MIFARE#MIFARE DESFire EV1

MIFARE products are embedded in contactless and contact smart cards, smart paper tickets, wearables and phones.{{Cite web |date=2016-08-18 |title=NXP and RioCard Launch New MIFARE® Wearable for Multimodal Transport in Rio {{!}} MIFARE |url=https://www.mifare.net/nxp-and-riocard-launch-new-mifare-wearable-for-multimodal-transportation-in-rio/ |access-date=2023-09-22 |website=MIFARE {{!}} The leading brand of contactless IC products}}{{Cite web |title=NXP Advances Security for Contactless Single Use Applications with MIFARE Ultralight AES |url=https://www.nxp.com/pages/:NW-NXP-ADVANCES-SECURITY-FOR-CONTACTLESS |access-date=2023-09-22 |website=nxp.com}}

The MIFARE brand name (derived from the term MIKRON FARE collection and created by the company Mikron) covers four families of contactless cards:

; MIFARE Classic: Employs a proprietary protocol compliant with parts 1–3 of ISO/IEC 14443 Type A, with an NXP proprietary security protocol for authentication and ciphering.{{Citation needed|date=April 2023}}

Subtypes: MIFARE Classic EV1 (other subtypes are no longer in use).

; MIFARE Plus: Drop-in replacement for MIFARE Classic with certified security level (AES-128 based) and is fully backwards compatible with MIFARE Classic.{{Citation needed|date=April 2023}}

Subtypes: MIFARE Plus S, MIFARE Plus X, MIFARE Plus SE and MIFARE Plus EV2.

; MIFARE Ultralight: Low-cost ICs that are useful for high volume applications such as public transport, loyalty cards and event ticketing.

Subtypes: MIFARE Ultralight C, MIFARE Ultralight EV1, MIFARE Ultralight Nano and MIFARE Ultralight AES.

; MIFARE DESFire: Contactless ICs that comply with parts 3 and 4 of ISO/IEC 14443-4 Type A with a mask-ROM operating system from NXP. The DES in the name refers to the use of a DES, two-key 3DES, three-key 3DES and AES encryption; while Fire is an acronym for Fast, innovative, reliable, and enhanced.

Subtypes: MIFARE DESFire EV1, MIFARE DESFire EV2, MIFARE DESFire EV3, MIFARE DESFire EV3C and MIFARE DESFire Light.

; MIFARE DUOX: Contactless ICs that implement an ISO/IEC 14443-4 file system and secure messaging similar to MIFARE DESFire EV2/EV3, but with added support for public-key authentication. Unlike DESFire, DUOX chips no longer support the deprecated DES algorithm. The supported authentication key types are 128-bit AES, 256-bit AES and 256-bit elliptic-curve cryptography (ECC) with X.509 public-key certificate handling.

There is also the MIFARE SAM AV2 contact smart card. This can be used to handle the encryption in communicating with the contactless cards. The SAM (Secure Access Module) provides the secure storage of cryptographic keys and cryptographic functions.

The MIFARE Classic IC is a basic memory storage device, where the memory is divided into segments and blocks with simple security mechanisms for access control. They are ASIC-based and have limited computational power. Due to their reliability and low cost, those cards are widely used for electronic wallets, access control, corporate ID cards, transportation or stadium ticketing. It uses an NXP proprietary security protocol (Crypto-1) for authentication and ciphering.{{Citation needed|date=April 2023}}

MIFARE Classic encryption has been compromised; see below for details.{{Citation needed|date=April 2023}}

The MIFARE Classic with 1K memory offers 1,024 bytes of data storage, split into 16 sectors; each sector is protected by two different keys, called A and B. Each key can be programmed to allow operations such as reading, writing, increasing value blocks, etc. MIFARE Classic with 4K memory offers 4,096 bytes split into forty sectors, of which 32 are the same size as in the 1K with eight more that are quadruple size sectors. MIFARE Classic Mini offers 320 bytes split into five sectors. For each of these IC types, 16 bytes per sector are reserved for the keys and access conditions and can not normally be used for user data. Also, the very first 16 bytes contain the serial number of the card and certain other manufacturer data and are read-only. That brings the net storage capacity of these cards down to 752 bytes for MIFARE Classic with 1K memory, 3,440 bytes for MIFARE Classic with 4K memory, and 224 bytes for MIFARE Mini.{{Citation needed|date=April 2023}}

{{Outdated as of|2013|12|31|topic=smartphone types}}

The Samsung TecTile NFC tag stickers use MIFARE Classic chips. This means only devices with an NXP NFC controller chip can read or write these tags. At the moment BlackBerry phones, the Nokia Lumia 610 (August 2012{{cite web|title=nfc tags|url=http://www.nfc-phones.org/nfc-tags/|website=Nfc-phones.org|access-date=5 August 2012|archive-date=5 August 2012|archive-url=https://web.archive.org/web/20120805060128/http://www.nfc-phones.org/nfc-tags/|url-status=dead}}), the Google Nexus 4, Google Nexus 7 LTE and Nexus 10 (October 2013{{cite web|title=nfc tags|url=http://www.nfcbrief.com/2012/11/nexus-4-and-10-incompatible-with-mifare.html|website=Nfcbrief.com|access-date=11 August 2013|archive-date=21 August 2013|archive-url=https://web.archive.org/web/20130821083621/http://www.nfcbrief.com/2012/11/nexus-4-and-10-incompatible-with-mifare.html|url-status=dead}}) can't read/write TecTile stickers.{{Citation needed|date=April 2023}}

MIFARE Plus is a replacement IC solution for the MIFARE Classic.

It is less flexible than a MIFARE DESFire EV1 contactless IC.

MIFARE Plus was publicly announced in March 2008 with first samples in Q1 2009.

