4 Byte and 7 Byte UID offering for MIFARE Classic™, MIFARE Plus™, SmartMX™ and licensed products (Questions and Answers)
 
Background
In Q2 2010 NXP customers have been informed of important updates on the IDs of MIFARE Classic and related products.

Mifare DESFire EV1 2K Cards in Berlin,ISO MIFARE DESFire EV1 2K Cards with Magnetic Stripe,Mifare DESFire EV1 2K Blank White Cards,

Unique 4 Byte IDs will be discontinued. Customers will have the choice to purchase either products with unique 7 Byte IDs (our recommended) option or 4 Byte IDs, which are not globally unique any more.
This lists common questions and our answers on the topic.

What is a unique identifier number and what is it used for?
ISO/IEC 14443 Type A defines a Unique IDentifer to be used for card selection and activation. The standard defines single, double and triple size UIDs which correspondingly consist of 4, 7 and 10 Byte. In many contactless systems, the UID is not only used for card activation but also as a logical reference i.e. in a background system to the card itself.
What is the difference between a 4 byte UID and a 4 byte NUID?
A 4 byte UID is an identifier which has been assigned by the card manufacturer using a controlled database. This database ensures that a single identifier is not used twice. In contradiction, a 4 byte NUID (Non-Unique IDentifier) is an identifier which may be assigned to more then one contactless chip over the production time of a product so that more then one card with the same identified may be deployed into one particular contactless system.
MIFARE Classic is a fundamentally flawed product, which has been hacked by several research groups. Why does NXP even extend its lifecycle by providing 7 Byte UID solutions for it?
The security of systems does not rely on the security of a smart card IC alone. Many MIFARE Classic based systems have been secured by countermeasures until a migration to stronger security is possible.
Would this situation not be a big opportunity to discontinue MIFARE Classic and provide more secure solutions to the market?
For applications that require a higher level of security, we recommend to migrate from MIFARE Classic to MIFARE Plus or MIFARE DESFire EV1 with 7B UIDs.

Visibility on end of life of 4 Byte UID based products
Is only MIFARE Classic 1K concerned?

No, the 4 B UID issue affects all ISO/IEC 14443 Type A products including MIFARE Classic products (MIFARE Classic 1k and MIFARE Classic 4k), MIFARE Plus as well as all MIFARE Classic implementations on NXP‘s SmartMX and JCOP products. The 4 B UID issue also affects Infineon Technologies and NXP’s MIFARE licensees.

Quantity of unique numbers left over?
The exact quantity can only be estimated as NXP is not aware of quantity of unique numbers left over at Infineon; in any case, we expect the market will run out of 4 Byte unique IDs end of 2010 this will affect NXP and MIFARE licensees as well as Infineon.

Communication plan of NXP towards the market regarding the need to change to 7 Bytes UID
Towards system integrators (SIs)

Yes, NXP has been in close contact with leading SIs from week 12 2010 onwards. The message is that the market will run out of 4 Byte unique IDs by the end of 2010. Our default successor product is based on 7 Byte unique IDs. Our recommendation is to move to 7 Byte unique IDs.

Towards public transport operators (PTOs)?
Yes, NXP is in close contact with selected PTOs in alignment with the respective SIs. Same message and recommendation as for system integrators.

What will be the timing of the planned communication?
We are distributing a customer letter to the wider MIFARE eco-system in May 2010 In addition, we are running several roadshows, trainings and webinars in 2010

Communication plan of NXP towards the market regarding the need to change to 7 Bytes UID
What will NXP do to educate the market?

We have planned a very active communication including several roadshows, trainings and webinars in 2010. We are engaging with leading SIs, PTOs, reader manufacturers, card makers, banks and handset makers.

Focused on MIFARE Classic only?
4 B UID issue affects all MIFARE Classic products. Therefore, the communication will be focused on the whole MIFARE Classic portfolio.

Focused on MIFARE Classic 1K only?
No, communication will be focused on whole MIFARE Classic portfolio.

