Clarifications on Smartcard Work
11 March 2008It’s nice to see our research being cited in so many places. Most of the news coverage is accurate and resonates our call for better security through open designs.
We would still like to clarify a few facts and address some points of critique: The focus of our research was on Mifare Classic RFID tags. While these are by far the most popular contactless smart cards, there are plenty of others that may or may not be secure. Using a proprietary cipher is usually evidence of bad design and only cards with standard ciphers such as 3-DES, AES, and ECC should be considered for security applications.
Our results do not apply to contactless credit cards since these do not encrypt data.
The manufacturer of the Mifare cards has repeatedly claimed that we have only broken one layer of security, which is true when looking at systems as a whole. Cryptography can only ever provide one layer of protection, two of the others being automated fraud detection and law enforcement. Computerized systems tend to rely on the cryptography, however, and are much more vulnerable to attacks once this layer of security is lost.
We believe in the potential of RFIDs to improve security in many domains. The current discussion will hopefully provide guidance in building more open, more secure systems.