{{cite press release

| url = http://www.nxp.com/news/content/file_1418.html

| title = NXP introduces new security and performance benchmark with MIFARE Plus

| publisher = NXP

| date = 1 March 2008}}

MIFARE Plus, when used in older transportation systems that do not yet support AES on the reader side, still leaves an open door to attacks. Though it helps to mitigate threats from attacks that broke the Crypto-1 cipher through the weak random number generator, it does not help against brute force attacks and crypto analytic attacks.{{cite web|url=https://www.blackhat.com/presentations/bh-usa-08/Nohl/BH_US_08_Nohl_Mifare.pdf |title=BlackHat '08 : MIFARE – Little Security, despite Obscurity |website=Blackhat.com |access-date=9 February 2016}}

During the transition period from MIFARE Classic to MIFARE Plus where only a few readers might support AES in the first place, it offers an optional AES authentication in Security Level 1 (which is in fact MIFARE Classic operation). This does not prevent the attacks mentioned above but enables a secure mutual authentication between the reader and the card to prove that the card belongs to the system and is not fake.

In its highest security level SL3, using 128-bit AES encryption, MIFARE Plus is secured from attacks.{{citation needed|date=August 2018}}

MIFARE Plus EV1 was announced in April 2016.

{{citation

| url = https://www.mifare.net/wp-content/uploads/2016/04/MIFARE-Plus-EV1-leaflet_LR.pdf

| title = NXP MIFARE Plus EV1

| publisher = NXP

}}

New features compared to MIFARE Plus X include:

; Sector-wise security-level switching: The choice of crypto algorithm used in the authentication protocol can be set separately for each sector. This makes it possible to use the same card with both readers that can read MIFARE Classic products (with sectors protected by 48-bit CRYPTO1 keys, "Security Level 1") and readers that can read MIFARE Plus products (with sectors protected by 128-bit AES keys, "Security Level 3"). This feature is intended to make it easier to gradually migrate existing MIFARE Classic product-based installations to MIFARE Plus, without having to replace all readers at the same time.

; ISO 7816-4 wrapping: The card can now be accessed in either the protocol for MIFARE (which is not compliant with the ISO 7816-4 APDU format), or using a new protocol variant that runs on top of ISO 7816-4. This way the cards become compatible with NFC reader APIs that can only exchange messages in ISO 7816-4 APDU format, with a maximum transfer data buffer size of 256 bytes.

; Proximity check: While the protocol for MIFARE Classic tolerated message delays of several seconds, and was therefore vulnerable to relay attacks, MIFARE Plus EV1 now implements a basic "ISO compliant" distance-bounding protocol. This puts tighter timing constraints on the permitted round-trip delay during authentication, to make it harder to forward messages to far-away cards or readers via computer networks.

; Secure end-2-end channel: Permits AES-protected over-the-air updates even to Crypto1 application sectors (SL1SL3 mix mode).

; Transaction MAC: The card can produce an additional message-authentication code over a transaction that can be verified by a remote clearing service, independent of the keys used by the local reader during the transaction.

The MIFARE Plus EV2 was introduced to the market on 23 June 2020.

{{citation

| url = https://www.mifare.net/nxp-delivers-enhanced-security-for-new-and-legacy-smart-city-services-with-mifare-plus-ev2-ic/

| title = NXP MIFARE Plus EV2

| date = 23 June 2020

| publisher = NXP

}} It comes with an enhanced read performance and transaction speed compared to MIFARE Plus EV1.

{{citation

| url = https://www.nxp.com/products/rfid-nfc/mifare-hf/mifare-plus/mifare-plus-ev2-secure-ic-for-contactless-smart-city-services:MFPEV2

| title = NXP MIFARE Plus EV2

| publisher = NXP

}}

New features compared to MIFARE Plus EV1 include:

; Transaction Timer: To help mitigate man-in-the-middle attacks, the Transaction Timer feature, which is also available on NXP's MIFARE DESFire EV3 IC, makes it possible to set a maximum time per transaction, so it's harder for an attacker to interfere with the transaction.

The MIFARE Ultralight has only 512 bits of memory (i.e. 64 bytes), without cryptographic security. The memory is provided in 16 pages of 4 bytes. Cards based on these chips are so inexpensive that they are often used for disposable tickets for events such as the 2006 FIFA World Cup.

It provides only basic security features such as one-time-programmable (OTP) bits and a write-lock feature to prevent re-writing of memory pages but does not include cryptography as applied in other MIFARE product-based cards.

MIFARE Ultralight EV1[http://www.mifare.net/files/8413/5167/2490/MIFARE_Ultralight_EV1_.pdf] {{dead link|date=February 2016}} introduced in November 2012 the next generation of paper ticketing smart card ICs for limited-use applications for ticketing schemes and additional security options.{{cite web |first=Ken |last=Shirriff |title=Inside the tiny chip that powers Montreal subway tickets |date=June 2024 |url=http://www.righto.com/2024/06/montreal-mifare-ultralight-nfc.html}} It comes with several enhancements above the original MIFARE Ultralight:

• 384 and 1024 bits user memory product variants
• OTP, lock bits, configurable counters for improved security
• Three independent 24-bit one-way counters to stop reloading
• Protected data access through 32-bit password
• ECC originality check. However, the purpose of it "during (pre-)personalization is to protect customer investments by identifying mass penetration of non-NXP originated MIFARE Ultralight AES ICs into an infrastructure. As individual signatures can still be copied, it does not completely prevent hardware copy or emulation of individual MIFARE Ultralight AES ICs."{{cite web |url=https://www.nxp.com/docs/en/data-sheet/MF0AES(H)20.pdf |title=MF0AES(H)20 : MIFARE Ultralight AES contactless limited-use IC |date=28 March 2023 |website=Nxp.com |access-date=24 April 2025 }}

Introduced at the Cartes industry trade show in 2008, the MIFARE Ultralight C IC is part of NXP's low-cost MIFARE product offering (disposable ticket). With Triple DES, MIFARE Ultralight C uses a widely adopted standard, enabling easy integration in existing infrastructures. The integrated Triple DES authentication provides an effective countermeasure against cloning.{{citation needed|date=August 2018}}

Key applications for MIFARE Ultralight C are public transportation, event ticketing, loyalty and NFC Forum tag type 2.

