Title: 48-bits sir? That'll do nicely!

Author: 

Date: 16 March 2008 20:03:43 +00:00 or Sun, 16 March 2008 20:03:43 +00:00

Summary: [16-03-2008] Alan muses on the dangers of hardwiring your encryption into card readers and the cards...

Body: 

Bad news for those organisations using smart (aka 'idiot') cards fitted with NXP's Mifare chip. Researchers at Radbound University in Nijmegen have developed a method of easily cracking the chip's rather pathetic 48-bit key encryption. That may not sound earth shattering, until you realise that there are something like two billion cards around using this chip! They are used by a lot of public transport systems (London Transport's Oyster card, for instance), and in security swipe access cards used by governments and corporations.

It's going to be expensive to fix, since the encryption is in hardware in both the reader and the chip, both will have to be replaced. You can't just issue new cards. Rumour has it that some organisations are adding armed guards to their entry areas, though if the situation is that sensitive, one has to wonder why they were so stupid as to only rely on a card in the first place! I suspect this story may soon die, since all involved have an interest in hushing it up...

[Source: Risks Digest 25.08]

Alan produces a (nearly) weekly tech news newsletter. Find the details at http://www.ibgames.net/alan/winding/index.html

Notes: 

More fields may be available via dynamicdata ..