Introduction

NXP Semiconductors received information that three research groups have retrieved the algorithm and developed attacks to break keys of MIFARE Classic-enabled cards. These are the group around Karsten Nohl, who initially presented the reverse engineering of MIFARE Classic chips in December 2007 at the 24th Chaos Computer Congress in Berlin, the IT security specialists from the Radboud University of Nijmegen as well as Nicolas T. Courtois from the University College London. According to our information the respective research groups plan to publish their findings including the algorithm by fall of this year latest.

This also means that there is a high risk that the MIFARE Classic cryptographic algorithm may become known to the public. System integrators therefore have to reconsider whether they have implemented appropriate security measures for the use of the MIFARE Classic card for applications that need security. In any scheme, it is the overall end-to-end system security that should be taken into account. The security of a system must not be restricted to the individual components. It is also essential to ensure that the individual components are used in the right way to prevent some attacks on the system.

For every application the actual security requirements need to be specified, along with the needed security level for those targets. When the security requirements for the system are known, the actual threats and required countermeasures can be determined.

MIFARE Classic vulnerabilities

One of the protection elements of the MIFARE Classic card has been the confidentiality of its cryptographic algorithm. Retrieving the cryptographic algorithm from the card requires extensive knowledge, but the abovementioned research groups have recently been able to do it by reverse engineering the MIFARE Classic chip.

Even if the algorithm is known, it still requires quite some expertise to exploit it in an attack. Researchers of the Radboud University however have used the knowledge of the algorithm to develop attacks to retrieve the keys and the data that is stored on the MIFARE Classic card. In the case that attack software and attack equipment would become available to the public, then the hurdle for attacks would become low.

Such attacks would allow that:

• Through overhearing successful communications between the reader of an existing infrastructure and a valid card, the data and/or the keys involved in that transaction could be read
• While overhearing failed communications between the reader of an existing infrastructure and any card, the key used by the reader during that transaction could be retrieved
• These attacks could be carried out in minutes or less and with means involving a laptop and equipment which can be built with limited material cost (100 Euros)

Although a residual risk remains, there are techniques and countermeasures to detect cards and data which have been tampered with, some of which are described in the confidential application notes published by NXP. We are happy to provide such application notes to the interested parties (such as system integrators and service operators) under a Non-Disclosure Agreement.

NXP actions and other main events - a brief summary