Impact on MIFARE Plus
Impact on 4 B UID version of MIFARE Plus?
As MIFARE Plus also covers a 4 B UID option during the migration period, we will inform our customers regarding the end of life of MIFARE Plus with 4 B UID.
Will all 8 possible versions remain available?
Yes, all current MIFARE Plus versions remain available; however we focus on specific high runners and we will inform the market about the end of life of MIFARE Plus with 4 B UID

Is any simplification of MIFARE Plus range now foreseen?
We focus on specific high runners; these are
-MIFARE Plus S 2K 7 B UID
-MIFARE Plus X 4K 7 B UID
-MIFARE Plus S 2K 4 B UID (only during short migration period, then 4B ID or 7 B UID)
-MIFARE Plus X 2K 4 B UID (only during short migration period, then 4B ID or 7 B UID)
For those products we keep buffer stocks for immediate supply; others will be delivered with longer lead times.

Impact on MIFARE Plus
Given the UID choices for MIFARE Plus will most operators not just choose 4 Byte UIDs by default?
NXP is clearly recommending MIFARE Plus with 7 B UID;
MIFARE Plus ICs with 4 BUID are being offered only during the relatively short migration period, where backwards compatibility is necessary.
A migration to higher security level on the system side should always be used to enable the acceptance of 7 B UIDs.
After the migration our default product offering is 7 B UIDs. We inform the market about the end of life of MIFARE Plus with 4 B UID, which is also expected around end of 2010.

Scheduled availability for MIFARE Classic 7 B UID
MIFARE Classic 1K with 7 B UID
The product is commercially released since May 2010. In addition, we will launch an improved version with respect to read range and personalization options in H1 2011 ,these personalization options will allow our customers to optimize their stock handling and to reduce the probability of problems with existing reader infrastructure.

MIFARE Classic 4K with 7 B UID
Same schedule as for MIFARE Classic 1K 7 B UID
Impact on MIFARE Implementations NXP SmartMX ICs
Is the SmartMX dual-interface controller only available with 4B UID?

No. The SmartMX family has been and will remain to be available with 7B UID when not ordering a MIFARE Classic emulation.
Will the actual SmartMX controller family been developed towards 7B UID for MIFARE CLASSIC ?
Yes, the actual SmartMX controller family based on CMOS14 will be extended to also support the 7Byte UID for MIFARE Classic. The target release schedule is in Q1 2011 including CC certification.

Will the next generation of dual interface chips have a 7 B UID for MIFARE Classic emulation?
Yes, the next generation of dual interface is called P60 and the chips will have a 7 B UID option for MIFARE Classic emulation. The target release schedule is in Q2 2011 including CC certification.

Will the actual SmartMX controller family be available with 4 B NUIDs?
Yes, the actual SmartMX controller family are available with 4 B UIDs out of the so-called xF range (4 B FNUID) from Q4 2010 onwards.

How is the “xFh” range split for created FNUID numbers between suppliers? How to avoid that NXP and e.g. another competitor delivers same 4 Byte UIDs at same time?
There is an arrangement between NXP and Infineon to split the numbers in the F range, not to collide between the two companies. However, it is important to mention that the F Range is by definition not unique and therefore the contactless system must be able to cope with the non-uniqueness. There are contactless systems that do not use the UID as a unique identifier but just to select the card.

Impact on Fast Pay ICs
Is NXP’s Fast Pay product affected by the 4B UID issue?
No, Fast Pay uses 7B UID and is therefore not affected.

Impact for products from 3rd parties
On pure contactless transport chip from Infineon Technologies
NXP has aligned the use of 4 B UID ranges with Infineon Technologies.
On implementations of NXP licensees?
NXP has aligned the use of 4 B UID ranges with its MIFARE licensees.
Implications for other NXP smart card ICs
Are MIFARE Ultralight, MIFARE Ultralight C, MIFARE DESFire, MIFARE DESFire EV1 and MIFARE Plus (7 B UID version) ICs also affected by the 4 B UID issue?
No, the above mentioned contactless ICs from NXP have 7 B UIDs and are not affected by the depletion of the 4 B UIDs.
Impact on reader infrastructure
Is the existing reader infrastructure able to support 7 B UID?

