Topic: Security and MIFARE Classic

Hi,

Just for fun, I have written a PAM module which uses libnfc. It allows me to log in to my PC with a Mifare Classic tag.
At the moment, authentication is based on a pre-associated user and UID. I know it's really poor security, since it seems to be really easy to make hardware that can provide a "custom" UID.

I have thought about storing a private GPG-like key on the Mifare Classic (or a "particular" message encrypted with GPG), but it's also possible to "clone" a Mifare card.

So, my question is: is there any way to provide a secure authentication module using Mifare Classic?

Romuald Conty

2 (edited by TomBu 2009-06-30 11:06:33)

Re: Security and MIFARE Classic

Hi,


When doing authentication, people generally use at least one, or preferably a combination, of:
1.) something you have
2.) something you know
3.) something you are

Category 3.) can be disregarded since I presume biometrics is out of the question.

The Mifare Classic as a means to authenticate falls in category 1.) something you have. The problem with it is that it is not always unique. It can be forged. So you can make it unique by storing an encrypted bit of information each time it is used.

Additionally, you could opt to increase security by adding something from category 2.) something you know, something like a small password or PIN.

Now, putting it all together, you could store the username in the clear in one sector, store in another sector (readable with another Key A and writable with yet another Key B) the encrypted last time the card was used, and use a hash of the PIN as a seed for the encryption.

It still does not make it 200% unbreakable; however, it is better than what most systems use nowadays. (IMHO)


Kind regards,
Tom

Re: Security and MIFARE Classic

If you ask me, you had better use some DESFire or Plus tags instead of the old Classic ones.
The access key to the data stored on the card could be encrypted with a hash of what the user supplies (password?).
This means that the DATA can only be accessed by knowing the password. The DATA then should contain the necessary information to log in to the system. Only recovery of both parts would grant you access; they are useless without each other.

The MIFARE Classic tag you are using instead does not provide more security than a mag-stripe (but then wirelessly accessible).

Re: Security and MIFARE Classic

Dear,


It is true that the Mifare Classic can be replaced with other, currently better-looking, alternatives. However, the topic starter's request was regarding the Classic.

Personally, I think that writing something back to the card after successful login, combined with a lock of the desktop when the card is removed, is a substantial security benefit over a MagStripe. Naturally, it's all in the implementation details.

However, I do agree that one should regard the protection of the proprietary Crypto1 cipher as non-existent, indeed.


Kind regards,
Tom

Re: Security and MIFARE Classic

TomBu wrote:

Personally, I think that writing something back to the card after successful login

Not sure how that really changes anything; just making something more complex doesn't automatically make it more secure. Also, consider partial failure and how somebody can legitimately log on to multiple machines.

I've had a play with the fingerprint readers for login and I actually like them. :)

Re: Security and MIFARE Classic

TomBu wrote:

Personally, I think that writing something back to the card after successful login, combined with a lock of the desktop when the card is removed is a substantial security benefit over a MagStripe.

Is this not exactly how MagStripes are used? From what I've heard, parts of the data in the Dutch banking cards (still MagStripe) are updated during each transaction.

It indeed improves complexity, but it could also initiate synchronization problems when an attacker has accessed the system with a copied card ;)
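
The write-back scheme discussed in this thread, and the synchronization problem raised in the last replies, as an added Python example that is not code from any poster or from libnfc. It swaps the encrypted last-use time for an HMAC over a login counter, keyed from the PIN and a host-only salt; the `host` and `card` dicts, the function names, the look-back window and the UID/PIN values are all constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16     # one MIFARE Classic data block holds 16 bytes
LOOKBACK = 8   # how many older counters to recognise as "stale" (assumed value)

def derive_key(host: dict, pin: str) -> bytes:
    # The salt lives only on the host, so a dumped card block alone
    # does not allow an offline guess of a short PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), host["salt"], 50_000)

def token(key: bytes, uid: bytes, counter: int) -> bytes:
    msg = uid + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def enroll(uid: bytes, pin: str):
    """Create the host record and the initial card contents (both hypothetical)."""
    host = {"uid": uid, "salt": os.urandom(16), "counter": 0}
    card = {"uid": uid, "block": token(derive_key(host, pin), uid, 0)}
    return host, card

def login(host: dict, card: dict, pin: str) -> str:
    """Return 'ok', 'stale' (an older token: clone or failed write-back) or 'fail'."""
    if card["uid"] != host["uid"]:
        return "fail"
    key = derive_key(host, pin)
    if hmac.compare_digest(card["block"], token(key, host["uid"], host["counter"])):
        host["counter"] += 1
        # Write-back step: the card now carries the token for the next login.
        card["block"] = token(key, host["uid"], host["counter"])
        return "ok"
    for old in range(max(0, host["counter"] - LOOKBACK), host["counter"]):
        if hmac.compare_digest(card["block"], token(key, host["uid"], old)):
            return "stale"   # worth an alert and a card re-issue, not a silent retry
    return "fail"

if __name__ == "__main__":
    host, card = enroll(bytes.fromhex("04a1b2c3"), "4921")  # constructed UID and PIN
    copy = dict(card)                    # a dump of the card taken before login
    print(login(host, card, "4921"))     # genuine card, counter advances
    print(login(host, copy, "4921"))     # the earlier dump is now out of date
```

The counter here lives on a single host; logging on to several machines, as raised above, would need that state shared between them.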