Crypto-1

Last updated
Crypto1
Crypto1.png
NXP Crypto1
General
DesignersPhilips/NXP
First publishedOctober 6, 2008
Cipher detail
Key sizes 48 bits
Security claims48 bits
Structure NLFSR, LFSR
Best public cryptanalysis
Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card"

Crypto1 is a proprietary encryption algorithm (stream cipher) and authentication protocol created by NXP Semiconductors for its MIFARE Classic RFID contactless smart cards launched in 1994. Such cards have been used in many notable systems, including Oyster card, CharlieCard and OV-chipkaart.

Contents

By 2009, cryptographic research had reverse engineered the cipher and a variety of attacks were published that effectively broke the security. [1] [2] [3] [4] [5]

NXP responded by issuing "hardened" (but still backwards compatible) cards, the MIFARE Classic EV1. However, in 2015 a new attack rendered the cards insecure, [6] [7] and NXP now recommends migrating away from MIFARE Classic. [8]

Technical description

Crypto1 is a stream cipher very similar in its structure to its successor, Hitag2. Crypto1 consists of

The usual operation of Crypto1 and Hitag2 ciphers uses nonlinear feedback only during the initialization/authentication stage, switching to operation as a LFSR with a nonlinear output filter (filter generator) for the rest of the communications.

See also

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

<span class="mw-page-title-main">Stream cipher</span> Type of symmetric key cipher

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR).

<span class="mw-page-title-main">Symmetric-key algorithm</span> Algorithm

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

Articles related to cryptography include:

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It is one of several implementations of the A5 security protocol. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

<span class="mw-page-title-main">MIFARE</span> Brand of smart and proximity cards

MIFARE is a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards.

Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly. However, they are vulnerable to attacks if certain precautions are not followed:

<span class="mw-page-title-main">EasyCard</span> Contactless smart card used in Taiwan

The EasyCard is a contactless smartcard system operated by the EasyCard Corporation, which was previously named the "Taipei Smart Card Corporation", for payment on the Taipei Metro, buses, and other public transport services in Taipei since June 2002, and its usage has since expanded to multiple kinds of businesses. Its use has also since been expanded to include convenience stores, department stores, supermarkets, taxis, and other retailers since 1 April 2010. Like conventional electronic fare systems, the card employs RFID technology to operate without physical contact. They are available for purchase at all Metro stations and all chain convenience stores.

<span class="mw-page-title-main">CharlieCard</span> Public transit smart card used in Boston

The CharlieCard is a contactless smart card used for fare payment for transportation in the Boston area. It is the primary payment method for the Massachusetts Bay Transportation Authority (MBTA) and several regional public transport systems in the U.S. state of Massachusetts.

<span class="mw-page-title-main">VEST</span> Family of stream ciphers

VEST (Very Efficient Substitution Transposition) ciphers are a set of families of general-purpose hardware-dedicated ciphers that support single pass authenticated encryption and can operate as collision-resistant hash functions designed by Sean O'Neil, Benjamin Gittins and Howard Landman. VEST cannot be implemented efficiently in software.

Grain is a stream cipher submitted to eSTREAM in 2004 by Martin Hell, Thomas Johansson and Willi Meier. It has been selected for the final eSTREAM portfolio for Profile 2 by the eSTREAM project. Grain is designed primarily for restricted hardware environments. It accepts an 80-bit key and a 64-bit IV. The specifications do not recommend a maximum length of output per pair. A number of potential weaknesses in the cipher have been identified and corrected in Grain 128a which is now the recommended cipher to use for hardware environments providing both 128bit security and authentication.

The Texas Instruments digital signature transponder (DST) is a cryptographically enabled radio-frequency identification (RFID) device used in a variety of wireless authentication applications. The largest deployments of the DST include the Exxon-Mobil Speedpass payment system, as well as a variety of vehicle immobilizer systems used in many late model Ford, Lincoln, Mercury, Toyota, Nissan, Kia, Hyundai and Tesla vehicles.

<span class="mw-page-title-main">Rejsekort</span> Electronic fare card used in Denmark

Rejsekort is an electronic ticket system for public transport in Denmark. The system is a collaborative work between DSB, HUR, Ørestadsselskabet, and various regional bus companies, and work on it started on August 18, 2003. In June 2005, Thales Group and Accenture were chosen as suppliers.

