MIFARE: Difference between revisions

MIFARE is the NXP Semiconductors (a spin-off company formed out of Philips Semiconductors)-owned trademark of the reputedly most widely installed contactless smartcard, or proximity card, technology in the world with (according to the producer) over 1 billion smart card chips and 10 million reader modules sold^[1]. The patented technology is owned by NXP Semiconductors, with its Headquarters in Eindhoven, the Netherlands and main business sites in Nijmegen, the Netherlands and Hamburg, Germany.

The MIFARE proprietary technology is based upon the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard.

Variants

The technology is embodied in both cards and readers (also referred to as a Proximity Coupling Device which is suitable to use).

The MIFARE name covers four different kinds of contactless cards :

MIFARE Ultralight

low-cost ICs that employ the same protocol as MIFARE Classic, but without the security part and slightly different commands

MIFARE Ultralight C

the first low-cost ICs for limited-use applications that offer the benefits of an open 3DES cryptography

MIFARE Classic (Standard)

employ a proprietary high-level protocol instead of ISO/IEC 14443-4, with an NXP proprietary security protocol for authentication and ciphering.

MIFARE Plus

drop-in replacement for MIFARE Classic with certified security level (AES 128 based)

MIFARE DESFire

are smartcards that comply to ISO/IEC 14443-4 with a mask-ROM operating system from NXP.

MIFARE ProX, SmartMX

are NXP Semiconductors brand names for smartcards that comply to ISO/IEC 14443-4.

MIFARE Classic (Standard)

The MIFARE Classic card is fundamentally just a memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for access control. They are ASIC based and have limited computational power. Thanks to their reliability and low cost, those cards are widely used for electronic wallet, access control, corporate ID cards, transportation or stadium ticketing.

The MIFARE Classic 1k offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. They can be programmed for operations like reading, writing, increasing value blocks, etc.). MIFARE Classic 4k offers 4096 bytes split into forty sectors, of which 32 are same size as in the 1K with eight more that are quadruple size sectors. MIFARE Classic mini offers 320 bytes split into five sectors. For each of these card types, 16 bytes per sector are reserved for the keys and access conditions and can not normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read only. That brings the net storage capacity of these cards down to 752 bytes for Classic 1k, 3440 bytes for Classic 4k, and 224 bytes for Mini.

The simplicity of the basic cards means that they are inexpensive, which is largely the reason for their success in large-scale deployments, such as Oyster card.

The MIFARE Classic encryption Crypto-1 can be broken in about twelve seconds on a laptop^[2], if approx. 50 bits of known (or chosen) key stream are available. This attack reveals the key from sniffed transactions under certain (common) circumstances and/or allows an attacker to learn the key by challenging the reader device.

The attack proposed in^[3] recovers the secret key in about 40ms on a laptop. This attack requires just one (partial) authentication attempt with a legitimate reader.

Additionally there are a number of attacks that work directly on a card and without the help of a valid reader device^[4]. These attacks have been acknowledged by NXP^[5]. In April 2009 new and better card-only attack on MiFare Classic has been found. It was first announced at the Rump session of Eurocrypt 2009 ^[6]. This attack will be presented in July 2009 at SECRYPT 2009 conference ^[7]. The full description of this latest and fastest attack to date can also be found in the IACR preprint archive ^[8]. The new attack improves by a factor of more than 10 all previous card-only attacks on MiFare Classic, has instant running time, and it does not require a costly precomputation. The new attack allows to recover the secret key of any sector of MiFare Classic card via wireless interaction, within about 300 queries to the card. It can then be combined with the nested authentication attack in the Nijmegen Oakland paper to recover subsequent keys almost instantly. Both attacks combined and with the right hardware equipment such as proxmark3, one should be able to clone any MiFare Classic card in not more than 10 seconds. This is much faster than previously thought.

MIFARE Ultralight

The MIFARE Ultralight has only 512 bits of memory (i.e. 64 bytes), without security. The memory is provided in 16 pages of 4 bytes.

This card is so inexpensive it is often used for disposable tickets such as the Football World Cup 2006.

MIFARE Ultralight C

Introduced at CarteS 2008, MIFARE Ultralight C is part NXP's low-cost MIFARE offering (disposable ticket). With 3DES, MIFARE Ultralight C uses a widely adopted standard, enabling easy integration in existing infrastructures. The integrated 3DES authentication provides an effective countermeasure against counterfeit of tickets (ticket cloning).

