Serious RFID vulnerability discovered

Here the goal is that two parties prove who they are. This is done by demonstrating that they know some common secret information, a so-called shared secret (cryptographic) key. Both parties, in this case the Mifare card and the card reader, carry out certain operations and then check each other’s results to be sure of whom they are dealing with. Authentication is needed to control access to facilities and buildings, and Mifare cards are commonly used for this purpose. Successful authentication is also a prerequisite to reading or writing part of the memory of the Mifare Classic. The card’s memory is divided into sectors, each protected by two cryptographic keys. Proper key management is a subject in its own right. Roughly speaking, there are two possibilities:

1. All cards and all card readers used for a some application have the same keys for authentication. This is common when cards are used for access control

2. Each card has its own cryptographic keys. To check the keys of a card, the card reader should then first determine which card it is talking to and then look up or calculate the associated key(s). This is called key diversification. It is claimed that this approach is used for the Dutch public transport card.

Now, the Digital Security group found weaknesses in the authentication mechanism of the Mifare Classic. In particular:

1. The working of the CRYPTO1 encryption algorithm has been reverse engineered, and the group developed our own implementation of the algorithm

2. The group found a relatively easy method to retrieve cryptographic keys, which does not rely on expensive equipment

To reverse engineer the CRYPTO1 encryption algorithm the group used flawed authentication attempts. If one does not precisely follow the rules of the prescribed protocol, one can obtain some information about of the way it works. Combining such information is was possible to reconstruct the algorithm. Once the algorithm is known, one can find out the keys that are used by a so-called brute force attack, that is, simply trying all possible keys. In this case the keys are 48 bits long. Trying all the keys then requires around nine hours on advanced equipment, according to the recent TNO report 34643 `Security Analysis of the Dutch OV-chipkaart, published February 26th 2008.

Here too, however, certain flaws in the authentication protocol could be exploited, as the group discovered. This led members of the digital security group to the