It was introduced in 2022.

The MIFARE DESFire (MF3ICD40) was introduced in 2002 and is based on a core similar to SmartMX, with more hardware and software security features than MIFARE Classic. It comes pre-programmed with the general-purpose MIFARE DESFire operating system which offers a simple directory structure and files. They are sold in four variants: One with Triple-DES only and 4 KiB of storage, and three with AES (2, 4, or 8 kiB; see MIFARE DESFire EV1). The AES variants have additional security features; e.g., CMAC. MIFARE DESFire uses a protocol compliant with ISO/IEC 14443-4.Some ISO/IEC 7816-4 commands are used by MIFARE DESFire EV1, including a proprietary method to wrap native MIFARE DESFire commands into an ISO/IEC 7816 APDU. The contactless IC is based on an 8051 processor with 3DES/AES cryptographic accelerator, making very fast transactions possible.

The maximal read/write distance between card and reader is {{convert|10|cm|in|1}}, but the actual distance depends on the field power generated by the reader and its antenna size.

In 2010, NXP announced the discontinuation of the MIFARE DESFire (MF3ICD40) after it had introduced its successor MIFARE DESFire EV1 (MF3ICD41) in late 2008. In October 2011 researchers of Ruhr University Bochum{{cite web

| url = http://it.slashdot.org/story/11/10/10/1850230/

| title = German Researchers Crack Mifare RFID Encryption

| work = Slashdot

| date = 10 October 2011

| access-date=9 February 2016

}} announced that they had broken the security of MIFARE DESFire (MF3ICD40), which was acknowledged by NXP{{cite web

|url=http://mifare.net/technology/security/mifare-desfire-d40/

|archive-url=https://archive.today/20130221220435/http://mifare.net/technology/security/mifare-desfire-d40/

|url-status=dead

|archive-date=21 February 2013

|title=Security of MF3ICD40

|website=Mifare.net

|access-date=9 February 2016

}} (see MIFARE DESFire security).

First evolution of MIFARE DESFire contactless IC, broadly backwards compatible. Available with 2 KiB, 4 KiB, and 8 KiB non-volatile memory. Other features include:{{Cite web|url=https://www.thalesgroup.com/en/markets/digital-identity-and-security/gemalto-website-has-moved-thales|title=Gemalto's web site has moved (May 2020)|website=thalesgroup.com}}

• Support for random ID
• Support for 128-bit AES
• Hardware and operating system are Common Criteria certified at level EAL 4+

MIFARE DESFire EV1 was publicly announced in November 2006.{{citation needed|date=November 2011}}

The second evolution of the MIFARE DESFire contactless IC family, broadly backwards compatible.{{cite web|url=http://www.mifare.net/index.php?cID=3119 |title=Mifare |website=Mifare |date=2 June 2014|access-date=9 February 2016}}

New features include:

• MI smart App enabling to offer or sell memory space for additional applications of 3rd parties without the need to share secret keys
• Transaction MAC to authenticate transactions by 3rd parties
• Virtual Card Architecture for privacy protection
• Proximity check against relay attacks

MIFARE DESFire EV2 was publicly announced in March 2016 at the IT-TRANS event in Karlsruhe, Germany

The latest evolution of the MIFARE DESFire contactless IC family, broadly backward compatible. New features include:

• ISO/IEC 14443 A 1–4 and ISO/IEC 7816-4 compliant
• Common Criteria EAL5+ certified for IC hardware and software
• NFC Forum Tag Type 4 compliant
• SUN message authentication for advanced data protection within standard NDEF read operation
• Choice of open DES/2K3DES/3K3DES/AES crypto algorithms
• Flexible file structure: hosts as many applications as the memory size supports
• Proof of transaction with card generated MAC
• Transaction Timer mitigates risk of man-in-the-middle attacks

MIFARE DESFire EV3 was publicly announced on 2 June 2020.

The DESFire EV3C card has all the features of the DESFire EV3, plus it can also emulate a MIFARE Classic 1K card. Some DESFire files can be mapped to a MIFARE Classic 1K memory layout, which offers a migration route for existing users on MIFARE Classic that gradually want to move to DESFire.

MIFARE SAMs are not contactless smart cards. They are secure access modules designed to provide the secure storage of cryptographic keys and cryptographic functions for terminals to access the MIFARE products securely and to enable secure communication between terminals and host (backend). MIFARE SAMs are available from NXP in the contact-only module (PCM 1.1) as defined in ISO/IEC 7816-2 and the HVQFN32 format.{{citation needed|date=March 2011}}

Integrating a MIFARE SAM AV2 in a contactless smart card reader enables a design that integrates high-end cryptography features and the support of cryptographic authentication and data encryption/decryption.{{citation needed|date=March 2011}} Like any SAM, it offers functionality to store keys securely and perform authentication and encryption of data between the contactless card and the SAM and the SAM towards the backend. Next to a classical SAM architecture, the MIFARE SAM AV2 supports the X-mode which allows a fast and convenient contactless terminal development by connecting the SAM to the microcontroller and reader IC simultaneously.{{citation needed|date=March 2011}}

MIFARE SAM AV2 offers AV1 mode and AV2 mode where in comparison to the SAM AV1 the AV2 version includes public key infrastructure (PKI), hash functions like SHA-1, SHA-224, and SHA-256. It supports MIFARE Plus and secure host communication. Both modes provide the same communication interfaces, cryptographic algorithms (Triple-DES 112-bit and 168-bit key, MIFARE products using Crypto1, AES-128 and AES-192, RSA with up to 2048-bit keys), and X-mode functionalities.{{citation needed|date=March 2011}} The MIFARE SAM AV3 is the third generation of NXP's Secure Access Module, and it supports MIFARE ICs as well as NXP's UCODE DNA, ICODE DNA and NTAG DNA ICs.

