Movatterモバイル変換

Crypto-1

From Wikipedia, the free encyclopedia

Stream cipher

Crypto1
General
NXP Crypto1
Designers	Philips/NXP
First published	October 6, 2008
Cipher detail
Key sizes	48 bits
Security claims	48 bits
Structure	NLFSR,LFSR
Best publiccryptanalysis
Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card" claim that the cipher can be broken "in seconds".

Crypto1 is a proprietaryencryption algorithm (stream cipher) and authentication protocol created byNXP Semiconductors for itsMIFARE ClassicRFID contactless smart cards launched in 1994. Such cards have been used in many notable systems, includingOyster card,CharlieCard andOV-chipkaart.

By 2009, cryptographic research hadreverse engineered the cipher and a variety of attacks were published that effectively broke the security.^[1]^[2]^[3]^[4]^[5]

NXP responded by issuing "hardened" (but still backwards compatible) cards, the MIFARE Classic EV1. However, in 2015 a new attack rendered the cards insecure,^[6]^[7] and NXP now recommends migrating away from MIFARE Classic.^[8]

Technical description

[edit]

Crypto1 is astream cipher very similar in its structure to its successor, Hitag2. Crypto1 consists of

a 48-bitlinear feedback shift register for the state of the cipher,
a two-layer 20-to-1 nonlinear function used to generate the keystream, and
a 16-bit LFSR which is used during the authentication phase as apseudo random number generator

The usual operation of Crypto1 and Hitag2 ciphers uses nonlinear feedback only during the initialization/authentication stage, switching to operation as a LFSR with a nonlinear output filter (filter generator) for the rest of the communications.

References

[edit]

^de Koning Gans, Gerhard; J.-H. Hoepman; F.D. Garcia (2008-03-15)."A Practical Attack on the MIFARE Classic"(PDF). 8th Smart Card Research and Advanced Application Workshop (CARDIS 2008), LNCS, Springer. Archived fromthe original(PDF) on 2022-04-22. Retrieved2020-07-19.
^Courtois, Nicolas T.; Karsten Nohl; Sean O'Neil (2008-04-14)."Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". Cryptology ePrint Archive.
^Nohl, Karsten; David Evans; Starbug Starbug; Henryk Plötz (2008-07-31)."Reverse-engineering a cryptographic RFID tag".SS'08 Proceedings of the 17th Conference on Security Symposium. USENIX:185–193.
^Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (2008-10-04)."Dismantling MIFARE Classic"(PDF). 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. Archived fromthe original(PDF) on 2021-02-23. Retrieved2020-07-19.
^Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17)."Wirelessly Pickpocketing a Mifare Classic Card"(PDF). 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE. Archived fromthe original(PDF) on 2022-01-02. Retrieved2020-07-19.
^Meijer, Carlo; Verdult, Roel (2015-10-12)."Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards".Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. CCS '15. Denver, Colorado, USA: Association for Computing Machinery. pp. 18–30.doi:10.1145/2810103.2813641.hdl:2066/151451.ISBN 978-1-4503-3832-5.S2CID 4412174.
^Meijer; Verdult."Ciphertext-only Cryptanalysis on Hardened Mifare Classic"(PDF).R. Verdult's page at Institute for Computing and Information Sciences,Radboud University.Archived(PDF) from the original on 2021-04-29.
^Grüll, Johannes (October 12, 2015)."Security Statement on Crypto1 Implementations".www.mifare.net. Retrieved2021-04-29.

External links

[edit]

Radboud Universiteit Nijmegen press releasePDF Archived 2021-05-13 at theWayback Machine (in English)
Details of Mifare reverse engineering by Henryk PlötzPDF (in German)
Windows GUI Crypto1 tool, optimized for use with the Proxmark3

Stream ciphers

Widely used ciphers

eSTREAM Portfolio

Software	HC-128 Rabbit Salsa20 SOSEMANUK
Hardware	Grain MICKEY Trivium

Other ciphers

Generators

Theory

Attacks

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category