacker has access to a legitimate user token (ie, part of the service), which means that the correct authentication password is set and the data in the device is legal. Copy attacks Copy attacks are achieved by copying legitimate service data from one device (which is part of the service) to another device (maybe or may not be part of the service). If the correct authentication password is installed, the device is part of the service. The purpose of this attack is to obtain one legal token and generate another based on it, thus generating two legal tokens. In this way, attributes such as identity or currency value (eCash) can be copied to another device, thereby creating more currency or gaining access rights that were not previously available.
| condition | Device | Ways to defend against attacks |
| The target device is not part of the system (the authentication password is incorrect). | DS1963S, DS1961S, DS2432, DS28E01 | Since the authentication password of the target device is not set to the correct value, no matter what data, the device will not be accepted by the service. |
| The target device is part of the system (the authentication password is correct). | DS1963S | The target device will pass the certification test. However, with the help of another MAC code (information authentication code) embedded in the service data, that is, the MAC (service data signature) uses the token's ROM ID as part of the SHA-1 calculation, it will be different due to the target device. ROM ID, so the data will be considered invalid and the device will be rejected. |
| The target device is part of the system (the authentication password is correct). | DS1961S, DS2432, DS28E01 | The correct MAC is required when writing data to the target device. Since the attacker does not know the password, it is impossible to write data to the device. |
Recurring attack The repetitive attacker uses the method of copying legitimate devices to generate service data to carry out the attack. The attacker then runs out of eCash or other application areas. Then copy the saved data back to the device. In this way, the original data is reproduced.
| condition | Device | Ways to defend against attacks |
| no | DS1963S | Each page used to store secure data has a read-only, acyclic counter for the number of page writes. When the device still generates the authentication MAC with the correct password, another MAC (service data signature) nested in the service data will be invalid. The MAC includes the count value of the number of written pages and the number of pages where it is located. Writing the original data back to this page or other pages will be invalid. Even if the same data is rewritten, it will be invalid, because the page write counter will increase. |
| no | DS1961S, DS2432, DS28E01 | The target device has a write protection feature and requires the correct MAC when copying data to it. Since the attacker does not know the password, it is impossible to copy data to the device. |
Eavesdropping attacks Eavesdropping attacks are a technique of monitoring 1-Wire communications to reveal passwords or repeating patterns that can be copied.
| condition | Device | Ways to defend against attacks |
| Monitor and record 1-Wire communications in legal transactions. | DS1963S, DS1961S, DS2432, DS28E01 | When the authentication device verifies whether it is part of the service, the MAC calculation includes a random challenge mechanism. This random value (salt) greatly changes the flow of 1-Wire communication during each transaction. In addition, in addition to installing the password in a protected environment, the password will never appear on the 1-Wire bus. |
ABA attack The ABA attack attempts to make two different currency SCUs (service control units) interfere with each other to deceive them to provide more products and then compensate. This ABA attack first gives the token to the first SCU "A". Then remove it before paying the cash, but it should be close enough to the end to make the SCU think it is complete but not certified. This can be achieved by monitoring 1-Wire communication and can stop the process at an appropriate time. Then SCU "A" will wait for the token to be re-introduced to verify the integrity of the payment. The token is then provided to another SCU "B" to complete a complete cash payment process and generate products. The token then returns to the first SCU "A", proving that the transaction is complete. This will make "A" mistakenly think it has completed the cash payment and provide the product again. In this way, two products were obtained with only one payment.
| condition | Device | Ways to defend against attacks |
| The transaction on SCU "A" must be terminated within a limited time. | DS1963S, DS1961S, DS2432, DS28E01 | The random value called the transaction ID is part of the service data and it makes each payment event unique. When returning to SCU "A" to verify whether the payment is completed, the action will fail due to the incorrect transaction ID. |
The simulation attack uses a microprocessor to simulate a 1-Wire token. The emulator must be fast enough to achieve a 1-Wire master response speed close to the actual device. As shown below, as long as the attacker does not know the authentication password, there is no danger. Using the ROM ID as part of the key calculation allows the device to have a unique authentication password (unique authentication password), which can further reduce system risk.
| condition | Device | Ways to defend against attacks |
| The authentication password is unknown. | DS1963S, DS1961S, DS2432, DS28E01 | Analog devices cannot generate the correct MAC for a given challenge. Therefore it will not be accepted as part of the service. |
| The authentication password is known. | DS1963S, DS1961S, DS2432, DS28E01 | no
Communicate with SHA devices at the fastest data rate possible. The 1-Wire master (SCU) hopes to complete the SHA calculation within 1ms to 2ms. This makes it very difficult to build such simulators.
Never expose the authentication password. |
Brute force attack (MAC) Brute force attack is to exhaust all possibilities to get the desired result. The MAC of this attack is different, including enumerating all challenge response pairs, and keeping the results in the database for the simulator to use. This requires access to legal 1-Wire devices that are part of the service. The random challenge is three bytes long (DS28E01 is five bytes long), and the number of possible challenge response pairs exceeds 1.6 million (DS28E01 challenge response pairs are 1.1 × 1012). Since the calculated SHA-1 MAC length is 20 bytes, the data generated by the 3-byte challenge is: 0xFFFFFF (question) × 20 (MAC size) = 335,544,300 bytes (320MB). Thus, a pre-calculated MAC lookup table is generated for use by the simulator.