{{citation

| url = https://www.nxp.com/products/rfid-nfc/mifare-hf/mifare-sam/mifare-sam-av3:MIFSAMAV3

| title = NXP MIFARE SAM AV3

| publisher = NXP

}}

A cloud-based platform that digitizes MIFARE product-based smart cards and makes them available on NFC-enabled smartphones and wearables. With this, new Smart City use cases such as mobile transit ticketing, mobile access and mobile micropayments are being enabled.

{{citation

| url = https://www.nxp.com/products/rfid-nfc/mifare-hf/mifare-2go:MIFARE2GO

| title = NXP MIFARE 2GO

| publisher = NXP

}}

File:MiFare Byte Layout.png

• 1994 – MIFARE Classic IC with 1K user memory introduced.
• 1996 – First transport scheme in Seoul using MIFARE Classic with 1K memory.
• 1997 – MIFARE PRO with Triple DES coprocessor introduced.
• 1997 – MIFARE LIGHT with 384Bit user memory introduced.
• 1999 – MIFARE PROX with PKI coprocessor introduced.
• 2001 – MIFARE Ultralight introduced.
• 2002 – MIFARE DESFire introduced, microprocessor based product.
• 2004 – MIFARE SAM introduced, secure infrastructure counterpart of MIFARE DESFire.
• 2006 – MIFARE DESFire EV1 is announced as the first product to support 128-bit AES.
• 2008 – MIFARE4Mobile industry Group is created, consisting of leading players in the Near Field Communication (NFC) ecosystem.
• 2008 – MIFARE Plus is announced as a drop-in replacement for MIFARE Classic based on 128-bit AES.
• 2008 – MIFARE Ultralight C is introduced as a smart paper ticketing IC featuring Triple DES Authentication.
• 2010 – MIFARE SAM AV2 is introduced as secure key storage for readers AES, Triple DES, PKI Authentication.
• 2012 – MIFARE Ultralight EV1 introduced, backward compatible to MIFARE Ultralight but with extra security.
• 2014 – MIFARE SDK was introduced, allowing developers to create and develop their own NFC Android applications.
• 2014 – NXP Smart MX2 the world's first secure smart card platform supporting MIFARE Plus and MIFARE DESFire EV1 with EAL 50 was released.
• 2015 – MIFARE Plus SE, the entry-level version of NXP's proven and reliable MIFARE Plus product family, was introduced.
• 2016 – MIFARE Plus EV1 was introduced, the proven mainstream smart card product compatible with MIFARE Classic in its backward compatible security level.
• 2016 – MIFARE DESFire EV2 is announced with improved performance, security, privacy and multi-application support.
• 2016 – MIFARE SDK is rebranded to TapLinx, with additional supported products.
• 2018 – MIFARE 2GO cloud service was introduced, allows to manage MIFARE DESFire and MIFARE Plus (in SL3) product-based credentials onto NFC-enabled mobile and wearable devices.
• 2020 – MIFARE DESFire EV3 is announced{{Cite web|title=NXP Introduces MIFARE DESFire EV3 IC, Ushers in New Era of Security and Connectivity for Contactless Smart City Services {{!}} NXP Semiconductors – Newsroom|url=https://media.nxp.com/news-releases/news-release-details/nxp-introduces-mifare-desfire-ev3-ic-ushers-new-era-security-and/|access-date=3 June 2020|website=media.nxp.com}}
• 2020 – MIFARE Plus EV2 was introduced, adding SL3 to support MIFARE 2GO, EAL5+ certification & Transaction Timer to help mitigate man-in-the-middle attacks.
• 2022 – MIFARE Ultralight AES was introduced.
• 2023 – MIFARE DESFire EV3C with MIFARE Classic compatibility introduced
• 2024 – MIFARE DUOX with public-key cryptography introduced

The MIFARE product portfolio was originally developed by Mikron in Gratkorn, Austria. Mikron was acquired by Philips in 1995.{{cite web

| url=https://www.telecompaper.com/news/philips-semiconductors-acquires-mikron--59203

| title=Philips Semiconductors Acquires Mikron

| date=2 June 1995| website=Telecompaper.com

| access-date=17 February 2017

}} Mikron sourced silicon from Atmel in the US, Philips in the Netherlands, and Siemens in Germany.{{citation needed|date=November 2011}}

Infineon Technologies (then Siemens) licensed MIFARE Classic from Mikron in 1994{{cite web|url=http://www.telecompaper.com/news/siemens-and-mikron-agree-licensing-deal--22439 |title=Siemens And Mikron Agree Licensing Deal |website=Telecompaper.com |date=7 April 1994 |access-date=9 February 2016}} and developed both stand alone and integrated designs with MIFARE product functions. Infineon currently produces various derivatives based on MIFARE Classic including 1K memory (SLE66R35) and various microcontrollers (8 bit (SLE66 series), 16 bit (SLE7x series), and 32 bit (SLE97 series) with MIFARE implementations, including devices for use in USIM with Near Field Communication.{{cite web|url=http://www.infineon.com/cms/en/corporate/press/news/releases/2007/INFAIM200711-015.html |title=Infineon Adds Security and Convenience to SIM Cards for NFC Applications – Infineon Technologies |website=Infineon.com |date=1 November 2007|access-date=9 February 2016}}

Motorola tried to develop MIFARE product-like chips for the wired-logic version but finally gave up. The project expected one million cards per month for start, but that fell to 100,000 per month just before they gave up the project.{{cite web|url=http://news.cnet.com/2100-1001-204306.html |title=Motorola sets smart card targets – CNET |website=News.cnet.com |date=1 October 1997|access-date=9 February 2016}}

