Comments for Cryptanalysis http://cryptanalysis.eu/blog breaking news Wed, 08 Sep 2010 10:50:39 +0000 http://wordpress.org/?v=2.7 hourly 1 Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by RFID Fails the counterfeit test « Counterfeit Drug Blog http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-1462 RFID Fails the counterfeit test « Counterfeit Drug Blog Sat, 08 Mar 2008 17:57:25 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-1462 [...] The newest attack was demonstrated at the 24th Congress of the Chaos Computer Club in Berlin last December. Interest in the study has been spreading steadily from the arcane world of security hackers. One of the researchers is Karsten Nohl, a graduate student in the University of Virginia’s Computer Science Department, in Charlottesville, the other two are Henryk Plotz and “Starbug.” The trio apparently demonstrated a practical and effective way to break the Mifare encryption key, confirming what many cryptographers had suspected. [...] [...] The newest attack was demonstrated at the 24th Congress of the Chaos Computer Club in Berlin last December. Interest in the study has been spreading steadily from the arcane world of security hackers. One of the researchers is Karsten Nohl, a graduate student in the University of Virginia’s Computer Science Department, in Charlottesville, the other two are Henryk Plotz and “Starbug.” The trio apparently demonstrated a practical and effective way to break the Mifare encryption key, confirming what many cryptographers had suspected. [...]

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ralf http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-449 Ralf Sun, 13 Jan 2008 01:58:28 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-449 @Ruptor: alrighty. that's not my content though. and neither is that page linked from here. I understand your point, I simply suggest that your finger is pointing into the wrong direction, that's all. End of discussion on this topic. @Ruptor: alrighty. that’s not my content though. and neither is that page linked from here. I understand your point, I simply suggest that your finger is pointing into the wrong direction, that’s all. End of discussion on this topic.

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ruptor http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-448 Ruptor Sun, 13 Jan 2008 01:15:16 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-448 Ralf, you tried to correct me... I was talking about the http://www.cs.virginia.edu/~kn5f/OV-card_security.html article. Ralf, you tried to correct me… I was talking about the http://www.cs.virginia.edu/~kn5f/OV-card_security.html article.

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ralf http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-446 Ralf Sat, 12 Jan 2008 22:29:47 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-446 Ruptor, this is getting surreal. Maybe you're confusing something. Please tell me where I supposedly have written the words that you're stating! Remember I'm not part of the team that presented @24C3, I merely reported on Karsten, Henryk and Starbug's presentation. Moreover, I don't remember them saying much about Hitag2 in the talk, but I'd have to watch the whole video again to make sure. Best, Ralf Ruptor, this is getting surreal. Maybe you’re confusing something. Please tell me where I supposedly have written the words that you’re stating! Remember I’m not part of the team that presented @24C3, I merely reported on Karsten, Henryk and Starbug’s presentation. Moreover, I don’t remember them saying much about Hitag2 in the talk, but I’d have to watch the whole video again to make sure.

Best,
Ralf

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ruptor http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-441 Ruptor Sat, 12 Jan 2008 13:46:53 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-441 Ralf: I did read carefully ;-P "Other types of RFID tags ... including the Hitag2+ tags ... are not affected by our findings." That is where you said it. Of course they are all affected! People will now rightfully doubt all those tags. cpaar: I hear PRESENT is too big for the lowest-cost RFIDs. According to Karsten, 500 gates is the limit... Ralf: I did read carefully ;-P

“Other types of RFID tags … including the Hitag2+ tags … are not affected by our findings.”

That is where you said it. Of course they are all affected! People will now rightfully doubt all those tags.

cpaar: I hear PRESENT is too big for the lowest-cost RFIDs. According to Karsten, 500 gates is the limit…

