Crypto-1

Crypto1 is a proprietary encryption algorithm (stream cipher) and authentication protocol created by NXP Semiconductors for its MIFARE Classic RFID contactless smart cards launched in 1994. Such cards have been used in many notable systems, including Oyster card, CharlieCard and OV-chipkaart.

Crypto1

NXP Crypto1
General
Designers	Philips/NXP
First published	October 6, 2008
Cipher detail
Key sizes	48 bits
Security claims	48 bits
Structure	NLFSR, LFSR
Best public cryptanalysis
Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card" claim that the cipher can be broken "in seconds".

By 2009, cryptographic research had reverse engineered the cipher and a variety of attacks were published that effectively broke the security.^{[1][2][3][4][5]}

NXP responded by issuing "hardened" (but still backwards compatible) cards, the MIFARE Classic EV1. However, in 2015 a new attack rendered the cards insecure,^[6][7] and NXP now recommends migrating away from MIFARE Classic.^[8]

See also: MIFARE § Security

Technical description

Crypto1 is a stream cipher very similar in its structure to its successor, Hitag2. Crypto1 consists of

• a 48-bit linear feedback shift register for the state of the cipher,
• a two-layer 20-to-1 nonlinear function used to generate the keystream, and
• a 16-bit LFSR which is used during the authentication phase as a pseudo random number generator

The usual operation of Crypto1 and Hitag2 ciphers uses nonlinear feedback only during the initialization/authentication stage, switching to operation as a LFSR with a nonlinear output filter (filter generator) for the rest of the communications.

See also

• KeeLoq