http://computerworld.co.nz/news.nsf/scrt/3FF9713E23292846CC25740A0069243E
The Dutch government has issued a warning about the security of access keys that are based on the widely used Mifare Classic RFID chip. The warning comes in a week when two research teams independently demonstrated hacks of the chip's security algorithm. Criminals can use the hack to clone cards that use the Mifare Classic chip, allowing them to create copies of building access keys or commit identity theft. The chip is used in payment systems worldwide, such as the Oyster Card in the UK and the CharlieCard that is used in Boston. Both offer payment systems that allow for wireless transactions. The chip is the basis of a national proof-of-payment system for public transport. A recently published government-issued study by the Netherlands Organisation for Applied Scientific Research dismissed the potential security threat, claiming that hackers would take at least two years to crack the security codes. (The article is short enough it is hard to do fair-use justice.) The cryptanalysis: http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf A March 12th Press Release from Radboud University Nijmegen: http://www2.ru.nl/media/pressrelease.pdf In HTML: http://www.ru.nl/ds/group/ds_group/press_release/ A link to a demo video on Youtube: http://www.ru.nl/ds/group/ds_group/press_release/film/ Run time is 1:55, 4.9 MB and a Flash Video The demo is an attack on a door security system. A recent report stating that it would take at least two years for the cryptographic algorithm to be broken and used casually (From the video I'd say this is optomistic by almost two years): http://www.translink.nl/media/bijlagen/nieuws/TNO_ICT_-_Security_Analysis_OV-Chipkaart_-_public_report.pdf A Mifare+ fix for the security weaknesses is announced (Mar 12th): http://www.thetechherald.com/article.php/200811/394 On Monday NXP Semiconductors said they plan to release a new version of the Mifare chip; the chip that has gained fame lately after its security was broken by researchers at U. VA. Dubbed the Mifare Plus, the new chip addresses the exact security problems that its predecessor the Mifare Classic faced. The new NXP offering is boasting 128-bit encryption over the original 48-bit. The NXP press release: http://www.nxp.com/news/content/file_1418.html There are a couple of things of note. They are seeking EAL-4+ evaluation rating (which Windows 2000 has), it uses AES 128 bit encryption, and it has backward compatibility with the 48 bit encryption, Also the new cards won't be available until Q4. The cost of infrastructure upgrade (equipment cost versus card processing delay) might cause an adoption lag. NXP Semiconductors also claims to lead the car access and immobilzation markets. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
