MIFARE Plus has NOT been hacked 

In recent days, reports have been published in the press claiming that the MIFARE Plus chip has been hacked. This is not correct and is probably based on a misunderstanding.

Highest security level = Advanced Encryption Standard

MIFARE Plus, which will be introduced at the end of 2008, can be operated in multiple security levels. The highest security level uses state-of-the-art AES (Advanced Encryption Standard) encryption based on a 128-bit key length. AES has been analyzed extensively and is now the new world benchmark in encryption standards, as was the case with its predecessor, the Data Encryption Standard (DES). On May 26th 2002, AES became an effective standard adopted by, among others, the US government and published by the National Institute of Standards and Technology (NIST) as a Federal Information Processing Standard (FIPS) after a 5-year standardization process.

The crypto architecture of MIFARE Plus will be reviewed by multiple independent parties and the chip itself is targeted to receive Common Criteria certification. In its highest security level, MIFARE Plus is not using any part of the compromised Crypto1 algorithm which is utilized in MIFARE Classic.

Lowest security level = Crypto1 for easy migration

In order to speed up and ease the migration process for existing infrastructures based on MIFARE Classic, the MIFARE Plus chip on its lowest security level will be backwards compatible with MIFARE Classic.

Securely switch cards in the field to a higher security level

Cards using chips in this lowest security level can be switched to a higher security level after issuance. Once the command for this one-way switch has been given, the card will from then on only operate in that higher security level and cannot be switched back to a lower security level.
The switch itself is protected by an AES key that shall be different for each card, so switching to a higher level cannot be done unless this AES-secured key is known.

When making the switch from a lower to a higher security level, the system can check whether the card contents are consistent and valid, and it can correct the data on the card if this is not the case. So even a card that has been tampered with on the lower security level can be corrected before actually being used at the higher level.
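The one-way, key-protected switch described above can be modelled in a few lines. This is an added conceptual example, not NXP code and not the MIFARE Plus command set. Assumptions: HMAC-SHA256 stands in for the AES-based authentication, the per-card key is derived from a master key and the card UID, and the level numbers 1 and 3 are placeholder labels for "lowest" and "highest".

```python
import hashlib
import hmac
import secrets


def card_key(master_key: bytes, uid: bytes) -> bytes:
    """Assumed diversification: one switch key per card, derived from its UID."""
    return hmac.new(master_key, b"level-switch" + uid, hashlib.sha256).digest()[:16]


def prove(key: bytes, challenge: bytes, target: int) -> bytes:
    """Proof of key knowledge, bound to the challenge and the target level."""
    return hmac.new(key, challenge + bytes([target]), hashlib.sha256).digest()


class Card:
    """Toy card model: the security level can only ever increase."""

    def __init__(self, uid: bytes, switch_key: bytes, level: int = 1):
        self.uid, self._key, self.level = uid, switch_key, level
        self._challenge = None

    def get_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # fresh for every attempt
        return self._challenge

    def switch_level(self, target: int, proof: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # single use
        if challenge is None or target <= self.level:
            return False  # no pending challenge, or a downgrade attempt
        if not hmac.compare_digest(prove(self._key, challenge, target), proof):
            return False  # caller does not know this card's key
        self.level = target
        return True


def demo() -> dict:
    master = bytes(range(16))  # constructed sample master key
    a = Card(b"\x04\xa1\xb2\xc3", card_key(master, b"\x04\xa1\xb2\xc3"))
    b = Card(b"\x04\xd4\xe5\xf6", card_key(master, b"\x04\xd4\xe5\xf6"))
    key_a, key_b = card_key(master, a.uid), card_key(master, b.uid)
    return {
        # Card B's key must not authorize a switch on card A.
        "wrong_key": a.switch_level(3, prove(key_b, a.get_challenge(), 3)),
        "right_key": a.switch_level(3, prove(key_a, a.get_challenge(), 3)),
        # Even with the correct key, the card refuses to go back down.
        "downgrade": a.switch_level(1, prove(key_a, a.get_challenge(), 1)),
        "levels": (a.level, b.level),
    }
```
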

Why does MIFARE Plus still support Crypto1?

The advantage of supporting Crypto1 in the lowest security level becomes apparent when considering possible migration scenarios.

Small systems can be upgraded immediately
Small systems with all the intelligence in a central data center can prepare a switch to a card with higher security, such as MIFARE DESFire, immediately and fairly easily. In this case the upgrade consists of modifying the applied software.

Complex systems require a phased approach
Complex systems, with many off-line readers and Secure Access Modules (SAMs) in the readers that hold the keys, will need a much longer upgrade time. SAMs may need to be physically replaced in every single reader. The logistics of this process will take a considerable amount of time. This is seen as preparatory work before a software upgrade can take place to support the new media type.

Upgrade readers first ...
When upgrading to MIFARE DESFire or to any other currently existing card IC, issuance of new cards and gradual replacement of old cards can only start from the moment when the last reader in the system has been upgraded to support the new card. If existing cards are to be phased out gradually, readers must support both the current and the new media type.

... or upgrade on the go with MIFARE Plus?
When upgrading a MIFARE Classic-based infrastructure to MIFARE Plus, the issuance of MIFARE Plus cards can start from the moment that cards can be delivered and appropriate card personalization is established. After issuance, those cards will then start to work on the lowest security level (backwards compatible with MIFARE Classic). Once all readers have been upgraded to work with the higher security level of MIFARE Plus, the cards in the field can be switched to the higher security level as well, without re-issuance. This can result in a much quicker transition of the infrastructure to operating exclusively on the required higher security level.

Conclusion

MIFARE Plus has not been hacked. Depending on the characteristics of each system, the support of Crypto1 in the lowest security level of MIFARE Plus could enable an easier, less costly and faster completion of the migration to a higher security level.

The system integrator needs to weigh the trade-offs and choose the best scenario. Note that immediately introducing MIFARE Plus on the highest security level is possible as well, in which case Crypto1 will never be used at all. In such cases, as with migrating to MIFARE DESFire, the roll-out of new cards can only start after all readers have been upgraded to support MIFARE Plus in its highest AES level.
