[hcs-d] Fwd: New Harvard ID Card Announcement
krstic at solarsail.hcs.harvard.edu
Thu Jul 10 13:43:50 EDT 2008
On Jul 10, 2008, at 3:37 AM, Joshua Kroll wrote:

> Yes. A lot of contactless smart cards do this.

No, some cards do it under some circumstances.

> Take for example the recent break of the Dutch MIFARE

MIFARE is a family covering four kinds of cards, only one of which is
broken, and which isn't recommended by the production company, NXP,
for access management in the first place. The remaining three use

> Um, I think FUDing would be suggesting that the cards are designed in
> a way that makes them vulnerable to replay, such as run-of-the-mill
> ISO 14443 passive RFID (note that the standard also allows on-chip
> crypto, as in MIFARE above). Again, if you'd come to Scott Bradner's
> talk, you'd know that the cards "aren't vulnerable to replay"
> although we weren't told anything else. Note that the Princeton and
> Yale systems are in fact passive and they've had problems with this,
> which is why Harvard went with a system that can do
> challenge/response, although in only a limited sense.

Given purely the forwarded announcement, "guessing" that the cards use
broken crypto is FUD; there's no good reason for that assumption. As I
suggested, you _did_ know something other than what's in the
announcement, namely the no-replay property from Scott Bradner's talk.

Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org