Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards
Nicolas T. Courtois, Karsten Nohl, and Sean O’Neil
University College London, UK
University of Virginia, USA
VEST Corporation, France
This paper is an early announcement of research in progress.
MiFare Crypto 1 is a lightweight stream cipher used in London’s Oyster card, the Netherlands’ OV-Chipcard, Boston’s CharlieCard in the US, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering [11, 13].
We have examined MiFare from the point of view of the so called
. We can recover the full 48-bit key of the MiFare algorithm in
200 seconds on a PC, given 1 known IV (from one single encryption).
The security of this cipher is therefore close to zero. This is particularly
shocking, given the fact that, according to the Dutch press, 1 billion
MiFare Classic chips are used worldwide, including many government
London Oyster card, Dutch public transit OV-Chipcard,
Boston’s CharlieCard RFID tags, Mifare Crypto 1 algorithm, stream
ciphers, algebraic cryptanalysis, Boolean functions, Gröbner bases, SAT
Recently, several researchers have been able to reverse-engineer the MiFare Classic cryptographic algorithm Crypto-1 that is used (among others) in London’s Oyster card, the Netherlands’ OV-Chipcard, Boston’s CharlieCard in the US, and in numerous wireless access control and ticketing systems worldwide [11, 13].
The MiFare cipher is a proprietary algorithm and its specification has not been published so far. The researchers have played fair: they informed the authorities and announced that the industry should have some time to upgrade their systems. However, this does not make the system very secure: if we do not publish Crypto 1 for the time being, hackers will without doubt recover it very soon.
How secure are these algorithms? Dutch researchers exploited mostly the