Authentication with Mifare Classic Cards Might Be Impossible?
by Cory on April 27, 2019 5:03 PM
I spent a long time looking into how to authenticate users using the RFID cards I have. I don't know how, but there are people saying that Mifare cards and the authentication on them is easily broken, so you need to add another layer on top of it.
I thought I was supposed to use RSA or some hashing function (HMAC, SHA?) to sign data and save it on the card, but I couldn't connect the dots to see how to use the signing to do secure authentication. Basically, you have to know that anyone can just copy and dump everything stored on your card. So even if there was signed data on the card, they could just do a complete copy and authenticate that way.
I found some papers about authentication methods. Like this one. It explains how to do everything and stuff, but it made two assumptions that confused me. The first was that the card itself would have to generate a random number and then present it to the reader. That's no problem. I dug into the MFRC522 library and they had a function to make the PCD generate a 10-byte random number, so I could work around that. But the second one is that the card needed to store a 128-bit secret key on the tag. "Secret" as in, no one can read it ever. That's not the case here. All of the card's data can be read since the Mifare keyA/B stuff is apparently not secure.
So I found another random post on the Mifare forums that says there are RFID cards that have special security features to store a secret tag and generate a random number. But the basic 1k/Classic line of cards doesn't do that, meaning they shouldn't be used for anything important. Well shit, I just bought a 100 pack of cards last week...
Anyway, long term, I don't think I want to use these cards anyway because the range isn't long enough. I don't want to badge into my room; I want to walk up to the door and have it unlock because I'm standing < 5 feet away and have it relock after a certain time of me being > 5 feet away.
So I guess I should start looking for Arduino things that can read a car key fob. It's not looking good though, because understandably, no one really wants people to be able to easily interact with car keys.
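The difference between the two designs discussed above, as an added example that is not part of the original post: a fully readable card holding signed data is accepted again after a byte-for-byte copy, while a tag that keeps a 128-bit key unreadable and answers a fresh challenge is not. The class and function names, the use of HMAC-SHA256, the key derivation, and the choice to have the door generate the challenge are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed: known only to the door controller

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class StaticCard:
    """Fully readable card: memory holds a user id plus the issuer's MAC over it."""
    def __init__(self, memory: bytes):
        self.memory = memory
    @classmethod
    def issue(cls, user_id: bytes) -> "StaticCard":
        return cls(user_id + mac(ISSUER_KEY, user_id))

def door_accepts_static(card: StaticCard) -> bool:
    user_id, tag = card.memory[:-32], card.memory[-32:]
    return hmac.compare_digest(tag, mac(ISSUER_KEY, user_id))

class SecretKeyCard:
    """Hypothetical tag with a 128-bit key it can compute with but never reveal."""
    def __init__(self, user_id: bytes, key: bytes):
        self.user_id = user_id   # readable memory
        self._key = key          # unreadable in this model
    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)

def card_key(user_id: bytes) -> bytes:
    # Assumed scheme: per-card key derived from the issuer key, cut to 128 bits.
    return mac(ISSUER_KEY, b"card-key:" + user_id)[:16]

def door_accepts_challenge(card: SecretKeyCard) -> bool:
    challenge = secrets.token_bytes(16)  # fresh for every attempt
    expected = mac(card_key(card.user_id), challenge)
    return hmac.compare_digest(card.respond(challenge), expected)

def demo() -> dict:
    static = StaticCard.issue(b"cory")
    static_copy = StaticCard(static.memory)  # complete dump of the readable card
    real = SecretKeyCard(b"cory", card_key(b"cory"))
    # A copy gets the readable user id but not the key, so it holds a guess.
    copy = SecretKeyCard(real.user_id, secrets.token_bytes(16))
    return {"static_real": door_accepts_static(static),
            "static_copy": door_accepts_static(static_copy),
            "secret_real": door_accepts_challenge(real),
            "secret_copy": door_accepts_challenge(copy)}

if __name__ == "__main__":
    print(demo())
```

The signature on the static card proves only that the issuer once wrote those bytes, not that the card presenting them is the original, which is why the copy passes.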
This is a pain in the ass. >:(
This Thought is part of RFID Door Unlocker
You know how nice cars like Mercedes or Tesla automatically unlock when you get close to them with the key fob? Let's do that but for my apartment front door.