Key features:

• Fully ISO / IEC 14443 A 1-3 compliant (including Anti-collision)
• 1536 bits (192 bytes) EEPROM memory
• Protected data access via 3-pass 3DES authentication
• Memory structure as in MIFARE Ultralight (pages of 4 byte)
• Backwards compatibility to MIFARE Ultralight due to compatible command set
• 16 bit one-way counter
• Unique 7 bytes serial number (UID)

Key applications for MIFARE Ultralight C are Public Transportation, Event Ticketing, Loyalty and NFC Forum Tag Type 2.

MIFARE ProX, SmartMX

MIFARE ProX and SmartMX are microprocessor based cards. The hardware does nothing on its own, it has to be programmed with dedicated software - an operating system. Most of the time, the microprocessor is coupled to a co-processor dedicated to fast cryptographic computations (e.g., Triple DES, AES, RSA, etc.). These cards are capable of executing complex operations that are as secure and fast as operations on contact based cards. Both are, in fact, also available as a contact based card, or with multiple interfaces, and offer a high degree of flexibility. These cards are capable of supporting a range of both proprietary and open operating systems, including the Java Card^TM operating system (JCOP).

Depending on the installed software, the card can be used for almost any kind of application. This kind of card is mostly used where a high level of security is required (e.g., secure travel documents, electronic passports, payment cards, etc.), and is certified by independent parties such as Common Criteria. The hardware of the SmartMX is Common Criteria certified at EAL5+ by the Bundesamt für Sicherheit in der Informationstechnik, BSI, which means that it is highly resistant to tampering such as, for instance, reverse engineering attacks, fault/glitch attacks, or power analysis attacks. Each operating system on top of the hardware requires its own certification in order for the entire product to be certified.

MIFARE DESFire

The MIFARE DESFire is another NXP microprocessor platform, based on a similar core as MIFARE ProX/SmartMX, with more hardware and software security features than the standard MIFARE Classic chips. It is sold already programmed with a general purpose software (the DESFire operating system) that offers a simple directory structure with files, similar to what is typically found on smart cards. DESFire cards are sold on four variants. One with Triple-DES only and 4Kbyte of storage and three with AES having storage capacity of 2, 4 and 8 KB (see DESFire EV1). The AES variants also have additional security features, i.e. CMAC. It is using a standards compliant (ISO/IEC 14443-4) protocol.^[9] The card is based on a 8051 processor with 3DES and AES crypto accelerator, making really fast transactions possible.

The maximal read/write distance between card and reader is 10 cm (4 inches), but actual distance depends on the field power generated by the reader and its antenna size.

MIFARE DESFire EV1

(previously called DESFire8)

New evolution of DESFire card, broadly backwards compatible. Available with 2KB, 4 KB and 8KB NV-Memory. Other features include

• Support for random ID
• Support for 128-bit AES
• Common Criteria certified at level EAL 4+

DESFire EV1 was publicly announced in November 2006.

MIFARE Plus

MIFARE Plus is a replacement card for the MIFARE Classic. It provides an easy upgrade of existing infrastructures toward high security. The applicative data management is identical to the MIFARE Classic, however the security management requires the modification of the installed reader base. Other features include

• 2Kbytes or 4Kbytes of memory
• 7 or 4 bytes UID. Optional supporting random UID
• Support for 128-bit AES
• Common Criteria certified at level EAL 4+
• MIFARE Plus S for simple migration or MIFARE Plus X with many eXpert commands
• Security upgrade with cards in the field.

It differs from DESFire EV1 in not being as flexible as the latter.

