Not to defend the designers in any way or fashion, but I'd like to ask, How much security can you put into a plastic card, the size of a credit card, that has to perform its function in a secure manner, all in under 2 seconds (in under 1 second in parts of Asia)? And it has to do this while receiving its power via the electromagnetic field being generated by the reader.

You are raising a very interesting point. The constraints under which
RFIDs and contactless smart-cards need to operate seem to vary widely
depending on the application.

The Mifare Classic cards, for example, authenticate in under 2 ms, but
wouldn't need to be that fast as you point out. Their crypto is also
very small, much smaller even than their flash memory. What good is it,
though, to have a lot of memory that is badly protected?

Last, the power consumption of the Mifare cards is certainly lower than others, which doesn't matter, though, in the near-field where even
micro-processor based designs can operate. This is where contactless
smart-cards and RFIDs get confused often. Only for the latter ones power
consumption is a limiting constraint.

To answer your question directly: Within the limits of Mifare Classic
(48-bit cipher, 16-bit RNG), one can build a 64-bit cipher that
generates 'random' numbers internally. Within the same limits, one could
almost implement TEA which at least has undergone its share of
peer-review. Again: Trading some of the memory for this much higher
level of security would certainly have been worth it.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to