SmartMX2 — unleash secure multi-applications without compromise
-IntegralSecurity™ architecture for attack protection & CC EAL6+
-High-performance CPU with enhanced 8/32-bit instruction set
-Power-efficient, high-speed crypto coprocessors (RSA/ECC, DES/AES)
-Optimized ISO/IEC 14443 interface also enables small antenna dimensions
-Easy transport convergence with MIFARE DESFire™ EV1, MIFARE Plus™, and MIFARE™ Classic

Strength of the Cryptographic Algorithm: The Mifare Crypto-1 algorithm is proprietary and has not been published. However the work undertaken by Karsten Nohl (University of Virginia), Starbug and Henryk Plötz in so far as they have released their results is very informative giving the block diagram below reproduced from their presentation.

Smart Card & Identity
In addition to this drawing they have also released further information about the RNG which is a 16 bit LFSR with characteristic polynomial, X16 + X14 + X13 + X11 + 1 The RNG is seeded by the time delay between power on and the reception of message data from the contactless card reader. As they point out this is rather easy to control but they also noticed by intercepting messages between the card and reader that there were already repeats of the random number used as part of the authentication protocol and which is also input to the main 48 bit LFSR. This main LFSR has 16 feedback taps defined by its characteristic polynomial and apparently 20 taps are used for the key stream output function. sequence (e.g. High order X48, has an even number of taps, etc) which reduces the possibilities.> In subsequent discussion the authors have also commented that the exclusive OR input with the secret key and tag ID is not quite as simple as shown in the slide. When a cryptographic algorithm is widely available one suspects it is only a matter of time before it gets into the public domain either due to a malevolent employee or by a reverse engineering attack on the chip. This has happened in many other cases such as in the GSM world and the DVD protection algorithm. Public attacks on the Internet swiftly followed. It is believed that counterfeit Mifare chips are already available from China, the companies concerned would need to have reverse engineered the chip in order to produce such copies.

Key Exhaustion Attack: The design of cryptographic algorithms is normally based on the assumption that knowledge of the algorithm is assumed. In other words the algorithm itself is adequately strong and that the security depends on obtaining the secret cryptographic keys. Assuming there is no flaw in the algorithm or its implementation then the security of the scheme falls down to key exhaustion. Key exhaustion would require an emulation of the algorithm where all the keys in the key space are tested one by one using matching plain text and cipher text. Alternatively the keys in the key space can be tested one by one against a valid implementation of the algorithm (e.g. an authentic card). The first condition requires the algorithm to be known as per the above comments and for the key space to be practically realisable. The Mifare algorithm uses a 48 bit key, this gives a total key space of 2^48 or approximately 3 with fourteen noughts. With today’s processing power this would not be deemed adequate by experts in the field. The single DES algorithm with its 56 bit key has long since been dismissed (it has been practically exhausted in 10 hours) in favour of triple DES with an effective key length of 112 bits (in practice it can be attacked with slightly less effort but still insurmountable). Today anything much less than a 96 bit key would not be deemed secure against such an exhaustion attack. An alternative approach would be to take a valid card and literally try each key in turn from the key space. This would require a card select followed by a login process. Just assuming this could be done in say 10 mS then an attack would take, 2^48 X 10 mS = 89194 years. This attack is clearly not viable.

Access

State-of-the-art access management
-Uses Common Criteria certified versions of MIFARE DESFire EV1, MIFARE Plus, and SmartMX
-Easy to design-in, with NXP reader ICs, dedicated SAMs, and reference designs
-Proven in high-profile installations
-Recommended by SRLabs and BSI
-Ready for multi-applications, including micro payment and logical access