MIFARE Plus has been publicly announced in March 2008 with availability of first samples in Q1 2009.^[10]

MIFARE Plus, when used in older transportation systems that do not yet support AES on the reader side, still leaves an open door to attacks. Though it helps to mitigate threats from attacks that broke the Crypto-1 cipher through the weak random number generator, it does not help against attacks that do not take into account the weak random number generator. Such attacks are the brute force attacks and cryptoanalytic attacks.^[11]

History

• 1994 — MIFARE Classic 1k contactless technology introduced.
• 1996 — First transport scheme in Seoul using MIFARE Classic 1k.
• 1997 — MIFARE PRO with Triple DES coprocessor introduced.
• 1999 — MIFARE PROX with PKI coprocessor introduced.
• 2001 — MIFARE UltraLight introduced.
• 2002 — MIFARE DESFire introduced, microprocessor based product.
• 2004 — MIFARE DESFire SAM introduced, secure infrastructure counterpart of MIFARE DESFire.
• 2006 — MIFARE DESFire EV1 is announced as the first product to support 128-bit AES
• 2008 — MIFARE Plus is announced as a drop-in replacement for MIFARE Classic based on 128-bit AES
• 2008 — MIFARE Ultralight C is introduced as paperticket IC featuring Triple DES Authentication

MIFARE was developed by Mikron; the name stands for MIkron FARE-collection System. It was acquired by Philips in 1998. Mikron licensed the MIFARE technology to Atmel in the US, Philips in the Netherlands, and Siemens in Germany.

After the Philips acquisition, Hitachi contracted MIFARE license with Philips which was introduced for the development of the contactless smartcard solution for NTT IC telephone card which started in 1999 and finished in 2006.

In the NTT contactless IC telephone card project, three parties joined: Tokin-Tamura-Siemens, Hitachi (Philips-contract for technical support), and Denso (Motorola-only production). NTT asked for two versions of chip, i.e. wired-logic chip (like Mifare Classic) with small memory and big memory capacity. Hitachi developed only big memory version and cut part of the memory to fit for the small memory version. In 2008 NXP licenced Mifare Plus and DESfire to Renesas Technology.

Siemens (now Infineon Technologies )developed a wired-logic 1K byte chip based on MIFARE technology with some modifications including microprocessors with MIFARE emulations.

Motorola tried to develop MIFARE-like chip for wired-logic version but finally gave up. The project expected one million cards per month for start, but that fell to 100,000 per month just before they gave up the project.

Security of MIFARE Classic

The encryption used by the card uses a key that is only 48 bits long.^[12]

A presentation by Henryk Plötz and Karsten Nohl^[13] at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip. Abstract and slides^[14] and a video^[15] are available online. A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.^[16]

In March 2008 the Digital Security research group of the Radboud University Nijmegen made public that it was able to clone and manipulate the contents of a MIFARE Classic card^[17]. For demonstration they used the Proxmark device, a 125kHz / 13.56MHz research instrument. The schematics and software are released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.

The Radboud University published three scientific papers concerning the security of the MIFARE Classic:

• A Practical Attack on the MIFARE Classic
• Dismantling MIFARE Classic
• Wirelessly Pickpocketing a Mifare Classic Card

In response to these attacks, the Dutch Minister of the Interior and Kingdom Relations stated that they would investigate whether the introduction of the Dutch Rijkspas could be brought forward from Q4 of 2008. link (Dutch).

NXP tried to stop^[18] the publication of the second article through a preliminary injunction. The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.

Both independent research results are confirmed and taken very seriously by the manufacturer NXP, whose statement about the attacks can be found here. After the lawsuit, NXP shows respect in the security section of the official MIFARE website to the courtesy of the Radboud University Nijmegen which gave them an early warning in the line with responsible disclosure.

_{Note: cards that do not support the proprietary MIFARE Classic protocol are not affected by these particular attacks.}

Considerations for System Integration

The security of, e.g., public transport systems against fraud relies on many components, of which the MIFARE card is just one. Typically, to minimize costs, system integrators will chose a relatively cheap card such as MIFARE Classic and concentrate the security efforts in the back office. Additional encryption on the card, transaction counters, and other methods known in cryptography are then required to make cloned cards useless, or at least to enable the back office to detect fraud should a card be compromised, and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers as well, for which real-time checks are not possible and blacklists cannot be updated as frequently.

