Ask The Security Expert: Questions & Answers

If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?

Expert response from: Joel Dubin

QUESTION POSED ON: 11 August 2008
I recently read that the encryption on the Mifare Classic RFID technology has been cracked. Since Mifare is used in millions of smart cards, is this a legitimate concern for enterprises? Does it put the future security of smart cards or RFID in jeopardy?

EXPERT RESPONSE
The cracking of a widely used smart card, like those with the Mifare Classic RFID chip, is definitely a cause for concern. It could expose facilities worldwide to malicious access, since 1 billion passes have been distributed outside its original base in the Netherlands.

But the issue goes far beyond the Mifare chip to the security of smart cards and RFID chips in general. The technology definitely has some security chinks in its armor, but it would be premature to say it's in jeopardy because of security issues. The technology is growing in popularity and ease of use, but its security isn't quite mature yet.

Smart cards and RFID chips, on the surface, are supposed to be stronger forms of authentication than, say, user IDs and passwords, which are easy to steal and guess. But on the other hand, the chips on cards also have weaknesses. Over the past two years, several researchers in the UK, Germany and the Netherlands have designed ways to clone chips and cards, steal data from radio signals emanating from RFID chips or break the encryption algorithms on chips. In some cases, they've used homemade devices that can be cheaply constructed from readily available materials.

RFID chips have been criticized heavily as being the most exposed. The chips are now used on credit cards and some U.S. passports, opening up users to potential credit card fraud or identity theft. The issue is that signals from RFID chips frequently aren't encrypted and can be easily captured by readers. Someone with an RFID credit card in their wallet could unwittingly lose his or her account number just by walking past a malicious reader a few feet away.

The other issue with both smart cards and RFID chips is that they can only hold a limited number of encryption keys due to their small size and capacity, making their algorithms susceptible to cracking.

The security issues that need to be resolved are encryption of RFID signals, shielding of RFID signals from malicious access and better encryption of chips on smart cards. Until then, simply cutting out the chips on credit cards could make them inoperable and would invalidate a passport. But despite those challenges, security is still playing catch-up as the technology's usage and popularity continue to grow.

All Rights Reserved, Copyright 2003 - 2008, TechTarget