Abstract. The mifare Classic is the most widely used contactless smart card in the market. Its design and implementation details are kept secret by its manufacturer. This paper studies the architecture of the card and the communication protocol between card and reader. Then it gives a practical, low-cost, attack that recovers secret information from the memory of the card. Due to a weakness in the pseudo-random generator, we are able to recover the keystream generated by the CRYPTO1 stream cipher. We exploit the malleability of the stream cipher to read all memory blocks of the first sector of the card. Moreover, we are able to read any sector of the memory of the card, provided that we know one memory block within this sector. Finally, and perhaps more damaging, the same holds for modifying memory blocks. 1

www.crypto.rub.de

Abstract. Since the introduction of the Machine Readable Travel Document (MRTD) that is also known as e-passport for human identification at border control debates have been raised about security and privacy concerns. In this paper, we present the first hardware implementation for cracking Basic Access Control (BAC) keys of the e-passport issuing schemes in Germany and the Netherlands. Our implementation was designed for the reprogrammable key search machine COPACOBANA and achieves a key search speed of 2 28 BAC keys per second. This is a speed-up factor of more than 200 if compared to previous results and allows for a runtime in the order of seconds in realistic scenarios.

Abstract. Many distance bounding protocols appropriate for RFID technology have been proposed recently. However, the design and the analysis of these protocols are not based on a formal perspective. Motivated by this need, a formal framework is presented that helps the future attempts to cryptanalyze and design new distance bounding protocols. We first formalize the adversary scenarios, the protocol means, and the adversary goals in general. Then, we focus on the formalism for RFID systems by describing and extending the adversary strategies and the prover model. Two recently published distance bounding protocols are cryptanalyzed using our formal framework to demonstrate its relevancy and efficiency. Our formalism thus allows to prove that the adversary success probabilities are higher than the originally claimed ones.

Abstract – The general goal of power management (PM) is to achieve optimal system performance while meeting power constraints. Minimizing the energy consumption is mostly not sufficient. Especially power management policies for battery-powered and RFpowered devices require a deep understanding of the supplies ’ electrical characteristics. Thus, battery-aware PM aims to efficiently utilize the battery by reducing average current and avoiding relatively long (ms-sec) intervals of high discharge. In turn, RF-powered devices are additionally sensitive to instantaneous power consumption. This paper gives an overview of battery-aware PM approaches and draws avenues how these algorithms can be adapted and/or extended for RF-powered devices. Simulation and experimental results are presented to show the effects of power management policies on system life time and performance. I.

RFID technology is the prevalent method for implementing proximity identification in a number of security sensitive applications. The perceived proximity of a token serves as a measure of trust and is often used as a basis for granting certain privileges or services. Ensuring that a token is located within a specified distance of the reader is therefore an important security requirement. In the case of high-frequency RFID systems the limited operational range of the near-field communication channel is accepted as implicit proof that a token is in close proximity to a reader. In some instances, it is also presumed that this limitation can provide further security services. The first part of this dissertation presents attacks against current proximity identification systems. It documents how eavesdropping, skimming and relay attacks can be implemented against HF RFID systems. Experimental setups and practical results are provided for eavesdropping and skimming attacks performed against RFID systems adhering to the ISO 14443 and ISO 15693 standards. These attacks illustrate that the limited operational range cannot prevent unauthorised access to stored information on the token, or ensure that transmitted data remains confidential. The practical implementation of passive and

Abstract. RFID systems often use near-field magnetic coupling to implement communication channels. The advertised operational range of these channels is less than 10 cm and therefore several implemented systems assume that the communication channel is location limited and therefore relatively secure. Nevertheless, there have been repeated questions raised about the vulnerability of these near-field systems against eavesdropping and skimming attacks. In this paper I revisit the topic of RFID eavesdropping attacks, surveying previous work and explaining why the feasibility of practical attacks is still a relevant and novel research topic. I present a brief overview of the radio characteristics for popular HF RFID standards and present some practical results for eavesdropping experiments against tokens adhering to the ISO 14443 and ISO 15693 standards. Finally, I discuss how an attacker could construct a low-cost eavesdropping device using easy to obtain parts and reference designs.

The mifare Classic is the most widely used contactless smart card in the market. Its design and implementation details are kept secret by its manufacturer. We investigate the mifare Classic because this card should become the new ticket, called the OV-Chipkaart, in the Dutch public transport system. This thesis studies the architecture of the card and the communication protocol between card and reader. At the start of this research, there was no information available on the mifare Classic protocol nor the implementation of the OV-Chipkaart. To perform this research we used the Proxmark, a device that allows us to eavesdrop on the communication between the reader and the card. Our contributions are as follows. First, an ISO14443-A firmware implementation for the Proxmark that enables eavesdropping on the mifare Classic, among other card types. Secondly, we present an overview of the commands and responses of the protocol. Furthermore, we develop a method to read data from the mifare Classic card without knowledge of the secret key. Due to a weakness in the pseudo-random generator, we are able to recover the keystream generated by the CRYPTO1 stream cipher. We exploit the malleability of the stream cipher to read all memory blocks of the first sector of the card. Moreover, we are able to read any sector of the memory of the card, provided that we know one memory block within this sector. Finally, and perhaps more damaging, the same holds for modifying memory blocks. 1

Usage of Radio Frequency Identification is winning ground everywhere. Advantages of contactless communication compared to chips with contact are transaction speed, durability and ease to use. A major disadvantage is that messages can be intercepted from a distance by a malicious user. Eavesdropping of unsecured transmissions can be a serious security risc. This research describes a way to intercept this information. Furthermore, it shows the vulnerabilities in different major RFID systems and demonstrates how to exploit them.

Smart cards are an ideal medium for use in secure applications. Such applications require mechanisms for cryptographic authentication, password based authentication, confidential data exchange, detection of data tampering and verification of origin integrity. Cryptographic techniques based on symmetric key algorithms and/or public key cryptography can be used to address these issues. In this thesis, we focus on development of public key infrastructure on smart cards. Public key cryptography provides easier key management since keys are assigned on per user basis as opposed to per communication pair basis as in the case of symmetric key cryptography. Further, the public key cryptography can be used to perform key exchange for symmetric key and then the symmetric key cryptography can be used to perform further cryptographic operations. Smart cards are secure devices since the keys are kept in it securely and only the operations using such keys are permitted to be performed. We propose a comprehensive design for development of public key infrastructure on smart cards. This design is compliant to ISO/IEC-7816 international standards for