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by cpaar http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-434 cpaar Fri, 11 Jan 2008 16:48:37 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-434 During the Q&A session at the end, there was a brief discussion about the PRESENT cipher. This is our new block cipher optimized for (cost sensitive) RFID chips. If anybody is interested, here is a description of the cipher: http://www.crypto.ruhr-uni-bochum.de/en_publications.html It is in the article "PRESENT: An Ultra-Lightweight Block Cipher" which appeared at this year's CHES workshop. PRESENT has an 80 bit key. Note that there is currently NO attack known against PRESENT which is better than the 2^80 steps that are needed for a brute-force attack. REMARK: There is a result with an attack complextiy of 2^64, but that's only an attack against the first 16 rounds PRESENT. However, PRESENT has 31 rounds and the attack completely fails against the full cipher. Breaking reduced round versions of block cipher is not uncommon in the scientific community. For instance, note that you can break 5-round AES with about 2^30 ciphertexts. However, this is of no practical use since AES has 10 rounds... :) During the Q&A session at the end, there was a brief discussion about the PRESENT cipher. This is our new block cipher optimized for (cost sensitive) RFID chips. If anybody is interested, here is a description of the cipher:
http://www.crypto.ruhr-uni-bochum.de/en_publications.html

It is in the article “PRESENT: An Ultra-Lightweight Block Cipher” which appeared at this year’s CHES workshop.

PRESENT has an 80 bit key. Note that there is currently NO attack known against PRESENT which is better than the 2^80 steps that are needed for a brute-force attack.

REMARK: There is a result with an attack complextiy of 2^64, but that’s only an attack against the first 16 rounds PRESENT. However, PRESENT has 31 rounds and the attack completely fails against the full cipher. Breaking reduced round versions of block cipher is not uncommon in the scientific community. For instance, note that you can break 5-round AES with about 2^30 ciphertexts. However, this is of no practical use since AES has 10 rounds… :)

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ralf http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-433 Ralf Fri, 11 Jan 2008 15:03:15 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-433 Ruptor: Read carefully. Where does it say that Hitag2 is not affected? In fact, I haven't said anything about Hitag2 at all, since I never looked into it. But if it has the same key size, it will of course be vulnerable to the same kind of TMTOs if the full specification is publicly available. And as I understood from your posts, it is. The question that was discussed previously is whether Hitag2 is <b>identical</b> or not to Mifare. Ruptor: Read carefully. Where does it say that Hitag2 is not affected? In fact, I haven’t said anything about Hitag2 at all, since I never looked into it. But if it has the same key size, it will of course be vulnerable to the same kind of TMTOs if the full specification is publicly available. And as I understood from your posts, it is. The question that was discussed previously is whether Hitag2 is identical or not to Mifare.

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by Ruptor http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-432 Ruptor Fri, 11 Jan 2008 14:53:23 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-432 Why does it say that Hitag2 systems are not affected? ;-))) Someone should say something... Why does it say that Hitag2 systems are not affected? ;-))) Someone should say something…

]]> Comment on Meaningful results against Trivium with reduced key setup by Kryptoblog » Blog Archive » FSE 2008 och slutspurt i eSTREAM http://cryptanalysis.eu/blog/?p=11&cpage=1#comment-427 Kryptoblog » Blog Archive » FSE 2008 och slutspurt i eSTREAM Thu, 10 Jan 2008 20:56:52 +0000 http://cryptanalysis.eu/blog/2007/11/12/meaningful-results-against-trivium-with-reduced-key-setup/#comment-427 [...] gäller Trivium, har bloggen Cryptanalysis tidigare publicerat delar av det resultat som antagligen kommer att presenteras på konferensen. Resultaten är baserade på en förenklad variant av Trivium, men är ändå mycket [...] [...] gäller Trivium, har bloggen Cryptanalysis tidigare publicerat delar av det resultat som antagligen kommer att presenteras på konferensen. Resultaten är baserade på en förenklad variant av Trivium, men är ändå mycket [...]

]]> Comment on MiFare’s CRYPTO1 algorithm mostly reverse-engineered by karsten http://cryptanalysis.eu/blog/?p=14&cpage=1#comment-416 karsten Tue, 08 Jan 2008 22:51:42 +0000 http://cryptanalysis.eu/blog/2007/12/29/mifare-crypto1/#comment-416 Our analysis has caused an extensive debate over the new Dutch ticketing system for public transport. Finally people are staring to be concerned about system security :). Our take on the security of this and similar systems: http://www.cs.virginia.edu/~kn5f/OV-card_security.html Our analysis has caused an extensive debate over the new Dutch ticketing system for public transport. Finally people are staring to be concerned about system security :).
Our take on the security of this and similar systems:
http://www.cs.virginia.edu/~kn5f/OV-card_security.html

]]>