Frequently Asked Questions (MF3ICD40) 12. October 2011

FAQs on the security of MIFARE DESFire™ MF3ICD40

Q: What is a Power Analysis as undertaken by University of Bochum?


A: Power Analysis is a technique to reconstruct the secret key used during a cryptographic computation in a device (e.g. smart card) by monitoring its power consumption. In some sense this attack is similar to sensing the vibrations of window glasses with a laser in order to listen into a conversation happening inside the room. Power Analysis attacks are well known in the industry and commonly tested for in Common Criteria certified products such as MIFARE DESFire EV1.

Q: What is needed to perform a Power Analysis on a smart card? How long does it take to carry out this attack successfully?


A: Equipment-wise, the test bench for performing a Power Analysis attack typically requires a high-end oscilloscope, an appropriate card reader, a custom-made device for measuring the power consumption, and a PC for controlling the measurement as well as doing the analysis. In addition, custom-made software needs to be developed which can perform a cryptographic and statistical analysis of the data according to the theory of differential power analysis. The foundations of this theory are well established, but they need to be tailored to each case. Typically, it takes a long time to perform this attack for the first time on a new system, but following trials will be much faster. It is difficult to give a concrete time; the attack can take from a week to many months for the first step, and from a day to many weeks for the second step.

Q: Can anybody do this now, based on the research of the Bochum University?


A. No, this attack still requires the expertise of experts as well as special equipment. And it still will take several hours to a few days to replicate the attack, depending on the quality of the measurement. The University of Bochum disclosed their results in a very responsible manner. Anyone who wants to replicate the attack based on the Bochum paper still needs to set up the attack including the first, very time-consuming steps. Nobody will be able to break the MF3ICD40 within seven hours if he has not invested a substantial amount of time and money to figure out the initial steps.

Q: Press reports indicate that it is impossible to detect a hacked card. Is this true?


A: No. A non-invasive side-channel attack such as the DPA does not leave traces on the manipulated card itself, but a card subjected to such an attack can get flagged in the back-end system. Transport operators typically have sophisticated security systems installed that constantly reconcile transactions and check balances to detect manipulated data on a card. Suspicious cards will be black- or grey-listed, which means they are disabled or marked for alarms and further investigations. Examples in Taiwan (

http://www.taipeitimes.com/News/taiwan/archives/2011/09/28/2003514388

) and the Netherlands prove the effectiveness of such systems, resulting in the identification and arrest of the fraudsters.

Q: Are MIFARE DESFire Emulations or other MIFARE DESFire products also affected by this attack?


A: No, this attack was performed on a very specific hardware platform, the MF3ICD40, and as such provides no indications whether other platforms or implementations may be vulnerable. Other products such as the MIFARE DESFire EV1 or NXP’s SmartMX secure microcontrollers have a higher level of security and are certified to withstand DPA attacks. The University of Bochum even tested their attack scheme against the MIFARE DESFire EV1 and stated clearly that they were not able to break the card.

Q: Are contactless bank cards also affected?

A: No. The discontinued MF3ICD40 chip was not designed to be nor is used in contactless banking applications. The NXP SmartMX secure microcontroller chips used in Mastercard PayPass and Visa PayWave are designed and certified with Common Criteria EAL5+ to withstand the Differential Power Analysis attack performed.

Q: What exactly is the MF3ICD40 chip? What is its security level?


A: The MF3ICD40 is a chip used in the first MIFARE DESFire product. It was introduced in 2002 and was designed to have a good level of security, but it was not designed to have the highest levels of resistance against side channel attacks, and it was not certified accordingly. Its successor product – the MIFARE DESFire EV1 – is designed to withstand side channel attacks as certified by the Common Criteria certification process.

Q: Why did NXP continue to market the MF3ICD40?


A: As soon as NXP developed and introduced the successor to the MF3ICD40, NXP stopped actively marketing the MF3ICD40 and recommended that its customers should migrate to the more secure MIFARE DESFire EV1. When we heard about the attack in April 2011, we informed key customers and potential new customers about possible vulnerabilities in the MF3ICD40. A migration, however, can take several months due to the complexity of the systems. Therefore, in the interest of our customers, we continued selling MF3ICD40 chips to customers in the process of migrating, or to customers that decided to continue using the MF3ICD40 solution.

Based on their own assessments, customers continuing with the old solution decided that their MF3ICD40 systems, in combination with additional layers of security and implemented countermeasures, still provided a secure and reliable solution. This is because the security of a system does not just rely on the smart card alone. The system integrator selects a particular chip based on its required level of security and cost as only one of the elements within the multiple layers of end-to-end security implemented. These layers of security complement each other, forming a total system that delivers the required level of security.

Q: When did NXP know of the MF3ICD40 attack and what did you do about it?


A: We learned of the attack in April 2011 when researchers from Bochum informed us about their intention to publish their findings in an upcoming conference. We have been assessing various implications of the vulnerabilities and are in close contact with key system integrators to support migration to MIFARE DESFire EV1. NXP is also in direct contact with the research group and has evaluated their attacks. Although not all vulnerabilities in MF3ICD40-based infrastructures can be fixed short-term, we identified countermeasures to make the attacks more difficult in order to strengthen the end-to-end security of existing designs, shared these with our key partners and continue to do so. At the same time, NXP continues to work with its partners to migrate the rest of MF3ICD40 installations to MIFARE DESFire EV1. This migration process started in 2010 as a part of normal product lifecycle management, before the researchers’ results in April 2011.

Q: Was the vulnerability the main reason to discontinue the MF3ICD40 product?


A: NXP announced the discontinuation of MF3ICD40 in June 2010 – several months before the company was informed of the vulnerability. Originally launched in 2002, the MF3ICD40 reflected the standard and market requirement at the time. We take an evolutionary approach in our product lifecycle management, constantly improving our existing products. While the underlying product platform is upgraded in terms of its performance and security needs foreseeable in the future, at the same time we ensure that the current infrastructures in the field can adopt the new product without major upgrade. In this way, our customers can take advantage of the new technology within the new product with minimum or no additional investment into the infrastructure.

In 2008, the MIFARE DESFire EV1 product family was launched, integrating a number of technology innovations at NXP and supporting our ambition to create a product line which includes industry-leading security features. The MIFARE DESFire EV1 is backward compatible with existing MF3ICD40 infrastructures, enabling a seamless future-proof migration path.