Identifying mifare card in wallet application

[hinko kocevar]

I’m building an E-wallet application using mifare classic 1k cards. At the counter credot is bought an uploaded to the card, at the remote location credit is subtracted and card value updated.

Is there a way to determine if a presented card at the remote location belongs to my application, without keeping the UID in a shared database between the counter and remote?

If I understand correctly, one needs to authenticate the card before any data can be read out(except UID). If my software at remote location tries to authenticate a card that is not part of my application I’m affraid I might ruin that card. Is this conclusion true?

In other words I would like to determine if the presented card at remote location belongs to my application without keeping a record of issued cards. I would like to just read/find a certain value in some data block and be able to tell if that is a card I can work with.

---

+ 0  |  - 0

[TapLinx Support]

Hi Hinko,

Yes, you need to authenticate to a sector before you can read the data blocks. If the authentication fails, it could be another card, but it also could be a simple read error. I would not base the test only on the UID of the card. Specially, for 4-byte UIDs the UID is not unique anymore and the UID can be counterfeited easily.

You must distinguish between retrieving the UID in the anti-collision procedure of the card reader and reading the UID from first data block in sector 0 after authenticating. If you really need the UID to know, you should always read the UID from first data block.

In your case I would use a one-way-function like a hash or a MAC function, put the UID and some other information you only know as input and save the hash in a data block. If you can authenticate it is a strong indication of trust. If the hash value can also be verified, you can accept the card as yours.

The TapLinx team

---

+ 0  |  - 0

[hinko kocevar]

Thank you for explaining.

Actually I would like to ignore UID since the remote location has no information about valid / my UIDs.

I was affraid that if I authenticate with a wrong key (in case of some 3rd party card not, for my application) then the block would be locked forever. If I understand your reply correctly this is not the case; authentication will simply fail.

---

+ 0  |  - 0

[TapLinx Support]

Hi Hinko,

Yes, if an authentication with a wrong key will fail, no data is changed on the card. Changing of data (also a key value) needs a read and a write operation and this requires a valid authentication before.

The TapLinx team

---

+ 0  |  - 0

[hinko kocevar]

Thank you for explaining!

---

+ 0  |  - 0

[Author]

Posts