A Mifare version of the University Card
For some time, there has been pressure to produce a contactless version of the University Card. This pressure has two main sources:
–An increasing need for door access-control systems. The existing University Card has a TDSi strip, which is used for door access. However, TDSi is no longer considered a totally secure technology and as such is capable of being duplicated. It is also a proprietary system only available from one supplier, which has caused problems for the university in the past, and limits the options available to a department or college who do not wish to issue their own cards. Contactless cards are more convenient to use, likely to last longer due to undergoing less wear and tear and offer higher security. They may also cost less.
–A growing interest in cashless payment systems (electronic purses). Examples are departmental photocopying, college dining, student laundries and any other application with frequent low-value transactions. Some colleges use the smartchip on the existing University Card (available on request) for this kind of application. Many suppliers will suggest contactless card systems for cashless payment systems. Anyone wishing to install such a system is encouraged to consider the associated risks carefully.

A contactless version of the University Card therefore seeks to provide the following:
–multiple suppliers, both of cards and of application systems
–higher security
–greater flexibility to support departmental and college requirements

We have been actively looking at the options for at least two years and no ideal solution exists for the university, given the available technology and the nature of the university. This paper presents a suggested solution that should address the most urgent requirements quickly, and still leave some flexibility for the future.

The Mifare chip
The most widely used contactless chip is the Mifare A chip, developed by NXP, who have licensed many suppliers to produce both chips and readers. Two of the Colleges already have Mifare systems installed, successfully using them for door access control and cashless payments. Chips are usually embedded into cards like the University Card, although other forms are available (e.g. key fobs). A long aerial is also embedded into the card, which powers the chip when the card is held in the electromagnetic field emitted by a card reader. When powered, the chip can respond to the reader, e.g. to provide data to a door access-control application.

The chip has 16 data sectors, the first of which contains a unique id set at manufacture and unchangeable thereafter. Applications may use this id, or may write their own information into one of the other sectors. Each sector has two keys and configurable access conditions controlling read, write, increment and decrement. This allows, for example, one key with limited rights to be widely circulated, while the other key is given greater rights and kept private.
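The two-key arrangement described above is recorded in three access-condition bytes in each sector. The following is an added example, not part of the original paper: it assumes the chip is a MIFARE Classic 1K (consistent with the 16 sectors described) and decodes those bytes into per-key rights; the sample byte values are constructed.

```python
# Added example: decode the three access-condition bytes of a MIFARE Classic
# sector trailer (bytes 6-8) and report what each key may do on data blocks.

# Rights per (C1, C2, C3) for a data block: (read, write, increment, decrement).
# "A|B" = either key, "B" = key B only, "-" = never.
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("A|B", "A|B", "A|B", "A|B"),  # transport configuration
    (0, 1, 0): ("A|B", "-", "-", "-"),
    (1, 0, 0): ("A|B", "B", "-", "-"),
    (1, 1, 0): ("A|B", "B", "B", "A|B"),      # value block, e.g. a purse
    (0, 0, 1): ("A|B", "-", "-", "A|B"),
    (0, 1, 1): ("B", "B", "-", "-"),
    (1, 0, 1): ("B", "-", "-", "-"),
    (1, 1, 1): ("-", "-", "-", "-"),
}

def decode_access_bytes(b6, b7, b8):
    """Return (C1, C2, C3) for blocks 0..3; reject inconsistent encodings."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    # Each nibble is stored twice, once inverted. A mismatch must never be
    # written to a card: the chip treats it as a format violation.
    for plain, inverted in ((c1, inv_c1), (c2, inv_c2), (c3, inv_c3)):
        if plain ^ inverted != 0x0F:
            raise ValueError("access bits and their inverted copies disagree")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]

def data_block_rights(access_bytes):
    """Rights on the three data blocks of a sector, as a list of dicts."""
    b6, b7, b8 = access_bytes
    bits = decode_access_bytes(b6, b7, b8)
    names = ("read", "write", "increment", "decrement")
    return [dict(zip(names, DATA_BLOCK_RIGHTS[bits[i]])) for i in range(3)]

if __name__ == "__main__":
    # Constructed samples: the factory setting and a purse-style setting in
    # which the circulated key A can read and spend but only key B can top up.
    for label, raw in (("factory default", "FF0780"), ("purse-style", "08778F")):
        print(label, data_block_rights(bytes.fromhex(raw))[0])
```
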

Security is an improvement over the existing TDSi system for two reasons. First, it is much more difficult to forge a MIFARE card than it is to forge a TDSi swipe strip. Second, communication between chip and reader is encrypted, although with a proprietary algorithm, rather than a simple encoding of the number. However, the encryption will use a key that is likely to be known to a large number of readers.

Mifare chips and TDSi strips cannot co-exist on the same card, because of the embedded aerial. Introducing a Mifare version of the card will mean that some cardholders will need to carry two university cards, as the large investment in TDSi across the university cannot simply be abandoned. The card office already issues two different types of card (with and without contact smartchip) according to need, and can build on the existing infrastructure to cope with issuing the appropriate technology and number of cards to each cardholder.

Applications
Possible applications for a Mifare card include:
–door access
–cashless payment (for photocopying, dining, laundry etc)
–library borrowing
–computer login
Some applications simply use the unique MIFARE card ID, e.g. by programming a door reader to only open the door for certain known card IDs. This approach then requires local management of information about which card ID belongs to which person, as with the existing TDSi installations. Other applications work in the same way but write their own ID into a different sector of the card. This approach works well for door access and library borrowing.

Applications like an electronic purse will store additional data, such as a purse balance, on the card. This will require at least one sector, and at least one supplier uses three sectors for this purpose. It should be emphasised at this point that Mifare cards are only moderately secure, and really only appropriate for low-value transactions. Any cashless payment system should have some kind of audit mechanism in place.

Approaches to allocating the card sectors
The University Card database knows of over 200 organisations within the university, including Colleges, departments, faculties and others, and there are only 16 sectors on a Mifare chip, one of which is reserved for the unique id.

Allocation by application type
The card office could reserve some sectors for door access, others for electronic purses, others for library borrowing and so on. At least some suppliers insist on using the same sectors for an application across an entire system, although they can configure exactly which sectors on installation. However, there will then very likely be clashes between departments and colleges. For example, a college dining purse and a departmental photocopying purse might both try to use the same sectors on the card: only one will be able to work. This will make the University Card less useful for those people with multiple affiliations, and therefore less attractive for local administrators to use if they want a cashless payment system.

Allocation by Mifare Application Directory
The University is not the first organisation to find limits in the simple division of 16 sectors on a Mifare chip. A protocol exists called the Mifare Application Directory, where applications are registered on a worldwide directory and given an Application ID (AID). The first sector on the chip is written with a look-up table of AIDs and sectors. So an application may use e.g. sector 3 on one card, and sector 7 on another, depending on what other applications are already there. MAD is a great deal more complex to administer and suppliers are reluctant to support it for a variety of reasons. Those given include:
–Reader software must be more complex.
–It is easy to locate valuable information on the card.
–In principle, third party suppliers may edit the MAD look up table on the card, and any mistake on their part could permanently lock out all applications on the card, not just that run by the third party.

At least one supplier will support MAD ‘if it is a condition of the tender’, and others have made positive noises. In order to issue a Mifare University Card correctly, the card office would have to be able to write the MAD look up table. Given the concerns over third-party supplier access, it would make sense for it to control the look up table entirely. This would mean the card office would have to be involved in the initial set up of cards for each application. However, using MAD would support the complex combinations of department and college affiliations and avoid clashes between similar applications run in different organisations. In summary, to divide the card by application type risks clashes between different parts of the university, while to use the MAD risks lack of support by suppliers and creates much more work for the card office.
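How a directory lets the same application sit in sector 3 on one card and sector 7 on another can be seen in a small model. This is an added example, not part of the original paper and not the NXP byte layout: the AID values, the two reserved sectors and the function names are all assumptions made for illustration.

```python
# Added example: a simplified model of a MAD-style directory. It is not the
# NXP byte layout; it keeps one application id (AID) per sector.
FREE = 0x0000             # model's marker for an unallocated sector
CARD_OFFICE_AID = 0xF001  # hypothetical AIDs, not registered values
DINING_AID, LAUNDRY_AID, COPY_AID = 0xF002, 0xF003, 0xF004
RESERVED = (1, 2)         # assumption: sectors kept for university identifiers

class Card:
    def __init__(self):
        # Sector 0 carries the unique id and the directory, so it has no slot.
        self.directory = {s: FREE for s in range(1, 16)}
        for s in RESERVED:
            self.directory[s] = CARD_OFFICE_AID

def lookup(card, aid):
    """Reader side: the sectors that belong to `aid` on this particular card."""
    return [s for s in sorted(card.directory) if card.directory[s] == aid]

def allocate(card, aid, sectors_needed):
    """Card-office side: assign the lowest free sectors, all or nothing."""
    if lookup(card, aid):
        raise ValueError("application already registered on this card")
    free = lookup(card, FREE)
    if len(free) < sectors_needed:
        raise RuntimeError("not enough free sectors on this card")
    chosen = free[:sectors_needed]
    for s in chosen:
        card.directory[s] = aid
    return chosen

def demo():
    """Two cardholders with different affiliations get different layouts."""
    staff, student = Card(), Card()
    allocate(staff, COPY_AID, 1)        # department photocopying only
    allocate(student, DINING_AID, 3)    # college purse using three sectors
    allocate(student, LAUNDRY_AID, 1)
    allocate(student, COPY_AID, 1)      # same application, later on this card
    return lookup(staff, COPY_AID), lookup(student, COPY_AID)

if __name__ == "__main__":
    print(demo())
```

Keeping `allocate` as a card-office-only operation mirrors the concern above about third parties editing the look-up table: readers only ever need `lookup`.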

Recommendation
The most urgent perceived need for contactless cards is in door access control. This is most easily supported by reading an id from a single fixed sector. In principle, the same id (e.g. the unique Mifare id) could be used to open doors in multiple organisations, with building managers downloading lists of ids from the card office in the same way as those managing existing TDSi systems. However, the same fixed-sector approach cannot be used for applications that need to store data on the card without drastically reducing the flexibility and usefulness of the card. It is necessary to compromise between the ease of setting up individual applications and the widespread ease of use of the card.

The card office will reserve the first few sectors on the card for university card information and other university-wide identifiers as agreed with their suppliers (e.g. staff number, student number, UL id, CRSid). Departments and colleges will be encouraged to use the unique Mifare id and/or this information where possible to support the applications they would like to use. Door access and library borrowing can certainly both be supported in this way. Local administration of card information should work in the same way as for the existing TDSi systems. We have already planned work this year to improve the circulation of id and revocation information to support TDSi system managers, and this can be extended to support Mifare ids.

If a college or department wishes to use the University Card for an application that needs to store additional information on the card, that application will have to use the MAD. In these cases, suppliers will have to work with the card office to set up new applications. The card office will manage the MAD and only the card office will be able to write to the MAD lookup table. The card office will also generate and control the keys for each sector. ‘Read’ keys for the sectors containing card information and university-wide identifiers will be made available to local administrators on request.