Security Flaw in Mifare Classic

The Mifare team of the Digital Security Group of the Radboud University Nijmegen. Standing from left to right: Flavio Garcia, Wouter Teepe, Peter van Rossum, Bart Jacobs, Vinesh Kali. Sitting from left to right: Ruben Muijrers. Roel Verdult, Gerhard de Koning Gans, Ravindra Kali. Not on the photograph: Jaap-Henk Hoepman, Ronny Wichers Schreur.

A video demonstration of an attack on an access control system (our own, in fact!)

The special hardware used in our research

Introduction

On March 7, 2008, research by the Digital Security group has revealed a security vulnerability in Mifare Classic RFID chips, the most commonly used type of RFID chip worldwide, that affects many applications using Mifare Classic.

We have demonstrated that the proprietary CRYPTO1 encryption algorithm used on these cards allows the (48 bit) cryptographic keys to be relatively easily retrieved. Especially for RFID applications where the same common shared key is used on all RFID cards and card readers, which may be the case for instance in access control to buildings, this constitutes a serious risk, as explained in our press release.

This attack recovers the secret key from the MIFARE reader. To mount the attack we first need to gather a tiny amount of data from a genuine reader. With this data we can compute, off-line, the secret key within a second. There is no precomputation required, and only a small amount of RAM. Moreover, when one has an intercepted a "trace" of the communication between a card and a reader, we can compute all the cryptographic keys from this single trace, and decrypt it. We have implemented and executed these attack in practice, and managed to recover the secret keys.

The movie on the right shows a demonstration of the attack on the access control system for our university building.

The research was presented at the Esorics 2008 conference. The manufacturer of the Mifare Classic, NXP, has tried to obtain a court injunction against publication. But the judge ruled against NXP on July 18, see the university press release (English and Dutch) and the court ruling (in Dutch only).

Results

NEW The main paper is the ESORICS paper, which describes the cryptographic weaknesses of CRYPTO1, and the process of reverse engineering CRYPTO1 and its initialisation.

NEW The manuscript "Making the Best of Mifare Classic" contains countermeasures which can help to prevent state restoration attacks (updated on December 11, 2008).

NEW The paper "In sneltreinvaart je privacy kwijt" (in Dutch) gives an analysis of the privacy protection that the current Dutch OV-chipkaart offers. This will appear in Privacy & Informatie.

The CARDIS paper contains earlier results on the Mifare Classic, in particular the first practical attack, which exploits the malleability of the stream cipher, and the reverse engineered command set of the Mifare Classic.

The Master's thesis of Gerhard de Koning Gans is the work on which the CARDIS paper is based. Moreover, the process of programming the Proxmark3 is described in this thesis.

The Master's thesis of Roel Verdult describes a cloning attack on the Mifare Ultralight, which is the little sister of the Mifare Classic, and which has no encryption on board. Moreover, it describes the Ghost emulator device, which has been essential in the process of reverse eningeering CRYPTO1.

The report "Proof of concept, cloning the OV-Chip card" describes the practical execution of a cloning attack of the Mifare Ultralight in a non-technical manner.

Two German researchers, Karsten Nohl and Henryk Plötz have also been reverse engineering the CRYPTO1 algorithm. Their presentation at CCC is available online and contributed to our understanding of CRYPTO1.

Kerckhoffs' principle

All this demonstrates, once again, the dangers of relying on 'security by obscurity', keeping the design of a system secret and relying on this to keep the system secure. As all experts in the field agree, a better approach is the Kerckhoffs' principle: making the design of a system public so that it can be openly evaluated and scrutinised by experts, and only relying on the secrecy of the cryptographic keys for the security. The principle is named after the Dutch cryptographer Auguste Kerckhoffs, who first published this idea in 1833. Our Computer Security Master track is named after him.

Dutch public transport cards (the 'OV-chipkaart')

Mifare Classic and Mifare Ultralight chips are used in the RFID cards for public transport that are being introduced in the Netherlands, the 'Ov-chipkaart'. We have been able to demonstrate that both cards are subject to manipulation. The London Oyster card is very similar to the OV-chipkaart, and indeed vulnerable to the same attacks.

We have started a wiki on the use of RFID for mass public transport, not only to collect information on technical and privacy issues of the existing Dutch system - without the media hype and the associated inaccurate claims -, but also to collect ideas about better ways to design such systems, in an open and transparent fashion.

Press Releases

Our own press release in English and in Dutch.
Erratum: the Hong Kong subway does not use Mifare, as we claimed in our press release
Statement by the Dutch Minister of internal affairs (in Dutch).
NXP's information for end users of Mifare Classic chips and systems integrators.