End to end system security risk considerations for implementing MIFARE Classic

MIFARE Classic Crypto1, contactless card, end-to-end system security, vulnerabilities, threat and attack analysis, countermeasures

MIFARE Classic vulnerabilities

The MIFARE Classic card has always relied on the confidentiality of its cryptographic algorithm for protection. Retrieving the algorithm requires extensive knowledge, but research groups have recently recovered it by reverse engineering the MIFARE Classic chip. Even with the algorithm known, exploiting it in an attack still requires considerable expertise. In the meantime, however, parts of the attack software and the schematics of attack equipment have become available to the interested public, so the hurdle for attacks has become very low. All these research activities have decreased the protection level of the card features dramatically. With low-cost equipment (less than 100 euros) and an ordinary laptop or personal computer, an attacker can potentially mount the following attacks[4]:

  1. Eavesdropping only one valid transaction between a legitimate reader and a legitimate card of an application. From the recorded data, all keys and data involved in the transaction can be recovered in anywhere from a few seconds to a few minutes. The Radboud University in Nijmegen, the Netherlands, even claims to have discovered an attack that recovers the key in just 0.1 second using a specially optimized implementation.
  2. Eavesdropping only what the reader sends during one or two valid transactions between a legitimate reader and a legitimate card. This attack can be performed from a larger distance, because only the data transmitted by the reader is needed. Note that only the keys can be recovered in this way, not the data read from the card. Having the keys, however, allows the intruder to approach the cardholder later and read the data from the card.
  3. Eavesdropping the result of two failed authentications[5] between a legitimate reader of an application and any MIFARE Classic card (authentic or emulated). From this recorded data, the key used by the reader in those authentications can be recovered in a few seconds.
  4. A while ago, researchers in the Digital Security group of the Radboud University Nijmegen discovered another vulnerability in the MIFARE Classic card that allowed them to develop an attack without the need to eavesdrop on a legitimate transaction. They confidentially informed NXP about it so that system integrators could be warned as early as possible. For this attack they use a specially developed MIFARE Classic reader to interact with a legitimate card. This special reader provides low-level access to the data exchanged over the air interface. The data harvested with this reader allows them to discover one key of that card. The researchers have indicated that they can demonstrate this attack in a controlled lab environment. The attack currently requires significant pre-computation time, but the execution of the attack itself takes less than a minute to find a key. Their current implementation does not give guaranteed success when applied by just sitting next to someone and sniffing their card. However, from the attack parameters and properties, it cannot be excluded that improved implementations will become available in the future. After having retrieved one key with this method, an attacker can use attack #5 to retrieve the rest of the keys and read all the data stored on the card.
Latest news from the scientific community

  5. Researchers from Radboud University Nijmegen have informed NXP about yet another vulnerability of the MIFARE Classic card. They have demonstrated that this vulnerability can be exploited to develop a new attack. With the knowledge of just one key of a card (e.g. because the card contains a MAD, because the card is part of a public scheme, or because they have been able to use one of the other attacks) they can retrieve all other keys of the card in just seconds per key, without using a legitimate reader. This attack consists of three parts. In the first part they need access to the card for less than a second to harvest the required data. In the second part they use that data to calculate all the keys in less than a second per key, without significant pre-computation time; for this part they do not need access to the card. After the second part they have all the keys. In the third part they need access to the card again and are able to read all the data stored on the card. This attack does not require lab conditions: it can be executed by just sitting next to someone who has a card in a pocket, retrieving all keys and data from the MIFARE Classic card, provided just one key of that card is known.

Remark: The times mentioned above were measured on an ordinary modern personal computer or laptop. Achieving them requires neither excessive memory nor pre-calculated large tables.
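Attack #3 leaves a trace at the legitimate reader: the same (authentic or emulated) card fails authentication twice in quick succession. The following added example, which is not from this note or from NXP, shows reader-side detection of that pattern over a constructed event log; the log format, reader names, UIDs, enrolled-UID set and 30-second window are all assumptions.

```python
"""Reader-side detection of the attack #3 precondition: two failed
authentications against one legitimate reader by the same card.
Added example; log format, names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reader log:
# "<ISO timestamp> <reader> <card UID hex> <AUTH_OK|AUTH_FAIL>"
SAMPLE_LOG = """\
2009-03-02T08:00:01 gate-1 9A2B3C4D AUTH_OK
2009-03-02T08:00:09 gate-1 11223344 AUTH_FAIL
2009-03-02T08:00:10 gate-1 11223344 AUTH_FAIL
2009-03-02T08:02:30 gate-2 9A2B3C4D AUTH_OK
2009-03-02T08:05:00 gate-2 55667788 AUTH_FAIL
2009-03-02T09:15:00 gate-2 55667788 AUTH_FAIL
"""

# UIDs issued by the scheme (constructed); an emulated card need not
# carry a UID the system ever issued, so unknown UIDs are noteworthy.
ENROLLED_UIDS = {"9A2B3C4D", "55667788"}


def parse_log(text):
    """Yield (timestamp, reader, uid, result) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, uid, result = line.split()
        yield datetime.fromisoformat(ts), reader, uid, result


def find_suspect_cards(log_text, window=timedelta(seconds=30), threshold=2):
    """Return {uid: reason} for cards that failed `threshold` or more
    authentications at the same reader within `window` (sliding)."""
    failures = defaultdict(list)  # (reader, uid) -> recent failure timestamps
    suspects = {}
    for ts, reader, uid, result in parse_log(log_text):
        if result != "AUTH_FAIL":
            continue
        recent = [t for t in failures[(reader, uid)] if ts - t <= window]
        recent.append(ts)
        failures[(reader, uid)] = recent
        if len(recent) >= threshold:
            status = "enrolled" if uid in ENROLLED_UIDS else "unenrolled"
            suspects[uid] = (f"{len(recent)} failed authentications at {reader} "
                             f"within {window.seconds}s ({status} UID)")
    return suspects


if __name__ == "__main__":
    for uid, why in find_suspect_cards(SAMPLE_LOG).items():
        print(uid, why)
```

Legitimate cards also fail occasionally (a card from another scheme held to the wrong reader, for instance), so the threshold and window have to be tuned against the deployment's own baseline failure rate before alerts are acted on.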

The table below provides a general overview of the known vulnerabilities per card IC.

Table 1. Applicability of Vulnerabilities per card IC type

| Vulnerability | MIFARE Classic | MIFARE Classic emulation in SmartMX | MIFARE Plus in MIFARE Classic mode | Other MIFARE Classic implementations (non-NXP) |
|---|---|---|---|---|
| 1. Eavesdropping one valid transaction | Yes | Yes | Yes | Yes |
| 2. Eavesdropping the reader transmissions of one or two valid transactions | Yes | Yes | Yes | Yes |
| 3. Making two failed authentications with a legitimate reader | Yes | Yes | Yes | Yes |
| 4. Card-only attack | Yes | Yes | No | Dependent on implementation |
| 5. Card-only attack when knowing one key of the card | Yes | No | No | Dependent on implementation |