
March 19, 2008

The MIFARE Classic Card is Hacked

Blogger: Mark Diodati

Some of you may have read that the proprietary symmetric key cryptographic algorithm of the MIFARE Classic card has been broken. The MIFARE Classic card is used in physical access control systems (PACS) and contactless payment systems (including tollway and public transportation systems). By some estimates, there are 500 million MIFARE cards deployed worldwide, and the majority of them are MIFARE Classic cards. Karsten Nohl and his team completed the hack, and the team was able to clone a MIFARE Classic card in less than two minutes (the “skimming” or reading of the card takes less than a few seconds). Perhaps not coincidentally, NXP (the owners of the MIFARE intellectual property) announced on March 10 that they have a new-and-improved MIFARE card that leverages AES 128-bit encryption. The first samples will be available in Q4 of 2008. The refreshment of hundreds of millions of cards will be completed at a much later date.

You may be aware of the MIFARE vs. HID Prox card religious war in the PACS space.  From my experience talking with customers, there are more HID Prox cards used in PACS in the United States as compared to the MIFARE card.  The MIFARE proponents consistently tout the security value of MIFARE technology over HID Prox technology, and have pointed to the fact that HID Prox cards could be readily cloned.  You can see a video of the HID Prox card clone, from the 2007 RSA Conference here.  The conventional wisdom was that the MIFARE card was unclonable.  The conventional wisdom was wrong.

The impact of the MIFARE hack on the payment systems that rely on it (and their consumers) is increased fraud. The cloning of the card does not require possession, only proximity. I am unaware of any preventative measures that would preclude a fraudster from walking around a parking garage and cloning those tollway cards that are mounted in everyone’s windshield. Some people might consider this an act of civil disobedience, particularly if they drive on the Illinois Tollway with any frequency (as Triumph the Insult Comic Dog would say “I keed!”). Also, skimming and cloning the user’s public transportation card while they ride the train is a likely outcome. If you are aware of any preventative measures, please let me know.

What is the impact to PACS security?  The reality is that many PACS deployments did not leverage the MIFARE encryption features.  The management of symmetric keys across the relatively complex PACS environment (specifically, cards, readers, controllers, and hosts) remains a daunting process.  For these deployments without encryption, it’s business as usual.  Those organizations that deployed the MIFARE technology with encryption should realize that they are not as secure as they thought.  Either way, as we have said before, no authentication method is bulletproof.  Organizations should be using other controls – like auditing and security event correlation – to enhance the security of their PACS. 
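As an added illustration of the event correlation recommended above (not code from the original post), the sketch below scans badge events for two signs that a card may have been duplicated: the same card appearing at two sites faster than a person could travel, and a second entry with no exit in between. The log format, the site names and the 30-minute travel threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample PACS log: timestamp, card ID, reader site, direction.
SAMPLE_LOG = """\
2008-03-19T08:01:10 card=1001 site=HQ dir=in
2008-03-19T08:03:42 card=1002 site=HQ dir=in
2008-03-19T08:09:05 card=1001 site=LAB dir=in
2008-03-19T12:00:00 card=1002 site=HQ dir=out
2008-03-19T13:02:30 card=1002 site=HQ dir=in
2008-03-19T13:40:00 card=1002 site=HQ dir=in
2008-03-19T17:30:00 card=1001 site=HQ dir=out
"""

# Assumed minimum realistic travel time between distinct sites.
MIN_TRAVEL = timedelta(minutes=30)


def parse(log):
    """Turn log text into time-sorted event dicts."""
    events = []
    for line in filter(str.strip, log.splitlines()):
        stamp, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def correlate(events, min_travel=MIN_TRAVEL):
    """Return (rule, card, time) alerts for events suggesting a duplicated card."""
    alerts = []
    last = {}  # card ID -> previous event for that card
    for ev in events:
        prev = last.get(ev["card"])
        if prev:
            gap = ev["time"] - prev["time"]
            if ev["site"] != prev["site"] and gap < min_travel:
                # One card cannot be at two distant sites this quickly.
                alerts.append(("impossible_travel", ev["card"], ev["time"]))
            elif ev["site"] == prev["site"] and ev["dir"] == prev["dir"] == "in":
                # Second entry with no exit in between (anti-passback).
                alerts.append(("double_entry", ev["card"], ev["time"]))
        last[ev["card"]] = ev
    return alerts


if __name__ == "__main__":
    for rule, card, when in correlate(parse(SAMPLE_LOG)):
        print(when.isoformat(), card, rule)
```

Neither rule proves cloning on its own; each alert is a lead to check against the cardholder and other records, which is why the checks belong in a correlation layer instead of at the reader.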

Finally, when will people learn their lesson?  Cryptographic algorithms should be public so that they can be scrutinized and tested.  Secret algorithms aren’t more valuable because they are secret.  Bruce Schneier has been saying this for years.

If you are interested in more details on PACS architecture and components, I recommend my recent Burton Group research document “Let’s Get Logical: The Convergence of Physical Access Control and Identity Systems” (subscription required).

October 24, 2007

Nothing is Bulletproof

Blogger: Mark Diodati

Tim Renshaw is a VP at TriCipher, and he has a blog over at http://eyedentityonline.com.  TriCipher is a consumer authentication company; its technology provides mobile PKI in various forms, and provides additional security by splitting the private key.  He had a post about my two-part interview with Jeff Gould at eWeek (the second part of the interview is here, and Tim’s blog entry is here).  Basically, he says I don’t know what I am talking about.  How can I resist a reply?

One fact that I have stated continually over the years is that no mainstream authentication method (consumer or enterprise) is bulletproof.  Even the PKI solution Tim touts is problematic, and I don't agree with his assessment that it will solve the consumer authentication problem.  It's clear from talking to the world's largest financial institutions that most FIs are not prepared to deploy a full-blown client and/or hardware solution - U.S. consumers don't want them (note: the recent VeriSign/eBay announcement is not a bellwether for general consumer usage), and the FIs are unprepared for the onslaught of help desk calls.  But, let's assume for the sake of argument that FIs could deploy smart cards on a large scale.

Smart cards offer a highly tamper-resistant storage mechanism for private keys.  Most people would agree that smart cards are the most mainstream secure storage mechanism for private keys (after all, the deployment of HSMs to end users is impractical, right?).  I like the technology for the right use cases, and I think it is perhaps the best authenticator available from a security perspective (provided, as with any authentication technology, that the identity proofing is done correctly).  But even smart cards are subject to attack.  Let's say that the client middleware is configured to authenticate the user once via PIN (or biometric), then enable continual access to the private key.  User malware can send data down to the smart card for signing by the private key, but the user would never know.  Let's kick it up a notch - let's make the user enter the PIN every time a signing function is required (ignoring usability implications).  Malware could send down data to the card for signature that is different from what the user is expecting to sign.

Software-based PKI solutions overcome some of the smart card deployment concerns, but they are not as secure as smart cards and are subject to similar attacks as the one Tim specifies for typing biometrics.

Another fact that I have also stated over the years is that authentication solutions must be layered to provide an adequate level of identity assurance that is required for the application. This is why you are seeing the FIs overlay risk analytic engines on top of primary authentication mechanisms. No one technology will do the trick. I’m not summarily dismissing either the typing biometric or PKI technologies. To suggest, however, that PKI will solve the consumer authentication problem is disingenuous.