critical application development management, information assurance, crime science. MiFare Classic is the most popular contactless smart card with about 200 millions copies in circulation worldwide. At Esorics 2008 Dutch researchers showed that the underlying cipher Crypto-1 can be cracked in as little as 0.1 seconds if the attacker can access or eavesdrop the RF communications with the (genuine) reader. We discovered that a MiFare classic card can be cloned in a much more practical card-only scenario, where the attacker only needs to be in the proximity of the card for a number of minutes, therefore making usurpation of identity through pass cloning feasible at any moment and under any circumstances. For example, anybody sitting next to the victim on a train or on a plane is now be able to clone his/her pass. Other researchers have also (independently from us) discovered this vulnerability (Garcia et al., 2009) however our attack requires less queries to the card and does not require any precomputation. In addition, we discovered that certain versions or clones of MiFare Classic are even weaker, and can be cloned in 1 second. The main security vulnerability that we need to address with regard to MiFare Classic is not about cryptography, RFID protocols and software vulnerabilities. It is a systemic one: we need to understand how much our economy is vulnerable to sophisticated forms of electronic subversion where potentially one smart card developer can intentionally (or not), but quite easily in fact, compromise the security of governments, businesses and financial institutions worldwide. 1

Abstract. In this paper we report on the performance of the RSA variants of Brands protocols for zero-knowledge proof and restrictive blinded issuing [1]. The performance is relatively bad: For 4 attributes and an RSA key size of 1280 bits, blinded issuing takes about 10 seconds and the zero-knowledge proof takes about 9 seconds. For 2 attributes the zero-knowledge proof drops to 5 seconds. The poor performance comes from the fact that the cryptographic coprocessor on the Java card can only be employed in very limited ways. With appropriate support of the cryptographic coprocessor both protocols would run much faster. Key words: Java Card · selective disclosure · blinded issuing · performance 1

Abstract. This paper discusses the political relevance of ICT-architecture through a review of recent developments in the Netherlands, involving the bumpy introduction of a national smart card for public transport and the plans for electronic traffic pricing based on actual road usage of individual cars. One of the underlying themes is the centralised or decentralised storage of privacy-sensitive data, where centralised informational control supports centralised societal control. 1 Architectural issues Mitchell Kapor is one of the founders and the first chairman of the Electronic Freedom Foundation (EFF), an international non-profit organisation that aims to defend civil rights in the digital age. Kapor has coined the phrase Archtitecture is politics, see also [7]. It does not refer to architecture as the design and structure of buildings or bridges, but of ICT systems. In a broad sense ICT-architecture involves the structural organisation of hardware, applications, processes and information flow, and also its organisational consequences, for instance within enterprises or within society at large. Why is this form of architecture so much a political issue—and not chiefly a technical one? An (expanded) illustration may help to explain the matter. Many countries are nowadays in the process of replacing traditional analog electricity meters in people’s homes by digital (electronic) meters, also known as smart meters. The traditional meters are typically hardware based, and have a physical counter that moves forward under the influence of a metallic disc that turns with a speed proportional to the electricity consumption. This process takes place within a sealed container, so that tampering is not so easy and can be detected. It is in general fairly reliable. Such domestic meters may last for decades. From the (information) architectural perspective the main point is that the usage data are stored decentrally, in one’s own home. The reading of the meters Based on a keynote talk at the Computers, Privacy, and Data Protection (CPDP) conference, Brussels, 16-17 jan. 2009. This paper is intended for the CPDP proceedings.

Abstract This short note concentrates on an optimisation of the attribute-proving protocol by Batina et al. [1], and provides the improved performance figures. The protocol relies on elliptic curve cryptography with bilinear pairings. These pairings provide signatures that are stable under multiplication with a blinding factor. In this way multiple proofs are unlinkable, and thus provides a privacy-friendly solution. The optimisation involves better exploitation of the (limited) elliptic curve primitives that are available on the current generation of Java Card smart cards. It leads to a reduction of the on-card running times (wrt. to [1]) of roughly a factor three. Total running times with this new protocol are below one second. A further reduction with a factor two or three is needed to achieve performance that is acceptable in practice. Key words: anonymous credentials, elliptic curve cryptography, smart

Abstract. We investigated a real-world contactless payment application based on mifare Classic cards. In order to analyze the security of the payment system, we combined previous cryptanalytical results and implemented an improved card-only attack with customized low-cost tools, that is to our knowledge the most efficient practical attack to date. We found several flaws implying severe security vulnerabilities on the system level that allow for devastating attacks including identity theft and recharging the amount of money on the cards. We practically verify and demonstrate the attacks on the commercial system. 1

With more than 300 million cards sold, HID iClass is one of the most popular contactless smart cards on the market. It is widely used for access control, secure login and payment systems. The card uses 64-bit keys to provide authenticity and integrity.

University Nijmegen have discovered a serious security flaw in a widely used type of contactless smartcard [9], also called RFID tag. It concerns the ”Mifare Classic ” RFID card produced by NXP (formerly Philips Semiconductors). Earlier, German researchers Karsten Nohl en Henryk Pltz pointed out security weaknesses of this cards. Worldwide around 1 billion of these cards have been sold. This type of card is used for the Dutch ‘ov-chipkaart ’ [the RFID card for public transport throughout the Netherlands] and public transport systems in other countries (for instance the subway in London). Mifare cards are also widely used as company cards to control access to buildings and facilities. All this means that the flaw has a broad impact. Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system. In many situations where these cards are used there will be additional security measures; it is advisable to strengthen these where possible. The Digital Security group found weaknesses in the authentication mechanism of the Mifare Classic. In particular: • TheworkingoftheCRYPTO1encryptionalgorithmhasbeenreconstructedindetail. • There is a relatively easy method to retrieve cryptographic keys, which does not rely on expensive equipment. Combining these ingredients we succeeded on mounting an actual attack, in which a Mifare Classic access control card was successfully cloned. In situation where there are no additional security measures, this would allow unauthorised access by people with bad intentions. 2