zbMATH — the first resource for mathematics

A practical attack on patched MIFARE Classic. (English) Zbl 1347.94028
Lin, Dongdai (ed.) et al., Information security and cryptology. 9th international conference, Inscrypt 2013, Guangzhou, China, November 27–30, 2013. Revised selected papers. Cham: Springer (ISBN 978-3-319-12086-7/pbk; 978-3-319-12087-4/ebook). Lecture Notes in Computer Science 8567, 150-164 (2014).
Summary: MIFARE Classic is the world’s most widely deployed RFID (radio-frequency identification) technology. It was claimed to be cryptographically protected by the proprietary Crypto-1 stream cipher. However, it proved inadequate after weaknesses in the design and implementation of Crypto-1 and MIFARE Classic started surfacing since late 2007. Some operators of MIFARE Classic-based systems reacted by upgrading to more secure alternatives such as MIFARE DESFire. However, many (especially in Asia) opted to “patch” MIFARE Classic instead. Their risk analysis might have gone as follows: “The most serious threat comes from efficient card-only attacks, where the attacker only needs an off-the-shelf reader and a PC to tamper a target tag. All efficient card-only attacks depend on certain implementation flaws. Ergo, if we just fix these flaws, we can stop the most serious attacks without an expensive infrastructure upgrade.”. One such prominent case is “EasyCard 2.0”, today accepted in Taiwan as a means of electronic payment not only in public transportation but also in convenient stores, drug stores, eateries, cafes, supermarkets, book stores, movie theatres, etc. Obviously, the whole “patching” approach is questionable because Crypto-1 is fundamentally a weak cipher. In support of the proposition, we present a new card-only attack based on state-of-the-art algebraic differential cryptanalytic techniques. Still using the same cheap reader as previous attacks, it takes 2-15 min of computation on a PC to recover a secret key of EasyCard 2.0 after 10-20 h of data collection. We hope the new attack makes our point sufficiently clear, and we urge that all MIFARE-Classic operators with important transactions such as electronic payment upgrade their systems to the more secure alternatives soon.
For the entire collection see [Zbl 1319.94005].
94A60 Cryptography
Full Text: DOI