
Nohl: NXP making ‘terrible decision’

Thursday, July 10, 2008

Dutch semiconductor manufacturer NXP is making a mistake suing Radboud University Nijmegen in the Netherlands, says Karsten Nohl, a University of Virginia graduate student who worked with others to break the MIFARE cryptographic algorithm. “It’s a terrible decision, there is no legal case to be made,” Nohl says. “This was reverse engineered legally without any help from NXP.”

NXP has sued the university to block details of a security flaw in NXP’s MIFARE Classic contactless smart cards. The MIFARE Classic line of products is possibly the world’s most widely deployed contactless product, used for many transit and physical security applications.

The university had sent its research to NXP for review before publishing it, Nohl says. The university did this to inform NXP of the vulnerability in hopes that the chip manufacturer would remedy the situation and inform users that the systems are weak. In the future researchers might not be as kind and instead just publish the research without letting NXP review it first. While Nohl has just about completed his work on MIFARE, if he were to do any additional work he would probably publish it without pre-informing NXP.


Nohl is planning on releasing his research on MIFARE in August. He has been working with NXP and doesn’t think he will be sued. “I had been invited to meet with and discuss how to make their technology more secure,” he says.

Also, Nohl’s research is more theoretical while the university’s actually shows individuals how to crack the security of the chip, he says. “NXP has no problem with what we have,” he says. “The research isn’t about breaking the card but we describe the method of how the card is broken.”

The hearing to prevent the university from publishing its research was held in Dutch court today, but a decision isn’t expected until next week, Nohl says.

The MIFARE Classic line includes the MIFARE 1K, MIFARE 4K and MIFARE Mini products. They are used worldwide in transit fare collection systems, access control solutions, and government ID systems. Large issuers include transit projects such as London’s Oyster program, The Netherlands’ OV-chipkaart, and Boston’s Charlie Card.

For more information see our previous coverage here.

The Smart Card Alliance Transportation Council has published a white paper examining how the transit industry can best make use of NFC technology.

“One of the major challenges facing transit agencies today is how to capitalize on the ever-growing popularity of mobile phones with a solid mobile strategy,” said Transportation Council Chairman Craig Roberts. “This white paper builds on the knowledge base developed in earlier white papers to foster a greater understanding of NFC technology, explain its role in the transit industry, and shed light on key issues facing the transit industry in developing a mobile strategy.”


AVISIAN Publishing is pleased to announce the release of the interactive version of the fall 2011 issue of CR80News.

The interactive feature allows for a miniature mode that you can thumb through as well as a full screen mode that allows you to read the magazine as if it were sitting in front of you. Even flipping the pages looks great with this new feature.


Smart Chip Limited, the Indian subsidiary of Morpho, has received the Software Engineering Institute’s certification for the Maturity 3 level of the Capability Maturity Model Integration for Development (CMMI-DEV).


Jaspersoft announced that CardSmith is using its business intelligence suite to provide campus customers with better decision-making through Web-based reports, dashboards and analysis.

CardSmith embeds Jaspersoft in its Software as a Service (SaaS) transaction solution enabling administrators to create reports that analyze student and consumer behavior. The CardSmith managed service provides educational institutions with campus card services without the incremental IT resource investments.


Indian transport operator Ahmedabad Janmarg Ltd. has launched a smart transit card for commuters traveling on the region’s bus system, according to ISO&Agent.

The agency began a six-month trial in August 2010 followed by a soft and silent launch in January 2012. The card is available now for a nonrefundable fee of 25 rupees ($.50 US cents) and allows commuters to travel for up to 100 minutes on one bus, for the minimum fare.


Cubic Transportation Systems, distributor of the electronic transit Clipper card, has responded to the recent news of a Ph.D. student in IT Security allegedly breaking the encryption in Clipper and similar transit cards.