In 1998 Philips licensed MIFARE Classic to Hitachi{{cite web |url=http://www.smartcard.co.uk/members/newsletters/1998/feb98.pdf |title=Smart Card News |date=1 February 1998 |volume=7 |website=Smartcard.co.uk |issue=2 |access-date=9 February 2016 |archive-date=2 November 2013 |archive-url=https://web.archive.org/web/20131102015139/http://www.smartcard.co.uk/members/newsletters/1998/feb98.pdf |url-status=dead }} Hitachi licensed MIFARE products for the development of the contactless smart card solution for NTT's IC telephone card which started in 1999 and finished in 2006.{{citation needed|date=November 2011}} In the NTT contactless IC telephone card project, three parties joined: Tokin-Tamura-Siemens, Hitachi (Philips-contract for technical support), and Denso (Motorola-only production).{{citation needed|date=November 2011}} NTT asked for two versions of chip, i.e. wired-logic chip (like MIFARE Classic) with small memory and big memory capacity. Hitachi developed only big memory version and cut part of the memory to fit for the small memory version.

The deal with Hitachi was upgraded in 2008 by NXP (by then no longer part of Philips) to include MIFARE Plus and MIFARE DESFire to the renamed semiconductor division of Hitachi Renesas Technology.{{cite web|url=http://www.nxp.com/news/press-releases/2008/11/renesas-and-nxp-announce-licensing-agreement-on-mifare-contactless-technology.html |title=NXP Semiconductors :: Media Center |website=Nxp.com |access-date=9 February 2016}}

In 2010 NXP licensed MIFARE products to Gemalto. In 2011 NXP licensed Oberthur to use MIFARE products on SIM cards. In 2012 NXP signed an agreement with Giesecke & Devrient to integrate MIFARE product-based applications on their secure SIM products. These licensees are developing Near Field Communication products{{Cite web|url=https://www.thalesgroup.com/en/markets/digital-identity-and-security/gemalto-website-has-moved-thales|archive-url=https://web.archive.org/web/20101206130027/http://www.gemalto.com/press/archives/2010/2010-11-25_NXP_Gemalto_MIFARE_License_en.pdf|url-status=dead|title=Gemalto's web site has moved (May 2020)|archive-date=6 December 2010|website=thalesgroup.com}}{{cite web|url=http://www.nxp.com/news/content/file_1818.html |title=NXP Semiconductors :: Media Center |website=Nxp.com |access-date=9 February 2016}}

The encryption used by the MIFARE Classic IC uses a 48-bit key.{{cite web

|title=MIFARE Classic 1K specification

|url=http://mifare.net/products/smartcardics/mifare_standard1k.asp

|date=2 February 2009}}{{dead link|date=November 2016 |bot=InternetArchiveBot |fix-attempted=yes }}

A presentation by Henryk Plötz and Karsten Nohl{{cite web |author=Karsten Nohl |url=http://www.cs.virginia.edu/~kn5f/ |title=Karsten Nohl, PhD: University of Virginia, C.S. Dept |website=Cs.virginia.edu |access-date=9 February 2016 |archive-date=4 February 2020 |archive-url=https://web.archive.org/web/20200204014629/http://www.cs.virginia.edu/~kn5f/ |url-status=dead }} at the Chaos Communication Congress in December 2007 described a partial reverse-engineering of the algorithm used in the MIFARE Classic chip.{{cite web

| title = Mifare: Little Security, Despite Obscurity

| url = https://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html

| first = Karsten | last = Nohl |author2=Henryk Plötz

| date = 10 January 2008

| publisher = Chaos Communication Congress

}} A paper that describes the process of reverse engineering this chip was published at the August 2008 USENIX security conference.{{cite journal

| url = http://www.usenix.org/events/sec08/tech/nohl.html

| title = Reverse-Engineering a Cryptographic RFID Tag

| first = Karsten | last = Nohl |author2=David Evans

| journal = Proceedings of the 17th USENIX Security Symposium

| date= 1 August 2008}}

In March 2008 the Digital Security{{cite web|url=http://www.ru.nl/ds/ |title=Digital security – Digital Security |website=Ru.nl |date=8 July 2015 |access-date=9 February 2016}} research group of the Radboud University Nijmegen made public that they performed a complete reverse-engineering and were able to clone and manipulate the contents of an OV-Chipkaart which is using MIFARE Classic chip.{{cite web

| url = https://www.cs.ru.nl/~flaviog/publications/Security_Flaw_in_MIFARE_Classic.pdf

| title = Security Flaw in Mifare Classic

| author = Digital Security Group

| publisher = Radboud University Nijmegen

| date = 1 March 2008

| access-date = 19 July 2020

| archive-date = 13 May 2021

| archive-url = https://web.archive.org/web/20210513153719/https://www.cs.ru.nl/~flaviog/publications/Security_Flaw_in_MIFARE_Classic.pdf

| url-status = dead

}} For demonstration they used the Proxmark3 device, a 125 kHz / 13.56 MHz research instrument.{{cite web | url = http://www.proxmark.org | title = Proxmark | access-date = 25 January 2011}} The schematics and software are released under the free GNU General Public License by Jonathan Westhues in 2007. They demonstrate it is even possible to perform card-only attacks using just an ordinary stock-commercial NFC reader in combination with the libnfc library.

