Crypto-1
A proprietary stream cipher used exclusively in MIFARE Classic chips. Crypto-1 was reverse-engineered in 2008 and is considered completely broken. Classic chips should be migrated to DESFire or MIFARE Plus for security-sensitive applications.
What Is Crypto-1?
Crypto-1Crypto-1Broken proprietary cipher in MIFARE Classic (reverse-engineered 2008)View full → is a proprietary 48-bit stream cipher developed by NXP Semiconductors (formerly Philips) for the MIFARE Classic family of contactless smart cards. Introduced in the mid-1990s, Crypto-1 was designed to provide mutual authentication and encrypted communication between MIFARE Classic tags and compatible readers. For over a decade it served as the primary security mechanism for millions of transit cards, building access systems, and ticketing deployments worldwide.
How Crypto-1 Works
The cipher uses a 48-bit secret key stored in a protected sector of the tag's memory. During an authenticationauthenticationIdentity verification of NFC tags/readers via passwords or cryptographyView full → handshake, the reader and tag exchange nonces and encrypted challenges. If both sides derive the correct session key, the subsequent data exchange is encrypted using the Crypto-1 stream. Each 16-byte memory sector on a MIFARE Classic chip can store two independent keys (Key A and Key B), along with access control bits that govern read, write, increment, and decrement permissions per block.
The 2008 Compromise
In 2007-2008, academic researchers at Radboud University Nijmegen reverse-engineered the Crypto-1 algorithm from silicon die photographs and published multiple practical attacks. The most significant findings included:
- Key recovery from a single trace: Attackers can extract the 48-bit key by passively eavesdropping on one legitimate reader-tag session.
- Card-only attacks: Without any reader interaction, an attacker with physical access to a MIFARE Classic card can recover all sector keys in minutes.
- Cloning: Once keys are extracted, the entire card can be duplicated onto a blank MIFARE Classic or a programmable "magic" card.
These attacks rendered Crypto-1 fundamentally broken for any security-sensitive application.
Migration Paths
NXP recommends migrating from MIFARE Classic to modern chip families that use AES encryption:
- MIFARE Plus: Drop-in upgrade supporting AES-128 in security level 3, while maintaining backward compatibility with Crypto-1 in level 1.
- MIFARE DESFire EV3: Full ISO 14443ISO 14443Standard for contactless smart cards at 13.56 MHz (Types A and B)View full →-4 support with AES-128, mutual authentication, and transaction MAC.
- NTAG 424 DNA: For consumer and brand-protection applications requiring SUN messages and SDM.
Despite being broken, MIFARE Classic cards with Crypto-1 remain in active use in some legacy systems where replacement costs are prohibitive. New deployments should never rely on Crypto-1 for security.
Related Terms
Related Guides
Pertanyaan yang Sering Diajukan
The NFC glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Near Field Communication technology. It is designed for developers, product managers, and engineers who work with NFC and need clear definitions of terms like NDEF, APDU, anti-collision, and ISO 14443.
Each glossary term is cross-referenced with related NFC chips, standards, and other terms. For example, the term 'AES-128' links to chips that support AES encryption (NTAG 424 DNA, DESFire EV2/EV3), and the term 'ISO 14443' links to all chips compliant with that standard.
Yes. NFCFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai. Use the language selector in the header to switch languages.