Is the MiFare Classic RFID system blown?
A decisive breakthrough has been made in the cryptanalysis of the Crypto1 encryption algorithm of the MiFare Classic RFID system used in many contactless travel payment systems including the Transport for London Oyster card. According to a newly published report by Nicolas Courtois, Karsten Nohl and Sean O'Neil, the encryption can be cracked in a few seconds on PC hardware, without the laborious precalculation of rainbow tables. The researchers conclude that the security of the algorithm is "close to zero".
Instead of rainbow tables, the new method makes use of a set of polynomial equations, and requires only about 50 bits of data from a single encryption to be captured. Using this small amount of data, the researchers obtained the full 48-bit key in 200 seconds on one 1.66 GHz Centrino CPU. The known vulnerabilities in MiFare Classic's random-number generator, on which previous attacks were based, are not used.
Nohl told heise Security that the necessary data can be obtained merely by passively observing card transactions rather than actively reading the code with a manipulated reader. He pointed out that this can be accomplished over a range of up to one metre. Nohl added that the revised Mifare Plus that is expected for early next year is still vulnerable to the new attack if the readers are not upgraded to the new Plus standard which uses AES encryption.
Last year, together with other CCC boffins, Nohl investigated the MiFare chip at microscopic level, as a result of which they were able to discover the Crypto1 algorithm, which had been kept secret by the manufacturer. Even then it was clear that the system displayed flagrant security flaws.
- Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards, research report by Courtois, Nohl and O'Neil