The Radboud University published four scientific papers concerning the security of the MIFARE Classic:

• A Practical Attack on the MIFARE Classic{{cite web|url=https://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf|title=A Practical Attack on the MIFARE Classic|website=RU.nl|access-date=6 July 2017|archive-date=22 April 2022|archive-url=https://web.archive.org/web/20220422044935/http://www.cs.ru.nl/~flaviog/publications/Attack.MIFARE.pdf|url-status=dead}}
• Dismantling MIFARE Classic{{cite web|url=https://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf|title=Dismantling MIFARE Classic|website=RU.nl|access-date=6 July 2017|archive-date=8 August 2017|archive-url=https://web.archive.org/web/20170808204848/http://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf|url-status=dead}}
• Wirelessly Pickpocketing a MIFARE Classic Card{{cite web|url=https://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf|title=Wirelessly Pickpocketing a MIFARE Classic Card|website=RU.nl|access-date=6 July 2017|archive-date=2 January 2022|archive-url=https://web.archive.org/web/20220102193453/http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf|url-status=dead}}
• Ciphertext-only Cryptanalysis on Hardened MIFARE Classic Cards{{cite web|url=http://cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf|title=Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards|website=RU.nl|access-date=25 September 2017}}

In response to these attacks, the Dutch Minister of the Interior and Kingdom Relations stated that they would investigate whether the introduction of the Dutch Rijkspas could be brought forward from Q4 of 2008.{{cite web | url = http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2008/10/31/antwoord-op-kamervragen-over-de-beveiliging-van-de-chip-pas.html | title = Dutch Page | access-date = 24 March 2012 | archive-url = https://web.archive.org/web/20131102125151/http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2008/10/31/antwoord-op-kamervragen-over-de-beveiliging-van-de-chip-pas.html | archive-date = 2 November 2013 | url-status = dead }}

NXP tried to stop the publication of the second article by requesting a preliminary injunction. However, the injunction was denied, with the court noting that, "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does inform society about serious issues in the chip because it allows for mitigating of the risks."{{cite web

| url = http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578

| title = Pronunciation, Primary Claim

| author = Arnhem Court Judge Services

| publisher = Rechtbank Arnhem

| date = 18 July 2008

| access-date = 13 January 2009

| archive-date = 15 February 2012

| archive-url = https://web.archive.org/web/20120215225402/http://zoeken.rechtspraak.nl/ResultPage.aspx?snelzoeken=t&searchtype=ljn&ljn=BD7578

| url-status = dead

}}{{cite news|url=http://www.thestandard.com/news/2008/07/18/judge-denies-nxps-injunction-against-security-researchers |title=Judge denies NXP's injunction against security researchers |access-date=13 February 2010 |date=1 July 2008|work=The Standard|url-status=dead |archive-url=https://web.archive.org/web/20090105205323/http://www.thestandard.com/news/2008/07/18/judge-denies-nxps-injunction-against-security-researchers |archive-date=5 January 2009 }}

Both independent research results are confirmed by the manufacturer NXP.{{cite web | url = http://www.mifare.net/technology/security/ | title = mifare.net :: Security | access-date = 25 January 2011}} These attacks on the cards didn't stop the further introduction of the card as the only accepted card for all Dutch public transport the OV-chipkaart continued as nothing happened[http://www.id-nee.nl/03-7%20OVchipkaart%20hoofdtekst.htm#voorbereidinggaatgewoondoor] {{webarchive|url=https://web.archive.org/web/20120608164142/http://www.id-nee.nl/03-7%20OVchipkaart%20hoofdtekst.htm#voorbereidinggaatgewoondoor|date=8 June 2012}} but in October 2011 the company TLS, responsible for the OV-Chipkaart announced that the new version of the card will be better protected against fraud.{{cite web|url=http://webwereld.nl/nieuws/108161/nieuwe-ov-chip-gaat-fraude-tegen.html |title=Nieuwe OV-chip gaat fraude tegen – Webwereld |website=Webwereld.nl |access-date=9 February 2016}}

The MIFARE Classic encryption Crypto-1 can be broken in about 200 seconds on a laptop from 2008,{{cite web

| last = Courtois | first = Nicolas T. |author2=Karsten Nohl |author3=Sean O'Neil

| url = http://eprint.iacr.org/2008/166| title = Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards

| publisher = Cryptology ePrint Archive | date = 1 April 2008}} if approx. 50 bits of known (or chosen) keystream are available. This attack reveals the key from sniffed transactions under certain (common) circumstances and/or allows an attacker to learn the key by challenging the reader device.

Another attack recovers the secret key in about 40 ms on a laptop. This attack requires just one (partial) authentication attempt with a legitimate reader.{{cite web |last1=Garcia |first1=Flavio D. |first2=Gerhard |last2=de Koning Gans |first3=Ruben |last3=Muijrers |first4=Peter |last4=van Rossum |first5=Roel |last5=Verdult |first6=Ronny Wichers |last6=Schreur |first7=Bart |last7=Jacobs |url=https://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf |title=Dismantling MIFARE Classic |publisher=13th European Symposium on Research in Computer Security (ESORICS 2008), LNCS, Springer |date=4 October 2008 |access-date=19 July 2020 |archive-date=23 February 2021 |archive-url=https://web.archive.org/web/20210223113847/https://www.cs.ru.nl/~flaviog/publications/Dismantling.Mifare.pdf |url-status=dead }}

Additionally, there are a number of attacks that work directly on a card and without the help of a valid reader device.{{cite web| last = Garcia| first = Flavio D.| author2 = Peter van Rossum| author3 = Roel Verdult| author4 = Ronny Wichers Schreur| url = https://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf| title = Wirelessly Pickpocketing a Mifare Classic Card| publisher = 30th IEEE Symposium on Security and Privacy (S&P 2009), IEEE| date = 1 March 2009| access-date = 19 July 2020| archive-date = 2 January 2022| archive-url = https://web.archive.org/web/20220102193453/http://www.cs.ru.nl/~flaviog/publications/Pickpocketing.Mifare.pdf| url-status = dead}} These attacks have been acknowledged by NXP.[http://mifare.net/security/mifare_classic.asp]{{dead link|date=February 2016}}

