-rwxr-xr-xpaper/RFID.bib671
-rw-r--r--paper/easycard.tex1161
2 files changed, 1262 insertions, 570 deletions
diff --git a/paper/RFID.bib b/paper/RFID.bib
new file mode 100755
index 0000000..9d173f7
--- /dev/null
+++ b/paper/RFID.bib
@@ -0,0 +1,671 @@
+@INPROCEEDINGS{WIPR,
+author = {Yossef Oren and Martin Feldhofer},
+title = {{A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes}},
+booktitle = {Second {ACM} Conference on Wireless Network Security, {WiSec}},
+year = {2009},
+}
+
+@INPROCEEDINGS {irrupt,
+author = {Luca Henzen and Flavio Carbognani and JPA and Sean O'Neil and Wolfgang Fichtner},
+title = {VLSI implementations of the cryptographic hash functions MD6 and irRUPT},
+booktitle = {IEEE ISCAS},
+year = {2009},
+}
+
+@INPROCEEDINGS {th1,
+author = {Avoine, G. and Dysli, E. and Oechslin, P.},
+title = {Reducing Time Complexity in {RFID} Systems},
+booktitle = {Selected Areas in Cryptography (SAC)},
+year = {2005},
+}
+
+@INPROCEEDINGS {Avoine2005,
+author = {Gildas Avoine and Philippe Oechslin},
+title = {{RFID Traceability: A Multilayer Problem}},
+booktitle = {{Financial Cryptography}},
+year = {2005},
+}
+
+@inproceedings {Avoine2007,
+ author = {Gildas Avoine and Levente Butty\'{a}n, Tam\'{a}s Holczer Istv\'{a}n Vajda},
+ title = {{Group-Based Private Authentication}},
+ booktitle = {{International Workshop on Trust, Security, and Privacy for Ubiquitous Computing}},
+ year = {2007}}
+
+@inproceedings{Bailey2007,
+ author = {Daniel Bailey and Dan Boneh and Eu-Jin Goh and Ari Juels},
+ title = {{Covert Channels in Privacy-Preserving Identification Systems}},
+ booktitle = {{ACM Computer and Communications Security Conference (CCS)}},
+ year = {2007}
+ }
+
+@INPROCEEDINGS {th3,
+author = {Batina, L. and Guajardo, J. and Kerins, T. and Mentens, N. and Tuyls, P. and Verbauwhede, I.},
+title = {Public Key Cryptography for {RFID}-Tags},
+booktitle = {Workshop on {RFID} Security (RFIDSec)},
+year = {2006},
+}
+
+@INPROCEEDINGS {th4,
+author = {Bauer, M. and Fabian, B. and Fischmann, M. and Gurses, S.},
+title = {Emerging Markets for {RFID} Traces},
+booktitle = {arXiv.org},
+year = {2006},
+}
+
+@INPROCEEDINGS {th5,
+author = {Bellare, M.},
+title = {New Proofs for {NMAC} and {HMAC}: Security Without Collision-Resistance},
+booktitle = {Cryptology ePrint Archive},
+year = {2006},
+}
+
+@INPROCEEDINGS {th6,
+author = {Biham, E. and Shamir, A.},
+title = {Differential Cryptanalysis of {DES}-like Cryptosystems},
+booktitle = {Journal of Cryptology},
+year = {1991},
+}
+
+@INPROCEEDINGS {th7,
+author = {Biryukov, A. and Wagner, D.},
+title = {Slide Attacks},
+booktitle = {International Workshop on Fast Software Encryption},
+year = {1999},
+}
+
+@INPROCEEDINGS {th8,
+author = {Blum, A. and Kalai, A. and Wasserman, H.},
+title = {Noise-tolerant Learning, the Parity Problem, and the Statistical Query Problem},
+booktitle = {Journal of the ACM},
+year = {2003},
+}
+
+@INPROCEEDINGS {th9,
+author = {Bogdanov, A. and Knudsen, L.R. and Leander, G. and Paar, C. and Poschmann, A. and Robshaw, M.J.B. and Seurin, Y. and Vikkelsoe, C.},
+title = {{RESENT}: An Ultra-Lightweight Block Cipher},
+booktitle = {Workshop on Cryptographic Hardware and Embedded Systems (CHES)},
+year = {2007},
+}
+
+@INPROCEEDINGS {DST40,
+author = {Bono, S. and Green, M. and Stubblefield, A. and Juels, A. and Rubin, A. and Szydlo, M.},
+title = {Security Analysis of a Cryptographically-Enabled {RFID} Device},
+booktitle = {USENIX Security Symposium},
+year = {2005},
+}
+
+@INPROCEEDINGS {Buttyan2006,
+ author = {Levente Butty\'{a}n, Tam\'{a}s Holczer Istv\'{a}n Vajda},
+ title = {{Optimal Key-Trees for Tree-Based Private Authentication}},
+ booktitle = {{Workshop on Privacy Enhancing Technologies (PET)}},
+ year = {2006},
+}
+
+@INPROCEEDINGS {th12,
+author = {Cate, F. and Staten, M.},
+title = {The Value of Information-Sharing},
+booktitle = {Council of Better Business Bureau White Paper},
+year = {2000},
+}
+
+@INPROCEEDINGS {th13,
+author = {Courtois, N. and Meier, W.},
+title = {Algebraic Attacks on Stream Ciphers with Linear Feedback},
+booktitle = {EUROCRYPT},
+year = {2003},
+}
+
+@INPROCEEDINGS {th14,
+author = {Courtois, N.T. and Nohl, K. and O'Neil, S.},
+title = {Algebraic Attacks on the {Crypto-1} Stream Cipher in {MiFare Classic} and {Oyster} Cards},
+booktitle = {Cryptology ePrint Archive},
+year = {2008},
+}
+
+@INPROCEEDINGS {th15,
+author = {Damgard, I. and Ostergaard, M.},
+title = {RFID Security: Tradeoffs between Security and Efficiency},
+booktitle = {Cryptology ePrint Archive},
+year = {2006},
+}
+
+@INPROCEEDINGS {th16,
+author = {Diaz, C. and Seys, S. and Claessens, J. and Preneel, B.},
+title = {Towards Measuring Anonymity},
+booktitle = {Privacy Enhancing Technologies Workshop (PET)},
+year = {2002},
+}
+
+@INPROCEEDINGS {th17,
+author = {EPCGlobal.},
+title = {Class 1 Generation 2 {UHF} Air Interface Protocol Standard v1.0.9.}},
+year = {2005},
+}
+
+@INPROCEEDINGS {th18,
+author = {Fabian, B. and Guenther, O. and Spiekermann, S.},
+title = {Security Analysis of the Object Name Service for {RFID}},
+booktitle = {International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing},
+year = {2005},
+}
+
+@INPROCEEDINGS {th19,
+author = {Feistel, H.},
+title = {Block Cipher Cryptographic System},
+booktitle = {US Patent 3,798,359},
+year = {1971},
+}
+
+@INPROCEEDINGS {th20,
+author = {Feldhofer, M. and Dominikus, S. and Wolkerstorfer, J.},
+title = {Strong Authentication for {RFID} Systems using the {AES} Algorithm},
+booktitle = {Workshop on Cryptographic Hardware and Embedded Systems (CHES)},
+year = {2004},
+}
+
+@INPROCEEDINGS {th21,
+author = {Feldhofer, M. and Rechberger, C.},
+title = {A case against currently used hash functions in {RFID} protocols},
+booktitle = {Workshop on {RFID} Security (RFIDSec)},
+year = {2006},
+}
+
+@INPROCEEDINGS {th22,
+author = {Filiol, E.},
+title = {A New Statistical Testing for Symmetric Ciphers and Hash Functions},
+booktitle = {International Conference on Information and Communications Security (ICICS)},
+year = {2002},
+}
+
+@INPROCEEDINGS {Gilbert2005,
+author = {Henri Gilbert and Matthew Robshaw and Herv\'{e} Sibert},
+title = {{An Active Attack Against HB+ - A provably Secure Lightweight Authentication Protocol}},
+booktitle = {IEE Electronic Letters},
+year = {2005},
+}
+
+@INPROCEEDINGS {th24,
+author = {Golebiewski, Z. and Majcher, K. and Zagorski, F. and Zawada, M.},
+title = {Practical Attacks on HB and HB+ Protocols},
+booktitle = {Cryptology ePrint Archive},
+year = {2008},
+}
+
+@misc {Helion2007,
+ author = {Helion Technology},
+ title = {{High Performance AES (Rijndael) cores for Xilinx FPGA}},
+ howpublished = {{\em www.heliontech.com/downloads/aes\_xilinx\_helioncore.pdf}},
+ year = {2007},
+}
+
+@misc {HelionSHA1_2009,
+ author = {Helion Technology},
+ title = {{SHA-1 Hashing Cores}},
+ howpublished = {\url{http://www.heliontech.com/sha1.htm}},
+ year = {2009},
+}
+
+
+@misc {Helion2009,
+ author = {Helion Technology},
+ title = {{RSA and Modular Exponentiation Cores}},
+ howpublished = {\url{www.heliontech.com/modexp.htm}},
+ year = {2009},
+}
+
+@INPROCEEDINGS {th27,
+author = {Holcomb, D. and Burleson, W. and Fu, K.},
+title = {Initial {SRAM} state as a fingerprint and source of true random numbers for {RFID} tags},
+booktitle = {Conference on {RFID} Security},
+year = {2007},
+}
+
+@INPROCEEDINGS {Hopper2001,
+ author = {Nicholas J. Hopper and Manuel Blum},
+ title = {{A Secure Human-Computer Authentication Scheme}},
+ booktitle = {ASIACRYPT},
+ year = {2001},
+}
+
+@INPROCEEDINGS {Israsena2006,
+author = {Pasin Israsena},
+title = {{Securing Ubiquitous and Low-cost RFID Using Tiny Encryption Algorithm}},
+booktitle = {International Symposium on Wireless Pervasive Computing},
+year = {2006},
+}
+
+@misc{Hulton2008,
+ author = {David Hulton},
+ title = {{Personal communication from Pico Computing}},
+ year = {2008}}
+
+@INPROCEEDINGS {th30,
+author = {Juels, A.},
+title = {{RFID} Security and Privacy: A Research Survey},
+booktitle = {Manuscript},
+year = {2005},
+}
+
+@INPROCEEDINGS {JuelsWeis2005,
+ author = {Ari Juels and Stephen Weis},
+ title = {{Authenticating Pervasive Devices with Human Protocols}},
+ booktitle = {Advances in Cryptology (CRYPTO)},
+ year = {2005},
+}
+
+@INPROCEEDINGS {th32,
+author = {Juels, A. and Weis, S.},
+title = {Defining Strong Privacy for {RFID}},
+booktitle = {Cryptology ePrint Archive},
+year = {2006},
+}
+
+@INPROCEEDINGS {th33,
+author = {Lim, C.H. and Kwon, T.},
+title = {Strong and Robust {RFID} Authentication Enabling Perfect Ownership Transfer},
+booktitle = {International Conference on Information and Communications Security (ICICS)},
+year = {2006},
+}
+
+@INPROCEEDINGS {th34,
+author = {Luby, M. and Rackoff, C.},
+title = {How to Construct Pseudorandom Permutations and Pseudorandom Functions},
+booktitle = {SIAM Journal on Computing},
+year = {1988},
+}
+
+@INPROCEEDINGS {th35,
+author = {Matsui, M.},
+title = {Linear cryptanalysis method for {DES} cipher},
+booktitle = {EUROCRYPT},
+year = {1993},
+}
+
+@INPROCEEDINGS {th36,
+author = {Maurer, U.},
+title = {A simplified and generalized treatment of {Luby-Rackoff} pseudorandom permutation generators},
+booktitle = {EUROCRYPT},
+year = {1992},
+}
+
+@INPROCEEDINGS {th37,
+author = {Merkle, R.C.},
+title = {Secrecy, authentication, and public key systems},
+booktitle = {Stanford Ph.D. thesis},
+year = {1979},
+}
+
+@INPROCEEDINGS {th38,
+author = {Molnar, D. and Soppera, A. and Wagner, D.},
+title = {A Scalable, Delegatable Pseudonym Protocol Enabling Ownership Transfer of {RFID} Tags},
+booktitle = {Selected Areas in Cryptography (SAC)},
+year = {2005},
+}
+
+@INPROCEEDINGS {Molnar2004,
+ author = {David Molnar and David Wagner},
+ title = {{Privacy and Security in Library RFID: Issues, Practices, and Architectures}},
+ booktitle = {{ACM Computer and Communications Security Conference (CCS)}},
+ year = {2004},
+}
+
+@inproceedings{Gilbert2008,
+ author = {Henri Gilbert and Matthew J.B. Robshaw and Yannick Seurin},
+ title = {{HB\#: Increasing the Security and Efficiency of HB+}},
+ booktitle = {{EuroCrypt}},
+ year = {2008}
+}
+
+@INPROCEEDINGS {Munilla2007,
+author = {J. Munilla and A. Peinado},
+title = {{HB-MP: A Further Step in the HB-family of Lightweight Authentication Protocols}},
+booktitle = {{Computer Networks: The International Journal of Computer and Telecommunications Networking}},
+year = {2007},
+}
+
+@INPROCEEDINGS {th41,
+author = {Naor, M. and Reingold, O.},
+title = {On the Construction of Pseudo-Random Permutations: {Luby-Rackoff} Revisited},
+booktitle = {Journal of Cryptology},
+year = {1999},
+}
+
+@INPROCEEDINGS {th42,
+author = {Nguyen Duc, D. and Park, J. and Lee, H. and Kim, K.},
+title = {Enhancing Security of {EPCglobal} {Gen-2} {RFID} Tag against Traceability and Cloning},
+booktitle = {Symposium on Cryptography and Information Security},
+year = {2006},
+}
+
+@INPROCEEDINGS {th43,
+author = {Nohara, Y. and Inoue, S. and Baba, K. and Yasuura, H.},
+title = {Quantitative Evaluation of Unlinkable {ID} Matching Schemes},
+booktitle = {Workshop on Privacy in the Electronic Society},
+year = {2006},
+}
+
+@INPROCEEDINGS {Nohl2008,
+ author = {Karsten Nohl and David Evans},
+ title = {{Hiding in Groups: On the Expressiveness of Privacy Distributions}},
+ booktitle = {{International Information Security Conference (SEC)}},
+ year = {2008},
+}
+
+@techreport {saponas2006,
+ author = {T. Scott Saponas and Jonathan Lester and Carl Hartung and Tadayoshi Kohno},
+ title = {{Devices That Tell On You: The Nike+iPod Sport Kit}},
+ institution = {{University of Washington}},
+ year = {2006},
+ number = {2006-12-06}}
+}
+
+@INPROCEEDINGS {Nohl2006,
+author = {Karsten Nohl and David Evans},
+title = {{Quantifying Information Leakage in Tree-Based Hash Protocols}},
+booktitle = {{International Conference on Information and Communications Security (ICICS)}},
+year = {2006},
+}
+
+@inproceedings {Huang2008,
+ author = {Xu Huang},
+ title = {{Quantifying Information Leakage in RFID Systems}},
+ booktitle = {{10th International Conference on Advanced Communication Technology}},
+ year = {2008},
+}
+
+@INPROCEEDINGS {Mifare,
+author = {Karsten Nohl and David Evans and Starbug and Henryk Pl\"{o}tz},
+title = {Reverse-Engineering a Cryptographic {RFID} Tag},
+booktitle = {USENIX Security Symposium},
+year = {2008},
+}
+
+@INPROCEEDINGS {th47,
+author = {O'Neil, S.},
+title = {Algebraic Structure Defectoscopy},
+booktitle = {Cryptology ePrint Archive},
+year = {2007},
+}
+
+@INPROCEEDINGS {th48,
+author = {O'Neil, S.},
+title = {{EnRUPT}---First all-in-one symmetric cryptographic primitive},
+booktitle = {The State of the Art of Stream Ciphers (SACS)},
+year = {2008},
+}
+
+@INPROCEEDINGS {th49,
+author = {Odlyzko, A.},
+title = {Privacy, Economics, and Price Discrimination on the Internet},
+booktitle = {International Conference on Electronic Commerce},
+year = {2003},
+}
+
+@INPROCEEDINGS {Ohkubo2003,
+author = {Miyako Ohkubo and Koutarou Suzuki and Shingo Kinoshita},
+title = {{Cryptographic Approach to ``Privacy-Friendly'' Tags}},
+booktitle = {{RFID Privacy Workshop}},
+year = {2003},
+}
+
+@INPROCEEDINGS {th51,
+author = {Patarin, J. and Montreuil, A.},
+title = {Benes and Butterfly Schemes Revisited},
+booktitle = {International Conference on Information Security and Cryptology (ICISC)},
+year = {2005},
+}
+
+@INPROCEEDINGS {th52,
+author = {Preneel, B. and Leekwijck, W.V. and Linden, L.V. and Govaerts, R.e. and Vandewalle, J.},
+title = {Propagation Characteristics of Boolean Functions},
+booktitle = {EUROCRYPT},
+year = {1990},
+}
+
+@INPROCEEDINGS {th53,
+author = {Rieback, M. and Crispo, B. and Tanenbaum, A.},
+title = {{RFID Guardian}: A Battery-Powered Mobile Device for {RFID} Privacy Management},
+booktitle = {Australasian Conference on Information Security and Privacy},
+year = {2005},
+}
+
+@INPROCEEDINGS {th54,
+author = {Saarinen, M.O.},
+title = {Chosen-{IV} Statistical Attacks on {eSTREAM} Stream Ciphers},
+booktitle = {ECRYPT},
+year = {2006},
+}
+
+@INPROCEEDINGS {Satoh2005,
+ author = {Akashi Satoh and Tadanobu Inoue},
+ title = {{ASIC-Hardware-Focused Comparison for Hash Functions MD5, RIPEMD-160, and SHS}},
+ booktitle = {{International Symposium on Information Technology}},
+ year = {2005},
+}
+
+@INPROCEEDINGS {th56,
+author = {Schneier, B. and Kelsey, J.},
+title = {Unbalanced Feistel Networks and Block-Cipher Design},
+booktitle = {Fast Software Encryption (FSE)},
+year = {1996},
+}
+
+@INPROCEEDINGS {th57,
+author = {Serjantov, A. and Danezis, G.},
+title = {Towards an Information Theoretic Metric for Anonymity},
+booktitle = {Privacy Enhancing Technologies Workshop (PET)},
+year = {2002},
+}
+
+@INPROCEEDINGS {th58,
+author = {Shannon, C.},
+title = {A Mathematical Theory of Communication},
+booktitle = {Bell System Technical Journal},
+year = {1948},
+}
+
+@INPROCEEDINGS {th59,
+author = {Shannon, C.E.},
+title = {Communication Theory of Secret Systems},
+booktitle = {Bell Systems Technical Journal},
+year = {1949},
+}
+
+@INPROCEEDINGS {th60,
+author = {Soos, M. and Castelluccia, C.},
+title = {Secret Shuffling: A Novel Approach to {RFID} Private Identification},
+booktitle = {Workshop on {RFID} Security (RFIDSec)},
+year = {2007},
+}
+
+@INPROCEEDINGS {th61,
+author = {Soto, J.},
+title = {Randomness Testing of the Advanced Encryption Standard Finalist Candidates},
+booktitle = {NIST},
+year = {2000},
+}
+
+@INPROCEEDINGS {th62,
+author = {Staake, T. and Thiesse, F.e.e. and Fleisch, E.},
+title = {Extending the EPC Network - The Potential of {RFID} in Anti-Counterfeiting},
+booktitle = {Symposium on Applied Computing},
+year = {2005},
+}
+
+@INPROCEEDINGS {th63,
+author = {Wang, X. and Yin, Y.L. and Yu, H.},
+title = {Finding Collisions in the Full {SHA-1}},
+booktitle = {CRYPTO},
+year = {2005},
+}
+
+@INPROCEEDINGS {th64,
+author = {Wang, X. and Yu, H.},
+title = {How to Break {MD5} and Other Hash Functions},
+booktitle = {EUROCRYPT},
+year = {2005},
+}
+
+@INPROCEEDINGS {Weis2003,
+ author = {Stephen Weis and Sanjay Sarma and Ronald Rivest and Daniel Engels},
+ title = {{Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems}},
+ booktitle = {{International Conference on Security in Pervasive Computing}},
+ year = {2003},
+}
+
+@INPROCEEDINGS {th66,
+author = {Wolkerstorfer, J.},
+title = {Is Elliptic-Curve Cryptography Suitable to Secure {RFID} Tags?},
+booktitle = {Workshop on {RFID} and Lightweight Crypto},
+year = {2005},
+}
+
+@INPROCEEDINGS {RFID-CC,
+author = {Thomas Heydt-Benjamin and Daniel Bailey and Kevin Fu and Ari Juels and Tom O'Hare},
+title = {{Vulnerabilities in First-Generation RFID-enabled Credit Cards}},
+booktitle = {{International Conference on Financial Cryptography and Data Security}},
+year = {2007},
+}
+
+@INPROCEEDINGS {Poovendran2001,
+ author = {Radha Poovendran and John S. Baras},
+ title = {{An Information-Theoretic Approach for Design and Analysis of Rooted-Tree-Based Multicast Key Management Schemes}},
+ booktitle = {IEEE Transactions on Information Theory},
+ year = {2001},
+}
+
+@INPROCEEDINGS {hikari-estimate,
+author = {David Hulton, {Pico Computing}},
+title = {personal communication},
+}
+
+@article{citeulike:1890146,
+ abstract = {A cryptographic implementation is proposed for access control in a situation where users and information items are classified into security classes organized as a rooted tree, with the most privileged security class at the root. Each user stores a single key of fixed size corresponding to the user's security class. Keys for security classes in the subtree below the user's security class are generated from this key by iterative application of one-way functions. New security classes can be defined without altering existing keys. The scheme proposed here is based on conventional cryptosystems (as opposed to public key cryptosystems).},
+ address = {Amsterdam, The Netherlands, The Netherlands},
+ author = {Sandhu, Ravinderpal S.},
+ citeulike-article-id = {1890146},
+ citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=46998},
+ citeulike-linkout-1 = {http://dx.doi.org/10.1016/0020-0190(88)90099-3},
+ citeulike-linkout-2 = {http://linkinghub.elsevier.com/retrieve/pii/0020-0190(88)90099-3},
+ day = {29},
+ doi = {10.1016/0020-0190(88)90099-3},
+ issn = {00200190},
+ journal = {Information Processing Letters},
+ month = {February},
+ number = {2},
+ pages = {95--98},
+ posted-at = {2009-12-09 11:55:57},
+ priority = {0},
+ publisher = {Elsevier North-Holland, Inc.},
+ title = {Cryptographic implementation of a tree hierarchy for access control},
+ url = {http://dx.doi.org/10.1016/0020-0190(88)90099-3},
+ volume = {27},
+ year = {1988}
+}
+
+@INPROCEEDINGS{proxmark,
+ booktitle = {\url{http://www.proxmark.org/}},
+ title = {{PROXMARK III} community}
+}
+
+@MISC{openpcd-legic-note,
+ url = {\url{http://wiki.openpcd.org/index.php?title=ISO14443&oldid=1657#LEGIC_RF}},
+ title = {Article ``{ISO14443}'' in the OpenPCD wiki, section ``{LEGIC RF}'', revision as of 15:12, 30 July 2008}
+}
+
+@MISC{iso14443f,
+ title = {{ISO 14443 Part 2 Amendment 1}},
+ note = {DRAFT 2nd P-DAM BALLOT TEXT}
+}
+
+@MISC{reversing-crc,
+ author = {Martin Stigge and Henryk Pl\"{o}tz and Wolf M\"{u}ller and Jens-Peter Redlich},
+ title = {Reversing CRC--Theory and Practice},
+ year = {2006},
+ owner = {henryk},
+ timestamp = {2008-08-13},
+ url = {http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2006-05/SAR-PR-2006-05_.pdf}
+}
+
+@INPROCEEDINGS{openpcd,
+ author = {Milosch Meriac and Henryk Pl\"{o}tz and Harald Welte},
+ booktitle = {\url{http://www.openpcd.org}},
+ title = {{OpenPCD, OpenPICC RFID} projects}
+}
+
+@INPROCEEDINGS {chip-reversing-25c3,
+ author = {Karsten Nohl and Starbug},
+ title = {Chip Reverse Engineering},
+ booktitle = {25C3},
+ year = {2008},
+}
+
+@INPROCEEDINGS {rfid-25c3,
+ author = {Henryk Pl\"{o}tz and Karsten Nohl},
+ title = {Analyzing {RFID} Security},
+ booktitle = {25C3},
+ year = {2008},
+}
+
+@INPROCEEDINGS {librfid-22c3,
+ author = {Harald Welte and Milosch Meriac},
+ title = {{RFID} - overview of protocols, librfid implementation and passive sniffing},
+ booktitle = {22C3},
+ year = {2005},
+}
+
+@INPROCEEDINGS {OpenMRTD,
+ author = {Harald Welte},
+ title = {{OpenMRTD} project homepage},
+ booktitle = {\url{http://openmrtd.org/}}
+}
+
+@INPROCEEDINGS {dect-26c3,
+ author = {Erik Tews and Karsten Nohl},
+ title = {{DECT (Part II)} - What has changed in {DECT} security after one year},
+ booktitle = {26C3},
+ year = {2009},
+}
+
+@INPROCEEDINGS {OpenBSC-HAR,
+ author = {Harald Welte},
+ title = {{OpenBSC} - Running your own {GSM} network},
+ booktitle = {HAR conference},
+ year = {2009},
+}
+
+@INPROCEEDINGS {beacon-25c3,
+ author = {Milosch Meriac and Ciro Cattuto and Aestetix},
+ title = {Mining social contacts with active {RFID}},
+ booktitle = {25C3},
+ year = {2008},
+}
+
+@INPROCEEDINGS {beacon-hope,
+ author = {The openamd project},
+ title = {Tracking visitors of the {HOPE} conference},
+ booktitle = {\url{http://amd.hope.net/}},
+}
+
+@INPROCEEDINGS {karsten-thesis,
+ author = {Karsten Nohl},
+ title = {Implementable Privacy for {RFID} Systems},
+ booktitle = {University of Virginia {PhD} Thesis},
+ year = {2008},
+}
+
+@INPROCEEDINGS {gsm-blackhat,
+ author = {Karsten Nohl},
+ title = {Attacking phone privacy},
+ booktitle = {{BlackHat US}},
+ year = {2010},
+}
+
+@INPROCEEDINGS {mifare-attack-esorics,
+ author = {Flavio Garcia and Gerhard de Koning Gans and Ruben Muijrers and
+Peter van Rossum and Roel Verdult and Ronny Wichers Schreur and Bart Jacobsl},
+ title = {Dismantling MIFARE Classic},
+ booktitle = {{ESORICSS}},
+ year = {2008},
+}
\ No newline at end of file
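Review bot: Two entries carry one closing brace too many, so they end earlier than written: in `th17` the title line ends with `v1.0.9.}},`, which closes the entry there and leaves the following `year = {2005},` outside any entry (where BibTeX would normally ignore it without an error), and `saponas2006` has the same extra brace on `number = {2006-12-06}}`. Those lines should read `title = {Class 1 Generation 2 {UHF} Air Interface Protocol Standard v1.0.9.},` and `number = {2006-12-06}`. The author lists of `Avoine2007` and `Buttyan2006` separate names with a comma or a bare space instead of ` and `, so the three co-authors are parsed as a single name; for `Buttyan2006` the line would be `author = {Levente Butty\'{a}n and Tam\'{a}s Holczer and Istv\'{a}n Vajda},`. A few strings also look like typos and are worth checking against the cited papers: `{RESENT}` in `th9` (presumably PRESENT), and `Bart Jacobsl` and `{{ESORICSS}}` in `mifare-attack-esorics`.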
diff --git a/paper/easycard.tex b/paper/easycard.tex
index c87b3dd..ebaaf83 100644
--- a/paper/easycard.tex
+++ b/paper/easycard.tex
@@ -1,570 +1,591 @@
-\documentclass[a4paper]{article}
-\usepackage[english]{babel}
-\usepackage{graphicx}
-\usepackage{subfigure}
-\pagestyle{plain}
-
-\usepackage{url}
-
-\setlength{\oddsidemargin}{0in}
-\setlength{\evensidemargin}{0in}
-\setlength{\topmargin}{0in}
-\setlength{\headheight}{0in}
-\setlength{\headsep}{0in}
-\setlength{\textwidth}{6.5in}
-\setlength{\textheight}{9.5in}
-%\setlength{\parindent}{0in}
-\setlength{\parskip}{0.05in}
-
-\begin{document}
-
-\title{Security analysis of the EasyCard payment card in Taiwan}
-\author{Harald Welte $<$laforge@gnumonks.org$>$}
-\date{UNRELEASED (September XX, 2010}
-\maketitle
-
-\begin{abstract}
-The EasyCard system, established in 2001, is the most popular store-valued card % FIXME: "store-valued"? Meinten Sie: "stored-value"?
-in Taiwan. With more than 18 million issued cards, it is the predominant means
-of paying for public transportation services in the capital Taipei.
-
-In 2010, use of the EasyCard was extended beyond transportation. Card holders
-can now pay in all major convenience stores and major retail companies like
-Starbucks or even SOGO.
-
-However, the system is still using the MIFARE Classic RFID transponder
-technology, whose very limited security-by-obscurity proprietary encryption
-system (CRYPTO1) has been broken years ago.
-
-This document analyzes the results of combining the practical attacks
-on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment
-system.
-\end{abstract}
-
-\tableofcontents
-
-\section{Foreword}
-
-This document is the result of my personal research on the EasyCard
-system. It was done out of my personal interest in security research
-on information technology. No competitor of the EasyCard corporation,
-or other business or political stakeholder ever encouraged, supported or
-funded this work in any way.
-
-The result of this research is presented to the general public in the
-hope it will make people re-consider the amount of trust they place
-in proprietary systems that provide no evidence of their security,
-and no option for the general public or the scientific community to
-validate it.
-
-This paper is also directed at the legislator and the regulatory authorities,
-in the hope that it will help them to produce better rules and requirements on
-the technology designed for and used by operators of security relevant systems
-such as banking.
-
-\section{Introducing the EasyCard}
-
-FIXME
-
-\section{Published security research on MIFARE Classic}
-
-FIXME: Summarize the existing research on mifare classic systems
-
-\section{Published tools for MIFARE Classic attacks}
-
-\subsection{Crapto1}
-\subsection{libnfc}
-\subsection{MFOC}
-\subsection{MFCUK}
-
-\section{Analyzing the EasyCard}
-
-A new, genuine EasyCard was obtained from one of the EasyCard vending machines
-in a Taipei MRT station.
-
-As it is public knowledge that the EasyCard system is based on MIFARE
-technology, any MIFARE-compatible RFID reader (PCD, Proximity Coupling Device)
-can be used to establish a physical communications link according to ISO
-14443-1 and -2, as well as performing the anti-collision procedure according
-to ISO 14443-3.
-
-The author has used the OpenPCD RFID reader to do this, and has confirmed that
-the EasyCard in fact is a card with ISO 14443-3 compatible anti-collision
-procedure. The ATQA response also looks like that of a standard MIFARE Classic
-transponder.
-
-\subsection{Attempting to use standard keys}
-
-As some users of MIFARE Classic systems only use some sectors of a card, but
-not all, an attempt was made to authenticate to any of the sectors using the
-manufacturer-programmed standard keys. However, none of the card sectors were
-using those standard keys.
-
-This also means that we could not use the key recovery method described in
-FIXME, where keys of all other sectors are recovered based on the knowledge of
-they key of at least one different sectors.
-
-\subsection{Recovering the MIFARE CRYPTO1 keys}
-
-Since none of the sector keys was known, the publicly available MFCUK (MiFare
-Classic Universal toolKit) implementation of the ``Dark Side'' attack (Nicolas T.
-Courtois) was used as a card-only attack.
-
-All that was required was the MFCUK Free Software, as well as a RFID
-reader as supported by libnfc. Compatible readers are widely available,
-among them one for EUR 30 from \url{http://www.touchatag.com/e-store}.
-
-Using the MFCUK key recovery tool, the A and B keys for all sectors have
-been recovered within FIXME. This attack can definitely be optimized
-by using special-purpose hardware such as the Proxmark, which gives
-hard-realtime control over the communication with the EasyCard.
-
-Furthermore, the key recovery can be optimized based on known-plaintext that is
-common to all cards.
-
-\subsection{Dumping the content of the EasyCard}
-
-Once the sector keys have all been recovered, the full content of the EasyCard
-can be dumped using any RFID reader supporting MIFARE Classic. The author
-chose to use the same reader that was used for the MFCUK key recovery combined
-with the nfc-mfclassic program (part of libnfc).
-
-A full dump of the newly-purchased, unused EasyCard revealed the following
-content:
-
-\begin{verbatim}
-0000000 a193 c031 88c3 0004 ba46 1214 1051 1004
-0000010 140e 0100 0207 0308 0409 1008 0000 0000
-0000020 0000 0000 0000 0000 0000 0000 0000 0000
-0000030 211a ccd0 f399 7708 008f 6ac6 53bf cf08
-0000040 ff02 0300 0000 059f 804c c926 0171 3601
-0000050 0000 1000 1027 0027 64de 0001 0000 bb00
-0000060 f1d6 b4e8 0012 0000 0000 6400 0064 6900
-0000070 2e64 f724 bd57 7708 008f 8917 3d48 5dcd
-0000080 0190 0000 fe6f ffff 0190 0000 ff00 ff00
-0000090 0190 0000 fe6f ffff 0190 0000 ff00 ff00
-00000a0 0000 0000 0000 0000 0000 0000 0000 0000
-00000b0 0d3d 782b 33cd 7708 008f 2411 4ce7 ea3f
-00000c0 0001 0005 0000 0000 0000 0000 0000 0000
-00000d0 0000 0000 0000 0000 0000 0000 0000 0000
-00000e0 0000 0000 0000 0000 0000 0000 0000 0000
-00000f0 2fb1 511f 85b4 7708 008f 8dc8 eef5 2850
-0000100 0000 0000 0000 0000 0000 0000 0000 0000
-0000110 0000 0000 0000 0000 0000 0000 0000 0000
-0000120 0000 0000 0000 0000 0000 0000 0000 0000
-0000130 4587 96bd 1f22 7708 008f 47ce 7619 1558
-0000140 0000 0000 0000 0000 0000 0000 0000 0000
-0000150 0000 0000 0000 0000 0000 0000 0000 0000
-0000160 0000 0000 0000 0000 0000 0000 0000 0000
-0000170 5583 7616 749e 7708 008f 9bf3 c129 8eb6
-0000180 0c00 0400 0044 0000 0000 0000 0000 4c00
-0000190 0200 2200 0022 0000 0000 0000 0200 0000
-00001a0 0000 0005 0000 0000 0000 0000 0000 0000
-00001b0 af5f 6aeb 3a2c 7708 008f c039 7a1d d248
-00001c0 0000 0000 0000 0000 0000 0000 0000 0000
-00001d0 0000 0000 0000 0000 0000 0000 0000 0000
-00001e0 0000 0000 0000 0000 0000 0000 0000 0000
-00001f0 aebf 906e f2bd 7708 008f e3e7 988f aaaa
-0000200 0000 0000 0000 0000 0000 0000 0000 0000
-0000210 0000 0000 0000 0000 0000 0000 0000 0000
-0000220 0000 0000 0000 0000 0000 0000 0000 0000
-0000230 ec9f 8bc6 4b89 7708 008f 53b0 2571 9e66
-0000240 0000 0000 0000 0000 0000 0000 0000 0000
-0000250 0000 0000 0000 0000 0000 0000 0000 0000
-0000260 0000 0000 0000 0000 0000 0000 0000 0000
-0000270 edc5 c17c 8a36 7708 008f 9a58 b6d9 5a8b
-0000280 0000 0000 0000 0000 0000 0000 0000 0000
-0000290 0000 0000 0000 0000 0000 0000 0000 0000
-00002a0 0000 0000 0000 0000 0000 0000 0000 0000
-00002b0 40f7 60bf 4b8a 7708 008f 3a00 c93a 63e8
-00002c0 0000 0000 0000 0000 0000 0000 0000 0000
-00002d0 0000 0000 0000 0000 0000 0000 0000 0000
-00002e0 0000 0000 0000 0000 0000 0000 0000 0000
-00002f0 b50a 9f96 d2e3 7708 008f 4855 7cdb 7dff
-0000300 0000 0000 0000 0000 0000 0000 0000 0000
-0000310 0000 0000 0000 0000 0000 0000 0000 0000
-0000320 0000 0000 0000 0000 0000 0000 0000 0000
-0000330 4c06 3ebc e595 7708 008f 9a5b 001b d14a
-0000340 0000 0000 0000 0000 0000 0000 0000 0000
-0000350 0000 0000 0000 0000 0000 0000 0000 0000
-0000360 0000 0000 0000 0000 0000 0000 0000 0000
-0000370 3fb0 45ce 6f6b 7708 008f c0bf adb0 d662
-0000380 0000 0000 0000 0000 0000 0000 0000 0000
-0000390 0000 0000 0000 0000 0000 0000 0000 0000
-00003a0 0000 0000 0000 0000 0000 0000 0000 0000
-00003b0 3320 9074 e84c 7708 008f 0094 85d5 7aaa
-00003c0 8000 c926 0071 0000 0000 0000 0064 0064
-00003d0 0000 0000 0000 0000 0000 0000 0000 0000
-00003e0 0000 0000 0000 0000 0000 0000 0000 0000
-00003f0 ea02 0bda b62a 7708 008f 0000 0000 0000
-\end{verbatim}
-
-\subsection{Re-engineering the on-card data format}
-
-When the author started his research, there was no pre-existing public
-knowledge on the data format used by the EasyCard system. As such,
-significant time was spent analyzing it.
-
-The card was subsequently used to perform a number of transactions such as
-use of public transportation and purchase of goods in stores.
-
-After each transaction, again a full dump of the card contents was made,
-and the difference to the previous dump analyzed carefully. No particular
-tools have been used for analysis. Most of the work relied on hex-dumps
-of the card content and using the {\tt diff} utility to visualize differences
-between two consecutive versions.
-
-During the analysis, it was quickly revealed that there are four
-distinctive sets of changes that can be associated with a transaction:
-\begin{itemize}
-\item The card balance, stored as MIFARE value block
-\item The transaction log
-\item The transaction log index
-\item The last MRT entry/exit record
-\end{itemize}
-
-Furthermore, a constant header has been identified. It was never changed during
-any of the tested transactions.
-
-The result of this analysis can be found in the next section:
-
-\section{Re-engineered EasyCard Data Format}
-
-\subsubsection{Sector 0 and 1: The header}
-FIXME
-
-\subsubsection{Sector 2: The card balance as value block}
-
-The first two blocks of sector 2 store the current remaining debit account
-balance as a MIFARE Classic VALUE BLOCK. The format of this block is
-documented in the official NXP vendor documentation on the MIFARE chip
-used inside the card.
-
-The value block is decremented every time payment is made with the card.
-
-Given the MIFARE access bits, it is assumed that the RFID readers in public
-transportation as well as stores use key A for this sector, as key A is
-sufficient to read and decrement the VALUE block.
-
-Re-charging the card must happen using authentication with key B, as only
-key B has permissions to increment and/or write to this sector.
-
-\subsubsection{Sector 3 through 5: The transaction log}
-
-Every time a transaction is made with the card, an entry in the transaction log
-on the card itself is generated. Every entry occupies one full 16-byte block.
-
-The structure of a transaction log entry is as follows:
-\begin{itemize}
-\item 1 byte Transaction ID
-\item 4 bytes Timestamp
-\item 1 byte Transaction type
-\item 2 bytes Cost charged for transaction
-\item 2 bytes Remaining balance after transaction
-\item 1 byte MRT Station ID
-\item 1 byte Unknown
-\item 2 bytes RFID Reader ID
-\item 2 bytes Unknown
-\end{itemize}
-
-The {\em Transaction ID} is a monotonically increasing value, incrementing with
-each transaction.
-
-The {\em Timestamp} is a 32bit value in the standard UNIX time() format (Seconds
-since January 1st 1970 00:00:00). However, it does not reference UTC but CST.
-
-The {\em Transaction type} indicates the type of transaction. Following codes
-are known:
-\begin{itemize}
-\item {\tt 0x00} Entering MRT station
-\item {\tt 0x11} Leaving MRT station
-\item {\tt 0x80} Re-entering (connecting) MRT station
-\item {\tt 0x20} Purchase of goods in shop
-\item {\tt 0x30} Re-charging the card using an {\em Add value machine}
-\end{itemize}
-
-The {\em Cost} and {\em Remaining balance} fields are unsigned 16bit integer
-values representing the price in NTD (New Taiwan Dollars).
-
-In case of a MRT related transaction, the {\em MRT Station ID} encodes the MRT
-station at which the transaction was performed. By visiting the TRTC (Taiwan
-Rapid Transport Corporation) website, one can see the same numeric identifiers
-being used within the URLs that link from the MRT map to the per-station web
-pages. As such, a full table of MRT station names and corresponding
-identifiers has been compiled and implemented as part of {\tt easytool}.
-
-The {\em RFID Reader ID} is presumed to be a unique identifer for the specific
-RFID Terminal. Subsequent transactions at the same terminal will render
-the same number in this field.
-
-FIXME: Transaction log pointer
-
-\subsubsection{Sector 7: The last MRT entry/exit record}
-
-Block 2 (Offset 0x1e0) contains a record describing the last MRT station
-that was entered using this EasyCard.
-\begin{itemize}
-\item Bytes 0...3 are unknown
-\item Byte 4 contains the MRT station code
-\item Bytes 6...8 are unknown
-\item Bytes 9...12 contain the Timestamp
-\item Bytes 13..15 are unknown
-\end{itemize}
-
-Block 1 (Offset 0xd0) of the same sector contains a record using the same
-structure. However, this record describes the last MRT station that was
-left using this EasyCard.
-
-It is assumed that this information is used by the system to compute both the
-distance (and thus fee) to be paid by the current ride, as well as any
-applicable discount in case a connection is made from MRT into a bus.
-
-\subsubsection{Sector 15: Maximum daily spending}
-
-Block 2 (Offset 0x3e0) contains a record used for keeping track of
-the amount of money spent on a single day. This is needed in order
-to impose a daily spending limit of (currently) NTD 3,000.
-
-The record is structured as follows:
-\begin{itemize}
-\item Bytes 0...10 are unknown (all zero in tested cards)
-\item Byte 11 contains the day of the month
-\item Byte 12 contains an unknown value (0x3d in tested cards)
-\item Byte 13...14 contain the sum of all purchases on the indicated day
-\end{itemize}
-
-If multiple retail store purchases are made on the same day of the month, the
-sum is incremented with every purchase. If an EasyCard terminal in the store
-detects that the current day-of-the-month is different from that stored on the
-card, the sum is re-set and starts new for that day.
-
-\section{Manipulating the EasyCard}
-
-\subsection{Decreasing the Value of the card}
-
-In order to decrease the account balance on the card, the following method
-was tested:
-
-\begin{itemize}
-\item Make a purchase in a retail store that accepts the EasyCard
-\item Find the transaction log entry regarding this purchase and increase the transaction cost by some value. NTD 200 was chosen in this example. Decrease the {\em amount remaining after transaction} field accordingly by the same amount.
-\item Alter the two VALUE blocks in Sector 2 to reflect the subtracted amount. Make sure the backup copies (inverted and non-inverted) are updated, too.
-\item Alter the {\em amount spent per day} in Sector 15 to reflect the increased amount spent.
-\end{itemize}
-
-Payment using the manipulated card was possible without any problem, provided
-that the to-be-paid amount is less than what the card considers the remaining
-balance.
-
-Re-reading the card after the purchase indicates the full success of the
-operation. The purchase has left exactly the same changes in the card like
-it would have with a card that has a genuine lower value. None of the
-erroneously increased (or decreased) numbers had been updated.
-
-This specifically confirms that the vending terminal did not have an online
-connection to a centralized database. In that case, the erroneous values
-on the card would have been corrected and the original value restored.
-
-\subsection{Increasing the value of the card}
-
-The approach works similar to the previous one. First, a purchase in a store
-is being made, preferrably with relatively high value. Later, the transaction
-log record, card balance and amount spent per day fields are modified to make
-this purchase appear cheaper than it actually was. So after purchasing an item
-with 1000 NTD, the card will look like only 100 NTD were spent for the purchase,
-giving an extra balance of 900 NTD to the attacker.
-
-\subsection{Bypassing the maximum daily spending of NTD 3000}
-
-As the sum of all purchases on a given day-of-the-month is stored in Sector 15,
-there are two methods of evading the per-day payment limit:
-\begin{itemize}
-\item Simply zero-out the amount of money spent today, or
-\item simply alter the day-of-the-month field to a different day.
-\end{itemize}
-Both options might cause problems in case the terminal does consistency checks
-with the transaction log. So it would be wise for an attacker to also modify
-all purchases in the transaction log to appear as if they were made on a
-previous day.
-
-\section{Mistakes of the EasyCard Corporation}
-
-Based on this research as well as publicly known information on the
-EasyCard Corporation, we can identify a series of mistakes with cumulative
-effect.
-
-\subsection{Deploying old technology}
-
-The Taipei Smart Card corporation (predecessor to the EasyCard Company) was
-established in 2000, and it took until June 2002 to deploy the first EasyCard
-system.
-
-The underlying Mifare Classic product was launched in 1994, and thus already
-relatively old and outdated technology at that time.
-
-It was publicly documented by NXP that the security of the system is based on a
-{\em proprietary, symmetric, 48bit cipher}. Symmetric 48-bit encryption
-was definitely no longer state-of-the-art in the year 2000. At that time,
-the popular web-browser Netscape Navigator (used e.g. for web-based online
-banking) had already introduced support for symmetric 128bit ciphers.
-
-\subsection{Deploying proprietary security technology}
-
-There are two concepts of achieving security in any system: {\em Security by
-design} and {\em Security by obscurity}.
-
-In the former systems, security is achieved by using well-designed systems
-that have undergone public peer review and have been subject to cryptanalysis.
-As a result, the system is secure because it has undergone the review and
-scrutiny of the international community of cryptographers and security experts.
-
-So, despite making all details of the system, particularly the cryptographic
-algorithms open, an attacker is not able to circumvent the system's security.
-
-A system relying on {\em Security by obscurity} is only secure because
-nobody knows the details of how it works. As soon as this information
-has either leaked or recovered e.g. using reverse engineering techniques,
-the system is broken.
-
-FIXME: Link to Bruce Schneier
-
-\subsection{Not reacting to academic research in the field}
-
-Starting in 2007, researchers have published a variety of attacks on
-the CRYPTO-1 cipher and MIFARE Classic system. For a list of related
-publications, see the bibliography of this paper.
-
-\subsection{Not reacting to public availability of MIFARE attack tools}
-
-Following-up the scientific publications, tools implementing practical
-attacks on MIFARE Classic have been developed and published. Such
-tools implement a variety of attacks, including card-only key-recovery
-attacks.
-
-\subsection{No upgrade to more secure cards as they become available}
-
-In the same year the EasyCard was first deployed (2002), the supplier of the
-MIFARE Classic system has already been shipping a much more secure system
-called DESfire. The improvements include: 112-bit key length, and the use
-of the internationally verified and audited DES algorithm in its 3DES variant.
-
-Despite its availability for 8 years since 2002, the EasyCard corporation has
-apparently never updated their system to a more secure card like the DESfire
-card.
-
-Based on the authors experience with the RFID card market, the price difference
-of DESfire compared to MIFARE Classic has been on the order of USD 1 per card
-from 2006 on.
-
-So, in order to save USD 1 per each issued card, the EasyCard corporation has
-artificially kept down the security level of their system, not catching
-up with state-of-the-art commercially available technology.
-
-\subsection{Extending EasyCard to generic payment outside public transport}
-
-The security of any system always has to be analyzed in the context of the
-threat model, i.e. what can an attacker gain from compromising the system.
-
-As the key derivation of the EasyCard is not (yet?) broken, it is thus
-currently not possible to completely manufacture forged cards. However,
-technically, cards can be re-charged without making actual payment for it.
-
-As far as cards are only used for public transportation, the incentive
-for fraudulent use is relatively small and contained. Also, the amount
-of money for each transaction is relatively small.
-
-Thus, while the author would still disagree, it might be the case that
-the business risk analysis inside EasyCard Corporation would have deemed the
-risk of fraud in the public transport sector as acceptable.
-
-When such a card is used as an electronic payment system in stores where
-goods of much higher value can be purchased, the threat model is quite
-different, though.
-
-The 2010 introduction of the EasyCard as means of payment in retail
-stores -- while still relying on known-broken, 16 year old technology --
-can thus only be seen as ignorant and incompetent.
-
-It does not help that EasyCard corporation has to provide a full refund
-and keep all deposits in a bank trust. It also doesn't help that fraudulent
-use is detected using analysis of the transaction data long after it happened.
-
-EasyCard fraud is simple to perform and will inevitably happen. Somebody
-has to pay for the losses incurred due to fraud. Even if such losses
-only reflect themselves in increased transaction fees for retail stores, in the
-end it will be the consumer who pays them indirectly due to higher prices
-including such fees.
-
-\section{Proposed Changes / Improvements}
-
-The author of this paper argues that use of the current EasyCard system
-should immediately be restricted to payment for public transportation,
-and the decision to authorize it as form of payment in retail stores
-as of April 1st, 2010 reverted.
-
-A new system, based on state-of-the-art technology and algorithms
-and the {\em Security by Design} principle should be developed. Such
-a system should go through independent, open academic review.
-
-The approval of such a system, or technical security requirements for
-such a system should not be within EasyCard itself, but should be
-made by a regulatory authority, consulted by independent technical experts
-in the field.
-
-A changing roll-over to the new system can be made by starting to issue
-the new cards using a more secure RFID system whenever new EasyCards are
-bought. Whenever a consumer wants to re-charge their card, the old MIFARE
-Classic based card should be retracted and a new, more secure card be issued.
-Existing EasyCards can be circulated in the system for a grace period.
-
-Depending on the technical details of the existing deployed RFID
-reader/terminal base in public transportation and retail stores, either
-a software-only update is sufficient or replacement hardware has to be
-introduced.
-
-EasyCard corporation should be liable for the complete system
-upgrade/transition cost, as the fault of the system can only be blamed
-on them.
-
-\section{Credits}
-
-The author of this paper expresses his gratitude to the many people
-involved in trying to uncover the weaknesses of proprietary and ultimately
-insecure RFID systems worldwide.
-
-\begin{description}
-\item[Milosch and Brita Meriac]
- for their great work on OpenPCD and OpenPICC
-\item[Henryk Ploetz, Karsten Nohl, starbug]
- for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil
-\item[Jonathan Westhues]
- for designing and openly publishing the Proxmark
-\item[Nethemba]
- for the Open Source implementation of the nested key attack in MFOC
-\item[Roel Verdult]
- for his research on RFID security at Radboud University and libnfc
-\item[Nicolas T. Courtois]
- for his {\em darkside} paper
-\item[Andrei Costin ]
- for his Open Source implementation of the darkside paper (MFCUK)
- \url{http://andreicostin.com/}
-\end{description}
-
-
-\section{Bibliography}
-%1. [WPMCC09] - "Wirelessly Pickpocketing a Mifare Classic Card"
-%2. [ESO08] - "2008-esorics.pdf"
-%3. [ESOSL08] - "2008-esorics-slides-updated.pdf"
-%4. [KON08] - "2008-koning-thesis.pdf"
-%5. [VER08] - "2008-verdult-thesis.pdf"
-%6. [PATMC] - "A Practical Attack on the MIFARE Classic.pdf"
-%7. [NCOURFIDSEC09] - "mifare_courtois_rfidsec09.pdf"
-%8. [MFCLTRB09] - "MifareClassicTroubles.ppt"
-%9. [TEEP08] - "p2008-teepe-classic_mistakes.pdf"
-%10. [RFIDSANJ] - "RFID Attacks_WCA_San_Jose.pdf"
-%11. [ROSS] - "rossum-mifare.pdf"
-%12. [PLOTZ08] - "SAR-PR-2008-21_.pdf"
-%13. [ROSSSASG] - "SASG35_Peter_v_Rossum_Mifare.pdf"
-%14. [DARK2009] - "THE DARK SIDE OF SECURITY BY OBSCURITY and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
-
-\end{document}
+\documentclass[a4paper]{article}
+\usepackage[english]{babel}
+\usepackage{graphicx}
+\usepackage{subfigure}
+\pagestyle{plain}
+
+\usepackage{url}
+
+\setlength{\oddsidemargin}{0in}
+\setlength{\evensidemargin}{0in}
+\setlength{\topmargin}{0in}
+\setlength{\headheight}{0in}
+\setlength{\headsep}{0in}
+\setlength{\textwidth}{6.5in}
+\setlength{\textheight}{9.5in}
+%\setlength{\parindent}{0in}
+\setlength{\parskip}{0.05in}
+
+\begin{document}
+
+\title{Security analysis of the EasyCard payment card in Taiwan}
+\author{Harald Welte $<$laforge@gnumonks.org$>$}
+\date{UNRELEASED (September XX, 2010)}
+\maketitle
+
+%%%%%%%%%%%%%%%%%%%
+\begin{abstract}
+One of Asia's most popular electronic payment systems uses insecure technology.
+The EasyCard system, established in 2001, is the most popular store-valued card
+in Taiwan. With more than 18 million issued cards, it is the predominant means
+of paying for public transportation services in the capital Taipei.
+
+In 2010, use of the EasyCard was extended beyond transportation. Card holders
+can now pay in all major convenience stores and major retail companies like
+Starbucks or even SOGO [TODO: Starbuck ist keine Retailer und SOGO ist kein bekannter Begriff].
+
+Despite the large fraud potential, the EasyCard system uses the MIFARE Classic RFID transponder
+technology, whose proprietary encryption cipher CRYPTO1 relied on obscurity and was quickly broken~\cite{mifare-attack-esorics} after the cipher was revealed~\cite{mifare}.
+
+This document analyzes the results of combining the practical attacks
+on the MIFARE Classic CRYPTO1 system in the context of the EasyCard payment
+system.
+\end{abstract}
+
+\tableofcontents
+
+%%%%%%%%%%%%%%%%%%%
+\section{Disclaimer}
+
+This document is the result of independent research on the EasyCard
+system. It was done out of personal interest in security technology and to create awareness about the risks of everyday technology.
+No competitor of the EasyCard corporation,
+or other business or political stakeholder ever encouraged, supported or
+funded this work in any way.
+
+The result of this research is presented to the general public in the
+hope it will make people re-consider the amount of trust they place
+in proprietary systems that provide no evidence of their security,
+and no option for the general public or the scientific community to
+validate it.
+
+This paper is also directed at the legislator and the regulatory authorities,
+in the hope that it will help them to produce better rules and requirements on
+the technology designed for and used by operators of security relevant systems
+such as banking.
+
+%%%%%%%%%%%%%%%%%%%
+\section{Introducing the EasyCard}
+
+FIXME
+
+%%%%%%%%%%%%%%%%%%%
+\section{Published security research on MIFARE Classic}
+
+FIXME: Summarize the existing research on mifare classic systems
+
+%%%%%%%%%%%%%%%%%%%
+\section{Published tools for MIFARE Classic attacks}
+
+\subsection{Crapto1}
+\subsection{libnfc}
+\subsection{MFOC}
+\subsection{MFCUK}
+\subsection{CryptoMiniSat}
+FIXME: summarize results (12 seconds per key), state that attack applied to Mifare DESfire, Mifare Plus in Classic emulation mode
+
+%%%%%%%%%%%%%%%%%%%
+\section{Analyzing the EasyCard}
+
+A new, genuine EasyCard was obtained from one of the EasyCard vending machines
+in a Taipei MRT station.
+
+As it is public knowledge that the EasyCard system is based on MIFARE
+technology, any MIFARE-compatible RFID reader (PCD, Proximity Coupling Device)
+can be used to establish a physical communications link according to ISO
+14443-1 and -2, as well as performing the anti-collision procedure according
+to ISO 14443-3.
+
+The author has used the OpenPCD RFID reader to do this, and has confirmed that
+the EasyCard in fact is a card with ISO 14443-3 compatible anti-collision
+procedure. The ATQA response also looks like that of a standard MIFARE Classic
+transponder.
+
+\subsection{Attempting to use standard keys}
+
+As some users of MIFARE Classic systems only use some sectors of a card, but
+not all, an attempt was made to authenticate to any of the sectors using the
+manufacturer-programmed standard keys. However, none of the card sectors were
+using those standard keys.
+
+This also means that we could not use the key recovery method described in
+FIXME, where keys of all other sectors are recovered based on the knowledge of
+they key of at least one different sectors.
+
+\subsection{Recovering the MIFARE CRYPTO1 keys}
+
+Since none of the sector keys was known, the publicly available MFCUK (MiFare
+Classic Universal toolKit) implementation of the ``Dark Side'' attack (Nicolas T.
+Courtois) was used as a card-only attack.
+
+All that was required was the MFCUK Free Software, as well as a RFID
+reader as supported by libnfc. Compatible readers are widely available,
+among them one for EUR 30 from \url{http://www.touchatag.com/e-store}.
+
+Using the MFCUK key recovery tool, the A and B keys for all sectors have
+been recovered within FIXME. This attack can definitely be optimized
+by using special-purpose hardware such as the Proxmark, which gives
+hard-realtime control over the communication with the EasyCard.
+
+Furthermore, the key recovery can be optimized based on known-plaintext that is
+common to all cards.
+
+\subsection{Dumping the content of the EasyCard}
+
+Once the sector keys have all been recovered, the full content of the EasyCard
+can be dumped using any RFID reader supporting MIFARE Classic. The author
+chose to use the same reader that was used for the MFCUK key recovery combined
+with the nfc-mfclassic program (part of libnfc).
+
+A full dump of the newly-purchased, unused EasyCard revealed the following
+content:
+
+\begin{verbatim}
+0000000 a193 c031 88c3 0004 ba46 1214 1051 1004
+0000010 140e 0100 0207 0308 0409 1008 0000 0000
+0000020 0000 0000 0000 0000 0000 0000 0000 0000
+0000030 211a ccd0 f399 7708 008f 6ac6 53bf cf08
+0000040 ff02 0300 0000 059f 804c c926 0171 3601
+0000050 0000 1000 1027 0027 64de 0001 0000 bb00
+0000060 f1d6 b4e8 0012 0000 0000 6400 0064 6900
+0000070 2e64 f724 bd57 7708 008f 8917 3d48 5dcd
+0000080 0190 0000 fe6f ffff 0190 0000 ff00 ff00
+0000090 0190 0000 fe6f ffff 0190 0000 ff00 ff00
+00000a0 0000 0000 0000 0000 0000 0000 0000 0000
+00000b0 0d3d 782b 33cd 7708 008f 2411 4ce7 ea3f
+00000c0 0001 0005 0000 0000 0000 0000 0000 0000
+00000d0 0000 0000 0000 0000 0000 0000 0000 0000
+00000e0 0000 0000 0000 0000 0000 0000 0000 0000
+00000f0 2fb1 511f 85b4 7708 008f 8dc8 eef5 2850
+0000100 0000 0000 0000 0000 0000 0000 0000 0000
+0000110 0000 0000 0000 0000 0000 0000 0000 0000
+0000120 0000 0000 0000 0000 0000 0000 0000 0000
+0000130 4587 96bd 1f22 7708 008f 47ce 7619 1558
+0000140 0000 0000 0000 0000 0000 0000 0000 0000
+0000150 0000 0000 0000 0000 0000 0000 0000 0000
+0000160 0000 0000 0000 0000 0000 0000 0000 0000
+0000170 5583 7616 749e 7708 008f 9bf3 c129 8eb6
+0000180 0c00 0400 0044 0000 0000 0000 0000 4c00
+0000190 0200 2200 0022 0000 0000 0000 0200 0000
+00001a0 0000 0005 0000 0000 0000 0000 0000 0000
+00001b0 af5f 6aeb 3a2c 7708 008f c039 7a1d d248
+00001c0 0000 0000 0000 0000 0000 0000 0000 0000
+00001d0 0000 0000 0000 0000 0000 0000 0000 0000
+00001e0 0000 0000 0000 0000 0000 0000 0000 0000
+00001f0 aebf 906e f2bd 7708 008f e3e7 988f aaaa
+0000200 0000 0000 0000 0000 0000 0000 0000 0000
+0000210 0000 0000 0000 0000 0000 0000 0000 0000
+0000220 0000 0000 0000 0000 0000 0000 0000 0000
+0000230 ec9f 8bc6 4b89 7708 008f 53b0 2571 9e66
+0000240 0000 0000 0000 0000 0000 0000 0000 0000
+0000250 0000 0000 0000 0000 0000 0000 0000 0000
+0000260 0000 0000 0000 0000 0000 0000 0000 0000
+0000270 edc5 c17c 8a36 7708 008f 9a58 b6d9 5a8b
+0000280 0000 0000 0000 0000 0000 0000 0000 0000
+0000290 0000 0000 0000 0000 0000 0000 0000 0000
+00002a0 0000 0000 0000 0000 0000 0000 0000 0000
+00002b0 40f7 60bf 4b8a 7708 008f 3a00 c93a 63e8
+00002c0 0000 0000 0000 0000 0000 0000 0000 0000
+00002d0 0000 0000 0000 0000 0000 0000 0000 0000
+00002e0 0000 0000 0000 0000 0000 0000 0000 0000
+00002f0 b50a 9f96 d2e3 7708 008f 4855 7cdb 7dff
+0000300 0000 0000 0000 0000 0000 0000 0000 0000
+0000310 0000 0000 0000 0000 0000 0000 0000 0000
+0000320 0000 0000 0000 0000 0000 0000 0000 0000
+0000330 4c06 3ebc e595 7708 008f 9a5b 001b d14a
+0000340 0000 0000 0000 0000 0000 0000 0000 0000
+0000350 0000 0000 0000 0000 0000 0000 0000 0000
+0000360 0000 0000 0000 0000 0000 0000 0000 0000
+0000370 3fb0 45ce 6f6b 7708 008f c0bf adb0 d662
+0000380 0000 0000 0000 0000 0000 0000 0000 0000
+0000390 0000 0000 0000 0000 0000 0000 0000 0000
+00003a0 0000 0000 0000 0000 0000 0000 0000 0000
+00003b0 3320 9074 e84c 7708 008f 0094 85d5 7aaa
+00003c0 8000 c926 0071 0000 0000 0000 0064 0064
+00003d0 0000 0000 0000 0000 0000 0000 0000 0000
+00003e0 0000 0000 0000 0000 0000 0000 0000 0000
+00003f0 ea02 0bda b62a 7708 008f 0000 0000 0000
+\end{verbatim}
+
+\subsection{Re-engineering the on-card data format}
+
+When the author started his research, there was no pre-existing public
+knowledge on the data format used by the EasyCard system. As such,
+significant time was spent analyzing it.
+
+The card was subsequently used to perform a number of transactions such as
+use of public transportation and purchase of goods in stores.
+
+After each transaction, again a full dump of the card contents was made,
+and the difference to the previous dump analyzed carefully. No particular
+tools have been used for analysis. Most of the work relied on hex-dumps
+of the card content and using the {\tt diff} utility to visualize differences
+between two consecutive versions.
+
+During the analysis, it was quickly revealed that there are four
+distinctive sets of changes that can be associated with a transaction:
+\begin{itemize}
+\item The card balance, stored as MIFARE value block
+\item The transaction log
+\item The transaction log index
+\item The last MRT entry/exit record
+\end{itemize}
+
+Furthermore, a constant header has been identified. It was never changed during
+any of the tested transactions.
+
+The result of this analysis can be found in the next section:
+
+
+\section{Re-engineered EasyCard Data Format}
+
+\subsubsection{Sector 0 and 1: The header}
+FIXME
+
+\subsubsection{Sector 2: The card balance as value block}
+
+The first two blocks of sector 2 store the current remaining debit account
+balance as a MIFARE Classic VALUE BLOCK. The format of this block is
+documented in the official NXP vendor documentation on the MIFARE chip
+used inside the card.
+
+The value block is decremented every time payment is made with the card.
+
+Given the MIFARE access bits, it is assumed that the RFID readers in public
+transportation as well as stores use key A for this sector, as key A is
+sufficient to read and decrement the VALUE block.
+
+Re-charging the card must happen using authentication with key B, as only
+key B has permissions to increment and/or write to this sector.
+
+\subsubsection{Sector 3 through 5: The transaction log}
+
+Every time a transaction is made with the card, an entry in the transaction log
+on the card itself is generated. Every entry occupies one full 16-byte block.
+
+The structure of a transaction log entry is as follows:
+\begin{itemize}
+\item 1 byte Transaction ID
+\item 4 bytes Timestamp
+\item 1 byte Transaction type
+\item 2 bytes Cost charged for transaction
+\item 2 bytes Remaining balance after transaction
+\item 1 byte MRT Station ID
+\item 1 byte Unknown
+\item 2 bytes RFID Reader ID
+\item 2 bytes Unknown
+\end{itemize}
+
+The {\em Transaction ID} is a monotonically increasing value, incrementing with
+each transaction.
+
+The {\em Timestamp} is a 32bit value in the standard UNIX time() format (Seconds
+since January 1st 1970 00:00:00). However, it does not reference UTC but CST.
+
+The {\em Transaction type} indicates the type of transaction. Following codes
+are known:
+\begin{itemize}
+\item {\tt 0x00} Entering MRT station
+\item {\tt 0x11} Leaving MRT station
+\item {\tt 0x80} Re-entering (connecting) MRT station
+\item {\tt 0x20} Purchase of goods in shop
+\item {\tt 0x30} Re-charging the card using an {\em Add value machine}
+\end{itemize}
+
+The {\em Cost} and {\em Remaining balance} fields are unsigned 16bit integer
+values representing the price in NTD (New Taiwan Dollars).
+
+In case of a MRT related transaction, the {\em MRT Station ID} encodes the MRT
+station at which the transaction was performed. By visiting the TRTC (Taiwan
+Rapid Transport Corporation) website, one can see the same numeric identifiers
+being used within the URLs that link from the MRT map to the per-station web
+pages. As such, a full table of MRT station names and corresponding
+identifiers has been compiled and implemented as part of {\tt easytool}.
+
+The {\em RFID Reader ID} is presumed to be a unique identifer for the specific
+RFID Terminal. Subsequent transactions at the same terminal will render
+the same number in this field.
+
+FIXME: Transaction log pointer
+
+\subsubsection{Sector 7: The last MRT entry/exit record}
+
+Block 2 (Offset 0x1e0) contains a record describing the last MRT station
+that was entered using this EasyCard.
+\begin{itemize}
+\item Bytes 0...3 are unknown
+\item Byte 4 contains the MRT station code
+\item Bytes 6...8 are unknown
+\item Bytes 9...12 contain the Timestamp
+\item Bytes 13..15 are unknown
+\end{itemize}
+
+Block 1 (Offset 0xd0) of the same sector contains a record using the same
+structure. However, this record describes the last MRT station that was
+left using this EasyCard.
+
+It is assumed that this information is used by the system to compute both the
+distance (and thus fee) to be paid by the current ride, as well as any
+applicable discount in case a connection is made from MRT into a bus.
+
+\subsubsection{Sector 15: Maximum daily spending}
+
+Block 2 (Offset 0x3e0) contains a record used for keeping track of
+the amount of money spent on a single day. This is needed in order
+to impose a daily spending limit of (currently) NTD 3,000.
+
+The record is structured as follows:
+\begin{itemize}
+\item Bytes 0...10 are unknown (all zero in tested cards)
+\item Byte 11 contains the day of the month
+\item Byte 12 contains an unknown value (0x3d in tested cards)
+\item Byte 13...14 contain the sum of all purchases on the indicated day
+\end{itemize}
+
+If multiple retail store purchases are made on the same day of the month, the
+sum is incremented with every purchase. If an EasyCard terminal in the store
+detects that the current day-of-the-month is different from that stored on the
+card, the sum is re-set and starts new for that day.
+
+
+\section{Manipulating the EasyCard}
+
+\subsection{Decreasing the Value of the card}
+
+In order to decrease the account balance on the card, the following method
+was tested:
+
+\begin{itemize}
+\item Make a purchase in a retail store that accepts the EasyCard
+\item Find the transaction log entry regarding this purchase and increase the transaction cost by some value. NTD 200 was chosen in this example. Decrease the {\em amount remaining after transaction} field accordingly by the same amount.
+\item Alter the two VALUE blocks in Sector 2 to reflect the subtracted amount. Make sure the backup copies (inverted and non-inverted) are updated, too.
+\item Alter the {\em amount spent per day} in Sector 15 to reflect the increased amount spent.
+\end{itemize}
+
+Payment using the manipulated card was possible without any problem, provided
+that the to-be-paid amount is less than what the card considers the remaining
+balance.
+
+Re-reading the card after the purchase indicates the full success of the
+operation. The purchase has left exactly the same changes in the card like
+it would have with a card that has a genuine lower value. None of the
+erroneously increased (or decreased) numbers had been updated.
+
+This specifically confirms that the vending terminal did not have an online
+connection to a centralized database. In that case, the erroneous values
+on the card would have been corrected and the original value restored.
+
+\subsection{Increasing the value of the card}
+
+The approach works similar to the previous one. First, a purchase in a store
+is being made, preferrably with relatively high value. Later, the transaction
+log record, card balance and amount spent per day fields are modified to make
+this purchase appear cheaper than it actually was. So after purchasing an item
+with 1000 NTD, the card will look like only 100 NTD were spent for the purchase,
+giving an extra balance of 900 NTD to the attacker.
+
+\subsection{Bypassing the maximum daily spending of NTD 3000}
+
+As the sum of all purchases on a given day-of-the-month is stored in Sector 15,
+there are two methods of evading the per-day payment limit:
+\begin{itemize}
+\item Simply zero-out the amount of money spent today, or
+\item simply alter the day-of-the-month field to a different day.
+\end{itemize}
+Both options might cause problems in case the terminal does consistency checks
+with the transaction log. So it would be wise for an attacker to also modify
+all purchases in the transaction log to appear as if they were made on a
+previous day.
+
+
+\section{Mistakes of the EasyCard Corporation}
+
+Based on this research as well as publicly known information on the
+EasyCard Corporation, we can identify a series of mistakes with cumulative
+effect.
+
+\subsection{Deploying old technology}
+
+The Taipei Smart Card corporation (predecessor to the EasyCard Company) was
+established in 2000, and it took until June 2002 to deploy the first EasyCard
+system.
+
+The underlying Mifare Classic product was launched in 1994, and thus already
+relatively old and outdated technology at that time.
+
+It was publicly documented by NXP that the security of the system is based on a
+{\em proprietary, symmetric, 48bit cipher}. Symmetric 48-bit encryption
+was definitely no longer state-of-the-art in the year 2000. At that time,
+the popular web-browser Netscape Navigator (used e.g. for web-based online
+banking) had already introduced support for symmetric 128bit ciphers.
+
+\subsection{Deploying proprietary security technology}
+
+There are two concepts of achieving security in any system: {\em Security by
+design} and {\em Security by obscurity}.
+
+In the former systems, security is achieved by using well-designed systems
+that have undergone public peer review and have been subject to cryptanalysis.
+As a result, the system is secure because it has undergone the review and
+scrutiny of the international community of cryptographers and security experts.
+
+So, despite making all details of the system, particularly the cryptographic
+algorithms open, an attacker is not able to circumvent the system's security.
+
+A system relying on {\em Security by obscurity} is only secure because
+nobody knows the details of how it works. As soon as this information
+has either leaked or recovered e.g. using reverse engineering techniques,
+the system is broken.
+
+FIXME: Link to Bruce Schneier
+
+\subsection{Not reacting to academic research in the field}
+
+Starting in 2007, researchers have published a variety of attacks on
+the CRYPTO-1 cipher and MIFARE Classic system. For a list of related
+publications, see the bibliography of this paper.
+
+\subsection{Not reacting to public availability of MIFARE attack tools}
+
+Following-up the scientific publications, tools implementing practical
+attacks on MIFARE Classic have been developed and published. Such
+tools implement a variety of attacks, including card-only key-recovery
+attacks.
+
+\subsection{No upgrade to more secure cards as they become available}
+
+In the same year the EasyCard was first deployed (2002), the supplier of the
+MIFARE Classic system has already been shipping a much more secure system
+called DESfire. The improvements include: 112-bit key length, and the use
+of the internationally verified and audited DES algorithm in its 3DES variant.
+
+Despite its availability for 8 years since 2002, the EasyCard corporation has
+apparently never updated their system to a more secure card like the DESfire
+card.
+
+Based on the authors experience with the RFID card market, the price difference
+of DESfire compared to MIFARE Classic has been on the order of USD 1 per card
+from 2006 on.
+
+So, in order to save USD 1 per each issued card, the EasyCard corporation has
+artificially kept down the security level of their system, not catching
+up with state-of-the-art commercially available technology.
+
+\subsection{Extending EasyCard to generic payment outside public transport}
+
+The security of any system always has to be analyzed in the context of the
+threat model, i.e. what can an attacker gain from compromising the system.
+
+As the key derivation of the EasyCard is not (yet?) broken, it is thus
+currently not possible to completely manufacture forged cards. However,
+technically, cards can be re-charged without making actual payment for it.
+
+As far as cards are only used for public transportation, the incentive
+for fraudulent use is relatively small and contained. Also, the amount
+of money for each transaction is relatively small.
+
+Thus, while the author would still disagree, it might be the case that
+the business risk analysis inside EasyCard Corporation would have deemed the
+risk of fraud in the public transport sector as acceptable.
+
+When such a card is used as an electronic payment system in stores where
+goods of much higher value can be purchased, the threat model is quite
+different, though.
+
+The 2010 introduction of the EasyCard as means of payment in retail
+stores -- while still relying on known-broken, 16 year old technology --
+can thus only be seen as ignorant and incompetent.
+
+It does not help that EasyCard corporation has to provide a full refund
+and keep all deposits in a bank trust. It also doesn't help that fraudulent
+use is detected using analysis of the transaction data long after it happened.
+
+EasyCard fraud is simple to perform and will inevitably happen. Somebody
+has to pay for the losses incurred due to fraud. Even if such losses
+only reflect themselves in increased transaction fees for retail stores, in the
+end it will be the consumer who pays them indirectly due to higher prices
+including such fees.
+
+
+\section{Proposed Changes / Improvements}
+
+The author of this paper argues that use of the current EasyCard system
+should immediately be restricted to payment for public transportation,
+and the decision to authorize it as form of payment in retail stores
+as of April 1st, 2010 reverted.
+
+A new system, based on state-of-the-art technology and algorithms
+and the {\em Security by Design} principle should be developed. Such
+a system should go through independent, open academic review.
+
+The approval of such a system, or technical security requirements for
+such a system should not be within EasyCard itself, but should be
+made by a regulatory authority, consulted by independent technical experts
+in the field.
+
+A changing roll-over to the new system can be made by starting to issue
+the new cards using a more secure RFID system whenever new EasyCards are
+bought. Whenever a consumer wants to re-charge their card, the old MIFARE
+Classic based card should be retracted and a new, more secure card be issued.
+Existing EasyCards can be circulated in the system for a grace period.
+
+Depending on the technical details of the existing deployed RFID
+reader/terminal base in public transportation and retail stores, either
+a software-only update is sufficient or replacement hardware has to be
+introduced.
+
+EasyCard corporation should be liable for the complete system
+upgrade/transition cost, as the fault of the system can only be blamed
+on them.
+
+
+\section{Credits}
+
+The author of this paper expresses his gratitude to the many people
+involved in trying to uncover the weaknesses of proprietary and ultimately
+insecure RFID systems worldwide.
+
+\begin{description}
+\item[Milosch and Brita Meriac]
+ for their great work on OpenPCD and OpenPICC
+\item[Henryk Ploetz, Karsten Nohl, starbug]
+ for their work on MIFARE, Crypto1 and tiresome research into all kinds of proprietary snake-oil
+\item[Jonathan Westhues]
+ for designing and openly publishing the Proxmark
+\item[Mate Soos and Karsten Nohl]
+ for their results on exploiting CRYPTO1's statistical wekanesses using SAT solvers
+\item[Nethemba]
+ for the Open Source implementation of the nested key attack in MFOC
+\item[Roel Verdult]
+ for his research on RFID security at Radboud University and libnfc
+\item[Nicolas T. Courtois]
+ for his {\em darkside} paper
+\item[Andrei Costin]
+ for his Open Source implementation of the darkside paper (MFCUK)
+ \url{http://andreicostin.com/}
+\end{description}
+%%%%%%%%%%%%%%%%%%%
+\bibliographystyle{unsrt}
+%\bibliographystyle{splncs}
+{\raggedright
+\bibliography{RFID}
+}
+
+%%%%%%%%%%%%%%%%%%%
+%\section{Bibliography} % FIXME: Merge with LaTex bibliography in RFID.bib
+%1. [WPMCC09] - "Wirelessly Pickpocketing a Mifare Classic Card"
+%2. [ESO08] - "2008-esorics.pdf" %mifare-attack-esorics
+%3. [ESOSL08] - "2008-esorics-slides-updated.pdf"
+%4. [KON08] - "2008-koning-thesis.pdf"
+%5. [VER08] - "2008-verdult-thesis.pdf"
+%6. [PATMC] - "A Practical Attack on the MIFARE Classic.pdf"
+%7. [NCOURFIDSEC09] - "mifare_courtois_rfidsec09.pdf"
+%8. [MFCLTRB09] - "MifareClassicTroubles.ppt"
+%9. [TEEP08] - "p2008-teepe-classic_mistakes.pdf"
+%10. [RFIDSANJ] - "RFID Attacks_WCA_San_Jose.pdf"
+%11. [ROSS] - "rossum-mifare.pdf"
+%12. [PLOTZ08] - "SAR-PR-2008-21_.pdf"
+%13. [ROSSSASG] - "SASG35_Peter_v_Rossum_Mifare.pdf"
+%14. [DARK2009] - "THE DARK SIDE OF SECURITY BY OBSCURITY and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
+
+\end{document}
\ No newline at end of file