Karsten Nohl, PhD: University of Virginia, C.S. Dept

Karsten Nohl
Former Graduate Student
Computer Science Department
University of Virginia

Contact Information

E-mail:
PGP:	0ECC 358C 2595 1058 7861 4400 7DE2 766E 787C 2265
S/MIME:	Certificate, CA

About me

CV, Research Statement

I've been a graduate student at the University of Virginia from 2005 to 2008. At the moment, I live and work in Berlin. My PhD thesis proposes techniques for realizing Implementable Privacy for RFID Systems. My current research focuses on cryptography for small devices and touches on microchip security, privacy protection, and the economics of information. My advisor is David Evans.

GSM Security

Following our previous research of disclosing vulnerabilities in widely deployed systems, we are currently investigating several aspects of the GSM cell phone standard. The first major stream of this research computes a rainbow tables code book to decrypt A5/1.

Project web site with technical background:	A5/1 Security Project
Presentation at the 26C3:	Video, Slides

Some news articles covering our GSM research:

Aug 26th	USA Today: Researcher sets out to hack mobiles, including iPhone, Gphone
Aug 28th	The Tech Herald: GSM Alliance downplays seriousness of GSM project
Aug 31st	Financial Times: Snooping risk as hackers target mobile code
Dec 3rd	IEEE Spectrum: Open-Source Effort to Hack GSM
Dec 29th	New York Times: Cellphone Encryption Code Is Divulged
Dec 29th	The Register: Secret code protecting cellphone calls set loose
Dec 29th	The Tech Herald: GSM cracking project moves forward
Jan 1st	The Times of India: Code that safeguards mobile calls cracked
Jan 1st	cnet: Q&A: Researcher Karsten Nohl on mobile eavesdropping
Jan 3rd	Ethiopian Review: German computer scientist breaks mobile phone codes
Jan 7th	Reuters: Cellular group says mobile calls safe from hackers

Publications

Karsten Nohl. Implementable Privacy for RFID Systems. PhD Dissertation. January 2009.

Karsten Nohl, Erik Tews, and Ralf-Philipp Weinmann. Cryptanalysis of the DECT Standard Cipher.
International Workshop on Fast Software Encryption (FSE). February 2010.
Karsten Nohl and David Evans. Privacy through Noise: A Design Space for Private Identiﬁcation.
Annual Computer Security Applications Conference (ACSAC 2009). December 2009.
Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT Solvers to Cryptographic Problems.
Theory and Applications of Satisfiability Testing (SAT 2009). July 2009.
Sean O’Neil, Karsten Nohl, and Luca Henzen. EnRUPT Hash Function.
A submission to the NIST SHA-3 Hashing Competition. August 2008.
Karsten Nohl and David Evans. Design Trade-Offs for Realistic Privacy (Book Chapter).
Paris Kitsos and Yan Zhang (Ed.): RFID Security: Techniques, Protocols and System-On-Chip Design. 2008.
Karsten Nohl and David Evans. Hiding in Groups: On the Expressiveness of Privacy Distributions.
23rd International Information Security Conference (SEC 2008). September 2008.
Karsten Nohl, Starbug, Henryk Plötz, and David Evans. Reverse-Engineering a Cryptographic RFID Tag.
USENIX Security. August 2008.
Karsten Nohl. Privacy through Noise: A Design Space for Private Identification.
Secure Component and System Identification Workshop (SECSI). March 2008.
Karsten Nohl and David Evans. Quantifying Information Leakage in Tree-Based Hash Protocol (Extended Technical Report).
8th International Conference on Information and Communications Security (ICICS). December 2006.

Ongoing Hardware Security Research

We are continuing to reverse-engineer and pen-test embedded security functions. The current state of three of our projects was presented at 26th Chaos Communications Congress (26C3) in Berlin.

