2013 IEEE CS Security and Privacy Workshops (SPW2013)
San Francisco, CA USA
May 23-May 24
ISBN: 978-1-4799-0458-7
Nicolas T. Courtois, Univ. Coll. London, London, UK
Daniel Hulme, Univ. Coll. London, London, UK
Kumail Hussain, Univ. Coll. London, London, UK
Jerzy A. Gawinecki, Mil. Univ. of Technol., Warsaw, Poland
In this paper we study the randomness of some random numbers found in real-life smart card products. We have studied a number of symmetric keys, codes and random nonces in the most prominent contactless smart cards used in buildings, for small payments and in public transportation by hundreds of millions of people every day. Furthermore, we investigate a number of technical questions in order to see to what extent the vulnerabilities we have discovered could be exploited by criminals. In particular we look at the case of MiFare Classic cards, of which some two hundred million are still in use worldwide. We have examined some 50 real-life cards from different countries to discover that it is not entirely clear if what was previously written about this topic is entirely correct. These facts are highly relevant to the practical feasibility of card cloning in order to enter some buildings, make small purchases or use public transportation in many countries. We also show examples of serious security issues due to poor entropy with another very popular contactless smart card used in many buildings worldwide.
Index Terms:
Cryptography, Smart cards, Buildings, Entropy, Generators, Educational institutions, MiFare Classic, Random Number Generators (RNG), human factors, cryptography, smart cards, RFID, building access control, contactless payments, HID Prox, HID iClass
Citation:
Nicolas T. Courtois, Daniel Hulme, Kumail Hussain, Jerzy A. Gawinecki, Marek Grajek, "On Bad Randomness and Cloning of Contactless Payment and Building Smart Cards," spw, pp. 105-110, 2013 IEEE CS Security and Privacy Workshops (SPW2013), 2013