In April 2009 new and better card-only attack on MIFARE Classic has been found. It was first announced at the rump session of Eurocrypt 2009.{{cite web

| last = Courtois| first = Nicolas T. |

url = http://eurocrypt2009rump.cr.yp.to/7870fc6d38647a661145594ef0c33015.pdf |

title = Conditional Multiple Differential Attack on MIFARE Classic |

publisher = Slides presented at the rump session of Eurocrypt 2009 conference | date = 2 April 2009}}

This attack was presented at SECRYPT 2009.{{cite web

| last = Courtois| first = Nicolas T. |

title = The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime |

publisher = In SECRYPT 2009 – International Conference on Security and Cryptography, to appear | url = http://www.secrypt.org/ |

date = 7 July 2009 }}

The full description of this latest and fastest attack to date can also be found in the IACR preprint archive.{{cite web

| last = Courtois| first = Nicolas T. |

title = The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime |

url = http://eprint.iacr.org/2009/137 |

publisher = IACR Cryptology Preprint Archive |

date = 4 May 2009 }}

The new attack improves by a factor of more than 10 all previous card-only attacks on MIFARE Classic, has instant running time, and does not require a costly precomputation. The new attack allows recovering the secret key of any sector of the MIFARE Classic card via wireless interaction, within about 300 queries to the card. It can then be combined with the nested authentication attack in the Nijmegen Oakland paper to recover subsequent keys almost instantly. Both attacks combined and with the right hardware equipment such as Proxmark3, one should be able to clone any MIFARE Classic card in 10 seconds or less. This is much faster than previously thought.

In an attempt to counter these card-only attacks, new "hardened" cards have been released in and around 2011, such as the MIFARE Classic EV1.{{cite web | url = https://www.mifare.net/wp-content/uploads/2015/03/MIFARE_Classic_EV1.pdf | title = MIFARE Classic EV1 | access-date = 25 September 2017}} These variants are insusceptible for all card-only attacks publicly known until then, while remaining backward compatible with the original MIFARE Classic. In 2015, a new card-only attack was discovered that is also able to recover the secret keys from such hardened variants.{{cite web

| author=Carlo Meijer |author2=Roel Verdult

| url = http://cs.ru.nl/~rverdult/Ciphertext-only_Cryptanalysis_on_Hardened_Mifare_Classic_Cards-CCS_2015.pdf | title = Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards | publisher = 22nd ACM Conference on Computer and Communications Security (CCS 2015), ACM| date = 1 October 2015}}

Since the discovery of this attack, NXP is officially recommending to migrate from MIFARE Classic product-based systems to higher security products.{{cite web | url = https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/ | title = Security Statement on Crypto1 Implementations | date = 12 October 2015 | access-date = 25 September 2017 }}

In November 2010, security researchers from the Ruhr University released a paper detailing a side-channel attack against MIFARE product-based cards.{{cite web|url=http://www.proxmark.org/files/Documents/13.56%20MHz%20-%20MIFARE%20DESFire/Cloning_Cryptographic_RFID_Cards_for_25USD-WISSEC_2010.pdf |title=Cloning Cryptographic RFID Cards for 25$ ? |author1=Timo Kasper |author2=Ingo von Maurich |author3=David Oswald |author4=Christof Paar |website=Proxmark.org |access-date=9 February 2016}} The paper demonstrated that MIFARE DESFire product-based cards could be easily emulated at a cost of approximately $25 in "off the shelf" hardware. The authors asserted that this side-channel attack allowed cards to be cloned in approximately 100 ms. Furthermore, the paper's authors included hardware schematics for their original cloning device, and have since made corresponding software, firmware and improved hardware schematics publicly available on GitHub.{{cite web|url=https://github.com/emsec/ChameleonMini |title=emsec/ChameleonMini: The ChameleonMini is a versatile contactless smartcard emulator compliant to NFC, ISO 14443 and ISO 15693. It has been designed and maintained by the Chair for Embedded Security of the Ruhr-University in Bochum. The freely programmable platform can be used to emulate and virtualize cards (perfect clones including the UID), for practical penetration tests in RFID environments, or serve as a passively operated NFC device, e.g., as an NFC door lock |publisher=GitHub |access-date=9 February 2016}}

In October 2011 David Oswald and Christof Paar of Ruhr-University in Bochum, Germany, detailed how they were able to conduct a successful "side-channel" attack against the card using equipment that can be built for nearly $3,000. Called "Breaking MIFARE DESFire MF3ICD40: Power Analysis and Templates in the Real World",{{cite web|url=https://www.iacr.org/workshops/ches/ches2011/presentations/Session%205/CHES2011_Session5_1.pdf |title=Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World |website=Iacr.org |access-date=9 February 2016}} they stated that system integrators should be aware of the new security risks that arise from the presented attacks and can no longer rely on the mathematical security of the used 3DES cipher. Hence, to avoid, e.g. manipulation or cloning of smart cards used in payment or access control solutions, proper actions have to be taken: on the one hand, multi-level countermeasures in the back end allow to minimize the threat even if the underlying RFID platform is insecure," In a statement{{Cite web|url=https://www.mifare.net/en/login/?msg=2&al=/developer/news/|archive-url=https://archive.today/20130221194445/http://www.mifare.net/overview/news/|archive-date=21 February 2013|url-status=dead|title=Login | MIFARE|website=mifare.net|access-date=22 January 2022}} NXP said that the attack would be difficult to replicate and that they had already planned to discontinue the product at the end of 2011. NXP also stated "Also, the impact of a successful attack depends on the end-to-end system security design of each individual infrastructure and whether diversified keys – recommended by NXP – are being used. If this is the case, a stolen or lost card can be disabled simply by the operator detecting the fraud and blacklisting the card, however, this operation assumes that the operator has those mechanisms implemented. This will make it even harder to replicate the attack with a commercial purpose."

