From Wikipedia, the free encyclopedia

Jump to: navigation, search

MIFARE is the NXP Semiconductors-owned trademark (a spin-off company formed out of Philips Semiconductors) of the reputedly most widely installed contactless smartcard, or proximity card, technology in the world with (according to the producer) over 1 billion smart card chips and 10 million reader modules sold[1]. The patented technology is owned by NXP Semiconductors, with its Headquarters in Eindhoven, the Netherlands and main business sites in Nijmegen, the Netherlands and Hamburg, Germany.

The MIFARE proprietary technology is based upon the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard.


[edit] Variants

The technology is embodied in both cards and readers (also referred to as a Proximity Coupling Device).

The MIFARE name covers four different kinds of contactless cards :

MIFARE Ultralight
low-cost ICs that employ the same protocol as MIFARE Classic, but without the security part and slightly different commands
MIFARE Ultralight C
the first low-cost ICs for limited-use applications that offer the benefits of an open 3DES cryptography
MIFARE Classic (Standard)
employ a proprietary high-level protocol instead of ISO/IEC 14443-4, with an NXP proprietary security protocol for authentication and ciphering.
drop-in replacement for MIFARE Classic with certified security level (AES 128 based)
are smartcards that comply to ISO/IEC 14443-4 with a mask-ROM operating system from NXP.
are NXP Semiconductors brand names for smartcards that comply to ISO/IEC 14443-4.

[edit] MIFARE Classic (Standard)

The MIFARE Classic card is fundamentally just a memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for access control. They are ASIC based and have limited computational power. Thanks to their reliability and low cost, those cards are widely used for electronic wallet, access control, corporate ID cards, transportation or stadium ticketing.

The MIFARE Classic 1k offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. They can be programmed for operations like reading, writing, increasing value blocks, etc.). MIFARE Classic 4k offers 4096 bytes split into forty sectors, of which 32 are same size as in the 1K with eight more that are quadruple size sectors. MIFARE Classic mini offers 320 bytes split into five sectors. For each of these card types, 16 bytes per sector are reserved for the keys and access conditions and can not normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read only. That brings the net storage capacity of these cards down to 752 bytes for Classic 1k, 3440 bytes for Classic 4k, and 224 bytes for Mini.

The simplicity of the basic cards means that they are inexpensive, which is largely the reason for their success in large-scale deployments, such as Oyster card.

The MIFARE Classic encryption Crypto-1 can be broken in about twelve seconds on a laptop[2], if approx. 50 bits of known (or chosen) key stream are available. This attack reveals the key from sniffed transactions under certain (common) circumstances and/or allows an attacker to learn the key by challenging the reader device.

The attack proposed in[3] recovers the secret key in about 40ms on a laptop. This attack requires just one (partial) authentication attempt with a legitimate reader.

Additionally there are a number of attacks that work directly on a card and without the help of a valid reader device[4]. These attacks have been acknowledged by NXP[5].

[edit] MIFARE Ultralight

The MIFARE Ultralight has only 512 bits of memory (i.e. 64 bytes), without security. The memory is provided in 16 pages of 4 bytes.

This card is so inexpensive it is often used for disposable tickets such as the Football World Cup 2006.

[edit] MIFARE Ultralight C

Introduced at CarteS 2008, MIFARE Ultralight C is part NXP's low-cost MIFARE offering (disposable ticket). With 3DES, MIFARE Ultralight C uses a widely adopted standard, enabling easy integration in existing infrastructures. The integrated 3DES authentication provides an effective countermeasure against counterfeit of tickets (ticket cloning).

Key features:

  • Fully ISO / IEC 14443 A 1-3 compliant (including Anti-collision)
  • 1536 bits (192 bytes) EEPROM memory
  • Protected data access via 3-pass 3DES authentication
  • Memory structure as in MIFARE Ultralight (pages of 4 byte)
  • Backwards compatibility to MIFARE Ultralight due to compatible command set
  • 16 bit one-way counter
  • Unique 7 bytes serial number (UID)

Key applications for MIFARE Ultralight C are Public Transportation, Event Ticketing, Loyalty and NFC Forum Tag Type 2.

[edit] MIFARE ProX, SmartMX

MIFARE ProX and SmartMX are microprocessor based cards. The hardware does nothing on its own, it has to be programmed with dedicated software - an operating system. Most of the time, the microprocessor is coupled to a co-processor dedicated to fast cryptographic computations (e.g., Triple DES, AES, RSA, etc.). These cards are capable of executing complex operations that are as secure and fast as operations on contact based cards. Both are, in fact, also available as a contact based card, or with multiple interfaces, and offer a high degree of flexibility. These cards are capable of supporting a range of both proprietary and open operating systems, including the Java CardTM operating system (JCOP).

