A website dedicated to contactless payment systems

After the infamous Mifare hack, there’s been a lot of talk on Mifare Classic chips. Some governments even issued laws for banning Mifare Classic in the future for using some specific purposes.

So what did NXP do? Actually NXP was already aware of the upcoming issues and was working on next generation of Mifare. There has been two outputs of this study, as fas as I know. One of them is Mifare Plus and the other is Mifare EV1, which is to be announced soon.

What is Mifare Plus and how does it overcome the security issue? More importantly, how does it help to migrate the current installation of devices working with Mifare Classic only? I think NXP did a great job to respond to the security and migration questions with Mifare Plus.

Mifare Plus is actually the update of Crypto1 to AES while the memory organization of the chip remaining the same. Mifare Plus comes with 4 security levels, each of them having a different authentication levels.

• Level 0 is the personalization level.
• Level 1 is Mifare Classic level, where the chip acts exactly as Mifare Classic. This level helps start issuing more secure cards while the reader infrastructure is still the same.
• Level 2 is only valid for Mifare Plus X cards, I will come to that later.
• And Level 3 is where good old Crypto1 ends its journey and AES is being used for authentication.

There are 2 types of Mifare Plus chips; S and X. With Mifare Plus S, you can only utilize the AES alghoritm and MAC’ing while X comes with much more features like encryption of exchanged data and proximity check. X is an export controlled product. With Mifare Plus X, there is the option of using both Crypto1 and AES at the Security Level 2.

Another big update of Mifare Plus is the 7 bytes unique id. Since the 4 byte unique ids are almost at the end of its limit, Mifare Plus chips has 7 bytes unique ids. Mifare Plus also has a very important implementation; now you can read and write multiple blocks instead of one at a time. This will dramatically improve the trransaction speed, if implemented correctly. The last of the updates is that Mifare Plus supports random uid, which responds to again some security issues.

I think that Mifare Plus is a very solid product for migrating from Mifare Classic to a more secure platform with minimal infrastructure updates. If you need more features that this you can go for Mifare DesFire which provides much more flexibility in terms of file integrity and flexibility.

Gemalto announced that Gemalto joined the Open Handset Alliance. I  find this a very good news for the NFC world.

Android platform was an initiative by the Open Handset Alliance. Almost all of the researches point out that Android will be one of the most popular mobile operating systems of (very near) future. Android runs not only on mobile phones but a range of mobile devices varying from netbooks to internet tablets. I believe Android will penetrate into more devices like running on  embedded systems.

So what does Gemalto’s joining to Open Handset Alliance mean in terms of contactless systems? First of all, Gemalto is the first and only company on secure payment and identification technology in the alliance. Gemalto is clearly the biggest company that has the expertise on the application level security for payment/identification chips, which I believe will boost the NFC implementation on Android OS. Gemalto has all the necessary know how and sources for developing a generic NFC API for Android which will encourage handset manufacturers for more handsets supporting NFC. On the application level, this will lead the huge Android developer community to implement many NFC applications – and not only payment.

Since it’s now widely believed that next generation iPhone will have some kind of contactless interface, now almost all major mobile platforms (Symbian- of course, iPhone and now Android) will have native support for NFC.