Karsten Nohl, Graduate Student, Computer Science Department, University of Virginia
About me
I am a graduate student at the University of Virginia. Currently, I am working on my PhD thesis titled Implementable Privacy for RFID Systems. My research is centered around cryptography for small devices and touches on computer security, information privacy, and the economics of information. My advisor is David Evans.
Smartcard Security
| Our research blog has the latest updates and references. |
Henryk Plötz and Starbug from the CCC Berlin and I have recently announced the break of the crypto algorithm in Mifare Classic RFID smartcards (which are used in many micro-payment applications including the Oyster card, the CharlieCard, and the OV-Chipkaart).
To address concerns about the security of the Dutch OV-Chipkaart, we have issued this press release:
| Jan 8th '08: Lost Mifare obscurity raises concerns over security of OV-Chipkaart (PDF). |
In response to our work, the research agency TNO assessed the security of the OV-chipkaart system and found our claims to be accurate in a report issued Feb 29th. We welcome the report's call for the currently used cards to be replaced with more secure cards, but question the estimate that an attack will not happen within two years.
To help further understand the security of Mifare Classic-based systems, we assess the strength of the underlying cryptographic cipher and find that secret keys can be recovered within minutes on a typical PC:
| Mar 10th '08: Cryptanalysis of Crypto-1 (PDF). |
NXP, the manufacturer of the Mifare cards, announced an improved version that addresses all recent points of critique: it's built around standard cryptography and even provides some level of privacy protection.
| Mar 10th '08: NXP introduces Mifare Plus. |
The smart-card group at Royal Holloway, University of London released a third (and final) assessment of OV-Chipkaart's security for the Dutch government. The assessment confirms our analysis and recommends that operators of Mifare Classic-based systems migrate to more secure cards with publicly scrutinized cryptography:
| Apr 15th '08: Royal Holloway: Security assessment of Mifare Classic in public transport. |
Through further analysis of Crypto-1, we found the cipher to be highly vulnerable to algebraic attacks. Our most efficient attack takes only seconds on a PC, can operate on passively sniffed data from meters away, and works despite strong random numbers in Mifare Plus. The results were first announced at EuroCrypt 2008's rump session.
| Apr 15th '08: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards. |
Our technique of hardware reverse-engineering used to recover the Mifare Crypto-1 cipher will be presented at Usenix Security:
| May 14th '08: Reverse-Engineering a Cryptographic RFID Tag. |
Steve Ragan at The Tech Herald covers our story in great detail and with extensive technical expertise in a series of articles:
Some recent news articles covering the story include:
Please note that we have not compromised the security of credit cards as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.
Further clarifications on our smartcard work have been posted to our research blog.
Google has a video of our talk at 24C3 (slides):