We have demonstrated that the proprietary CRYPTO1 encryption algorithm used on these cards allows the (48 bit) cryptographic keys to be relatively easily retrieved. Especially for RFID applications where the same common shared key is used on all RFID cards and card readers, which may be the case for instance in access control to buildings, this constitutes a serious risk, as explained in our press release.
This attack recovers the secret key from the MIFARE reader. To mount the attack we first need to gather a tiny amount of data from a genuine reader. With this data we can compute, off-line, the secret key within a second. There is no precomputation required, and only a small amount of RAM. Moreover, when one has an intercepted a "trace" of the communication between a card and a reader, we can compute all the cryptographic keys from this single trace, and decrypt it. We have implemented and executed these attack in practice, and managed to recover the secret keys.
The movie on the right shows a demonstration of the attack on the access control system for our university building.
The research was presented at the Esorics 2008 conference. The manufacturer of the Mifare Classic, NXP, has tried to obtain a court injunction against publication. But the judge ruled against NXP on July 18, see the university press release (English and Dutch) and the court ruling (in Dutch only).
NEW The manuscript "Making the Best of Mifare Classic" contains countermeasures which can help to prevent state restoration attacks (updated on December 11, 2008).
NEW The paper "In sneltreinvaart je privacy kwijt" (in Dutch) gives an analysis of the privacy protection that the current Dutch OV-chipkaart offers. This will appear in Privacy & Informatie.
The CARDIS paper contains earlier results on the Mifare Classic, in particular the first practical attack, which exploits the malleability of the stream cipher, and the reverse engineered command set of the Mifare Classic.
The Master's thesis of Gerhard de Koning Gans is the work on which the CARDIS paper is based. Moreover, the process of programming the Proxmark3 is described in this thesis.
The Master's thesis of Roel Verdult describes a cloning attack on the Mifare Ultralight, which is the little sister of the Mifare Classic, and which has no encryption on board. Moreover, it describes the Ghost emulator device, which has been essential in the process of reverse eningeering CRYPTO1.
The report "Proof of concept, cloning the OV-Chip card" describes the practical execution of a cloning attack of the Mifare Ultralight in a non-technical manner.
Two German researchers, Karsten Nohl and Henryk Plötz have also been reverse engineering the CRYPTO1 algorithm. Their presentation at CCC is available online and contributed to our understanding of CRYPTO1.
We have started a wiki on the use of RFID for mass public transport, not only to collect information on technical and privacy issues of the existing Dutch system - without the media hype and the associated inaccurate claims -, but also to collect ideas about better ways to design such systems, in an open and transparent fashion.