MIFARE
MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards and proximity cards. According to the producers, billions of smart card chips and many millions of reader modules have been sold.[1] The technology is owned by NXP Semiconductors (spun off from Philips Electronics in 2006) with its headquarters in Eindhoven, the Netherlands, and main business sites in Nijmegen, the Netherlands, and Hamburg, Germany.
The MIFARE name covers proprietary technologies based upon various levels of the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard.
Variants
The technology is embodied in both cards and readers (a reader is also referred to as a Proximity Coupling Device).
The MIFARE name (derived from the term MIkron Fare Collection System) covers seven different kinds of contactless cards:
- MIFARE Classic: employs a proprietary protocol compliant with ISO/IEC 14443-3 Type A, with an NXP proprietary security protocol for authentication and ciphering.
- MIFARE Ultralight: low-cost ICs that employ the same protocol as MIFARE Classic, but without the security part and with slightly different commands.
- MIFARE Ultralight C: the first low-cost ICs for limited-use applications that offer the benefits of open Triple DES cryptography.
- MIFARE DESFire: smart cards that comply with ISO/IEC 14443-4 Type A, with a mask-ROM operating system from NXP.
- MIFARE DESFire EV1: includes AES encryption.
- MIFARE Plus: drop-in replacement for MIFARE Classic with certified security level (AES 128 based).
- MIFARE SAM AV2: secure access module that provides the secure storage of cryptographic keys and cryptographic functions.
MIFARE Classic
The MIFARE Classic card is fundamentally just a memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for access control. They are ASIC-based and have limited computational power. Thanks to their reliability and low cost, those cards are widely used for electronic wallet, access control, corporate ID cards, transportation or stadium ticketing.
The MIFARE Classic 1K offers 1024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. They can be programmed for operations such as reading, writing, and increasing value blocks. MIFARE Classic 4K offers 4096 bytes split into forty sectors, of which 32 are the same size as in the 1K and eight are quadruple-size sectors. MIFARE Classic mini offers 320 bytes split into five sectors. For each of these card types, 16 bytes per sector are reserved for the keys and access conditions and cannot normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read-only. That brings the net storage capacity of these cards down to 752 bytes for Classic 1K, 3440 bytes for Classic 4K, and 224 bytes for Mini. It uses an NXP proprietary security protocol for authentication and ciphering.
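The layout arithmetic above, together with a check of the 16 reserved bytes of each sector (the sector trailer), as an added example that is not part of the original article. It assumes a full card image in which both keys are present, as in an issuer's personalization file, and the trailer format of key A (6 bytes), three access bytes plus one spare byte, key B (6 bytes); the function names and the sample image are constructed for illustration.

```python
"""Added example: MIFARE Classic layout arithmetic and sector-trailer audit."""
BLOCK = 16  # bytes per block
# (number of 4-block sectors, number of 16-block sectors) per card type
CARD_TYPES = {"mini": (5, 0), "1k": (16, 0), "4k": (32, 8)}
FACTORY_KEY = bytes.fromhex("FFFFFFFFFFFF")  # key value of cards as delivered
TRANSPORT_ACCESS = bytes.fromhex("FF0780")   # access bytes of cards as delivered


def sector_map(card_type):
    """Return [(first_block, trailer_block)] for every sector of the card."""
    small, large = CARD_TYPES[card_type]
    sectors, block = [], 0
    for size in [4] * small + [16] * large:
        sectors.append((block, block + size - 1))
        block += size
    return sectors


def net_capacity(card_type):
    """User bytes left after one trailer per sector and the manufacturer block."""
    sectors = sector_map(card_type)
    total_blocks = sectors[-1][1] + 1
    return (total_blocks - len(sectors) - 1) * BLOCK


def decode_access_bits(b6, b7, b8):
    """Return (C1, C2, C3) per block group, or None if the inverted copies disagree."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    n1, n2, n3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ n1, c2 ^ n2, c3 ^ n3) != (0xF, 0xF, 0xF):
        return None
    # index 3 is the sector trailer itself, 0..2 are the data block groups
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def audit_image(image, card_type):
    """List (sector, finding) pairs for trailers that should not ship as they are."""
    sectors = sector_map(card_type)
    if len(image) != (sectors[-1][1] + 1) * BLOCK:
        raise ValueError("image size does not match card type")
    findings = []
    for sector, (_, trailer) in enumerate(sectors):
        t = image[trailer * BLOCK:(trailer + 1) * BLOCK]
        key_a, access, key_b = t[0:6], t[6:9], t[10:16]
        if decode_access_bits(*access) is None:
            findings.append((sector, "access bytes fail the inverted-copy check"))
        elif access == TRANSPORT_ACCESS:
            findings.append((sector, "access bytes are the transport configuration"))
        for name, key in (("A", key_a), ("B", key_b)):
            if key == FACTORY_KEY:
                findings.append((sector, f"key {name} is the factory default"))
    return findings


def sample_image():
    """Constructed 1K image: sector 0 left as delivered, sector 2 with a flipped access bit."""
    image = bytearray(64 * BLOCK)
    custom = bytes.fromhex("1A2B3C4D5E6F" "78778800" "6F5E4D3C2B1A")  # constructed keys
    for _, trailer in sector_map("1k"):
        image[trailer * BLOCK:(trailer + 1) * BLOCK] = custom
    image[3 * BLOCK:4 * BLOCK] = FACTORY_KEY + bytes.fromhex("FF078069") + FACTORY_KEY
    image[11 * BLOCK + 6] ^= 0x01
    return bytes(image)


if __name__ == "__main__":
    for card in CARD_TYPES:
        print(card, len(sector_map(card)), "sectors,", net_capacity(card), "net bytes")
    for sector, finding in audit_image(sample_image(), "1k"):
        print(f"sector {sector}: {finding}")
```

On the 4K card's 16-block sectors each of the first three access-bit groups covers five data blocks rather than one.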
The MIFARE Classic encryption Crypto-1 can be broken in about 200 seconds on a laptop,[2] if approx. 50 bits of known (or chosen) key stream are available. This attack reveals the key from sniffed transactions under certain (common) circumstances and/or allows an attacker to learn the key by challenging the reader device.
The attack proposed in[3] recovers the secret key in about 40 ms on a laptop. This attack requires just one (partial) authentication attempt with a legitimate reader.
Additionally, there are a number of attacks that work directly on a card and without the help of a valid reader device.[4] These attacks have been acknowledged by NXP.[5] In April 2009 a new and better card-only attack on MIFARE Classic was found. It was first announced at the rump session of Eurocrypt 2009.[6] This attack will be presented in July 2009 at the SECRYPT 2009 conference.[7] The full description of this latest and fastest attack to date can also be found in the IACR preprint archive.[8] The new attack improves on all previous card-only attacks on MIFARE Classic by a factor of more than 10, has instant running time, and does not require a costly precomputation. The new attack allows recovery of the secret key of any sector of a MIFARE Classic card via wireless interaction, within about 300 queries to the card. It can then be combined with the nested authentication attack in the Nijmegen Oakland paper to recover subsequent keys almost instantly. With both attacks combined and with the right hardware equipment such as Proxmark3, one should be able to clone any MIFARE Classic card in not more than 10 seconds. This is much faster than previously thought.
MIFARE Ultralight
The MIFARE Ultralight has only 512 bits of memory (i.e. 64 bytes), without cryptographic security. The memory is provided in 16 pages of 4 bytes.
This card is so inexpensive it is often used for disposable tickets for events such as the Football World Cup 2006.
MIFARE Ultralight C
Introduced at CarteS 2008, MIFARE Ultralight C is part of NXP's low-cost MIFARE offering (disposable ticket). With Triple DES, MIFARE Ultralight C uses a widely adopted standard, enabling easy integration in existing infrastructures. The integrated Triple DES authentication provides an effective countermeasure against counterfeiting of tickets (ticket cloning).
Key features:
- Fully ISO/IEC 14443 parts 1-3, Type A compliant (including anti-collision)
- 1536 bits (192 bytes) EEPROM memory
- Protected data access via 3-pass Triple DES authentication
- Memory structure as in MIFARE Ultralight (pages of 4 bytes)
- Backwards compatibility to MIFARE Ultralight due to compatible command set
- 16 bit one-way counter
- Unique 7 bytes serial number (UID)
Key applications for MIFARE Ultralight C are Public Transportation, Event Ticketing, Loyalty and NFC Forum Tag Type 2.
MIFARE DESFire
The MIFARE DESFire is another NXP microprocessor platform, based on a similar core as SmartMX, with more hardware and software security features than the standard MIFARE Classic chips. It is sold already programmed with general-purpose software (the MIFARE DESFire operating system) that offers a simple directory structure with files, similar to what is typically found on smart cards. MIFARE DESFire cards are sold in four variants: one with Triple-DES only and 4 Kbyte of storage and three with AES having storage capacity of 2, 4 and 8 KB (see MIFARE DESFire EV1). The AES variants also have additional security features, i.e. CMAC. It uses a standards-compliant (ISO/IEC 14443-4) protocol.[9] The card is based on an 8051 processor with Triple DES and AES crypto accelerator, making very fast transactions possible. In 2011 it was announced that the security of the card had been broken.[10]
The maximal read/write distance between card and reader is 10 cm (4 inches), but actual distance depends on the field power generated by the reader and its antenna size.
MIFARE DESFire EV1
(previously called DESFire8)
New evolution of MIFARE DESFire card, broadly backwards compatible. Available with 2 KB, 4 KB and 8 KB NV-Memory. Other features include:
- Support for random ID
- Support for 128-bit AES
- Hardware and Operating System is Common Criteria certified at level EAL 4+
MIFARE DESFire EV1 was publicly announced in November 2006.
MIFARE Plus
MIFARE Plus is a replacement card for the MIFARE Classic. It provides an easy upgrade of existing infrastructures toward high security. The applicative data management is identical to the MIFARE Classic, however the security management requires the modification of the installed reader base. Other features include:
- 2 Kbytes or 4 Kbytes of memory
- 7 or 4 bytes UID. Optional supporting random UID
- Support for 128-bit AES
- Common Criteria certified at level EAL 4+
- MIFARE Plus S for simple migration or MIFARE Plus X with many eXpert commands
- Security upgrade with cards in the field.
It differs from MIFARE DESFire EV1 in not being as flexible as the latter.
MIFARE Plus was publicly announced in March 2008, with availability of first samples in Q1 2009.[11]
MIFARE Plus, when used in older transportation systems that do not yet support AES on the reader side, still leaves an open door to attacks. Though it helps to mitigate threats from attacks that broke the Crypto-1 cipher through the weak random number generator, it does not help against attacks that do not rely on the weak random number generator. Such attacks are the brute force attacks and cryptanalytic attacks.[12] During the transition period from MIFARE Classic to MIFARE Plus, where only a few readers might support AES in the first place, it offers an optional AES authentication in Security Level 1 (which is in fact MIFARE Classic operation). This does not prevent the attacks mentioned above but enables a secure mutual authentication between the reader and the card to prove that the card belongs to the system and is not a fake one.
MIFARE SAM AV2
MIFARE SAMs (Secure access modules) have been designed to provide the secure storage of cryptographic keys and cryptographic functions for terminals to access the MIFARE products securely and to enable secure communication between terminals and host (backend). SAMs are available from NXP Semiconductors in the contact-only module (PCM 1.1) as defined in ISO/IEC 7816-2 and the HVQFN32 format.[citation needed]
Key features:
- Compatible with MIFARE portfolio solutions
- Supports MIFARE, 3DES and AES cryptography
- Key diversification
- Secure download and storage of keys
- 128 key entries
- ISO 7816 baud rate up to 1.5 Mbit/s
- X-mode functionality
Integrating a MIFARE SAM AV2 in a contactless smart card reader enables a state-of-the-art reader design which integrates any high-end cryptography features and the support of crypto authentication and data encryption / decryption.[citation needed] The SAM offers functionality to store keys securely and to perform authentication and encryption of data between the contactless card and the SAM and between the SAM and the backend. In addition to a classical SAM architecture, the MIFARE SAM AV2 supports the X-mode, which allows fast and convenient contactless terminal development by connecting the SAM to the microcontroller and reader IC simultaneously.[citation needed]
MIFARE SAM AV2 offers AV1 mode and AV2 mode where in comparison to the SAM AV1 the AV2 version includes Public Key Infrastructure (PKI), Hash functions like SHA-1, SHA-224, and SHA-256. It supports MIFARE Plus and a secure host communication. Both modes provide the same communication interfaces, cryptographic algorithms (Triple-DES 112-bit and 168-bit key, MIFARE Crypto1, AES-128 and AES-192, RSA with up to 2048-bit keys), and X-mode functionalities.[citation needed]
History
- 1994 — MIFARE Classic 1k contactless technology introduced.
- 1996 — First transport scheme in Seoul using MIFARE Classic 1k.
- 1997 — MIFARE PRO with Triple DES coprocessor introduced.
- 1999 — MIFARE PROX with PKI coprocessor introduced.
- 2001 — MIFARE UltraLight introduced.
- 2002 — MIFARE DESFire introduced, microprocessor based product.
- 2004 — MIFARE DESFire SAM introduced, secure infrastructure counterpart of MIFARE DESFire.
- 2006 — MIFARE DESFire EV1 is announced as the first product to support 128-bit AES
- 2008 — MIFARE Plus is announced as a drop-in replacement for MIFARE Classic based on 128-bit AES
- 2008 — MIFARE Ultralight C is introduced as paper ticket IC featuring Triple DES Authentication
- 2010 — MIFARE SAM AV2 is introduced as secure key storage for readers, with AES, Triple DES and PKI Authentication
MIFARE was developed by Mikron; the name stands for MIkron FARE-collection System. It was acquired by Philips in 1998. Mikron sourced silicon from Atmel in the US, Philips in the Netherlands, and Siemens in Germany.
After the Philips acquisition, Hitachi took a MIFARE license from Philips for the development of the contactless smart card solution for NTT's IC telephone card, a project which started in 1999 and finished in 2006.
Motorola tried to develop a MIFARE-like chip for the wired-logic version but finally gave up. The project expected one million cards per month at the start, but that fell to 100,000 per month just before they gave up the project.
In the NTT contactless IC telephone card project, three parties joined: Tokin-Tamura-Siemens, Hitachi (Philips-contract for technical support), and Denso (Motorola-only production). NTT asked for two versions of the chip, i.e. a wired-logic chip (like MIFARE Classic) with small and with big memory capacity. Hitachi developed only the big memory version and cut part of the memory to fit the small memory version. In 2008 NXP licenced MIFARE Plus and MIFARE DESFire to Renesas Technology. In 2010 NXP licenced MIFARE to Gemalto.[13] In 2011 NXP licenced Oberthur[14] to use MIFARE on SIM cards. These licencees are developing Near Field Communication products.
Infineon Technologies (formerly Siemens) took a licence from Mikron in 1994 and developed, and today produces, various derivatives based on MIFARE technology, including 1K memory and various microcontrollers with MIFARE emulations, including devices for use in USIM with Near Field Communication.
Security of MIFARE Classic
The encryption used by the MIFARE Classic card uses a key that is only 48 bits long.[15]
A presentation by Henryk Plötz and Karsten Nohl[16] at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip. Abstract and slides[17] are available online. A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.[18]
In March 2008 the Digital Security[19] research group of the Radboud University Nijmegen made public that they had performed a complete reverse-engineering and were able to clone and manipulate the contents of a MIFARE Classic card.[20] For demonstration they used the Proxmark device, a 125 kHz / 13.56 MHz research instrument.[21] The schematics and software were released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.
The Radboud University published three scientific papers concerning the security of the MIFARE Classic:
- A Practical Attack on the MIFARE Classic
- Dismantling MIFARE Classic
- Wirelessly Pickpocketing a Mifare Classic Card
In response to these attacks, the Dutch Minister of the Interior and Kingdom Relations stated that they would investigate whether the introduction of the Dutch Rijkspas could be brought forward from Q4 of 2008[22].
NXP tried to stop the publication of the second article by requesting a preliminary injunction. However, the injunction was denied, with the court noting that, "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."[23][24]
Both independent research results are confirmed by the manufacturer NXP.[25]
Cards that do not support the proprietary MIFARE Classic protocol are not affected by these particular attacks[citation needed].
Considerations for systems integration
The security of, e.g., public transport systems against fraud relies on many components, of which the MIFARE card is just one. Typically, to minimize costs, systems integrators will choose a relatively cheap card such as MIFARE Classic and concentrate the security efforts in the back office. Additional encryption on the card, transaction counters, and other methods known in cryptography are then required to make cloned cards useless, or at least to enable the back office to detect fraud should a card be compromised, and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers as well, for which real-time checks are not possible and blacklists cannot be updated as frequently.
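One way a back office can use transaction counters to detect a cloned card and blacklist it, as an added example that is not from the original article. The feed format, field names, reader names and UIDs are constructed; the check assumes every card increments its counter once per transaction and that all times fall on one day. Because it compares counter values rather than arrival order, late uploads from offline readers do not raise false alarms, but they do delay detection.

```python
"""Added example: detecting forked transaction counters in a back-office feed."""
from collections import namedtuple

Tx = namedtuple("Tx", "uploaded reader uid counter tx_time amount")
Fork = namedtuple("Fork", "uid counter detected_at delay_minutes")

# Constructed feed: upload_time reader uid counter tx_time amount_cents
# bus-117 is an offline reader that uploads its day of transactions at 23:30.
SAMPLE_FEED = """\
09:00 gate-01 04A1B2C3 41 08:59 -250
09:05 gate-02 04A1B2C3 42 09:04 -250
09:05 gate-02 04A1B2C3 42 09:04 -250
09:10 gate-01 0477E5F6 17 09:09 -250
23:30 bus-117 04A1B2C3 42 09:20 -400
23:30 bus-117 0477E5F6 18 10:02 -250
"""


def parse_feed(text):
    """Turn whitespace-separated feed lines into Tx records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uploaded, reader, uid, counter, tx_time, amount = line.split()
        records.append(Tx(uploaded, reader, uid, int(counter), tx_time, int(amount)))
    return records


def minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def find_forks(records):
    """Report each UID for which one counter value covers two different transactions."""
    seen = {}        # (uid, counter) -> first transaction stored for that value
    flagged = set()  # UIDs already reported
    forks = []
    for tx in sorted(records, key=lambda r: minutes(r.uploaded)):
        first = seen.setdefault((tx.uid, tx.counter), tx)
        same = (first.reader, first.tx_time, first.amount) == (tx.reader, tx.tx_time, tx.amount)
        if same or tx.uid in flagged:
            continue  # first sighting, repeated upload, or card already reported
        flagged.add(tx.uid)
        # The fork exists from the later of the two conflicting uses onwards.
        later = max(first, tx, key=lambda r: minutes(r.tx_time))
        delay = minutes(tx.uploaded) - minutes(later.tx_time)
        forks.append(Fork(tx.uid, tx.counter, tx.uploaded, delay))
    return forks


def blacklist(forks):
    """UIDs to distribute to readers at their next blacklist update."""
    return {fork.uid for fork in forks}


if __name__ == "__main__":
    for fork in find_forks(parse_feed(SAMPLE_FEED)):
        print(f"{fork.uid}: counter {fork.counter} used twice, detected at "
              f"{fork.detected_at}, {fork.delay_minutes} min after the second use")
```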
See also
- RFID
- Physical security
- NFC
Other places that use MIFARE technology
Transportation
| Card name | Locality | Details |
|---|---|---|
| Tarjeta Bip! | Chile (Santiago de Chile) | Metro de Santiago, Transantiago, http://www.tarjetabip.cl |
| Istanbulkart | Turkey (Istanbul) | MIFARE DESFire EV1 - Buses, ferry boats, metro, light metro, trams and overground trains |
| KentKart | Turkey (Izmir) | Metro, bus, passenger ship |
| KGS Card | Turkey | Toll Highways, KGS (acronym for Contactless Card Toll System), MIFARE Classic 1K, MIFARE Plus 2K (in Classic compatibility mode) |
| Muzekart | Turkey | MIFARE Classic 1K, MIFARE Plus 2K |
| Etalons | Latvia | MIFARE Ultralight 512 bytes |
| Moscow Metro | Russia (Moscow) | Ultralight disposable ticket |
| Touch 'n Go | Malaysia | |
| Mybi, T-money, Upass | South Korea | |
| Cívica | Colombia (Medellin) | |
| ETS Blue | Canada (Edmonton, Alberta) | |
| EMcard | Slovakia | Used by almost every public transport system in Slovakia and some in Czech Republic. In most cases only referred to as BCK - Bezkontaktná cipová karta (contactless smart card) |
| RATB Activ | Romania (Bucharest) | |
| ORCA Card | USA (Seattle, Washington) | |
| In Karta | Czech republic (Prag) | (www.cd.cz) |
| opencard | Czech republic (Prag) | |
| Go-To Card | USA (Minneapolis, Minnesota) | |
| Clipper card | USA (San Francisco Bay Area, California) | MIFARE DESFire; replacing TransLink, which used a Motorola Card. http://clippercard.com |
| Breeze card | USA (Atlanta MARTA, Georgia) | MIFARE Ultralight and Classic. http://www.breezecard.com/ |
| Oyster card | England (London) | migrating from MIFARE Classic to MIFARE DESFire EV1[26] |
| ACTION MyWay | Australia (Canberra) | |
| SmartRider | Australia (Perth) | MIFARE Classic 1k |
| Myki | Australia (Victoria) | MIFARE DESFire card |
| TransLink Go card | Australia (Brisbane) | |
| MIFARE4Mobile | ? | MIFARE in the NFC mobile services context |
| OV-chipkaart | Netherlands | Currently being introduced as a single payment system for public transportation in the Netherlands, using a MIFARE Classic card. |
| Charlie Card | USA (Boston, Massachusetts) | MBTA v. Anderson - Civil case related to the responsible disclosure of flaws in the system |
| Yang Cheng Tong | China (Guangzhou) | |
| Yikatong | China (Beijing) | |
| EasyCard | Taiwan | |
| IndianRailways | India | MIFARE DESFire cards, Indian railways (five major cities) |
| Cardz Me | India (Karnataka) | Issued to students in the Indian state of Karnataka by Cardz Middle East |
| Warszawska Karta Miejska | Poland (Warsaw) | 1K MIFARE Classic cards used on buses, trams, subway and railroad |
| EasyRider | England (Nottingham) | Nottingham City Transport |
| OPUS card | Canada (Montreal) | Société de transport de Montréal |
| Green Card | Australia (Hobart) | |
| RioCard | Brazil (Rio de Janeiro) | |
| Orovale | Brazil (Teresopolis) | Viação Dedo de Deus (buses) |
| Bilhete Único | Brazil (São Paulo) | |
| StrongLink | China (Beijing) | |
| BuTra | Croatia (Osijek) | |
| EYCON e-Bus | Argentina (Bahía Blanca) | 1K MIFARE, planned to be used on buses and taxis. |
| Red Bus | Argentina (Córdoba, Mendoza, Salta) | 1K MIFARE. |
| SUBE | Argentina (Buenos Aires) | |
| Resekortet | Sweden | MIFARE Classic 1K[27] |
| SL | Sweden | MIFARE Classic 4K. Stockholms lokaltrafik (Stockholm public transit card) |
| Rejsekort | Denmark | MIFARE Classic 4k |
| Baku metrocard | Azerbaijan (Baku) | 1K MIFARE Classic, 1K MIFARE Plus S[28] |
| SmartCard | Ireland (Dublin) | Iarnród Éireann, MIFARE1K (According to FareBot). |

Institutions
- New College School in Oxford - Building access[citation needed].
- Imperial College London - Staff and student ID access card in London, UK.
- Cambridge University[29] - Student/Staff ID and access card, library card, canteen payments in some colleges[30]
- University of Warwick - Staff and student ID card and separate Eating at Warwick stored value card in Coventry, UK.
- Regent's College, London - Staff and student ID access card in London, UK.
- Bucknell University - Student ID access card in Lewisburg, Pennsylvania.
- University of Alberta - Staff OneCard trial currently underway.
- Northumbria University - Student/Staff building and printer access.
- City University of Hong Kong - Student/Staff building, Library, Amenities Building.
- University of Bayreuth - Student ID card and canteen card for paying.
- University of Ibadan, Nigeria - Student ID card and Examination Verification and Attendance.
- Convenant University, Nigeria - Student ID card and Examination Verification and Attendance.
- Lead City University, Nigeria - Student ID card and Examination Verification and Attendance.
- Hogeschool-Universiteit Brussel, Belgium - Student ID card, canteen card for paying, library and building access.
References
- [1] MIFARE (2009-12-18). "The success of MIFARE". http://www.mifare.net/.
- [2] Courtois, Nicolas T.; Karsten Nohl; Sean O'Neil (2008-04-14). "Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards". Cryptology ePrint Archive. http://eprint.iacr.org/2008/166.
- [3] Garcia, Flavio D.; Gerhard de Koning Gans; Ruben Muijrers; Peter van Rossum, Roel Verdult; Ronny Wichers Schreur; Bart Jacobs (2008-10-04). "Dismantling MIFARE Classic". 13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer. http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf.
- [4] Garcia, Flavio D.; Peter van Rossum; Roel Verdult; Ronny Wichers Schreur (2009-03-17). "Wirelessly Pickpocketing a Mifare Classic Card". 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE. http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf.
- [5] Third and fourth bullet points under "MIFARE Classic vulnerabilities" at http://mifare.net/security/mifare_classic.asp
- [6] Courtois, Nicolas T. (2009-04-28). "Conditional Multiple Differential Attack on MIFARE Classic". Slides presented at the rump session of Eurocrypt 2009 conference. http://eurocrypt2009rump.cr.yp.to/7870fc6d38647a661145594ef0c33015.pdf.
- [7] Courtois, Nicolas T. (2009-07-07). "The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime". In SECRYPT 2009 – International Conference on Security and Cryptography, to appear. http://www.secrypt.org/.
- [8] Courtois, Nicolas T. (2009-05-04). "The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime". IACR Cryptology Preprint Archive. http://eprint.iacr.org/2009/137.
- [9] Some ISO/IEC 7816-4 commands are used by MIFARE DESFire EV1, including a proprietary method to wrap native MIFARE DESFire commands into a ISO/IEC 7816 APDU.
- [10] "German Researchers Crack Mifare RFID Encryption". Slashdot. http://it.slashdot.org/story/11/10/10/1850230/.
- [11] "NXP introduces new security and performance benchmark with MIFARE Plus" (Press release). NXP. 2008-03-10. http://www.nxp.com/news/content/file_1418.html.
- [12] https://www.blackhat.com/presentations/bh-usa-08/Nohl/BH_US_08_Nohl_Mifare.pdf
- [13] http://www.gemalto.com/press/archives/2010/2010-11-25_NXP_Gemalto_MIFARE_License_en.pdf
- [14] http://www.nxp.com/news/content/file_1818.html
- [15] "MIFARE Classic 1K specification". 2009-02-22. http://mifare.net/products/smartcardics/mifare_standard1k.asp.
- [16] Karsten Nohl homepage at the University of Virginia
- [17] Nohl, Karsten; Henryk Plötz. "Mifare: Little Security, Despite Obscurity". Chaos Communication Congress. http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html.
- [18] Nohl, Karsten; David Evans (2008-08-01). "Reverse-Engineering a Cryptographic RFID Tag". Proceedings of the 17th USENIX Security Symposium. http://www.usenix.org/events/sec08/tech/nohl.html.
- [19] Radboud University Nijmegen Digital Security
- [20] Digital Security Group (2008-03-12). "Security Flaw in Mifare Classic". Radboud University Nijmegen. http://www.ru.nl/ds/research/rfid/.
- [21] "Proxmark". http://www.proxmark.org. Retrieved 2011-01-25.
- [22] "Dutch Page". http://www.minbzk.nl/actueel/110972/veel-chips-in. Retrieved 2011-01-25.
- [23] Arnhem Court Judge Services (2008-07-18). "Pronunciation, Primary Claim". Rechtbank Arnhem. http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578.
- [24] "Judge denies NXP's injunction against security researchers". The Standard. 2008-07-18. http://www.thestandard.com/news/2008/07/18/judge-denies-nxps-injunction-against-security-researchers. Retrieved 2010-02-13.
- [25] "mifare.net :: Security". http://www.mifare.net/technology/security/. Retrieved 2011-01-25.
- [26] http://www.nfctimes.com/news/transport-london-discard-mifare-classic-seeks-desfire-sims
- [27] Resekortet i Sverige AB. "RKF-specifikationen - Svensk Kollektivtrafik". http://www.svenskkollektivtrafik.se/Resekortet/Puffar/Annonser-langst-ned-pa-startsida/Kontakt/RKF-specifikationen/.
- [28] LOT ltd. "Integrator's web site (subway solutions)". http://lotgate.com/index.php?option=com_content&view=article&id=9&Itemid=30&lang=en.
- [29] http://www.cl.cam.ac.uk/local/wgb/securityaccess.html
- [30] http://www.clare.cam.ac.uk/academic/handbook/food-drink.html
Further reading
- Dayal, Geeta, "How they hacked it: The MiFare RFID crack explained; A look at the research behind the chip compromise", Computerworld, March 19, 2008.
External links
- MIFARE official website.
- 24C3 Talk about MIFARE Classic Video of the 24C3 Talk presenting the results of reverse engineering the MIFARE Classic family, raising serious security concerns
- Presentation of 24th Chaos Computer Congress in Berlin Claiming that the MIFARE classic chip is possibly not safe
- Demonstration of an actual attack on MIFARE Classic (a building access control system) by the Radboud University Nijmegen.
Wikimedia Foundation. 2010.