Dec 27th '09:	26C3 Talk: GSM: SRSLY?
	\|-- Reactions: see above.
Dec 28th '09:	26C3 Talk: Legic Prime: Obscurity in Depth
	\|-- Summary at Heise
	\|-- Example for the far-reaching impact of the insecurities at German airports
Dec 29th '09:	26C3 Talk: DECT Security
	\|-- Summary at Heise
	\|-- Positive reaction form the DECT Forum

The GSM project and two other projects were previously presented at the Hacking at Random (HAR) conference:

Aug 15th '09:	HAR Talk: Cracking A5 GSM Encryption
Aug 15th '09:	HAR Talk: Breaking Hitag2
Aug 15th '09:	HAR Talk: Deep Silicon Analysis

Starbug and I illustrated the state of reverse engineering smart cards (also summarized by Heise) in a talk at 25th Chaos Communications Congress:

Dec 28th '08:

25C3 Talk: Hardware Reverse Engineering

Our research blog has periodic updates on other projects of the security research group at UVa.

TI EVM Firmware

We strongly believe that security systems generally get compromised at some point. In the case of smart card installations, a compromise typically mandates the entire reader infrastructure and all cards to be replaced. This excessive cost of security breaches is avoidable when the reader infrastructure can be upgraded to implement countermeasures and support new cards.

Towards a multi-standard fully-upgradable RFID reader, we implemented Mifare Classic support in the Texas Instruments TRF7960 RFID Evaluation Module. This module provides a sound base for countermeasures including card fingerprinting, and appears to be a good upgrade platform from Mifare Classic to cards with stronger encryption. Further development on this platform is coordinated through this mailing list

Download: The firmware and GUI from TI, and our patches for firmware and GUI to add Mifare Classic support.

This software includes a patch for the EVM stock firmware (TRF7960_Parallel_SPI_Firmware_Ver3-2_EXP.zip), which is available through the RFID-TRF7960/61 extranet. Contact TI to get access.

Mifare Security

Henryk Plötz and Starbug from the CCC Berlin and I announced the break of the crypto algorithm in Mifare Classic RFID smartcards at the 24C3 congress in December 2007. The Mifare Classic card is used in many micro-payment application including the Oyster card, the CharlieCard, and the OV-Chipkaart.

To address concerns about the security of the Dutch OV-Chipkaart, we have issued this press release:

Jan 8th '08: Lost Mifare obscurity raises concerns over security of OV-Chipkaart (PDF).

In response to our work, the research agency TNO assessed the security of the OV-chipkaart system and found our claims to be accurate in a report issued Feb 29th. We welcome the report's call for the currently used cards to be replaced with more secure cards, but question the estimate that an attack will not happen within two years.

To help further understand the security of Mifare Classic-based systems, we assess the strength of the underlying cryptographic cipher and find that secret keys can be recovered within minutes on a typical PC:

Mar 10th '08: Cryptanalysis of Crypto-1 (PDF).

NXP, the manufacturer of the Mifare cards, announced an improved version that addresses all recent points of critique: it's build around standard cryptography and even provides some level of privacy protection.

Mar 10th '08: NXP introduces Mifare Plus.

The smart-card group at Royal Holloway, University of London released a third (and final) assessment of OV-Chipkaart's security for the Dutch government. The assessment confirms our analysis and recommends operators of Mifare Classic-based systems to migrate to more secure cards with publicly scrutinized cryptography:

Apr 15th '08: Royal Holloway: Security assessment of Mifare Classic in public transport.

Through further analysis of Crypto-1, we found the cipher to be highly vulnerable to algebraic attacks. Our most efficient attack takes only seconds on a PC, can operate on passively sniffed data from meters away, and works despite strong random numbers in Mifare Plus. The results were first announced at EuroCrypt 2008's rump session.

Apr 15th '08: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards.

Our technique of hardware reverse-engineering used to recover the Mifare Crypto-1 cipher will be presented at Usenix Security:

May 14th '08: Reverse-Engineering a Cryptographic RFID Tag.

