Project · 2024–2026

eACy

An experimental MIFARE Classic-compatible access control prototype using HMACs and synchronized counters for clone detection and anti-replay protection.

Cybersecurity · MIFARE · Cryptography

Why it exists

Traditional access-control deployments based on MIFARE Classic suffer from well-known weaknesses caused by the compromise of CRYPTO1 and by the availability of “magic cards” with rewritable UIDs. eACy was designed as an experimental way to harden these environments without requiring immediate replacement of existing gates or reader infrastructure.

The core idea is to move trust away from the physical tag and into the application protocol. The badge is treated as an untrusted synchronization medium rather than as a secure element. Authentication is based on HMAC values computed over the badge UID and a monotonic counter, allowing the system to detect replay attempts and competing clones.

Architecture

  • Reader module: an ESP8266 + PN532-based module interrogates the badge, validates accepted counter windows and communicates with the backend.
  • Badge: a MIFARE Classic 1K tag stores rolling HMAC values but no secret material, acting only as a synchronization carrier.
  • Backend: stores badge metadata, shared keys and counter state, exposing REST services used by the reader during authentication.

Authentication flow

  • The reader reads the UID and data block from the tag.
  • It checks for a valid HMAC within the allowed resynchronization window.
  • On valid access, the counter is advanced and the backend stores the new state.
  • Previous states are invalidated to reduce replay opportunities.
  • Diverging states can reveal concurrent cloned badges through fork detection.

Security model

The protocol is inspired by HOTP-like counter synchronization. HMAC-SHA256 provides authenticity and integrity, while the monotonic counter gives the system a shared state that cannot be safely reused by cloned badges without creating inconsistencies. The design does not try to make MIFARE Classic cryptographically strong; instead, it limits the trust placed in the card and lets the application layer enforce the meaningful security properties.
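The sketch below is an added example, not eACy's own code, showing how a backend could combine the counter window check with fork detection as described above. The message encoding (UID followed by an 8-byte counter), the look-ahead direction and size of the window, the history depth, and all names (`Backend`, `tag_value`, `WINDOW`, `HISTORY`) are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 3    # assumed look-ahead resynchronization window
HISTORY = 16  # assumed number of consumed counters checked for forks

def tag_value(key: bytes, uid: bytes, counter: int) -> bytes:
    # Assumed encoding: HMAC-SHA256 over UID || 8-byte big-endian counter.
    return hmac.new(key, uid + counter.to_bytes(8, "big"), hashlib.sha256).digest()

class Backend:
    def __init__(self):
        self.badges = {}  # uid -> [key, next expected counter]

    def enroll(self, uid: bytes, key: bytes) -> bytes:
        self.badges[uid] = [key, 0]
        return tag_value(key, uid, 0)  # value the reader writes to the tag

    def authenticate(self, uid: bytes, presented: bytes):
        """Return (verdict, value to write back to the tag or None)."""
        if uid not in self.badges:
            return "denied", None
        key, expected = self.badges[uid]
        # Accept the expected counter or one slightly ahead of it.
        for c in range(expected, expected + WINDOW + 1):
            if hmac.compare_digest(presented, tag_value(key, uid, c)):
                self.badges[uid][1] = c + 1  # older states are now invalid
                return "granted", tag_value(key, uid, c + 1)
        # A valid HMAC for an already consumed counter means a second copy
        # of an old tag state exists: replay or clone.
        for c in range(max(0, expected - HISTORY), expected):
            if hmac.compare_digest(presented, tag_value(key, uid, c)):
                return "fork", None
        return "denied", None

if __name__ == "__main__":
    backend = Backend()
    uid, key = bytes.fromhex("04a1b2c3"), b"\x11" * 32  # constructed values
    badge = backend.enroll(uid, key)
    clone = badge  # a copy of the tag contents taken at counter 0
    verdict, badge = backend.authenticate(uid, badge)
    print("badge:", verdict)
    print("clone:", backend.authenticate(uid, clone)[0])
```

Whichever copy is presented second carries a stale but authentic value, so the fork is reported regardless of whether the original badge or the clone was used first.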

Recognition

eACy was awarded best new proposal at the NeaPolis Innovation Technology Day 2024, an event focused on innovation and technology outreach organized by STMicroelectronics. The project later became the basis for the cybersecurity MSc thesis completed in February 2026.
