Forum / MIFARE general topics and applications / What Mifare Tag should I use?
Tagged: Classic, Encryption, scancounter
-
Hello,
I have developed a system to let me enter my house with a Mifare Classic Card. I want to secure the system before I start using it.
The system works as follow I wrote an id on the card and reading it at the entry. The id is saved backend and therefor save.
How can I avoid that anybody scans my card ?
Can I somehow use an encryption so that my id is sent encrypted ?
Is there a possibility to set a counter on the card every time the card is scanned and then easily check that at the entry ?
If in that case the Mifare Classic would be insufficient, what tag should I use ?
Kind Regards,
Eric Goerens
+ 0 | - 0
Hi Eric,
The data on a MIFARE Classic are protected with a key. It is a six-byte key which is stored in the last block of a sector. This key is used for the encryption of the communication at the reader.
To be honest, the MIFARE Classic is not the MIFARE product with the highest security features anymore. If you want to protect your goods with high security, I recommend using the MIFARE DESFire EV1 or EV2. This product uses AES 128 bit for encryption and decryption and is the today security standard.
To protect scanning the communication between reader and card, use encryption. I would not recommend only using the card UID as entrance token. The UID can be manipulated. You should read a data block on Classic or read data from a file on a DESFire in encrypted communication mode. If someone steals the MIFARE DESFire, the keys on it are protected, it cannot be read. But with the stolen card the thief can enter your property. You must change the keys in this case.
The TapLinx team
+ 1 | - 0
Thank you TapLinx Team,
How does MIFARE DESFire exactly work ?
Where's the primary difference between EV1 and EV2 ?
What files do you mean on the DESFire ?
Is there an existing tutorial about using MIFARE DESFire?
Kind Regards,
Eric
+ 0 | - 0
Hi Eric,
Both cards have a different memory architecture. The MIFARE Classic uses blocks of 16 bytes, combined in sectors. The MIFARE DESFire allows you to create “applications” (which behaves like directories). Inside of an application you create files. Such files can be binary data files, backup files, value files and record files. The MIFARE DESFire architecture concept allows it to create different applications on the card where each application has its own set of files, keys and security protection. For instance, one application can be an access system, another one can be a transport ticket etc. It is not possible for the access system owner to access files of the transport ticket and vice versa.
One remark: if you use Android devices, you can use the TapLinx SDK to create apps with communicate with a MIFARE DESFire EV1 or EV2 easily. TapLinx encapsulate all cipher and protocol methods for you. Of course, you can also implement your software on a microcontroller or PC, but in this case, you must implement the crypto and protocol methods by yourself. In this case you will need datasheets which are not available for public. So, you need to sign a NDA with us. For using TapLinx no NDA is required.
The MIFARE DESFire EV2 has some more features than the MIFARE DESFire EV1. But for a basic usage you can focus on a EV1. The EV2 supports the EV1 commands.
The public datasheet of the MIFARE DESFire EV1:
https://www.nxp.com/docs/en/data-sheet/MF3ICDX21_41_81_SDS.pdf?pspll=1
The TapLinx SDK:
https://www.mifare.net/en/products/tools/taplinx/
The TapLinx application note contains a chapter where the MIFARE DESFire is shortly explained.
The TapLinx team
+ 0 | - 0
Hello TapLinx Team,
Thank you for your detailed explanation.
I am currently using the MFRC522-Reader with that Library .
There are reader available which support MIFARE DESFire. These reader are connected per USB. Would they work ? I think I will not have the possibility to edit/write specific files on the card.
I want to use MIFARE DESFire but have the concern that I need to build my own reader. Are there reader with software provided to use DESFire or should I develop my own software and use a standard reader. If it would be necessary to develop own software I would also sign a NDA.
Kind Regards,
Eric Goerens
+ 0 | - 0
Hi Eric,
Unfortunately, without any effort you will not get a reasonable system and the higher the security requirements, the higher the effort in implementation. The question is, what is the effort you want to spend? Please let me make a short list of pros and cons.
MIFARE Classic:
Pros:
- No cipher implementation on reader side required.
- Encryption is handled in reader hardware.
- Simple memory architecture, only 16 bytes memory blocks combined to sectors.
- Only a couple of commands needed, ReadBinary, WriteBinary and if the memory block is prepared as “value block” Increment, Decrement and ReadValue.
Cons:
- Reader hardware must be a NXP product because of proprietary cipher (CRYPTO1).
- Used cipher CRYPTO1 cannot guarantee high security anymore.
MIFARE DESFire EV1, MIFARE DESFire EV2
Pros:
- Uses strong AES128 cipher and DES, 2K3DES, 3K3DES for compatibility.
- Uses a flexible “multi-user” architecture.
- An already “card in operation” can be used (if the card issuer does not prohibit it explicitly).
- Any reader hardware can be used (in contrast to MIFARE Classic).
- Provide a rich set of commands for several file types and card management.
Cons:
- Reader side must implement ciphers and CMAC and CRC functions for MIFARE DESFire protocol handling.
- Implementation of security functions and protocols needs knowledge of NDA material from NXP (except TapLinx SDK for Android).
The TapLinx team
+ 0 | - 0
Hello TapLinx,
Thank you for the list this helped me a lot.
Due to the security I will take the DESFire.
With whom I need to get in touch for further information?
Kind Regards,
Eric Goerens
+ 0 | - 0
Hi Eric,
For MIFARE DESFire datasheets you can write to me, I forward your NDA request to a colleague.
My address: taplinx@nxp.com
Kind regards,
The TapLinx team
+ 0 | - 0
-
AuthorPosts
Viewing 8 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic.