Archive for the 'RFID' Category

SecureID Podcast: Interviews with Nohl and NXP

Wednesday, March 26th, 2008

The SecureIDNews podcast has an interview with Karsten Nohl about the Mifare cryptanalysis, as well representatives from NXP and the Smart Card Alliance: Episode 8: Interview with Mifare hacker Karsten Nohl, SecureIDNews Podcast, 2 April 2008.

Talks on Hardware Security

Tuesday, March 25th, 2008

Karsten Nohl is presenting talks this week in Vancouver:

Proprietary RFID Systems (with Jan “starbug” Krissler) at CanSecWest, Vancouver, Thursday, March 27.

and Seattle (at the University of Washington):

The (Im)possibility of Hardware Obfuscation, Monday, March 31

Here is the abstract for the talk at UW:

We will discuss several different approaches to reverse-engineering proprietary algorithms from hardware. The focus will be on a mostly automated approach I developed to reconstructing functionality by using a combination of image analysis of circuits and protocol analysis. The cryptography my approach finds on a widely deployed “secure” RFID token has several vulnerabilities including weaknesses in the random number generator and very low resistance against brute-force attacks. I will further raise the question of how small cryptography can be implemented and present our design for a small hash function that reuses circuitry already found on RFID tags.

(I believe the talk is open to the general public, but if you are interested in attending from outside the UW community, check with Evan Welbourne.)

How they hacked it: The MiFare RFID crack explained

Thursday, March 20th, 2008

This article in Computer World provides an excellent detailed description of how the Mifare reverse-engineering was done:
How they hacked it: The MiFare RFID crack explained, by Geetal Dayal, ComputerWorld, 19 March 2008. (It follows an earlier ComputerWorld article.)

Hacked RFIDs Render Smart Cards Less Smarter

Wednesday, March 19th, 2008

From Trend Micro’s Malware Blog: Hacked RFIDs Render Smart Cards Less Smarter [sic]:

Falling into the wrong hands, this security loophole can be and will surely be used in high profile heists and break-ins, seemingly straight from a James Bond movie.

NXP Statements

Monday, March 17th, 2008

NXP has released two statments about Mifare security: Information for end users and Information for system integrators.

The statements appear to be nearly identical. The excerpt below is from the statement for end users:

In December 2007 a group of researchers at the 24th Chaos Computer Club in Berlin claimed that they reverse engineered a MIFARE Classic chip and partially discovered the encryption algorithm of the chip. At the same time, they stated that they were not yet able to recover any keys from the chip.

NXP has come to the conclusion that two research groups have by now retrieved the algorithm and developed attacks which can be done with faster means of breaking keys than brute force. Although we are trying to prevent this, there is a risk of the full algorithm becoming publicly known and we feel it is appropriate to inform you about the potential consequences and necessary measures to be taken to minimize the impact of such eventuality for your system infrastructure.

Although we trust that you have worked with a system integrator who has implemented in your systems effective mechanisms to detect fraudulent cards (which we understand is possible in a number of ways), we want to inform you that we are investigating scenarios how MIFARE Classic systems can be protected Mindful of the above, we ask you to contact your system integrator to assess whether your systems would need any additional security measures.

It is our assessment that for transport ticketing installations, end-to-end security systems can be designed with the MIFARE Classic chip such that the residual risk of fraud not being detected in time can be drastically reduced. Whether or not those scenarios are acceptable in your risk assessment depends on the assets to be protected which only you and your system integrator can determine.

End to end measures should also be applied for access management infrastructures, which are often complemented by additional measures e.g. camera surveillance, security personnel, etc. when valuable assets need to be protected. We recommend that your assessment of the impact of the recent and expected developments takes into account the particular way that the system is implemented and used, its relation to other protection in place, and specifically whether there is a need to prevent unauthorized single time access or access during a limited period of time.

RFID Journal: NXP Announces New, More Secure Chip for Transport, Access Cards

Monday, March 17th, 2008

RFID Journal has an article about NXP’s new Mifare Plus chip, which supports AES encryption and is backward-compatible with the Mifare Classic:
NXP Announces New, More Secure Chip for Transport, Access Cards by Mary Catherine O’Connor, 14 March 2008.