Depending on the installed software, the card can be used for almost any kind of application. This kind of card is mostly used where a high level of security is required (e.g., secure travel documents, electronic passports, payment cards, etc.), and is certified by independent parties such as Common Criteria. The hardware of the SmartMX is Common Criteria certified at EAL5+ by the Bundesamt für Sicherheit in der Informationstechnik, BSI, which means that it is highly resistant to tampering such as, for instance, reverse engineering attacks, fault/glitch attacks, or power analysis attacks. Each operating system on top of the hardware requires its own certification in order for the entire product to be certified.

[edit] MIFARE DESFire

The MIFARE DESFire is another NXP microprocessor platform, based on a similar core as MIFARE ProX/SmartMX, with more hardware and software security features than the standard MIFARE Classic chips. It is sold already programmed with a general purpose software (the DESFire operating system) that offers a simple directory structure with files, similar to what is typically found on smart cards. DESFire cards are sold on four variants. One with Triple-DES only and 4Kbyte of storage and three with AES having storage capacity of 2, 4 and 8 KB (see DESFire EV1). The AES variants also have additional security features, i.e. CMAC. It is using a standards compliant (ISO/IEC 14443-4) protocol.[6] The card is based on a 8051 processor with 3DES and AES crypto accelerator, making really fast transactions possible.

The maximal read/write distance between card and reader is 10 cm (4 inches), but actual distance depends on the field power generated by the reader and its antenna size.

[edit] MIFARE DESFire EV1

(previously called DESFire8)

New evolution of DESFire card, broadly backwards compatible. Available with 2KB, 4 KB and 8KB NV-Memory. Other features include

  • Support for random ID
  • Support for 128-bit AES
  • Common Criteria certified at level EAL 4+

DESFire EV1 has been publicly announced in November 2006.

[edit] MIFARE Plus

MIFARE Plus is a replacement card for the MIFARE Classic. It provides an easy upgrade of existing infrastructures toward high security. The applicative data management is identical to the MIFARE Classic, however the security management requires the modification of the installed reader base. Other features include

  • 2Kbytes or 4Kbytes of memory
  • 7 or 4 bytes UID. Optional supporting random UID
  • Support for 128-bit AES
  • Common Criteria certified at level EAL 4+
  • MIFARE Plus S for simple migration or MIFARE Plus X with many eXpert commands
  • Security upgrade with cards in the field.

It differs from DESFire EV1 in not being as flexible as the latter.

MIFARE Plus has been publicly announced in March 2008 with availability of first samples in Q1 2009.[7]

MIFARE Plus, when used in older transportation systems that do not yet support AES on the reader side, still leaves an open door to attacks. Though it helps to mitigate threats from attacks that broke the Crypto-1 cipher through the weak random number generator, it does not help against attacks that do not take into account the weak random number generator. Such attacks are the brute force attacks and cryptoanalytic attacks.[8]

[edit] History

  • 1994 — MIFARE Classic 1k contactless technology introduced.
  • 1996 — First transport scheme in Seoul using MIFARE Classic 1k.
  • 1997 — MIFARE PRO with Triple DES coprocessor introduced.
  • 1999 — MIFARE PROX with PKI coprocessor introduced.
  • 2001 — MIFARE UltraLight introduced.
  • 2002 — MIFARE DESFire introduced, microprocessor based product.
  • 2004 — MIFARE DESFire SAM introduced, secure infrastructure counterpart of MIFARE DESFire.
  • 2006 — MIFARE DESFire EV1 is announced as the first product to support 128-bit AES
  • 2008 — MIFARE Plus is announced as a drop-in replacement for MIFARE Classic based on 128-bit AES
  • 2008 — MIFARE Ultralight C is introduced as paperticket IC featuring Triple DES Authentication

MIFARE was developed by Mikron; the name stands for MIkron FARE-collection System. It was acquired by Philips in 1998. Mikron licensed the MIFARE technology to Atmel in the US, Philips in the Netherlands, and Siemens in Germany.

After the Philips acquisition, Hitachi contracted MIFARE license with Philips which was introduced for the development of the contactless smartcard solution for NTT IC telephone card which started in 1999 and finished in 2006.

In the NTT contactless IC telephone card project, three parties joined: Tokin-Tamura-Siemens, Hitachi (Philips-contract for technical support), and Denso (Motorola-only production). NTT asked for two versions of chip, i.e. wired-logic chip (like Mifare Classic) with small memory and big memory capacity. Hitachi developed only big memory version and cut part of the memory to fit for the small memory version. In 2008 NXP licenced to Renasas (formerly Hitachi)Mifare Plus and DESfire.

