Problem solve Get help with specific problems with your technologies, process and projects.

Are smart cards insecure if Mifare Classic RFID encryption is cracked?

The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access management expert Joel Dubin explains.

I recently read that the encryption on the Mifare Classic RFID technology has been cracked. Since Mifare is used...

in millions of smart cards, is this a legitimate concern for enterprises? Does it put the future security of smart cards or RFID in jeopardy?

The cracking of a widely used smart card, like those with the Mifare Classic RFID chip, is definitely a cause for concern. It could expose facilities worldwide to malicious access, since 1 billion passes have been distributed outside its original base in the Netherlands.

But the issue goes far beyond the Mifare chip to the security of smart cards and RFID chips in general. The technology definitely has some security chinks in its armor, but it would be premature to say it's in jeopardy because of security issues. The technology is growing in popularity and ease of use, but its security isn't quite mature yet.

Smart cards and RFID chips, on the surface, are supposed to be stronger forms of authentication than, say, user IDs and passwords, which are easy to steal and guess. But on the other hand, the chips on cards also have weaknesses. Over the past two years, several researchers in the UK, Germany and the Netherlands have designed ways to clone chips and cards, steal data from radio signals emanating from RFID chips or break the encryption algorithms on chips. In some cases, they've used homemade devices that can be cheaply constructed from readily available materials.

RFID chips have been criticized heavily as being the most exposed. The chips are now used on credit cards and some U.S. passports, opening up users to potential credit card fraud or identity theft. The issue is that signals from RFID chips frequently aren't encrypted and can be easily captured by readers. Someone with an RFID credit card in their wallet could unwittingly lose his or her account number just by walking past a malicious reader a few feet away.

The other issue with both smart cards and RFID chips is that they can only hold a limited number of encryption keys due to their small size and capacity, making their algorithms susceptible to cracking.

The security issues that need to be resolved are encryption of RFID signals, shielding of RFID signals from malicious access and better encryption of chips on smart cards. Until then, simply cutting out the chips on credit cards could make them inoperable and would invalidate a passport. But despite those challenges, security is still playing catch up as the technology's usage and popularity continues to grow.

Next Steps

Learn more about securing implanted chips and RFID tags.

Prevent hack attacks against smart card systems with these best practices.

This was last published in August 2008

Dig Deeper on Two-factor and multifactor authentication strategies

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.