MIFARE - Security of MIFARE Classic

Security of MIFARE Classic

The encryption used by the MIFARE Classic card uses a 48 bit key.

A presentation by Henryk Plötz and Karsten Nohl at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip. Abstract and slides are available online. A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.

In March 2008 the Digital Security research group of the Radboud University Nijmegen made public that they performed a complete reverse-engineering and were able to clone and manipulate the contents of a OV-Chipkaart which is a MIFARE Classic card. For demonstration they used the Proxmark device, a 125 kHz / 13.56 MHz research instrument. The schematics and software are released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.

The Radboud University published three scientific papers concerning the security of the MIFARE Classic:

• A Practical Attack on the MIFARE Classic
• Dismantling MIFARE Classic
• Wirelessly Pickpocketing a Mifare Classic Card

In response to these attacks, the Dutch Minister of the Interior and Kingdom Relations stated that they would investigate whether the introduction of the Dutch Rijkspas could be brought forward from Q4 of 2008.

NXP tried to stop the publication of the second article by requesting a preliminary injunction. However, the injunction was denied, with the court noting that, "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."

Both independent research results are confirmed by the manufacturer NXP. These attacks on the cards didn't stop the further introduction of the card as the only accepted card for all Dutch public transport the OV-chipkaart continued as nothing happened but in October 2011 the company TLS, responsible for the OV-Chipkaart announced that the new version of the card will be better protected against fraud

The MIFARE Classic encryption Crypto-1 can be broken in about 200 seconds on a laptop, if approx. 50 bits of known (or chosen) key stream are available. This attack reveals the key from sniffed transactions under certain (common) circumstances and/or allows an attacker to learn the key by challenging the reader device.

The attack proposed in recovers the secret key in about 40 ms on a laptop. This attack requires just one (partial) authentication attempt with a legitimate reader.

Additionally there are a number of attacks that work directly on a card and without the help of a valid reader device. These attacks have been acknowledged by NXP. In April 2009 new and better card-only attack on MIFARE Classic has been found. It was first announced at the Rump session of Eurocrypt 2009. This attack was presented at SECRYPT 2009. The full description of this latest and fastest attack to date can also be found in the IACR preprint archive. The new attack improves by a factor of more than 10 all previous card-only attacks on MIFARE Classic, has instant running time, and it does not require a costly precomputation. The new attack allows to recover the secret key of any sector of MIFARE Classic card via wireless interaction, within about 300 queries to the card. It can then be combined with the nested authentication attack in the Nijmegen Oakland paper to recover subsequent keys almost instantly. Both attacks combined and with the right hardware equipment such as Proxmark3, one should be able to clone any MIFARE Classic card in not more than 10 seconds. This is much faster than previously thought.