System level security measures for MIFARE installations

Security recommendations on designing contactless card systems so that they are more resilient against attacks and so that the impact of attacks, if they were to succeed, is limited.

Key diversification
The principle of key diversification is that no two cards will hold the same key or keyset. Every card has a UID and this UID can be used to determine the key / keyset to be used.
Except for the smallest systems, it is impractical for the terminal to hold a list of all the keys / keysets of all cards. Hence the key / keysets must be calculated from the UID. This is normally done by a process as illustrated in Fig 1.

Fig 1. Principle of key diversification

The terminal holds a Master Key. The UID and other information are concatenated and encrypted, and the result is the diversified key. There are various cryptographic ways to do the key diversification operation. See [2] for the ways that the MIFARE SAM (Secure Application Module) performs key diversification. Even if your system does not deploy SAMs at the moment, it can be beneficial to use the same algorithm as the SAMs do, since this algorithm has been cryptographically verified, and it allows introducing SAMs later without having to change the keys on the card.
If each card holds a keyset (consisting of multiple keys for multiple purposes), the process in Fig 1 is carried out for each of those keys in the keyset (except e.g. a key to retrieve the UID, see section 5.4).
The resulting key / keyset is written on the cards during the personalization step, after the personalization station has read out the UID of the card.
The terminal first reads the UID and then calculates the diversified key / keyset it needs for the operation. Then this key / keyset is used to set up the secure communication to the card.
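The flow of Fig 1 and the personalization and terminal steps above, as an added example that is not part of the original document. HMAC-SHA-256 stands in for the encryption step and is not the SAM algorithm of [2]; KEY_LEN, PURPOSES, the system identifier and the toy challenge-response check are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # assumption: key size in bytes; use what your card type requires
PURPOSES = ("read", "write", "topup")  # hypothetical keyset layout

def diversify(master_key: bytes, uid: bytes, purpose: str, system_id: bytes = b"DEMO") -> bytes:
    """Derive one card key from the master key, the UID and other information."""
    fields = (uid, purpose.encode(), system_id)
    # Length-prefix each field so two different inputs never serialise alike.
    msg = b"".join(len(f).to_bytes(1, "big") + f for f in fields)
    # HMAC-SHA-256 stands in for the encryption step of Fig 1.
    return hmac.new(master_key, msg, hashlib.sha256).digest()[:KEY_LEN]

class Card:
    """Constructed stand-in for a card: a UID plus the keys written to it."""
    def __init__(self, uid: bytes):
        self.uid, self.keys = uid, {}

    def respond(self, purpose: str, challenge: bytes) -> bytes:
        # Toy proof of key possession, not a MIFARE authentication protocol.
        return hmac.new(self.keys[purpose], challenge, hashlib.sha256).digest()

def personalize(card: Card, master_key: bytes) -> None:
    """Personalization station: read the UID, then write the diversified keyset."""
    card.keys = {p: diversify(master_key, card.uid, p) for p in PURPOSES}

def terminal_accepts(card: Card, master_key: bytes, purpose: str) -> bool:
    """Terminal: read the UID first, derive the key, then check the card knows it."""
    key = diversify(master_key, card.uid, purpose)
    challenge = os.urandom(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(purpose, challenge))

def demo() -> dict:
    master = bytes(range(32))  # constructed master key, for the demo only
    a, b = Card(bytes.fromhex("04a1b2c3d4e5f6")), Card(bytes.fromhex("04a1b2c3d4e5f7"))
    for card in (a, b):
        personalize(card, master)
    # Card A's keyset presented under card B's UID: the terminal derives B's key.
    other = Card(b.uid)
    other.keys = dict(a.keys)
    return {
        "genuine": terminal_accepts(a, master, "write"),
        "distinct_keys": a.keys["write"] != b.keys["write"],
        "keys_under_other_uid": terminal_accepts(other, master, "write"),
    }
```

Because the terminal derives the key from the UID it has just read, a keyset taken from one card is only valid together with that card's UID.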

Fraud detection
There are many ways of fraud detection which we cannot discuss here in any detail. In general it will come down to bringing together all transaction logs from all terminals and then detecting anomalies. Examples include: cards which suddenly get a higher balance without having been recharged with a value, cards which are used at two places within a time that does not allow for physical transportation of the cards between those places. Various system integrators have developed a variety of sophisticated algorithms for this.
Alternatively, when fraud becomes massive it will become known: many people are then involved, and it is unlikely that no information will leak out.
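The two anomalies named above, checked over a merged transaction log, as an added example that is not part of the original document. The log layout, the UIDs, the station names and the minimum travel times are constructed for the illustration; balances are in cents.

```python
from collections import defaultdict

# Assumed minimum travel time in minutes between stations (constructed values).
MIN_TRAVEL = {
    frozenset(("central", "airport")): 35,
    frozenset(("central", "harbour")): 10,
    frozenset(("airport", "harbour")): 40,
}

# Constructed log merged from all terminals:
# (minute of day, uid, station, balance read before, balance written after)
LOG = [
    (600, "04A1", "central", 2000, 1750),
    (660, "04A1", "harbour", 1750, 1500),
    (605, "04B2", "central", 1000, 750),
    (700, "04B2", "central", 5000, 4750),  # balance grew, no recharge in the log
    (610, "04C3", "central", 3000, 2750),
    (620, "04C3", "airport", 2750, 2500),  # 10 min after central, 35 needed
    (615, "04D4", "harbour", 500, 2500),   # recharge at a terminal, logged as such
    (640, "04D4", "central", 2500, 2250),
]

def detect(log):
    """Return sorted (uid, minute, reason) alerts for the merged log."""
    by_card = defaultdict(list)
    for rec in log:
        by_card[rec[1]].append(rec)
    alerts = []
    for uid, recs in by_card.items():
        recs.sort()  # terminals report out of order; sort per card by time
        for prev, cur in zip(recs, recs[1:]):
            t0, _, st0, _, after0 = prev
            t1, _, st1, before1, _ = cur
            # The card shows more value than the last terminal left on it.
            if before1 > after0:
                alerts.append((uid, t1, "balance_without_recharge"))
            # Same card at two stations faster than it could be carried there.
            need = 0 if st0 == st1 else MIN_TRAVEL.get(frozenset((st0, st1)), 0)
            if t1 - t0 < need:
                alerts.append((uid, t1, "impossible_travel"))
    return sorted(alerts)
```

The UIDs returned by detect() are the ones that would be pushed to the terminals' blacklist.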

When blacklists or whitelists are used, the terminals are designed to hold a list with either all UIDs that are authorized for the system (in case of whitelisting) or all UIDs which have to be blocked (in case of blacklisting) or a combination of both.
The system of whitelisting is more restrictive. However, it is only usable in small systems. In larger systems, e.g. in an AFC system with millions of cards, a whitelisting system would lead to an amount of data that terminals cannot handle.
The blacklists or whitelists must be updated after fraud has been detected. Terminals which are online can receive this information immediately after detection. Terminals which are normally offline must be put online at some time (e.g. terminals in buses get updated when the bus gets into the garage). Alternatively, blacklists and whitelists can be distributed via other media, e.g. in a hotel the updates for the lists can be coded on the guest cards and be taken over by the terminal in the door when the guest presents the card.
A blacklist or whitelist system can be complemented with an “alarmlist”. This list will have UIDs which should trigger an alarm. Not only will the terminal potentially block the operation, but it will also give an alarm, e.g. to a guard who can arrest the fraudster.

MAC over content and UID
A MAC is short for Message Authentication Code. It is a cryptographic calculation over, in this case, the data on the card that is to be protected concatenated with the UID of the card. This MAC is calculated by the terminal and the result is written onto the card.
When a card is presented to a terminal, the terminal reads all the relevant data as well as the UID and the MAC. It will first calculate a MAC over the relevant data and the UID and compare the result with the MAC that was read from the card. If they do not match, the terminal will block the operation and could trigger an alarm if so desired.
The key which is used for the MAC calculation can also be a diversified key. This does no harm, but it is less important than it is for the keys on the card. Even if an attacker were able to obtain all data and the MAC, a good MAC algorithm has the property that it is impossible to derive the key from those pieces of data. If a diversified key is used, then the point of attack in the terminal will not be the diversified key used for the MAC but the master key from which the diversified key is calculated. Once that is obtained, the attacker can calculate all required diversified keys himself.
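The write and check steps described above, as an added example that is not part of the original document. HMAC-SHA-256 is used as the MAC here because the text does not name an algorithm; MAC_LEN, the record layout, the single system-wide MAC key and the alarm callback are assumptions made for the illustration.

```python
import hashlib
import hmac

MAC_LEN = 8  # assumption: number of MAC bytes the card layout has room for

def card_mac(mac_key: bytes, uid: bytes, data: bytes) -> bytes:
    """MAC over the protected data concatenated with the UID."""
    # Prefix the data length so the data/UID boundary cannot be shifted.
    msg = len(data).to_bytes(2, "big") + data + uid
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:MAC_LEN]

def write_record(mac_key: bytes, uid: bytes, data: bytes) -> dict:
    """Terminal writes data and MAC to the card (the card is modelled as a dict)."""
    return {"uid": uid, "data": data, "mac": card_mac(mac_key, uid, data)}

def check_card(mac_key: bytes, card: dict, alarm=None) -> str:
    """Terminal recomputes the MAC from what it read and compares in constant time."""
    expected = card_mac(mac_key, card["uid"], card["data"])
    if hmac.compare_digest(expected, card["mac"]):
        return "accept"
    if alarm is not None:
        alarm(card["uid"])  # optional alarm, as the text allows
    return "block"

def demo() -> dict:
    key = bytes(range(32))                    # constructed MAC key
    uid_a = bytes.fromhex("04a1b2c3d4e5f6")   # constructed UIDs
    uid_b = bytes.fromhex("04a1b2c3d4e5f7")
    genuine = write_record(key, uid_a, b"balance=0750;expiry=2030-12")
    # Data and MAC copied byte for byte onto a card with a different UID.
    copied = dict(genuine, uid=uid_b)
    # Data changed on the same card while the stored MAC stays as it was.
    edited = dict(genuine, data=b"balance=9999;expiry=2030-12")
    alarms = []
    return {
        "genuine": check_card(key, genuine, alarms.append),
        "copied_to_other_uid": check_card(key, copied, alarms.append),
        "edited_data": check_card(key, edited, alarms.append),
        "alarms": alarms,
    }
```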