On March 7, 2008, researchers and students of the Digital Security group of the Radboud University Nijmegen discovered a serious security flaw in a widely used type of contactless smartcard, also called an RFID tag. It concerns the "Mifare Classic" RFID card produced by NXP (formerly Philips Semiconductors). Earlier, German researchers Karsten Nohl and Henryk Plötz pointed out security weaknesses of these cards.

Worldwide, around 1 billion of these cards have been sold. This type of card is used for the Dutch "ov-chipkaart" [the RFID card for public transport throughout the Netherlands] and for public transport systems in other countries (for instance the subway in London and Hong Kong). Mifare cards are also widely used as company cards to control access to buildings and facilities. All this means that the flaw has a broad impact.

Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system. In many situations where these cards are used there will be additional security measures; it is advisable to strengthen these where possible.

The Digital Security group found weaknesses in the authentication mechanism of the Mifare Classic. In particular:

1. The working of the CRYPTO1 encryption algorithm has been reconstructed in detail.
2. There is a relatively easy method to retrieve cryptographic keys, which does not rely on expensive equipment.

Combining these ingredients, we succeeded in mounting an actual attack, in which a Mifare Classic access control card was successfully cloned. In situations where there are no additional security measures, this would allow unauthorised access by people with bad intentions.