NXP does not have 100% visibility regarding all installed readers worldwide; nevertheless all NXP reader ICs can handle 4 B, 7B and also 10 B UIDs. The majority of all installations are still based on MIFARE Classic which was supporting 4 B UIDs only until today. Therefore, we assume that most existing infrastructure does not support 7 B UID for MIFARE Classic yet; we assume that from this year onwards, existing infrastructure will migrate to 7 B UID support for MIFARE Classic.
Please keep in mind that all other installations using smart card ICs from NXP such as MIFARE Ultralight, MIFARE Ultralight C, MIFARE DESFire, MIFARE DESFire EV1 and MIFARE Plus (7 B UID version) are already able to cope with 7 B UIDs.

Impact on reader infrastructure
Until when does NXP think that the existing reader infrastructure will be able to support 7 B UID?
NXP does not have 100% visibility regarding all installed readers worldwide. Nevertheless all NXP reader ICs can handle 4 B, 7B and also 10 B UIDs. We assume that from this year onwards, existing reader infrastructure will migrate to 7 B UID support for MIFARE Classic. We assume that this process will take at least until 2015 and may go beyond.
NXP actively contributes to the ISO/IEC 14443 standard which was published in 2001 and strongly recommends and supports to build readers according to that standard.
Every fully ISO/IEC 14443 compliant reader can handle 4 B UIDs, 7 B UIDs and 10 B UIDs.

Impact on reader infrastructure
Which solutions does NXP offer in case systems do not support 7 B UID?

For systems that are not able to support 7 B UIDs, NXP offers the following options to ensure sustainable operation of those MIFARE Classic installations: We will continue to supply MIFARE Classic ICs with 4 Byte non-unique identifiers; these 4 B NUIDs will be based on selected ID ranges out of the old NXP 4 Byte range (4 B ONUID).
Recommendations on how to do the best map of a 7 Byte UID into a 4 Byte ID range are available in an application note which also describes general UID handling topics.
In addition, NXP will offer a downloadable list of the IC identifiers which are used for each reel or wafer. This enables pro-active impact analysis before issuing new cards into contactless systems.
In any case, as uniqueness is often considered to be an important part of a contactless e-ticketing system (e.g.: wrt fare calculation, black listing, etc.). NXP strongly recommends migrating to 7 B UID.

Can a customer get a comprehensive list of already delivered UIDs for his purchased products (including shipment dates?)
No, this is logistically not possible and also not traceable.

When delivering a product with 4Byte OUID (recycled old UID), can the customer then get information when and to whom the respective UID has been issued before?
No, this is logistically not possible and also not traceable.

Can NXP name a local contact for questions from the customer’s field, in the local regions? (Like it was done the other day on the “MIFARE hack” incident
South America Francimar Santos
North America Patrick Comiskey
Asia Pacific Alex Mak
China Bo Zhou
EMEA Jerome Juvin
Impact of “non-unique IDs” to existing systems
What do non-unique IDs mean for the legacy infrastructure?
For the infrastructure, there is no impact as the non-unique ID is still 4 Byte With respect to the full system, there might be the risk that cards using non-unique IDs introduce duplicates in the back-end system and therefore cause problems regarding black listing, fare calculation and card lifecycle management. Precautions have to be taken when introducing 4 B NUIDs into current installations based on 4 B UIDs.

Is this really usable as we state that uniqueness is key?
Yes, uniqueness is an important part of a contactless e-ticketing system (e.g.: wrt fare calculation, black listing, etc.); therefore, NXP strongly recommends to go for 7 B UID; however, the legacy infrastructure will not have completely migrated to 7 B UIDs before the market runs out of unique 4 B UIDs. Therefore, some customers need to use 4B non-unique IDs during this migration period with the according workarounds.
Differences of 4 B UID vs. 7 B UID
Are there any differences between a 4 B UID MIFARE Classic and a 7 B UID MIFARE Classic beyond the card activation (“Anticollision”)?
Yes, there can be differences on system side e.g. in backoffice databases. NXP will publish an Application Note, called “MIFARE and handling of UIDs“ where several of these differences are being addressed.
Impact of the 4 / 7 B ID topic on NFC
Do all NXP NFC IC’s (PN51x, PN53, PN54x and PN65x) support a 7 Byte MIFARE UID ?
Yes, all NXP NFC hardware products can handle the 7 Byte UID. It should be noted however that the PN51x/PN53x SW Drivers only support the 4 Byte UID and the reader application software has to take about the 7 Byte UID. Dedicated application notes and updates of the user manuals will be provided to customers.