MIFARE and handling of UIDs

NXP Semiconductors would like to raise your attention concerning the consumption of unique identifier numbers (UIDs) with length of 4 Byte (B) for its MIFARE Classic smart card ICs and emulations.
With the accumulated and estimated global demand of MIFARE Classic ICs from NXP and its licensees we expect that the market will run out of 4 Byte unique IDs. Successor products are being offered with 7 Byte UID as the recommended option and products with 4 Byte identifiers.

Info Content
Keywords Single Size UID, Double Size UID, 4 Byte UID, 7 Byte UID, SNR, NUID, FNUID, ONUID
Abstract This document shows the use of UIDs in contactless smartcard systems. It indicates recommendations about the Random ID, mixed use of 4 byte and 7 byte UIDs in the same system, and it describes the options how to upgrade 4 byte UID systems to accept 7 byte UID smart cards.

This is the use of UIDs in contactless smartcard systems. It indicates recommendations about the use of Random ID, the mixed use of 4 byte (single size) and 7 byte (double size) UIDs in the same system, and it describes the options how to upgrade 4 byte UID systems to use 7 byte UID smart cards.
Note: A UID is not a “serial number”, but a unique identifier. There is no recommendation how to turn the array of bytes into an integer.
Note: “UID” is a common expression, defined in the ISO/IEC 14443-3. In some case the UID is even not unique (like RID or NUID, see below).
Note: The 4 byte UID is called “Single Size UID”, too. The 7 byte UID is called “Double Size UID”, too. The 10 byte UID is called “Triple Size UID”, too.

MIFARE and ISO/IEC 14443 UIDs

The use of UIDs according to the ISO/IEC 14443 is described. Fig 1 shows the three different UID sizes defined in ISO/IEC 14443-3 as they are used during the anti-collision and selection procedure.

mifare 1k uid,Mifare Classic 1K S50 Cards Exporter,RFID Printing cards,Mifare 1k printed card,Mifare Classic 1K S50 pre-printed Cards

(1)BCC=Block Check Character, it is calculated as exclusive-or over the 4 previous bytes.
(2)CT=Cascade Tag, to indicate a following cascade level.
Fig 1. UIDs according to ISO/IEC 14443

Fig 2 shows the Anticollision sequence, which is a mandatory part of the card activation sequence. It automatically selects a single PICC with 4 byte UID (= Single Size UID), 7 byte UID (= Double Size UID) or 10 byte UID (= Triple Size UID).

Mifare Classic 1K S50 UID,RFID Mifare Classic 1K S50 Cards,Mifare Classic 1K S50 Cards Exporter,Mifare Classic 1K printing Cards,RFIDMifare 1K printed Cards

(3) CT =Cascade Tag
(4) CL = Cascade Level
Fig 2. Anticollision sequence

Cascade Level 1
in the Cascade Level 1 the PCD sends the Anticollision command CL1 (0×93) and the PICC returns:either the 4 byte UID (UID0…UID4) and one byte BCC, or a Cascade Tag (CT) followed by the first 3 byte of the UID (UID0…UID2) and one byte BCC.
The CT (0×88) indicates that the UID is not yet complete, and another Cascade Level has to follow.
Note: The UID0 byte of a 4 byte UID must not be 0×88.
The CL1 then must be selected, using the Select command CL1 (0×93). The PICC returns its SAK CL1, which indicates:
whether the UID is complete or not, and (if so), the type of card (for details refer to [1] and [2]), and whether the card supports T=CL.

Cascade Level 2
If the UID is not yet complete, the PCD continues with an Anticollision CL2 command (0×95), and the PICC returns: either the last 4 bytes of the Double Size UID (UID3…UID6) and one byte BCC,or a Cascade Tag (CT) followed by the next 3 bytes of the Triple Size UID (UID3…UID5) and one byte BCC.
The CT (0×88) indicates that the UID is not yet complete, and another Cascade Level has to follow.
Note: The UID3 byte of a 7 byte or 10 byte UID must not be 0×88.
The CL2 then must be selected, using the Select command CL2 (0×95). The PICC returns its SAK CL2, which indicates:
whether the UID is complete or not, and (if so),the type of card (refer to [1] and [2]), and whether the card supports T=CL.

