-1

We know mifare Classic has been broken.

My question is, say I store encrypted data (using some out of band RSA encryption) instead of plain data on Mifare Classic card. And also store a signature over this data on the card.

Does this make Mifare Classic secure?

user2568508
  • 111
  • 2
  • I am not aware of a single secure RFID product. All of the mifiare variants are obviously vulnerable, a simple Google search can reveal this. – rook Nov 25 '13 at 17:30
  • 1
    Why bother using a mifare card then? Why not just use a standard card? – NULLZ Dec 05 '13 at 05:20

1 Answers1

2

Security of RSA + signature is not dependent on the storage medium and should be just fine in plain text.

So, if properly done, it should be fine.

domen
  • 1,040
  • 10
  • 23
  • Hi, that's not what I meant. I know security of RSA and signature can't be compromised if properly done. My question was if I store my data this way on the card - e.g., in essense don't rely on security provided by Mifare Classic. Will my card be still secure? Maybe there will be other ways to compromise the security of my card, even in the situation when plain text is encrypted and signed with proper crypto system such as RSA. – user2568508 Sep 26 '13 at 16:06
  • One point to keep in mind is public key is slow. On a smartcard you have to ensure that when you use it, the data transfer between terminal and the card is fast. – Jor-el Sep 26 '13 at 16:10
  • @user2568508 can you explain then please? The way I understand - you don't rely on Mifare's protections, therefore treat it as any other plain data storage. – domen Sep 26 '13 at 16:17
  • I am afraid not to have miscomunication here seems it is going in that direction but anyway. Mifare Classic was broken: http://en.wikipedia.org/wiki/MIFARE#Security_of_MIFARE_Classic.2C_MIFARE_DESFire_and_MIFARE_Ultralight. It's security algorithm etc. So one could think to use some adhoc encryption means to maintain security on a Classic card, e.g. like I described. You would encrypt data using secure mechanism and store it on card. Now even card is insecure and someone could read its contents, you would still be secure since data is encrypted using RSA. Did you get the point? – user2568508 Sep 26 '13 at 17:32
  • but I am not sure if what I described in my question is enough. Maybe someone can find other way to compromise card security even though I used RSA. So I hope someone may clarify on this topic... – user2568508 Sep 26 '13 at 17:33