In September 2012 a security consultancy Intrepidus{{Cite web|url=http://intrepidusgroup.com/|archive-url=https://web.archive.org/web/20121206021831/http://intrepidusgroup.com/|url-status=dead|title=Site not found · DreamHost|archive-date=6 December 2012|website=intrepidusgroup.com}} demonstrated at the EU SecWest event in Amsterdam,{{cite web |url=http://eusecwest.com/agenda.html |title=EUSecWest Applied Security Conference: Amsterdam, NL |website=Eusecwest.com |access-date=9 February 2016 |archive-url=https://web.archive.org/web/20160305144652/https://eusecwest.com/agenda.html |archive-date=5 March 2016 |url-status=dead }} that MIFARE Ultralight product-based fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free in a talk entitled "NFC For Free Rides and Rooms (on your phone)".{{cite web|url=https://www.youtube.com/watch?v=-uvvVMHnC3c |title=NFC subway hack |via=YouTube |date=2 September 2012|access-date=9 February 2016}} Although not a direct attack on the chip but rather the reloading of an unprotected register on the device, it allows hackers to replace value and show that the card is valid for use. This can be overcome by having a copy of the register online so that values can be analyzed and suspect cards hot-listed. NXP has responded by pointing out that they had introduced the MIFARE Ultralight C in 2008 with 3DES protection and in November 2012 introduced the MIFARE Ultralight EV1{{cite web|url=http://www.mifare.net/products/mifare-smartticket-ics/mifare-ultralight-ev1/|archive-url=https://archive.today/20130221235449/http://www.mifare.net/products/mifare-smartticket-ics/mifare-ultralight-ev1/|url-status=dead|title=mifare.net :: MIFARE Ultralight EV1|date=21 February 2013|archive-date=21 February 2013|website=MIFARE.net|access-date=6 July 2017}} with three decrement only counters to foil such reloading attacks.

For systems based on contactless smartcards (e.g. public transportation), security against fraud relies on many components, of which the card is just one. Typically, to minimize costs, systems integrators will choose a relatively cheap card such as a MIFARE Classic and concentrate security efforts in the back office. Additional encryption on the card, transaction counters, and other methods known in cryptography are then employed to make cloned cards useless, or at least to enable the back office to detect a fraudulent card, and put it on a blacklist. Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers as well, for which real-time checks are not possible and blacklists cannot be updated as frequently.

Another aspect of fraud prevention and compatibility guarantee is to obtain certification called to live in 1998 ensuring the compatibility of several certified MIFARE product-based cards with multiple readers. With this certification, the main focus was placed on the contactless communication of the wireless interface, as well as to ensure proper implementation of all the commands of MIFARE product-based cards. The certification process was developed and carried out by the Austrian laboratory called Arsenal Research. Today, independent test houses such as Arsenal Testhouse, UL and LSI-TEC, perform the certification tests and provide the certified products in an online database.{{cite web|url=http://arsenal-testhouse.com/certified-mifare-products/|title=Certified Mifare Products – Arsenal Testhouse|website=Arsenal-Testhouse.com|access-date=6 July 2017}}

• Northwest University, South Africa – Student/staff ID, access control, library, student meals, sport applications, payments{{cite web|url=http://www.nwu.ac.za/ |title=North-West University |publisher=NWU |date=2 January 2016|access-date=9 February 2016}}
• Cambridge University{{cite web |url=http://www.cl.cam.ac.uk/local/wgb/securityaccess.html |title=Computer Laboratory: Access and security |website=Cl.cam.ac.uk |access-date=9 February 2016 |archive-date=3 March 2016 |archive-url=https://web.archive.org/web/20160303232336/http://www.cl.cam.ac.uk/local/wgb/securityaccess.html |url-status=dead }} – Student/Staff ID and access card, library card, canteen payments in some colleges{{cite web |url=http://www.clare.cam.ac.uk/academic/handbook/food-drink.html |title=Welcome to Clare College – Clare College Cambridge |website=Clare.cam.ac.uk |access-date=9 February 2016 |archive-date=17 March 2011 |archive-url=https://web.archive.org/web/20110317025217/http://www.clare.cam.ac.uk/academic/handbook/food-drink.html |url-status=dead }}
• The University of Queensland – Staff and student ID, access control, library, copy/print, building access (MIFARE DESFire EV1){{Cite web|url=https://www.pf.uq.edu.au/idcards/index.html|title=** UQ ID Cards are the responsibility of Property and Facilities Division|website=pf.uq.edu.au|access-date=3 June 2018}}

• RFID
• Campus card
• Physical security
• NFC
• Smart card

{{Reflist}}

• Dayal, Geeta, [http://www.computerworld.com/article/2537817/security0/how-they-hacked-it--the-mifare-rfid-crack-explained.html "How they hacked it: The MiFare RFID crack explained; A look at the research behind the chip compromise], Computerworld, 19 March 2008.

• {{official website|http://www.mifare.net/}}
• [https://www.nxp.com/products/rfid-nfc/mifare-hf/mifare-desfire/mifare-desfire-ev3-high-security-ic-for-contactless-smart-city-services:MF3DHx3 Comparison Table] MIFARE DESFire EV1 / EV2 / EV3
• [http://www.nxp.com/smartgovernance NXP in eGovernment]
• [http://dewy.fem.tu-ilmenau.de/CCC/24C3/matroska/24c3-2378-en-mifare_security.mkv 24C3 Talk about MIFARE Classic] Video of the 24C3 Talk presenting the results of reverse engineering the MIFARE Classic family, raising serious security concerns
• [http://video.google.com/videoplay?docid=4252367680974396650&hl=en Presentation of 24th Chaos Computer Congress in Berlin] Claiming that the MIFARE classic chip is possibly not safe
• [http://www.ru.nl/ds/research/rfid/ Demonstration of an actual attack on MIFARE Classic] (a building access control system) by the Radboud University Nijmegen.https://www.mersinliakaryakit.com/

{{NXP Semiconductors}}

{{Authority control}}

Category:Contactless smart cards

Category:Near-field communication

Category:NXP Semiconductors