166 - Algebraic Attacks on the Crypto-1 Stream Cipher in...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards Nicolas T. Courtois 1 , Karsten Nohl 2 , and Sean O’Neil 3 1 University College London, UK 2 University of Virginia, USA 3 VEST Corporation, France Disclaimer: this paper is an early announcement of a research in progress. Abstract. MiFare Crypto 1 is a lightweight stream cipher used in Lon- don’s Oyster card, Netherland’s OV-Chipcard, US Boston’s CharlieCard, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering [11, 13]. We have examined MiFare from the point of view of the so called algebraic attacks . We can recover the full 48-bit key of the MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption). The security of this cipher is therefore close to zero. This is particularly shocking, given the fact that, according to the Dutch press, 1 billion of MiFare Classic chips are used worldwide, including many government security systems. Keywords: London Oyster card, Dutch public transit OV-Chipcard, Boston’s CharlieCard RFID tags, Mifare Crypto 1 algorithm, stream ciphers, algebraic cryptanalysis, Boolean functions, Gr¨obner bases, SAT solvers. 1 Background Recently, several researchers have been able to reverse-engineer the MiFare Clas- sic cryptographic algorithm Crypto-1 that is used (among others) in London’s Oyster card, Netherland’s OV-Chipcard, US Boston’s CharlieCard, and in nu- merous wireless access control and ticketing systems worldwide [11, 13]. The MiFare cipher is a proprietary algorithm and its specification was not published so far. The researchers have been fair play: they informed the author- ities and announced that the industry should have some time to upgrade their systems. However this does not make the system very secure: if we do not publish Crypto 1 for the time being, hackers will without doubt recover it very soon. How secure are these algorithms? Dutch researchers exploited mostly the
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 02/02/2011 for the course SECURITY 2354 taught by Professor Morganjones during the Spring '11 term at Ucla Venezuela.

Page1 / 3

166 - Algebraic Attacks on the Crypto-1 Stream Cipher in...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online