Mifare Plus X 2K Full Colour Printing Cards, ISO Mifare Plus X 2K Card, Mifare Plus X 2K Proximity Contactless Cards

Security level 0:
Security level 0 is the initial delivery configuration of the PICC. The card can be operated either using the backwards compatibility protocol or the ISO/IEC 14443-4 protocol.

In this level, the card can be personalized including the programming of user data as well as CRYPTO1 and/or AES keys. In addition, the originality function can be used.

The following mandatory AES keys must be written using the Write Perso command before the PICC can be switched to security level 1 or security level 3 (for L3 card):
-Card Configuration Key.
-Card Master Key.
-Level 2 Switch Key (for L1 card).
-Level 3 Switch Key (for L1 card).

Security level switching is performed using the Commit Perso command.

Using the originality function, it is possible to verify that the chip is a genuine NXP Semiconductors MIFARE Plus.

Security level 1:
Security level 1 offers the same functionality as a MIFARE Classic 1K and MIFARE Classic 4K using the backwards compatibility protocol.

Furthermore, an optional AES authentication is available in this level without affecting the MIFARE Classic 1K and MIFARE Classic 4K functionality. The authenticity of the card can be proven using strong cryptographic means with this additional functionality.

The timings may differ from the MIFARE Classic 1K and MIFARE Classic 4K products.

Using the originality function, it is possible to verify that the chip is a genuine NXP Semiconductors MIFARE Plus.

Security level 2:
Security level 2 also offers the functionality of a MIFARE Classic 1K and MIFARE Classic 4K using the backwards compatibility protocol. The significant difference compared to security level 1 is that an AES authentication is mandatory and that the CRYPTO1 keys are derived for each session using the results from the AES authentication, rather than being constant for a specific sector.

The timings may differ from the MIFARE Classic 1K and MIFARE Classic 4K products.

In security level 2, the following keys are assigned to each sector:
-Two AES keys (key A and key B); these keys are also used in security level 3.
-Two CRYPTO1 keys (key A and key B); these keys are also used in security level 1.

The access conditions are set in the sector trailer as in MIFARE Classic 1K and MIFARE Classic 4K.

Using the originality function, it is possible to verify that the chip is a genuine NXP Semiconductors MIFARE Plus.

Security level 3:
The operation in security level 3 is solely based on the ISO/IEC 14443-4 protocol layer. The usage of the backwards compatibility protocol is not possible.

In security level 3, a mandatory AES authentication between PICC and reader is conducted, where two keys are generated as a function of the random numbers from the PICC and the reader as well as of the shared key.

These two session keys are used to secure the data which is exchanged on the interface between the card and reader. One of the two keys is used to ensure the confidentiality of the command and the response while the other key ensures the integrity of the command and the response.

The reader can decide which security needs to be used in the communication between PICC and reader. In the simplest case, all commands are secured by a MAC, such that the PICC will only accept commands from the authenticated reader. Any message tampering is detected by verifying the MAC. A MAC is appended to all responses to prove to the reader that neither the command nor the response has been compromised.

If performance is the highest priority, the card can be configured to omit the MAC for read commands. The card then accepts read commands without knowing whether they are authentic. However, there is a mechanism to prove to the reader that the read response results from the unmodified read command that it sent.

Other commands, like write commands, always need to have a MAC appended to ensure that no memory changes are carried out without proving the authenticity of the command.

The reader can decide for each command whether a MAC is included in the response. Because the MACs are linked, receiving the appropriate MAC tells the reader that the command and the commands before it were properly executed.

All commands between two consecutive First Authenticate commands belong to one transaction and the MACing mechanism assures integrity of the whole transaction.

If the MAC on read responses is omitted, the integrity of all read responses within one session can still be verified by including a MAC on one read response before issuing the next First or Following Authenticate command.
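The linked-MAC idea described above, as an added sketch that is not NXP's code or wire format: several reads go out without a MAC, and a single MAC on the last response lets the reader detect a modified command or response anywhere earlier in the chain. HMAC-SHA256 stands in for the card's AES-based primitives; the command encoding, tag length, key and block contents are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

MAC_LEN = 8  # tag length picked for this sketch, not taken from the page


def derive_session_keys(shared_key, rnd_picc, rnd_reader):
    """Two session keys from both random numbers and the shared key.
    HMAC-SHA256 is a stand-in; the card's AES-based derivation is not shown."""
    seed = rnd_picc + rnd_reader
    k_enc = hmac.new(shared_key, b"ENC" + seed, hashlib.sha256).digest()[:16]
    k_mac = hmac.new(shared_key, b"MAC" + seed, hashlib.sha256).digest()[:16]
    return k_enc, k_mac


class LinkedMac:
    """Running MAC: every tag covers the new message and all earlier ones."""

    def __init__(self, k_mac):
        self.k_mac = k_mac
        self.state = bytes(32)

    def absorb(self, message):
        self.state = hmac.new(self.k_mac, self.state + message,
                              hashlib.sha256).digest()
        return self.state[:MAC_LEN]


def read_transaction(tamper_cmd=None, tamper_resp=None):
    """Four reads; only the last response carries a MAC.
    Returns True if the reader accepts that final MAC."""
    shared_key = bytes(range(16))                 # constructed sample key
    _, k_mac = derive_session_keys(shared_key, os.urandom(16), os.urandom(16))
    card, reader = LinkedMac(k_mac), LinkedMac(k_mac)
    memory = {n: bytes([n]) * 16 for n in range(4, 8)}   # constructed blocks
    for n in range(4, 8):
        sent_cmd = b"READ" + bytes([n])           # hypothetical command encoding
        reader.absorb(sent_cmd)                   # reader records what it sent
        seen_cmd = b"READ" + bytes([n + 1]) if n == tamper_cmd else sent_cmd
        card.absorb(seen_cmd)                     # card accepts the read as received
        data = memory.get(seen_cmd[4], bytes(16))
        card_tag = card.absorb(data)              # card chains what it answered
        on_wire = bytes([data[0] ^ 1]) + data[1:] if n == tamper_resp else data
        reader_tag = reader.absorb(on_wire)       # reader chains what it received
    # The single transmitted MAC vouches for every command and response before it
    return hmac.compare_digest(card_tag, reader_tag)
```
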

If performance matters more than confidentiality of the transaction, each data block in a sector can be configured to allow or disallow sending/receiving plain data.