NXP has noted the information from the ministry of Interior based on the claims that the University of Nijmegen made on March 12th 2008 regarding the specific use of MIFARE Classic chips for access management applications.
Although MIFARE Classic is predominantly used in public transport infrastructure, there are a considerable number of installations using the chip technology also in access management implementations. NXP confirms that MIFARE Classic encryption is not supplied for electronic passports.
NXP takes these concerns very serious and we are closely looking into this. We are also informing the system integrators which we know may have designed systems using MIFARE Classic chip technology about the recent developments so that they can review their systems together with their customers.
Access management measures for buildings and properties are – even more than in other applications – formed as end-to end systems comprising multiple layers. Depending on the specific security requirements of the respective facility, access management systems are complemented by additional measures on site, such as security personnel, camera surveillance or other means to detect suspicious activities.
NXP would like to point out, that in practice the assessment of costs versus security that is selected by system integrators and their customers vary greatly. Many systems use for example pin codes, magnetic stripe cards or 125 KHz long range contactless cards without any encryption. These access management schemes are often deemed sufficient to meet the requirements of the total system. We are reaching out to system integrators to closely review their systems in light of latest developments, in light of the assets that are protected and in relation to other protection in place. This way they can establish whether their systems can remain as they are, or whether these would require an upgrade.
NXP is the industry leader in contactless and security, and presents with the MIFARE portfolio the largest and most competitive offering, which has become the industry’s choice.
This wide range of chips offers varying degrees of functionality, performance, security and strength of encryption, so that system integrators can choose the appropriate solution in terms of chip security and back end system to address their requirements. MIFARE Classic provides a benchmark in cost competitiveness as well as proven contactless performance, while the recently announced MIFARE Plus (samples available in Q4 2008) enables an optimal future-proof migration path when necessary. Both, MIFARE Plus and our high-end product MIFARE DESFireEV1 offer strong AES encryption and are targeted to receive the internationally recognized Common Criteria certification.
NXP continues to monitor the situation, evaluates its products and security measures, and remains open to discussions with all interested parties.
MIFARE Application Directory:
MIFARE based smart cards are being used in an increasingly broad range of applications (including transport ticketing, access management, e-payment, road tolling, and loyalty applications). While all of these applications could be stored on one single card, at least for the short term, it is more likely that people will have several different MIFARE based smart cards in their wallets.
To maintain the speed and convenience of MIFARE‘s tap-and-go operation, the MIFARE Application Directory (MAD) defines common data structures for card application directory entries, allowing terminals to identify the right card (and the right memory sector within the card) without the need to perform a comprehensive search through all of the cards’ memories until the appropriate application is found.
Started in 1995, we have more than 600 registered applications worldwide benefiting from the MIFARE Application Directory today.
A typical example is when a person has MIFARE based smart cards for both access management to his office and public transport fare collection. With the MAD, when the cardholder wants to enter his office, the access management terminal identifies the two cards and is able to choose the correct one very quickly, simply by checking the MAD.
The MAD standard uses registered Application IDentifiers (AIDs) in sector 0×00 (and sector 0×10 if applicable) of the card’s memory to enable identification of all registered card applications. Terminal software can then take advantage of this feature using these sector pointers instead of physical sector addresses.
Advantages of MIFARE Certification:With an ever increasing number of companies producing components based on MIFARE, certification is vital for successful implementation. Tendering parties can rely on the fact that certified card products from any supplier will work correctly with any certified terminal/reader from another supplier. As a certified manufacturer, you demonstrate your commitment to MIFARE and to quality and reliability so your customers can fully trust you and your products.
The MIFARE Certification Institute:As Certification Institute, the RFID Testlab of AIT – Austrian Institute of Technology, former Arsenal Research, offers reliable functional testing and certification of smart card systems based on MIFARE from a technically competent, and above all, independent partner. The experience and results gained will be integrated into further standards development by national and international committees, making the MIFARE Certification Institute a major contributor to the worldwide compatibility of these systems.RFID Testlab, a department of AIT mobility division, is located in Vienna, Austria. For more than a decade, the RFID Testlab has been a recognized specialist in the field of electronic components, units and devices. During this time, the RFID Testlab has gathered considerable expertise and know-how, which makes it a valuable partner for both manufacturers and users, based on accreditation according to EN 45001 as an independent test lab. As an experienced and competent partner, the RFID Testlab can assist from the development phase to manufacture, as well as providing testing and consulting services.