You can still use the existing hash functions securely. According to my own analysis, SHA0 requires 108 rounds to be secure and SHA1 requires 104 rounds. Of course SHA0/SHA1 provides only 80-bit security and MD4/MD5 only 64-bit security, so you are better off using the 128-bit secure SHA2-256 or the 256-bit secure SHA2-512, but you have to use 96 rounds for the SHA2-256 to be secure and 104 rounds for the SHA2-512 to be secure. The point is that you are perfectly safe if you hash every block with any of the SHA functions or with MD5 twice. For the MD4 to be secure you have to hash each block three times. Whirlpool also needs 12 rounds to be secure, 10 is not enough.
The 1000-time speed difference between hardware and software makes any RFID or smartcard implementing VEST impossible to clone with software-based smartcards - any normal reader would simply time-out way before the emulator could respond. Even a cheap low-end 1MHz RFID chip would require an impossible 1GHz software smartcard to emulate it. FPGAs won't help either - reprogramming logic makes them inherently big, at least 5x5mm in size, plus the heavy power consumption... Of course, those who want to manufacture their own ASIC chips are welcome to spend $1mln+ on cloning a passport!
Slashdot Mirror
You can still use the existing hash functions securely. According to my own analysis, SHA0 requires 108 rounds to be secure and SHA1 requires 104 rounds. Of course SHA0/SHA1 provides only 80-bit security and MD4/MD5 only 64-bit security, so you are better off using the 128-bit secure SHA2-256 or the 256-bit secure SHA2-512, but you have to use 96 rounds for the SHA2-256 to be secure and 104 rounds for the SHA2-512 to be secure. The point is that you are perfectly safe if you hash every block with any of the SHA functions or with MD5 twice. For the MD4 to be secure you have to hash each block three times. Whirlpool also needs 12 rounds to be secure, 10 is not enough.
They could easily make RFID and contact smartcards unclonable by simply using a cipher that is slow in software but small and fast in hardware such as VEST - http://en.wikipedia.org/wiki/VEST or http://www.ecrypt.eu.org/stream/vestp2.html
The 1000-time speed difference between hardware and software makes any RFID or smartcard implementing VEST impossible to clone with software-based smartcards - any normal reader would simply time-out way before the emulator could respond. Even a cheap low-end 1MHz RFID chip would require an impossible 1GHz software smartcard to emulate it. FPGAs won't help either - reprogramming logic makes them inherently big, at least 5x5mm in size, plus the heavy power consumption... Of course, those who want to manufacture their own ASIC chips are welcome to spend $1mln+ on cloning a passport!
/me sighs
When will they learn to use proper ciphers???