This is an interesting development, but its not clear to me exactly what “backward-compatible” means: readers need to be upgraded to interact with the new tags. According to the article,

An RFID interrogator can employ the AES encryption deployed on the Mifare Plus chip to authenticate that chip before accepting its data and triggering a function, such as opening a locked door or allowing a commuter to pass through a transit turnstile. A number of additional security features, through the support of secure random identifiers, can prevent individuals from being identified and tracked by nefarious parties with RFID readers, NXP reports.

The chip’s encryption scheme uses a 128-bit key, whereas the Mifare Classic’s security algorithm employs a 48-bit key. The larger an encryption key, the longer it will take hackers to determine the key through reverse engineering.

NXP declines to reveal pricing for the Mifare Plus chip, but a chip’s price generally increases in step with its security features, so it will most likely cost more than the Classic chip. NXP says it will continue to manufacture and sell the Mifare Classic chip. Compared with other chips in the Mifare product family, the Classic supports the fewest security features. According to Manuel Albers, NXP’s director of regional marketing in the Americas, the Plus is more secure than the Classic but less secure than the Mifare DESfire chip, which uses a very robust data protection scheme called triple-DES.

Note: the comment that, “The larger an encryption key, the longer it will take hackers to determine the key through reverse engineering.” isn’t quite technically correct. If the key is larger, the time required to do a brute force key search is longer (it scales exponentially with the key size). The time to reverse engineer the algorithm scales with the complexity of the logic. The key size gives some minimum size for this complexity, and ciphers with longer keys are likely to have more complex logic, but this is not necessarily the case.

Interview: Karsten Nohl – Mifare Classic researcher speaks up

Monday, March 17th, 2008

The Tech Herald has posted an interview with Karsten Nohl: Interview: Karsten Nohl – Mifare Classic researcher speaks up, by Steve Ragan, 14 March 2008.

This follows three earlier articles:

London Tube Smartcard Cracked

Friday, March 14th, 2008

Bruce Schneier’s blog has another post about the Mifare cryptanalysis: London Tube Smartcard Cracked, Schneier on Security, 14 March 2008.

Some other blogs have picked up on this, and there are some comments.

RFID hack could crack open 2 billion smart cards

Friday, March 14th, 2008

This article in ComputerWorld has an excellent account of the Mifare cryptanalysis and its implications: RFID hack could crack open 2 billion smart cards: Analyst: One European government sent armed guards to protect facilities using the card by Sharon Gaudin, Computer World, 14 March 2008.

A student at the University of Virginia has discovered a way to break through the encryption code of RFID chips used in up to 2 billion smart cards used to open doors and board public transportation systems.

Karsten Nohl, a graduate student working with two researchers based in Germany, said the problem lies in what he calls weak encryption in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors. Now that he’s broken the encryption, Nohl said he would only need a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.

And that, according to Ken van Wyk, principal consultant at KRvW Associates, is a big security problem for users of the technology.

“It turns out it’s a pretty huge deal,” said van Wyk. “There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it’s used in sensitive government facilities — and I know for a fact it’s being used in sensitive government facilities.”

The article also includes some interesting comments from a spokesman for NXP Semiconductors.

NXP reacts to our research

Wednesday, March 12th, 2008

NXP, the manufacturer of the smart cards we analyzed recently, announced an improved card that could help with the migration to higher security levels. The Tech Herald has more on this.

The Mifare Plus cards implement secure 128-bit AES as well as the proprietary Crypto-1 cipher (that we have shown to be weak), but allow for the latter to be switched off once all cards have been migrated. Since all readers and cards still have to be replaced, the new cards are not necessarily a better choice than alternative cards. And while the Plus card won’t be seen in the market for another year, other cards with strong cryptography such as DESfire are readily available.

One feature of the Plus card that might be worth the wait is its improved privacy protection. Protecting individuals from being tracked has long been a research interest of ours and we are curious to see how industry solved this challenging problem.