DocumentCode :
622761
Title :
On Bad Randomness and Cloning of Contactless Payment and Building Smart Cards
Author :
Courtois, Nicolas T. ; Hulme, Daniel ; Hussain, Kumail ; Gawinecki, Jerzy A. ; Grajek, Marek
Author_Institution :
Univ. Coll. London, London, UK
fYear :
2013
fDate :
23-24 May 2013
Firstpage :
105
Lastpage :
110
Abstract :
In this paper we study the randomness of some random numbers found in real-life smart card products. We have studied a number of symmetric keys, codes and random nonces in the most prominent contactless smart cards used in buildings, small payments and public transportation used by hundreds of millions of people every day. Furthermore we investigate a number of technical questions in order to see to what extent the vulnerabilities we have discovered could be exploited by criminals. In particular we look at the case of MiFare Classic cards, of which some two hundred million are still in use worldwide. We have examined some 50 real-life cards from different countries to discover that it is not entirely clear if what was previously written about this topic is entirely correct. These facts are highly relevant to the practical feasibility of card cloning in order to enter some buildings, make small purchases or in public transportation in many countries. We also show examples of serious security issues due to poor entropy with another very popular contactless smart card used in many buildings worldwide.
Keywords :
random number generation; security of data; smart cards; MiFare classic cards; card cloning; contactless payment cloning; contactless smart card; public transportation; random nonces; real-life smart card products; security issues; symmetric keys; Buildings; Cryptography; Educational institutions; Entropy; Generators; Smart cards; HID Prox; HID iClass; MiFare Classic; RFID; Random Number Generators (RNG); building access control; contactless payments; cryptography; human factors; smart cards;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Security and Privacy Workshops (SPW), 2013 IEEE
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4799-0458-7
Type :
conf
DOI :
10.1109/SPW.2013.29
Filename :
6565237