Steve Ragan at The Tech Harald covers our story in great detail and with extensive technical expertise in a series of articles:

Mar 4th '08	University students in Virginia crack smartcard chips
Mar 12th '08	U.VA. researchers crack smartcard chips . Mifare Classic security proven weak
Mar 12th '08	Did NXP finally acknowledge security problems in their Mifare chip?
Mar 14th '08	Interview: Karsten Nohl - Mifare Classic researcher speaks up
Apr 15th '08	Replacement suggested for NXP chips used in OV-Chipkaart
Apr 16th '08	More trouble for the MiFare chips

Some news articles covering the story include:

Jan 21st '08	Schneier: Dutch RFID Transit Card Hacked
Feb 26th '08	UVa Today: Group Demonstrates Security Hole in World's Most Popular Smartcard
Feb 28th '08	Daily Progress: Security code easy hacking for UVa student
Feb 29th '08	WCAV TV: UVa Grad Student Cracks Smart Card Security Code (with video)
Feb 29th '08	WSLS.com: UVA grad, 2 other hackers claim they cracked credit cards and security badges codes
These articles are derivatives of the stories run by the Associated Press and the Media General News Service:
\|-- Mar 1st '08	Daily Press: U.Va. student, hackers crack credit card security code
\|-- Mar 1st '08	WVEC-TV: UVA student hackers say they've cracked smartcard encryption
\|-- Mar 1st '08	WVIR NBC-29: UVA Student, Hackers Crack Credit Card Security Code
\|-- Mar 2nd '08	Washington Times: Student decodes security devices
\|-- Mar 2nd '08	WAVY-TV: UVA Student, Hackers Crack Credit Card Security Code
\|-- Mar 2nd '08	Culpeper Star Exponent: Smartcard encryption code hacked
Mar 5th '08	Sc Magazine: Hackers claim RFID smart-card hack, but chip vendor disagrees
Mar 6th '08	Boston Gobe: T card has security flaw, says researcher (with video)
Mar 6th '08	Boston Herald: CharlieCard is far from hack-proof
Mar 6th '08	WCVB ABC-5 Teh Boston Channel: Problem Surfaces With CharlieCard Security
Mar 7th '08	PC World: Hackers Find a Way to Crack Popular Smartcard in Minutes
Mar 7th '08	Computerworld UK: Questions raised about Oyster card security
Mar 7th '08	PC World Australia: RFID encryption flawed in smart cards, researchers claim
Mar 9th '08	Richmond Times-Dispatch:
	U.Va. student claims to have cracked smartcard encryption
Mar 10th '08	Computerworld NZ: Hackers find a way to crack popular smartcard in minutes
Mar 10th '08	Infrasite News (Netherlands): Security hole in world's most popular smartcard
Mar 12th '08	The Register: Microscope-wielding boffins crack Tube smartcard
Mar 12th '08	PC World: RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
Mar 13th '08	Contactless News (FL): Hacked smart card chips? Alliance says no
Mar 13th '08	TechRadar.com (UK): Is your Oyster card safe from hackers?
Mar 14th '08	Computerworld: RFID hack could crack open 2 billion smart cards
Mar 14th '08	RFID Journal: NXP Announces New, More Secure Chip for Transport, Access Cards
Mar 14th '08	Windows IT Pro: Countless RFID Cards At Risk
Mar 14th '08	Schneier: London Tube Smartcard Cracked
Mar 18th '08	Computerworld UK: 'Soldiers deployed' following RFID hack
Mar 19th '08	Computerworld: How they hacked it: The MiFare RFID crack explained
Mar 19th '08	CIO Today: Student Claims to Have Cracked Smartcard Encryption
Mar 21st '08	The Chronicle of Higher Education:
	Computer-Science Researchers Expose Security Vulnerability of Some Electronic Key-Cards
Mar 23rd '08	Tamil Star (Sri Lanka!): RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
Mar 26th '08	SecureIDNews: Interview with Mifare hacker Karsten Nohl (Podcast)
Apr 1st '08	EETimes: NXP RFID encryption cracked
Apr 11th '08	Brisbane Times (Australia): Go cards 'doomed' over security
Apr 15th '08	Computerworld: MiFare RFID crack more extensive than previously thought
Apr 16th '08	Brisbane Times (Australia): New report slams go card security
Apr 16th '08	The Register: Dutch transit card crippled by multihacks
Apr 21st '08	Heise: Is the MiFare Classic RFID system blown?
May 12th '08	The Green Sheet: Fraud busting, electronic style

Please note that we have not compromised the security of credit cards as some of the articles suggest. As far as we can tell, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.

Further clarifications on our smartcard work have been posted to our research blog.

Google has a video of our talk at 24C3 (slides):