| condition | Device | Ways to defend against attacks |
| Dynamic data (such as eCash). Whenever a device appears, a new service record with service data signature is generated and written. | DS1963S, DS1961S, DS2432, DS28E01 | After writing the new service record to the token, it must be re-read and authenticated. Authentication of new service records may discover different MACs, and the simulator must also know this. The service record should contain a so-called random transaction ID, so that the emulator cannot predict what the new service record is and thus cannot brute force attack the new MAC. |
| Static data. The data is unchanged and only certified. | DS1963S, DS1961S, DS2432, DS28E01 | After authenticating the static data, write random data to the unused page and start another authentication with that page. The emulator will not know the new MAC. |
Brute force attack (password) Password brute force attack refers to enumerating all possible passwords until the correct MAC is generated. The token as part of the service provides what is the correct MAC. If a password is found, as long as there is a SHA-1 coprocessor that can perform spurious operations within 1 ms, it can be used on the simulator. The password length is eight bytes (FFFFFFFFFFFFFFFF hex). If it takes 1ms to calculate SHA-1 on a fast computer, it would take an estimated 580,000 years to enumerate all passwords.
| condition | Device | Ways to defend against attacks |
| Super computing power and unlimited time. | DS1963S, DS1961S, DS2432, DS38E01 | Each device uses a unique password (unique authentication password), thereby reducing the severity of the problem. This is achieved by using the device's unique ROM ID as part of the data to generate the password. If a password is found, the system will not crash completely. Only devices with that specific ROM ID can be simulated. Blacklisting the ROM ID will prevent the attacker from carrying out another brute force attack on other devices. |
Microprobe physical attack (password) Physical attack is an attack that attempts to probe the internal silicon chip to read the unique authentication password. This is difficult to achieve. Compared with EEPROM devices, NV RAM devices (DS1963S) are more difficult. The iButton version of the 1-Wire SHA-1 device also adds a protective layer to protect it from probe attacks with its packaging. The silicon wafer is protected in a stainless steel casing. If the battery in the DS1963S is removed, the internal password will be cleared even for a short period of time. During a brute force attack, if a password is found, it can be used on the emulator to obtain information about the behavior of legitimate devices in the service. The simulated device can then be used to reproduce the original data (such as eCash). The conditions and partial solutions for this attack are the same as the brute force password attack described above. The host / SCU attack (password) probes the authenticated 1-Wire SCU to obtain the host authentication password and host signature password.
| condition | Device | Ways to defend against attacks |
| You must have physical access to the SCU. | no | Can guarantee the safety of SCU. For example, use a secure microprocessor that does not allow firmware reading, such as the DS5002. |
| You must have physical access to the SCU. | DS1963S as a coprocessor | The ideal solution is to use the DS1963S as a "coprocessor" for device authentication and data confirmation in the SCU. Password security can be guaranteed during detection. However, if the padding data (original signature) is known, the coprocessor can be used to generate a legitimate service data signature. |
Competitor attack Competitor attack is an attack that attempts to damage the system's reputation by intentionally destroying data.
| condition | Device | Ways to defend against attacks |
| The token must be provided to a malicious attacker. | DS1963S | All data that invalidates the token can be rewritten. However, the write password operation can be detected by checking the counter of the number of write pages associated with it. If the device is reloaded with the correct data and password, it can be reused. |
| The token must be provided to a malicious attacker. | DS1961S, DS2432, DS28E01 | The target device has protection features and requires the correct MAC when writing data to user memory. Since the attacker does not know the password, it is impossible to write to the device. The target device also has a write protection mechanism for passwords. To prevent an attacker from rewriting the password, this feature must be enabled. |
Conclusion Data and hardware authentication are the key to various service applications (including access control and electronic money). Mobile tokens can generate information authentication codes (MAC) based on random challenges and use spurs with good encryption performance, which is ideal for the above applications. Dallas Semiconductor's 1-Wire SHA-1 device provides an economical and rugged solution.
Gmaii pos guarantees your business the lowest integrated payment processing rate, customized to match your transaction volume.
More Ways to Bring In Money
Our register = your secret weapon. Zip through transactions and easily accept all payment types, including Apple Pay and EMV chip cards.
Cherry-Pick Your Retail POS Setup
Whatever POS hardware your retail business needs, we've got you. We'll even walk you through the hardware selection process.
Grow on Your Own Terms
You do you. As your business grows Gmaii pos`s retail store software is designed to help you pivot with advanced features.
Retailer Accepts Credit Card Payment with POS System
Master Work-Life Balance
Whether you're running errands, on vacation, or simply away from your retail location, you're going to love how easy it is to keep an eye on your business with the Gmaii pos Pocket Appâ„¢.
Simplify Your Day, Every Day
Breathe a sigh of relief. Manual managing of those pesky day-to-day tasks, like counting inventory and exporting data for accounting, is a thing of the past.
Bye Bye Long Lines
Gmaii pos's Tablet Pos System empowers you to strategically place staff throughout the store, minimizing long wait times during peak business hours.
Peace of Mind. All Day, Every Day.
There's no two ways about it: Customer Care should be 24/7/365. Gmaii pos's award-winning support will be here if you need us.
Gmaii pos's Powerful Register Makes Payments Painless
Gmaii pos's smart, modern register, is built for speed and efficiency. From ringing up items to tracking customers and beyond, increasing productivity with the Gmaii pos cash register is always a couple of button taps away, like it should be!
Pos Software for Retail Shops
Transactions
Customize your Gmaii pos register layout the way you want for maximum transaction speed. Plus, never miss a sale again with offline credit card payments.
Retail Pos System
Restaurant Pos System,Cheap Pos System ,Pos System Retail,Cheap Pos System
Shenzhen Gmaii Technology Limited , https://www.gmaiipos.com