Dutch Transport Card Broken

Crawford Nathan-HMGT87 HMGT87 at motorola.com
Tue Jan 29 14:34:47 EST 2008


Why require contactless in the first place?

Is swiping one's card, credit-card style too difficult for the average
user?  I'm thinking two parallel copper traces on the card could be used
to power it for the duration of the swipe, with power provided by the
reader.  Why, in a billion-dollar project, one must use COTS RFIDs -
with their attendant privacy and security problems - is beyond me. 

A little ingenuity would have gone a long way.

-----Original Message-----
From: owner-cryptography at metzdowd.com
[mailto:owner-cryptography at metzdowd.com] On Behalf Of Karsten Nohl
Sent: Monday, January 28, 2008 12:41 AM
To: Aram Perez
Cc: Cryptography
Subject: Re: Dutch Transport Card Broken

> Not to defend the designers in any way or fashion, but I'd like to 
> ask, How much security can you put into a plastic card, the size of a 
> credit card, that has to perform its function in a secure manner, all 
> in under
> 2 seconds (in under 1 second in parts of Asia)? And it has to do this 
> while receiving its power via the electromagnetic field being 
> generated by the reader.

You are raising a very interesting point. The constraints under which
RFIDs and contactless smart-cards need to operate seem to vary widely
depending on the application.

The Mifare Classic cards, for example, authenticate in under 2 ms, but
wouldn't need to be that fast as you point out. Their crypto is also
very small, much smaller even than their flash memory. What good is it,
though, to have a lot of memory that is badly protected?

Last, the power consumption of the Mifare cards is certainly lower than
others, which doesn't matter, though, in the near-field where even
micro-processor based designs can operate. This is where contactless
smart-cards and RFIDs get confused often. Only for the latter ones power
consumption is a limiting constraint.

To answer your question directly: Within the limits of Mifare Classic
(48-bit cipher, 16-bit RNG), one can build a 64-bit cipher that
generates 'random' numbers internally. Within the same limits, one could
almost implement TEA which at least has undergone its share of
peer-review. Again: Trading some of the memory for this much higher
level of security would certainly have been worth it.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list