There has this month been a flurry of press releases from ITSO regarding their strategy for withdrawing support for the Mifare 1K, 4K and JCOP cards. In the case of JCOP we are of course referring to the Mifare emulation.
It all started in January this year when ITSO put out a press release regarding an 'Alleged Mifare Crypto Hack'. This of course was referring to the Karsten Nohl and Henryk Plötz presentation at the Chaos Computer Club in Berlin at the end of December 2007. Given the depth of the technical detail surrounding the proprietary Crypto-1 algorithm in the presentation, one would hardly think the word 'alleged' is appropriate. In fact, during discussion with Karsten we were so impressed with his work that we reported his findings as the lead article in January’s newsletter. It is this lack of rigour and incorrect interpretation of risk that is severely unsettling the ITSO membership.
In case you were not convinced, the Radboud University (Holland) Digital Security Group went on to publish more information on the Mifare cryptographic algorithm in March (reported in March’s Newsletter) and published a full paper in October after an injunction banning its publication by NXP was overturned by the judge. Surely there can be no doubt that the Mifare Crypto-1 algorithm has been well and truly hacked. However, what really matters is the risk profile for its continued use in a particular environment. This is a matter we shall return to later.
ITSO has put out another press release in November explaining their decision to stop support for the Mifare Classic 1K and 4K cards due to a 'theoretical risk' posed by these cryptographic breaches. What on earth is a theoretical risk? The fact that the Mifare card can be broken is not in doubt and therefore there must be some additional risk to the system, no matter how small, otherwise the card would have no value in the security design and you might as well use any basic memory device such as a magnetic stripe card.
Other ITSO papers go on to explain that in a simple smart card scheme using only the Mifare Classic security, the risk of cloning and fraudulent activity is now high. How this relates to the previous theoretical risk is not clear. However, the paper then goes on to explain that the Mifare cryptography is only used as a means of communicating with the card and that the ITSO products are independently protected by the ITSO seal, which uses different and more secure cryptography.
So is that right, that the security of the Mifare card is irrelevant and poses no more than a 'theoretical risk'? Let the reader be the judge:
If it is possible to clone a Mifare classic card then it follows that it is perfectly viable to have a set of cards that all look the same.
It also follows that it is equally viable to read the memory contents of an authentic ITSO card and to copy the contents onto the cloned set of cards. It would be equally possible to replay messages that alter or reset the state of a product on a card.
From this we can deduce that it is possible to create a set of Mifare cards bearing ITSO products that all look the same. In other words, an authentic ITSO terminal could not tell one card or the stored ITSO product from another. (It is not necessary to breach the ITSO cryptography, known as the ITSO Seal, which is effectively a cryptographic checksum applied to the product definition and is reputed to use a symmetric algorithm such as 3DES.)
Now these are the simple facts, so first of all what do we mean by high risk? Nearly all risk methodologies have the concept of attack paths, vulnerabilities and the likelihood of a (successful) breach of security, which leads to some measure of residual risk after taking account of the security controls. High risk would mean that, taking account of all the security controls, a highly likely method of attack exists that can successfully exploit a vulnerability in the scheme.
Now we can look at two different scenarios that might involve an ITSO card:
A stored value card might be used as a prepaid cash balance to pay for travel on demand or even to buy goods and services. Clearly this is an area that would be of interest to hackers and even organised crime. We have already shown that it would be possible to create a fraudulent card or even to reset the value on a card, so what is the likelihood of detection? That would be down to the sophistication of the back-end transaction processing system and its timeliness. However you look at it, this would not appear to be an acceptable risk for any business.
The travel entitlement card is at the opposite end of the risk scale. A concessionary card for bus travel for example is unlikely to attract the level of organised and motivated attackers that you might get for a stored value card. The card and the bearer of the card are also more likely to be subjected to visual checks. You might argue that this is a low risk system for which the Mifare Classic card is still 'fit for purpose'.
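The stored value scenario above, as an added example (not part of the original article and not ITSO code): a seal check that still passes on a byte-for-byte copy of the card data, next to the kind of back-end reconciliation that would expose the copy or a restored balance. HMAC-SHA256 stands in for the ITSO Seal, and the key, field names and transaction records are constructed assumptions.

```python
import hashlib
import hmac

SEAL_KEY = b"constructed-demo-key"  # assumption: placeholder for a scheme seal key

def seal(image: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in; it is not the real ITSO Seal algorithm
    return hmac.new(SEAL_KEY, image, hashlib.sha256).digest()

def terminal_accepts(image: bytes, tag: bytes) -> bool:
    # Offline terminal check: is the seal valid for the data presented?
    return hmac.compare_digest(seal(image), tag)

def reconcile(transactions):
    """Back-end check per card: sequence numbers must rise, and each opening
    balance must equal the closing balance of the previous transaction."""
    last, alerts = {}, []
    for t in transactions:
        prev = last.get(t["card"])
        if prev and t["seq"] <= prev["seq"]:
            alerts.append((t["card"], t["seq"], "sequence reused"))
            continue  # keep the highest-sequence record as the reference
        if prev and t["open"] != prev["close"]:
            alerts.append((t["card"], t["seq"], "balance mismatch"))
        last[t["card"]] = t
    return alerts

# Constructed sample data (hypothetical field names, amounts in pence)
GENUINE_IMAGE = b"serial=C1;product=stored-value;balance=2000"
GENUINE_TAG = seal(GENUINE_IMAGE)
COPIED_IMAGE, COPIED_TAG = bytes(GENUINE_IMAGE), bytes(GENUINE_TAG)  # exact copy

SAMPLE_LOG = [
    {"card": "C1", "seq": 1, "open": 2000, "close": 1800},
    {"card": "C1", "seq": 2, "open": 1800, "close": 1600},
    {"card": "C1", "seq": 2, "open": 1800, "close": 1500},  # second card, same state
    {"card": "C1", "seq": 3, "open": 2000, "close": 1800},  # balance back at old value
    {"card": "C2", "seq": 1, "open": 500, "close": 300},
]

if __name__ == "__main__":
    print("terminal accepts copy:", terminal_accepts(COPIED_IMAGE, COPIED_TAG))
    for alert in reconcile(SAMPLE_LOG):
        print("ALERT", alert)
```

The seal only proves that the data was issued by the scheme, so the terminal check passes on the copy; the two anomalies surface only once the transaction records reach the back end, which is why timeliness matters.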
ITSO has actually been very transparent about their plans for the Mifare Classic cards,
This is referring to the CMD 1/3 (Customer Media Device) from the allowed ITSO platforms, which have been recently compared in an ITSO matrix,
At one time the CMD 2 was the preferred option but there have been problems with the transaction response times. ITSO has recently phased out support for cards that have a transaction time greater than 600 ms, which is still pretty slow compared with the Mifare Classic at less than 150 ms. The problem here is the overhead when the CPU chip in the card is enabled: there is a certain amount of necessary housekeeping that all adds to the initialisation time before the transaction is even undertaken. If the card could be held in the magnetic field, the second transaction could be less than 150 ms. It would be possible to minimise this initialisation overhead in the operating system on the card but that might not be desirable for a general purpose contactless smart card.
Just for reference, ITSO has now released figures on the Mifare Classic cards in their domain:
English National Concessionary Travel Scheme (ENCTS) 7.2 million
Scottish Entitlement Scheme 1.4 million
Welsh Concessionary Scheme 0.5 million
The question is whether there is an adequate reason, in terms of risk profile, why these cards need to be changed. A better ITSO strategy might have been to remove support for certain product types on the Mifare Classic cards.
David Everett, Technical Editor