See also

• RFID
• Physical Security

Other places that use Mifare Technology

Transportation

• Moscow Metro - Moscow, Russia
• Touch 'n Go - Malaysia
• Mybi, T-money, Upass - South Korea
• Opus card - Canada
• ETS Blue - Edmonton, Alberta, Canada
• EMcard - Almost every public transport system in Slovakia and some in Czech Republic. In most cases only reffered as BČK - Bezkontaktná čipová karta (contactless smartcard)
• ORCA Card - Seattle, Washington, USA
• Go-To Card - Minneapolis, Minnesota, USA
• Oyster card - London, England
• Smartrider - Perth, Australia
• Myki - Melbourne, Australia uses the Mifare DESFire card
• Mifare4mobile- MIFARE in the NFC mobile services context
• OV-chipkaart - The Netherlands
• Charlie Card - Boston, Massachusetts, USA
  • MBTA v. Anderson - Civil case related to the responsible disclosure of flaws in the system
• Yang Cheng Tong - Guangzhou, China
• Yikatong - Beijing, China
• EasyCard - Taiwan
• Cardz Middle East's Cardz Me - Issued to students in the Indian state of Karnataka
• Zarząd Transportu Miejskiego - Warsaw, Poland
• EasyRider - Nottingham City Transport, Nottingham, England
• kentkart - İzmir, Turkey
• RioCard - Rio de Janeiro, Brazil
• StrongLink - Beijing, China

Institutions

• Bucknell University - Student ID access card in Lewisburg, Pennsylvania
• New college in Oxford - Building access^{[citation needed]}
• Imperial College London - Staff and student ID access card in London, UK
• University of Alberta - Staff OneCard trial currently underway.

References

1. NXP (2009-01-17). "MIFARE is the leading industry standard for contactless". NXP.
2. Courtois, Nicolas T. (2008-04-14). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". Cryptology ePrint Archive. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
3. Garcia, Flavio D. (2008-10-04). "Dismantling MIFARE Classic" (PDF). 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help); line feed character in |coauthors= at position 40 (help)
4. Garcia, Flavio D. (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card" (PDF). 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
5. Third and fourth bullet points under "MIFARE Classic vulnerabilities" at http://mifare.net/security/mifare_classic.asp
6. Courtois, Nicolas T. (2009-04-28). "Conditional Multiple Differential Attack on MiFare Classic" (PDF). Slides presented at the rump session of Eurocrypt 2009 conference.
7. Courtois, Nicolas T. (2009-07-07). "The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime". In SECRYPT 2009 – International Conference on Security and Cryptography, to appear. {{cite web}}: line feed character in |title= at position 40 (help)
8. Courtois, Nicolas T. (2009-05-04). "The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime". IACR Cryptology Preprint Archive. {{cite web}}: line feed character in |title= at position 40 (help)
9. Some ISO7816-4 commands are used by DESFire EV1, including a prioprietary method to wrap native DESFire commands into a ISO 7816 APDU.
10. "NXP introduces new security and performance benchmark with MIFARE Plus" (Press release). NXP. 2008-03-10.
11. https://www.blackhat.com/presentations/bh-usa-08/Nohl/BH_US_08_Nohl_Mifare.pdf
12. "MIFARE Classic 1K specification". 2009-02-22.
13. Karsten Nohl homepage at the University of Virginia
14. Nohl, Karsten. "Mifare: Little Security, Despite Obscurity". Chaos Communication Congress. {{cite web}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
15. Nohl, Karsten (2007-12-28). "24C3 - Mifare security - #2378". Chaos Communication Congress. {{cite web}}: Unknown parameter |coauthor= ignored (|author= suggested) (help)
16. Nohl, Karsten (2008-08-01). "Reverse-Engineering a Cryptographic RFID Tag". Proceedings of the 17th USENIX Security Symposium. {{cite journal}}: Unknown parameter |coauthors= ignored (|author= suggested) (help)
17. Digital Security Group (2008-03-12). "Security Flaw in Mifare Classic". Radboud University Nijmegen.
18. Arnhem Court Judge Services (2008-07-18). "Pronunciation, Primary Claim". Rechtbank Arnhem.

Further reading

• Dayal, Geeta, "How they hacked it: The MiFare RFID crack explained; A look at the research behind the chip compromise, Computerworld, March 19, 2008.

External links

• MIFARE official website.
• NXP MIFARE page including success stories and articles.
• 24C3 Talk about Mifare Classic Video of the 24C3 Talk presenting the results of reverse engineering the Mifare Classic family, raising serious security concerns
• Presentation of 24th Chaos Computer Congress in Berlin Claiming that the mifare classic chip is possibly not safe
• Demonstration of an actual attack on MIFARE Classic (a building access control system) by the Radboud University Nijmegen.
• MIFARE Manufacturer in China.