Cascade Level 3
If the UID is not yet complete, the PCD continues with an Anticollision CL3 command (0×97), and the PICC returns:the last 4 bytes of the Triple Size UID (UID3…UID6) and one byte BCC.
The CL3 then must be selected, using the Select command CL3 (0×97). The PICC returns its SAK CL3, which indicates:the type of card (refer to [1] and [2]), and whether the card supports T=CL.
Single Size UID

The single size UID contains 4 bytes. As shown in Table 1, the value of the UID0 byte defines how those 4 bytes shall be interpreted.
Table 1. Assignment of Single Size UIDs
POR = Power on reset

 
UID0 [Hex] Definition Range
08 RID: UID1, UID2 and UID3 are dynamically generated during or after each Power-On-Reset (POR). appr. 16 million
x0… x7 Proprietary use (i.e. used for MIFARE) appr. 2.1 billion
x9…xE Proprietary use (i.e. used for MIFARE) appr. 1.6 billion
xF Fixed number, non-unique appr. 268 million
88 Cascade Tag -
x8, except 88, 08 RFU appr. 235 million

Note: Single Size UIDs do not have a manufacturer code.
Note: The use of Single Size UIDs (unique ones) might end soon, since the number of usable IDs is limited to approximately 3.7 billion pieces only.

Random ID (RID)
A single size UID with UID0 = 0×08 indicates a Random Identifier. The Random ID (RID) is dynamically generated, when the PICC powers up. Deselecting a PICC does not reset the RID, but a field reset does.
Note: RID is always limited to 4 bytes.
Note: Depending on the PICC implementation, a UID (i.e. Double Size UID) may be retrieved from the card by proprietary means after the PICC is selected with its RID.

Fixed but non-unique ID (FNUID)
The 4 byte UIDs with UID0 = xFh are fixed identifiers (like unique ones), but the same UID might be used for several PICCs, so that contactless systems cannot rely on the uniqueness of such a PICC identifier. These UIDs are called FNUID in the following.
The probability to have 2 PICCs on one PCD at the same time with the same FNUID is still extremely low.
However, it might create conflicts, if the contactless system uses the UID not only for the card activation but also as a logical reference to the PICC. There is a proposal how to handle this in chapter 3.2.

Re-used UID (ONUID)
The very old Single Size UIDs will be re-used, which means the same UID might be used for several PICCs, so that contactless systems cannot rely on the uniqueness of such a PICC identifier. These ID are called ONUID in the following.
The probability to have 2 PICCs on one PCD at the same time with the same ONUID is still extremely low.
However, it might create conflicts, if the contactless system uses the UID not only for the card activation but also as a logical reference to the PICC. There is a proposal how to handle this in chapter 3.2.
 
Double Size UID
Double Size UIDs always contain a manufacturer code in the UID0. With the double size UIDs each manufacturer can theoretically use up to 2.8 *1014 UIDs.

Manufacturer Code
In double and triple size UIDs the UID0 contains the manufacturer code which indicates the manufacturer of the PICC as shown in Table 2.
Table 2. Manufacturer Code

UID0 [Hex] Definition
81 … FE not allowed
04 NXP Semiconductors, formerly Philips Semiconductors

 

Unique ID ranges for Double Size UIDs
Double Size UIDs always contain a manufacturer code in the UID0.
Note: Due to the content of Double Size UIDs of MIFARE products the best diversification can typically be found in the UID1 and UID2.

Triple Size UID
Triple Size UIDs always contain a manufacturer code in the UID0.
Currently there is no PICC using a triple size UID. However, according to ISO/IEC 14443 it is mandatory that every PCD supports Triple size UIDs.

