-------- Original Message --------
Subject: Re: [Politech] Who's liable for "smart card" security breaches?
Date: Fri, 15 Jul 2005 23:28:12 -0700
From: Hal Murray <hmurray@private>
To: declan@private
CC: Richard M. Smith <rms@private>, Hal Murray
<hmurray@private>
Feeding >RFID crack< to google gets some interesting answers.
I don't remember seeing this mentioned in Politech (or anywhere else):
The RFID/DST scheme has been cracked. Press Release is dated 29-Jan-2005.
http://rfidanalysis.org/
http://www.jhu.edu/news_info/news/home05/jan05/rfid.html
It's used by:
150 million vehicle immobilizer keys (including 2005 Fords)
Exxon Mobil Speedpass
seven million cryptographically-enabled keychain tags
10,000 locations worldwide
That scheme uses 40 bit keys. Obviously weak by today's standards.
But it's shipping on 2005 Fords so somebody obviously didn't do their
homework.
They used a bank of FPGAs to speed up brute force key search.
2 weeks to find a key when running on 10 very fast PCs.
16 FPGSs got 5 keys in well under 2 hours.
(Doesn't look critical, but probably lots of fun and a good way to get grad
students working on the project.)
The FAQ mentions lack of public scrutiny. That seems to confirm my
security-by-obscurity feelings for the new RFID-CC scheme.
--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other
addresses.
These are my opinions, not necessarily my employer's. I hate spam.
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Sat Jul 16 2005 - 23:32:11 PDT