Information for end users 

Dear MIFARE Classic user,

This letter serves to inform you about the recent reports concerning the security issues of our MIFARE Classic product.

In letters dated February 2nd and March 13th 2008, we have already informed you about this subject.

By now, NXP Semiconductors has come to the conclusion that three research groups have recently retrieved the algorithm and developed attacks to break keys of MIFARE Classic-enabled cards within seconds. These are the group around Karsten Nohl, who initially presented the reverse engineering of MIFARE Classic chips in December 2007 at the 24th Chaos Computer Congress in Berlin, the IT security specialists from the Radboud University of Nijmegen, and Nicolas T. Courtois from the University College London. According to our information, the respective research groups plan to publish their findings, including the algorithm, by fall of this year at the latest. Although we have clearly explained to those parties the potential risks that such a publication would entail, we do not have proof points that these parties will indeed limit the contents of the publication of their scientific research. Consequently, there is a risk of excessive disclosure, including the full algorithm becoming published within the above-mentioned timeframe. Therefore, as we did before, we feel it is appropriate to inform you once more about the potential consequences and the necessary measures to be taken to minimize the impact of such an eventuality on your system infrastructure.

We want to inform you that we are investigating protection scenarios for systems using MIFARE Classic in which no effective mechanisms to detect fraudulent cards have been implemented. Mindful of the above, we ask you to contact your system integrator for an assessment of your systems. Extensive additional protection mechanisms are recommended, both in how the data on the card is used and in deploying additional security layers separate from the card.

It is our assessment that for transport ticketing installations, end-to-end security systems can be designed with the MIFARE Classic chip such that the residual risk of fraud not being detected in time can be drastically reduced. Whether or not those scenarios are acceptable in your risk assessment depends on the assets to be protected, which only you and your system integrator can determine.

End-to-end measures should also be applied for access management infrastructures, which are often complemented by additional measures, e.g. camera surveillance, security personnel, etc., when valuable assets need to be protected. We recommend that your assessment of the impact of the recent and expected developments takes into account the particular way in which the system is implemented and used, its relation to other protection in place, and specifically whether there is a need to prevent unauthorized single time access or access during a limited period of time. Depending on the specific situation in existing MIFARE Classic access management infrastructures, the usage of more sophisticated card ICs may be an alternative to implementing sufficient countermeasures. DESFire EV1 is our recommended solution for new access management implementations where a strong level of security is required to protect against a one time unauthorised access.

NXP is the industry leader in contactless and security, and presents with the MIFARE portfolio the largest and most competitive offering, which has become the industry’s choice. MIFARE Classic provides a benchmark in cost competitiveness as well as proven contactless performance, while the recently announced MIFARE Plus (available in Q4 2008) enables an optimal future-proof migration path when necessary. Both MIFARE Plus and our new high-end product MIFARE DESFire EV1 offer strong AES encryption and are targeted to receive the internationally recognized Common Criteria certification.

NXP’s expertise is the design and manufacturing of chips; although we do not design end-to-end security systems, we would be happy to continuously support your system integrator so that the best solutions are reached.

If you have any questions, please contact us at . If, in addition, you would like to be kept informed about the developments in this matter, please send an email to as well. Additionally, we will be giving updates on the mifare.net website.

 

Sincerely yours
The NXP MIFARE team

 