UID used in MIFARE products
In the past MIFARE Classic cards were limited to 4 byte UIDs only, i.e. normally every MIFARE Classic related product has used a single size UID only. Due to the limited number of UIDs in the single size range all new MIFARE related products are supporting 7 byte UIDs.
Table 3 indicates which MIFARE product uses which UID.
Table 3. UIDs and MIFARE products
NUID = Non Unique ID, ONUID = Re-used UID, FNUID = Fixed, non-unique UID

Product MIFARE Ultralight (C) MIFARE Classic   MIFARE Plus MIFARE DESFire (EV1) SmartMX
         
  MF0 ICxx MF1 ICS x001 MF1 ICS x009 MF1 Plus MF3 IC Dxx P5 xx
           
    MF1 ICS x007        
Name MIFARE Ultralight, MIFARE 1K, MIFARE 1K, MIFARE Plus S, MIFARE DESFire, MIFARE DESFire EV1 B1 and B4 configuration
  MIFARE 4K MIFARE 4K MIFARE Plus X
  Ultralight C     (2K and 4K)  
Single Size UID - x - x - x
Single Size FNUID - - - - - x
Single Size ONUID - x - x - x
Double Size UID x - x x x -
RID option - - - x1 x -
UID needed for operation - x x x2 - x3
           
UID recommended for key diversification x x x x x x
           

1. MIFARE Plus support RID only in SL3.
2. In SL1 and SL2 only.
3. For the MIFARE Classic emulation.

The Single Size FNUID or ONUID can be used like a Single Size UID – except the fact that identifier of this range will be used multiple times.
RFID is optional and should be used to protect privacy. In case RID is enabled, there is a defined and confidential way to retrieve the UID for each product.

Single Size NUID
The MIFARE Plus card or MIFARE Classic card with Single Size NUID can be activated like a usual Single Size UID card.                                                        Note: There is a very small probability that 2 cards in the PCD field have the same NUID, and therefore cannot be properly selected without the user removing one card.      Note: NUID might be an order option or an option which can be chosen during personalization of the card.

RID
The MIFARE Plus offers the RID in SL3. RID is always 4 bytes only.

UID in the contactless system
In some cases the reader infrastructure might be able to handle Double Size UIDs, but the (background) system can only handle 4 byte UIDs. Or vice versa, the reader infrastructure might not be able to handle Double Size UIDs, but the (background) system needs uniqueness and can handle Double Size UIDs.
In such a case there are at least 5 different options:
Single Size NUID for card activation and for the system,
Single Size NUID for card activation, and Double Size UID for the system,
Double Size UID for card activation, and Single Size NUID for the system,
RID for card activation, and Single Size NUID for the system.
RID for card activation, and Double Size UID for the system.

Single Size NUID for card activation and for the system
The MIFARE Plus card or MIFARE Classic card with Single Size NUID can be activated like a usual Single Size UID card.
Note: There is an extremely small probability that 2 cards in the field have the same NUID, and therefore cannot be properly selected without the user removing one card.
Note: NUID might be an order option or an option which can be chosen during personalization of the card.
There is a probability that the same NUID appears in the system more then once. Either the cards have to be pre-selected e.g. at issuing to avoid such collision in the system, or the system has to be able to deal with these cards in a special way.

System ID
he system could use a 4 byte system ID (see Fig 3), derived from the
high nibble of the UID0 (4 bit)
the low nibble of the GPB used as card counter (4 bit)
the UID1, UID2 and UID3.
Mifare Classic 1K UID,Mifare Classic 1K S50 Cards Exporter,RFID Mifare1K Cards Exporter,RFID Mifare1K Printing Cards,RFID Mifare1K Printed Cards

(1) CCt = CardCounter, to be stored in the GPB of an application sector
(2) GPB = General Purpose Byte (Byte 9 of a Sector Trailer)
Fig 3. How to derive a 4 byte System ID out of a NUID and GPB

This system ID must be created when the card is issued or personalized as shown in Fig 4. The GPB should be stored in a Sector Trailer that is not going to be changed later on. It could be the Sector Trailer of the first sector being used by the application.
Note: This proposal can handle up to 16 cards with the same NUID in the same system.

