Former Graduate Student
Computer Science Department
University of Virginia
Contact Information
| E-mail: |
|
| PGP: | 0ECC 358C 2595 1058 7861 4400 7DE2 766E 787C 2265 |
| CV |
| Karsten Nohl Former Graduate Student Computer Science Department University of Virginia Contact Information
|
|
About me
I've been a graduate student at the University of Virginia from 2005 to 2008. At the moment, I live and work in Berlin. My PhD thesis proposes techniques for realizing Implementable Privacy for RFID Systems. Currently, my research focuses on cryptography for small devices and touches on microchip security, privacy protection, and the economics of information. My advisor is David Evans.
Publications
Karsten Nohl. Implementable Privacy for RFID Systems. PhD Dissertation. January 2009.Ongoing Hardware Security Research
We are continuing to reverse-engineer and pen-test embedded security functions. The current state of three of our projects was presented at the Hacking at Random (HAR) conference:
| Aug 15th '09: | HAR Talk: Cracking A5 GSM Encryption |
| Aug 15th '09: | HAR Talk: Breaking Hitag2 |
| Aug 15th '09: | HAR Talk: Deep Silicon Analysis |
Starbug and I illustrated the state of reverse engineering smart cards (also summarized by Heise) in a talks at 25th Chaos Communications Congress:
| Dec 28th '08: | 25C3 Talk: Hardware Reverse Engineering |
| Our research blog has the latest updates and references. |
TI EVM Firmware
We strongly believe that security systems generally get compromised at some point. In the case of smart card installations, a compromise typically mandates the entire reader infrastructure and all cards to be replaced. This excessive cost of security breaches is avoidable when the reader infrastructure can be upgraded to implement countermeasures and support new cards.
Towards a multi-standard fully-upgradable RFID reader, we implemented Mifare Classic support in the Texas Instruments TRF7960 RFID Evaluation Module. This module provides a sound base for countermeasures including card fingerprinting, and appears to be a good upgrade platform from Mifare Classic to cards with stronger encryption. Further development on this platform is coordinated through this mailing list
| Download: The firmware and GUI from TI, and our patches for firmware and GUI to add Mifare Classic support. |
This software includes a patch for the EVM stock firmware (TRF7960_Parallel_SPI_Firmware_Ver3-2_EXP.zip), which is available through the RFID-TRF7960/61 extranet. Contact TI to get access.
Mifare Security
Henryk Plötz and Starbug from the CCC Berlin and I announced the break of the crypto algorithm in Mifare Classic RFID smartcards at the 24C3 congress in December 2007. The Mifare Classic card is used in many micro-payment application including the Oyster card, the CharlieCard, and the OV-Chipkaart.
To address concerns about the security of the Dutch OV-Chipkaart, we have issued this press release:
| Jan 8th '08: Lost Mifare obscurity raises concerns over security of OV-Chipkaart (PDF). |
In response to our work, the research agency TNO assessed the security of the OV-chipkaart system and found our claims to be accurate in a report issued Feb 29th. We welcome the report's call for the currently used cards to be replaced with more secure cards, but question the estimate that an attack will not happen within two years.
To help further understand the security of Mifare Classic-based systems, we assess the strength of the underlying cryptographic cipher and find that secret keys can be recovered within minutes on a typical PC:
| Mar 10th '08: Cryptanalysis of Crypto-1 (PDF). |
NXP, the manufacturer of the Mifare cards, announced an improved version that addresses all recent points of critique: it's build around standard cryptography and even provides some level of privacy protection.
| Mar 10th '08: NXP introduces Mifare Plus. |
The smart-card group at Royal Holloway, University of London released a third (and final) assessment of OV-Chipkaart's security for the Dutch government. The assessment confirms our analysis and recommends operators of Mifare Classic-based systems to migrate to more secure cards with publicly scrutinized cryptography:
| Apr 15th '08: Royal Holloway: Security assessment of Mifare Classic in public transport. |
Through further analysis of Crypto-1, we found the cipher to be highly vulnerable to algebraic attacks. Our most efficient attack takes only seconds on a PC, can operate on passively sniffed data from meters away, and works despite strong random numbers in Mifare Plus. The results were first announced at EuroCrypt 2008's rump session.
| Apr 15th '08: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards. |
Our technique of hardware reverse-engineering used to recover the Mifare Crypto-1 cipher will be presented at Usenix Security:
| May 14th '08: Reverse-Engineering a Cryptographic RFID Tag. |
Steve Ragan at The Tech Harald covers our story in great detail and with extensive technical expertise in a series of articles:
Some news articles covering the story include:
Please note that we have not compromised the security of credit cards as some of the articles suggest. As far as we can tell, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.
Further clarifications on our smartcard work have been posted to our research blog.
Google has a video of our talk at 24C3 (slides):