Siemens (now Infineon Technologies )developed a wired-logic 1K byte chip based on MIFARE technology with some modifications including microprocessors with MIFARE emulations.

Motorola tried to develop MIFARE-like chip for wired-logic version but finally gave up. The project expected one million cards per month for start, but that fell to 100,000 per month just before they gave up the project.

[edit] Security of MIFARE Classic

The encryption used by the card uses a key that is only 48 bits long.[9]

A presentation by Henryk Plötz and Karsten Nohl[10] at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip. Abstract and slides[11] and a video[12] are available online. A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.[13]

In March 2008 the Digital Security research group of the Radboud University Nijmegen made public that it was able to clone and manipulate the contents of a MIFARE Classic card[14]. For demonstration they used the Proxmark device, a 125kHz / 13.56MHz research instrument. The schematics and software are released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.

The Radboud University published three scientific papers concerning the security of the MIFARE Classic:

In response to these attacks it was stated by the Dutch Minister of Home Affairs and Kingdom Relations that they will investigate whether the introduction of the Dutch Rijkspas can be brought forward from Q4 of 2008. link (Dutch).

NXP tried to stop[15] the publication of the second article through a preliminary injunction. The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.

Both independent research results are confirmed and taken very seriously by the manufacturer NXP, whose statement about the attacks can be found here. After the lawsuit, NXP shows respect in the security section of the official MIFARE website to the courtesy of the Radboud University Nijmegen which gave them an early warning in the line with responsible disclosure.

Note: cards that do not support the proprietary MIFARE Classic protocol are not affected by these particular attacks.

[edit] Considerations for System Integration

The security of, e.g., public transport systems against fraud relies on many components, of which the MIFARE card is just one. Typically, to minimize costs, system integrators will chose a relatively cheap card such as MIFARE Classic and concentrate the security efforts in the back office. Additional encryption on the card, transaction counters, and other methods known in cryptography are then required to make cloned cards useless, or at least to enable the back office to detect fraud should a card be compromised, and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers as well, for which real-time checks are not possible and blacklists cannot be updated as frequently.

[edit] See also

[edit] Other places that use Mifare Technology



[edit] References

  1. ^ NXP (2009-01-17). "MIFARE is the leading industry standard for contactless". NXP. http://www.nxp.com/products/identification/mifare/classic/index.html. 
  2. ^ Courtois, Nicolas T.; Karsten Nohl; Sean O'Neil (2008-04-14). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". Cryptology ePrint Archive. http://eprint.iacr.org/2008/166. 
  3. ^ Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (2008-10-04). "Dismantling MIFARE Classic". 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf. 
  4. ^ Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009). "Wirelessly Pickpocketing a Mifare Classic Card". 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE. http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf. 
  5. ^ Third and fourth bullet points under "MIFARE Classic vulnerabilities" at http://mifare.net/security/mifare_classic.asp
  6. ^ Some ISO7816-4 commands are used by DESFire EV1, including a prioprietary method to wrap native DESFire commands into a ISO 7816 APDU.
  7. ^ NXP (2008-03-10). NXP introduces new security and performance benchmark with MIFARE Plus. Press release. http://www.nxp.com/news/content/file_1418.html. 
  8. ^ https://www.blackhat.com/presentations/bh-usa-08/Nohl/BH_US_08_Nohl_Mifare.pdf
  9. ^ "MIFARE Classic 1K specification". 2009-02-22. http://mifare.net/products/smartcardics/mifare_standard1k.asp. 
  10. ^ Karsten Nohl homepage at the University of Virginia
  11. ^ Nohl, Karsten; Henryk Plötz. "Mifare: Little Security, Despite Obscurity". Chaos Communication Congress. http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html. 
  12. ^ Nohl, Karsten (2007-12-28). "24C3 - Mifare security - #2378". Chaos Communication Congress. http://video.google.com/videoplay?docid=4252367680974396650&hl=en. 
  13. ^ Nohl, Karsten; David Evans (2008-08-01). "Reverse-Engineering a Cryptographic RFID Tag". Proceedings of the 17th USENIX Security Symposium. http://www.usenix.org/events/sec08/tech/nohl.html. 
  14. ^ Digital Security Group (2008-03-12). "Security Flaw in Mifare Classic". Radboud University Nijmegen. http://www.ru.nl/ds/research/rfid/. 
  15. ^ Arnhem Court Judge Services (2008-07-18). "Pronunciation, Primary Claim". Rechtbank Arnhem. http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578. 

[edit] Further reading

[edit] External links

Personal tools