RFID Mifare Classic 1K S50 UID,Mifare Classic 1K S50 contactless cards,Mifare Classic 1K contactless cards,Mifare Classic 1K Proximity Cards,RFID Mifare 1K Proximity Cards

(1) This flow requires the personalization process to check all the existing System IDs.
Fig 4. How to create a System ID during card personalization

Double Size UID for card activation, but Single Size NUID for the system
After the card is activated using the Double Size UID, the following proposal can be used to derive a 4 byte NUID out of the 7 byte UID.

Derive NUID out of a Double Size UID
The lower nibble of UID0 must be set to Fh to indicate the non-unique range.
The bit[4] of UID0 shall be set to 0b for compliance reasons.
To generate the 27 bits of the NUID out of the 7 byte UID a CRC calculation shall be done as follows (see Fig 5):
1. Reset the CRC calculator with the standard ISO/IEC 14443 type A preset values: 6363hex.
2.Feed UID0, UID1 and UID2 into the CRC calculator.
3. Result shall be denoted as CRC[3:2]
4. Set NUID[31:29] to CRC[3][7:5] and NUID[23:16] to CRC[2][7:0]
5. Feed UID3, UID4, UID5 and UID6 into the CRC calculator (do not reset the CRC engine before!).
6. Result shall be denoted as CRC[1:0]
7.Set NUID[15:8] to CRC[1][7:0] and NUID[7:0] to CRC[0][7:0]
This mapping ensures that no bit shifting is necessary to build the final NUID from the CRC bytes.

Mifare Classic UID,RFID Mifare Classic 1K S50 Cards Exporter,Mifare Classic 1K S50 Cards Supplier,Mifare Classic 1K chip cards,iso contactless cards

(1) Bit [4..0] of NUID0 must be set to 01111bin.
Fig 5. How to create a single size NUID out of double size UID

RID for card activation, but Single Size NUID for the system
The MIFARE Plus card with RID can be activated like a usual Single Size UID card.
In case RID is enabled, there is a defined and confidential way to retrieve the UID, which then can be used in the (background) system.
If the UID is a Double Size UID, the proposal as shown above can be used to derive a Single Size NUID from the Double Size UID.
RID for card activation, but Double Size UID for the system
The MIFARE Plus card with RID can be activated like a usual Single Size UID card.
In case RID is enabled, there is a defined and confidential way to retrieve the UID, which then can be used in the (background) system.

MIFARE Classic Authentication
MIFARE Classic card requires a 4 byte UID input for the authentication command as shown in Table 4.
Table 4. UID bytes as input for the MIFARE Classic Authentication
Table description (optional)

Product UID Input for Authentication Comments
MF1 ICS x0 4 byte UID 4 byte UID (UID0…UID3)  
MF1 ICS x0 4 byte NUID 4 byte NUID (UID0…UID3)  
MF1 ICS x0 7 byte UID CL2 bytes (UID3…UID6)  
MF 1 Plus 7 byte UID CL2 bytes (UID3…UID6) in SL1 and SL2
MF 1 Plus 4 byte UID 4 byte UID (UID0…UID3) in SL1 and SL2
MF 1 Plus 4 byte NUID 4 byte NUID (UID0…UID3) in SL1 and SL2
MF 1 Plus 4 byte RID not available in SL1 or SL2  
P5 xxx 4 byte UID 4 byte UID (UID0…UID3) in B1 / B4 using MIFARE OS
P5 xxx 4 byte NUID 4 byte NUID (UID0…UID3) in B1 / B4 using MIFARE OS

Key diversification with MIFARE SAM
The key diversification input must not be the RID. In case of NUID, the 4 bytes NUID can be taken as input.