<span class="mw-page-title-main">Breeze Card</span> Public transit smart card used in Atlanta, Georgia

The Breeze Card is a stored value smart card that passengers use as part of an automated fare collection system which the Metropolitan Atlanta Rapid Transit Authority (MARTA) introduced to the general public in early October 2006. The card automatically debits the cost of the passenger’s ride when placed on or near the Breeze Target at the fare gate. Transit riders are able to add value or time-based passes to the card at Breeze Vending Machines (BVM) located at all MARTA stations. The major phases of MARTA's Breeze transformation took place before July 1, 2007 when customers were still able to purchase TransCards from ridestores or their employers. They were also able to obtain paper transfers from bus drivers to access the train. As of July 1, 2007 the TransCard and the paper transfers were discontinued and patrons now use a Breeze Card or ticket to access the system, and all transfers are loaded on the card. Breeze Vending Machines (BVM) distribute regional transit provider passes The Breeze Card employs passive RFID technology currently in use in many transit systems around the world.

Massachusetts Bay Transportation Authority v. Anderson, et al., Civil Action No. 08-11364, was a challenge brought by the Massachusetts Bay Transportation Authority (MBTA) to prevent three Massachusetts Institute of Technology (MIT) students from publicly presenting a security vulnerability they discovered in the MBTA's CharlieCard automated fare collection system. The case concerns the extent to which the disclosure of a computer security flaw is a form of free speech protected by the First Amendment to the United States Constitution.

<span class="mw-page-title-main">TFI Leap Card</span> Irish rapid transit payment card

The TFI Leap Card is a contactless smart card for automated fare collection overseen by Transport for Ireland (TFI). It was introduced in the Greater Dublin area in 2011 for Luas, DART, Iarnród Éireann and Dublin Bus, but acceptance has significantly expanded, and it is now accepted in cities nationwide and on some longer distance commuter routes. Initially, Leap Cards offered only a pre-paid electronic wallet system for single-trip fares; since May 2014, it has also been possible to load it with weekly, monthly and annual subscriptions. In September 2017, there were over 2.5 million Leap Card users according to the National Transport Authority. The Leap Card is the result of many years' work by the Railway Procurement Agency and the National Transport Authority as part of the rollout of an integrated ticketing scheme for public transport in Dublin city. Fares are generally discounted compared to cash prices, and integrated ticketing is offered in the Dublin area via a flat fare system across all modes of transport. The minimum top-up for the card is currently €5, and it can be topped up via iPhone/Android App, at LUAS or DART ticketing machines, and in convenience stores offering Payzone services.

<span class="mw-page-title-main">Simon (cipher)</span> Family of lightweight block ciphers

Simon is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Simon has been optimized for performance in hardware implementations, while its sister algorithm, Speck, has been optimized for software implementations.

<span class="mw-page-title-main">Karsten Nohl</span> German cryptography expert and hacker (born 1981)

Karsten Nohl is a German cryptography expert and hacker. His areas of research include Global System for Mobile Communications (GSM) security, radio-frequency identification (RFID) security, and privacy protection.

<span class="mw-page-title-main">Proxmark3</span>

Proxmark3 is a multi-purpose hardware tool for radio-frequency identification (RFID) security analysis, research and development. It supports both high frequency and low frequency proximity cards and allows users to read, emulate, fuzz, and brute force the majority of RFID protocols.

References

  1. de Koning Gans, Gerhard; J.-H. Hoepman; F.D. Garcia (2008-03-15). "A Practical Attack on the MIFARE Classic" (PDF). 8th Smart Card Research and Advanced Application Workshop (CARDIS 2008), LNCS, Springer. Archived from the original (PDF) on 2022-04-22. Retrieved 2020-07-19.
  2. Courtois, Nicolas T.; Karsten Nohl; Sean O'Neil (2008-04-14). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". Cryptology ePrint Archive.
  3. Nohl, Karsten; David Evans; Starbug Starbug; Henryk Plötz (2008-07-31). "Reverse-engineering a cryptographic RFID tag". SS'08 Proceedings of the 17th Conference on Security Symposium. USENIX: 185–193.
  4. Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (2008-10-04). "Dismantling MIFARE Classic" (PDF). 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. Archived from the original (PDF) on 2021-02-23. Retrieved 2020-07-19.
  5. Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card" (PDF). 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE. Archived from the original (PDF) on 2022-01-02. Retrieved 2020-07-19.
  6. Meijer, Carlo; Verdult, Roel (2015-10-12). "Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards". Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS '15. Denver, Colorado, USA: Association for Computing Machinery. pp. 18–30. doi:10.1145/2810103.2813641. hdl: 2066/151451 . ISBN   978-1-4503-3832-5. S2CID   4412174.
  7. Meijer; Verdult. "Ciphertext-only Cryptanalysis on Hardened Mifare Classic" (PDF). R. Verdult's page at Institute for Computing and Information Sciences, Radboud University . Archived (PDF) from the original on 2021-04-29.
  8. Grüll, Johannes (October 12, 2015). "Security Statement on Crypto1 Implementations". www.mifare.net. Retrieved 2021-04-29.


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.