On Bad Randomness and Cloning of Contactless Payment and Building Smart Cards

2013 IEEE Security and Privacy Workshops Pub Date : 2013-05-23 DOI:10.1109/SPW.2013.29

N. Courtois, Daniel Hulme, K. Hussain, J. Gawinecki, M. Grajek

{"title":"On Bad Randomness and Cloning of Contactless Payment and Building Smart Cards","authors":"N. Courtois, Daniel Hulme, K. Hussain, J. Gawinecki, M. Grajek","doi":"10.1109/SPW.2013.29","DOIUrl":null,"url":null,"abstract":"In this paper we study the randomness of some random numbers found in real-life smart card products. We have studied a number of symmetric keys, codes and random nonces in the most prominent contactless smart cards used in buildings, small payments and public transportation used by hundreds of millions of people every day. Furthermore we investigate a number of technical questions in order to see to what extent the vulnerabilities we have discovered could be exploited by criminals. In particular we look at the case MiFare Classic cards, of which some two hundred million are still in use worldwide. We have examined some 50 real-life cards from different countries to discover that it is not entirely clear if what was previously written about this topic is entirely correct. These facts are highly relevant to the practical feasibility of card cloning in order to enter some buildings, make small purchases or in public transportation in many countries. We also show examples of serious security issues due to poor entropy with another very popular contactless smart card used in many buildings worldwide.","PeriodicalId":383569,"journal":{"name":"2013 IEEE Security and Privacy Workshops","volume":"48 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 IEEE Security and Privacy Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW.2013.29","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

In this paper we study the randomness of some random numbers found in real-life smart card products. We have studied a number of symmetric keys, codes and random nonces in the most prominent contactless smart cards used in buildings, small payments and public transportation used by hundreds of millions of people every day. Furthermore we investigate a number of technical questions in order to see to what extent the vulnerabilities we have discovered could be exploited by criminals. In particular we look at the case MiFare Classic cards, of which some two hundred million are still in use worldwide. We have examined some 50 real-life cards from different countries to discover that it is not entirely clear if what was previously written about this topic is entirely correct. These facts are highly relevant to the practical feasibility of card cloning in order to enter some buildings, make small purchases or in public transportation in many countries. We also show examples of serious security issues due to poor entropy with another very popular contactless smart card used in many buildings worldwide.

查看原文本刊更多论文

非接触式支付和楼宇智能卡的不良随机性和克隆性研究

本文研究了现实生活中智能卡产品中一些随机数的随机性。我们研究了数亿人每天在建筑物、小额支付和公共交通中使用的最常见的非接触式智能卡中的大量对称密钥、代码和随机符号。此外，我们还调查了一些技术问题，以了解我们发现的漏洞在多大程度上可能被犯罪分子利用。我们特别关注MiFare经典卡的情况，其中约有2亿张卡仍在全球范围内使用。我们检查了来自不同国家的50张真实的卡片，发现之前关于这个话题的描述是否完全正确并不完全清楚。这些事实与卡克隆的实际可行性高度相关，以便在许多国家进入一些建筑物，进行小额购买或乘坐公共交通工具。我们还展示了另一种非常流行的非接触式智能卡由于熵差而导致严重安全问题的例子，这种智能卡在全球许多建筑物中使用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 IEEE Security and Privacy Workshops

自引率

0.00%

发文量