

Mifare emulation

Mifare is definitely the most used contactless chip in the world. I’ve already covered the main Mifare topics in my previous posts. You can find it everywhere; it has been used billions of times, hacked and cloned, and it is still the most popular chip in the world.

When a product is this popular in its class, running it on different platforms becomes a must. That is what NXP did years ago. Now almost all dual interface chips, including SIM cards, have the option of running mifare as an emulation.

What is mifare emulation? Mifare emulation is actually an application running on the chip operating system. It emulates the mifare classic operating system by providing the exact same hardware and software functionality. Once it has been installed, it responds exactly like a native mifare chip to the readers transmitting mifare commands. Dual interface chips have the contact interface and mifare emulation automatically utilizes this interface. This brings the ability to personalize the mifare emulation applet over the contact interface, which is simply impossible on a native mifare chip.

It is of course very useful to have the mifare functionality on other platforms, but it has some drawbacks as well:

  • First, it has the exact same security problem as native mifare. But this is something you must have considered while using mifare classic, so it can be skipped.
  • The mifare emulation applet is generally slower than a native mifare chip when responding to mifare commands. You need to consider this if you must use native mifare chips and mifare emulation at the same time.
  • You may have to re-configure the readers if they are set to work only with native mifare classic chips.

Another tip: some vendors’ implementations do not allow reading the Mifare UID over the contact interface. This is a great barrier for personalization, where you will need the UID for key diversification.
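Why personalization needs the UID, as an added example that is not from the original post or from any vendor: each card's sector keys are derived from a master key and the card UID, so no UID means no keys, and repeated UIDs mean shared keys. The HMAC-SHA256 construction, the function names and the master key and UID values are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 6    # a MIFARE Classic sector key is 48 bits
SECTORS = 16

# Constructed sample values, not taken from any real system.
MASTER_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
BATCH = [bytes.fromhex(u) for u in
         ("04A1B2C3", "04A1B2C4", "04112233445566", "04A1B2C3")]


def diversify_key(master_key, uid, sector, key_type):
    """Derive one per-card, per-sector key from a master key and the card UID.

    HMAC-SHA256 truncated to 48 bits is an assumption made for this example;
    it is not NXP's or any vendor's diversification scheme.
    """
    if len(uid) not in (4, 7):
        raise ValueError("UID must be 4 or 7 bytes")
    if key_type not in ("A", "B"):
        raise ValueError("key_type must be 'A' or 'B'")
    if not 0 <= sector < SECTORS:
        raise ValueError("sector out of range")
    # Length-prefix the UID so a 4-byte and a 7-byte UID can never alias.
    message = bytes([len(uid)]) + uid + bytes([sector]) + key_type.encode()
    return hmac.new(master_key, message, hashlib.sha256).digest()[:KEY_LEN]


def card_keys(master_key, uid):
    """All 32 keys (A and B for each of the 16 sectors) for one card."""
    if uid is None:
        # The barrier described above: the applet does not expose the UID
        # over the contact interface, so the keys cannot be derived.
        raise LookupError("UID unavailable over the contact interface")
    return {(sector, key_type): diversify_key(master_key, uid, sector, key_type)
            for sector in range(SECTORS) for key_type in "AB"}


def colliding_uids(uids):
    """UIDs that occur more than once in a batch; those cards share every key."""
    seen, dupes = set(), set()
    for uid in uids:
        (dupes if uid in seen else seen).add(uid)
    return sorted(dupes)


if __name__ == "__main__":
    keys = card_keys(MASTER_KEY, BATCH[0])
    print("sector 0 key A:", keys[(0, "A")].hex())
    print("UIDs sharing keys:", [u.hex() for u in colliding_uids(BATCH)])
```

A batch check like `colliding_uids` matters once non-unique 4-byte UIDs are in circulation, because a key derived only from the UID is then no longer unique per card.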

Mifare emulation applets provide an API for accessing the mifare blocks over the contact interface during run time. This way, you get the chance to update the data stored in the mifare blocks during another contact transaction.

DesFire has also been implemented as an emulation, and Mifare Plus has been announced as the next one, to be released in 2011/2012.

NXP and Gemalto sign licensing agreement for adding Mifare to UICC

Today, Gemalto announced that Gemalto and NXP signed a licensing agreement for adding Mifare to Gemalto’s SIM products.

Gemalto is clearly the global market leader in providing banking smart cards. What else? Gemalto also has an OTA platform for mobile network operators. Gemalto is a member of the Open Handset Alliance, the organization behind Android, which officially announced NFC support a very short time ago. They even acquired the Mifare4Mobile team from NXP two years ago. Well, putting it all together, we can say that they have “the whole package” for an NFC ecosystem.

Without a doubt, transport ticketing is the killer application for NFC, and Mifare is the strongest player for hosting transport ticketing applications. All the mifare classic hacks couldn’t change this. NXP announced that 4 byte UIDs have reached the end and that they will start using non-unique 4 byte UIDs or 7 byte UIDs for Mifare Classic.

So adding a mifare emulation applet on top of Gemalto’s current product range means only one thing; mifare based ticketing systems have a clear path for an NFC project. Gemalto can provide an end-to-end solution for transport operators, regulatory authorities, or even to banks for running a mifare based application via mobile phones.

Again; the only missing part is still the lack of handsets with NFC support!

Mifare Plus, a migration chip to more secure times

After the infamous Mifare hack, there’s been a lot of talk about Mifare Classic chips. Some governments even issued laws banning the future use of Mifare Classic for some specific purposes.

So what did NXP do? Actually NXP was already aware of the upcoming issues and was working on the next generation of Mifare. There have been two outputs of this study, as far as I know. One of them is Mifare Plus and the other is Mifare EV1, which is to be announced soon.

What is Mifare Plus and how does it overcome the security issue? More importantly, how does it help to migrate the current installation of devices working with Mifare Classic only? I think NXP did a great job to respond to the security and migration questions with Mifare Plus.

Mifare Plus is essentially an update from Crypto1 to AES, while the memory organization of the chip remains the same. Mifare Plus comes with 4 security levels, each with a different authentication level.

  • Level 0 is the personalization level.
  • Level 1 is Mifare Classic level, where the chip acts exactly as Mifare Classic. This level helps start issuing more secure cards while the reader infrastructure is still the same.
  • Level 2 is only valid for Mifare Plus X cards; I will come to that later.
  • And Level 3 is where good old Crypto1 ends its journey and AES is used for authentication.

There are 2 types of Mifare Plus chips: S and X. With Mifare Plus S, you can only utilize the AES algorithm and MAC’ing, while X comes with many more features, like encryption of exchanged data and proximity check. X is an export controlled product. With Mifare Plus X, there is the option of using both Crypto1 and AES at Security Level 2.

Another big update in Mifare Plus is the 7 byte unique id. Since the 4 byte unique ids are almost at the end of their range, Mifare Plus chips have 7 byte unique ids. Mifare Plus also has a very important improvement: you can now read and write multiple blocks instead of one at a time. This will dramatically improve the transaction speed, if implemented correctly. The last of the updates is that Mifare Plus supports random uid, which again addresses some security issues.

I think that Mifare Plus is a very solid product for migrating from Mifare Classic to a more secure platform with minimal infrastructure updates. If you need more features than this, you can go for Mifare DesFire, which provides much more in terms of file integrity and flexibility.

my-d move from Infineon against NXP’s Mifare Ultralight

Contactless chips for limited use have been popular in public transportation for some years. NXP, just like in the mifare case, has been leading this market with mifare ultralight. Ultralight chips have limited memory and no crypto support, but have an OTP (one time programmable) memory area, which is perfect for enforcing the limited use of the ticket. Later on NXP developed a next generation of Ultralight, called Ultralight C. Ultralight C supports 3DES on top of what its elder brother Ultralight offers. Good.

Of course, Ultralight is not the only product in the market. Infineon, one of the strongest players among semiconductor manufacturers, has a great competitor to NXP’s Ultralight family called my-d move. my-d move is a member of Infineon’s my-d family; it has 128 bytes of memory for the application and supports a 32 bit password for authentication. It also supports a password re-try counter against brute force attacks. Unlike Ultralight C, my-d move does not have any keys stored in the chip, but has a secure code which is written when the chip is issued. The secure code is authenticated along with the password when the chip is used.

One great feature of my-d move is, just like Mifare Ultralight, the support for NFC Type 2 Tag Operations. This practically means that my-d move can interact with NFC devices like handsets or other contactless readers. This opens a whole new world for these products. Infineon positions the product as limited use media, like a single trip ticket for transportation or event ticketing. Imagine tickets for a rock music event being formatted by a cell phone via an over-the-air service. my-d move and Ultralight open a gate for enabling projects like this. You can create the ticket with a mobile phone and then send the ticket data to a central host over the GPRS/3G connection of the mobile handset. You can also validate/invalidate tickets via NFC handsets. Great opportunity. One great addition to this would be using the ticket to buy a drink inside the event. Or think of polls displayed on kiosks with contactless readers, with people voting and identifying themselves with the contactless ticket.

Basically, my point is that these chips are great for any type of ticketing, not only for limited use in transportation.

Mifare classic the legend

It’s quite common nowadays to talk about security leaks of mifare classic chips. It’s easy to “hack” the chip, clone it, read the contents of it without knowing the keys, and so on; the list goes on like this. Even the license holder NXP is recommending migration to mifare plus. Well, not good for any product!

These words definitely don’t sound good; however, there’s the fact that a huge number of mifare chips (more than one billion, according to unofficial sources of mine) are already being used in systems, mainly for transportation and access control. Many of these applications do not require anything more than reading a unique id. When it’s transportation or e-purse, it’s authenticating a few sectors and updating the purse balance.

Mifare was developed by an Austrian company called Mikron. It was specifically designed for transportation and the name was chosen accordingly: Mikron Fare Collection, which became Mi-Fare. The chip was very fast and provided a good level of security for the access control and transport ticketing environment. The memory structure is not flexible enough for today’s complex mechanisms but back then, I think it was more than enough.

Basically, mifare operating system has 16 sectors of secure memory protected by two 48 bit keys stored in the chip. Each sector has 4 blocks for storing data. Each block has 16 bytes of data storage. Each sector has one block reserved for keys and access conditions. Although not recommended, you can even use the keys as data storage.
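The layout above as an added example, not code from the original post: it maps sectors to their key block, decodes the access conditions and audits a card personalization image. The trailer byte layout (Key A, three access bytes, one user byte, Key B), the complement check and the FFFFFFFFFFFF transport key come from the public MIFARE Classic datasheet rather than the post, and the sample image is constructed.

```python
# 16 sectors x 4 blocks x 16 bytes; the last block of each sector is the trailer.
SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")  # factory transport key


def trailer_block(sector):
    """Absolute block number holding the sector's keys and access conditions."""
    if not 0 <= sector < SECTORS:
        raise ValueError("sector out of range")
    return sector * BLOCKS_PER_SECTOR + BLOCKS_PER_SECTOR - 1


def usable_bytes():
    """Data capacity: all blocks minus 16 trailers and the manufacturer block 0."""
    return (SECTORS * BLOCKS_PER_SECTOR - SECTORS - 1) * BLOCK_SIZE


def decode_access_bits(b6, b7, b8):
    """Return (C1, C2, C3) for blocks 0..3; each nibble is stored with its complement."""
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    c1_inv, c2_inv, c3_inv = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    if (c1 ^ c1_inv, c2 ^ c2_inv, c3 ^ c3_inv) != (0x0F, 0x0F, 0x0F):
        raise ValueError("access bits fail the complement check")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def parse_trailer(block):
    """Split a 16-byte trailer into Key A, access conditions and Key B."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("a block is exactly 16 bytes")
    return {"key_a": block[0:6], "access": decode_access_bits(*block[6:9]),
            "user_byte": block[9], "key_b": block[10:16]}


def audit_image(image):
    """Flag sectors of a personalization image with default keys or bad access bits."""
    if len(image) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("expected a 1024-byte image")
    findings = []
    for sector in range(SECTORS):
        off = trailer_block(sector) * BLOCK_SIZE
        try:
            trailer = parse_trailer(image[off:off + BLOCK_SIZE])
        except ValueError as exc:
            findings.append((sector, str(exc)))
            continue
        for name in ("key_a", "key_b"):
            if trailer[name] == DEFAULT_KEY:
                findings.append((sector, f"{name} is the factory default"))
    return findings


def build_sample_image():
    """Constructed image: sector 2 keeps a default key, sector 5 has corrupt access bits."""
    good = bytes.fromhex("A1A2A3A4A5A6" "FF078069" "B1B2B3B4B5B6")
    image = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE)
    for sector in range(SECTORS):
        off = trailer_block(sector) * BLOCK_SIZE
        image[off:off + BLOCK_SIZE] = good
    off2, off5 = trailer_block(2) * BLOCK_SIZE, trailer_block(5) * BLOCK_SIZE
    image[off2:off2 + 6] = DEFAULT_KEY
    image[off5 + 6] = 0x00  # breaks the inverted-nibble redundancy
    return bytes(image)
```

Running `audit_image(build_sample_image())` reports sector 2 for its default Key A and sector 5 for the broken access bytes.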

I think the strength of mifare platform comes mainly from off-the-shelf readers and components widely available on the market. Today, designing a mifare application, developing it on readers and formatting the cards is quite a standardized process. You can find virtually unlimited number of products and companies providing mifare based application and systems. The “security” rules are also very well defined and documented.

Well, there have been many projects where it was planned to phase mifare out, or where mifare was specifically blacklisted as a prerequisite. However, I strongly believe that mifare is quite a successful product and that it has done a very good job for deploying contactless systems. If mifare did not exist, I think contactless systems would not be as popular as they are today. Of course there are very strong competitors of mifare such as Legic, Calypso and Felica, but mifare is the most popular one among all. I will try to cover the competitors of mifare, which are all stronger than mifare in terms of security, but not as widely deployed worldwide as mifare. This is actually the point that I’d like to make with this post.


OSPT Alliance

For many years, Mifare has been the king of public transportation as the ticketing platform. As I have already mentioned a few times, Mifare has been insanely successful, yet it has been proven to be no longer secure. However, it still works for many transit operators, and NXP made its move to secure it with more products.

Competition against Mifare has come mainly from Calypso and Felica, and now there’s yet another player in the game.

To compete with Mifare, Giesecke & Devrient, Infineon, Inside Secure and Oberthur formed the Open Standard for Public Transport (OSPT) Alliance. What OSPT is providing is basically a standards based, cost effective and secure chip platform called CIPURSE for contactless ticketing. Mifare is proprietary; you need to license it from NXP. OSPT suggests that being open and standards based is more secure and cost effective. Unlike Mifare’s cracked proprietary security algorithm, the security layer of the OSPT is AES 128 bit, which is the ultimate security you can get for now.

OSPT has been around for some time and now the SDK has been released. That means ticketing implementations can now officially be started on a new platform. Of course it is not an easy job to start a new platform from scratch, but the companies in the alliance already have many customers and connections in the ticketing space, and I am sure we will soon hear an announcement involving CIPURSE.

Mobile phone reading data from a watch!

Due to an NFC project I am currently involved in, I have an iCarte dongle from WDI. Luckily, I also happen to have a Mifare watch from LAKS from a previous project.

I was browsing the AppStore and found this great app, iCarte Reader, with which you can read and write mifare chips on an iPhone with an iCarte dongle. Since I already have a cool mifare gadget, my LAKS watch, I began to impress my friends by using my iPhone to read and write data to my watch!

This is a true contactless showcase for me; my phone and watch exchanging data over the contactless interface. How cool is that!

Turkey’s first mobile payment application from Garanti Bank & Avea

Garanti Bank and Avea announced the mobile payment application at Cartes 2010 and now it is commercially available in Turkey. It is basically an antenna attached to the SIM card on which the PayPass application resides.

The SIM card used is Gemalto’s N-Flex product. Garanti Bank provides the payment application(s) (there is more than one; the default one is a pre-paid application), while Avea is the mobile network operator. The SIM comes with a MasterCard pre-paid application, but you are free to apply for more credit cards once you have the SIM activated. The STK menu allows the user to access the applications for activating and deactivating. You can apply for a pay-as-you-go or a post paid SIM. Post paid costs 40 TL (~20 EUR) and the pre-paid one costs 20 TL (~10 EUR).

It’s a smart move from Garanti Bank, which is clearly the market leader in the contactless space in the Turkish market. The pre-installed MasterCard pre-paid application on the SIM is also a nice touch, since you do not have to go through the credit card application process. It’s sold through Avea’s distribution network, since you have to activate the SIM first. The product is also backed with a bonus balance of 25 TL (~12 EUR) and 100 minutes of air time if you apply before the new year. There is a nice video explaining the product to end users on the product’s official web site (only in Turkish).

Another product announcement at Cartes was from Bank Asya, which is almost the same service but specific to the mifare based Turkish Toll Payment system for highways.

With the add-on features and the successful start-up campaign, I personally find the product highly innovative given the current hardware and software available in the market. As a wish, I am hoping these products will build user acceptance of mobile payments and make the bridge from the antenna chip to SWP chips.

Embedded contactless reader for PCs from Sony and HID

Sony announced very good news today for the contactless world. Sony and HID Global are forming an alliance to create an embedded contactless reader for PCs. Sony, being one of the pioneers in contactless technology, will be working with HID, which acquired Omnikey (one of the best PC connected reader manufacturers), to build an embedded contactless reader.

Sony is already an influencer of contactless technology; they have their own contactless chip, Felica, and they are playing a huge role in the NFC area. Needless to say, Sony has huge opportunities for integrating NFC based chips into their home entertainment products, from PlayStation 3 to wide screen TVs and the Vaio laptop line up.

On the other hand, HID has a wide range of products in the identity and security markets. I personally admire the PC connected Omnikey readers a lot; they are very robust and have great support in terms of drivers and software.

I believe a contactless reader may eventually become a standard peripheral device for PCs, if this attempt is successfully completed. I can imagine how wide a range of applications can be developed once computers have embedded contactless readers. People can top up or check the balances/transaction history of their transportation cards at home (which is already being done in the Far East right now), process credit card transactions for shopping online or buy airtime for their NFC handsets. I have personally seen an embedded Felica reader in action with a Sony guy I had a meeting with, so this is not far off. It just needs the right actors to be involved in the picture.

All contactless readers support both ISO 14443 type A and B, so these readers will support all current contactless chips that are available, like Mifare, Calypso, Legic, etc. Of course that will bring a lot of political discussion over software and ownership of the reader IC, but for now let’s cross our fingers for Sony and HID!

Fast track at the airport : TAV Passport Card

Passing through airport gates and check in procedures always means spending a very long time at the airport. Thanks to contactless devices, that may be history.

The contactless ecosystem and airport check in services have much to offer together. The TAV Passport card is no exception in that sense. TAV is the operator of the biggest 3 airports in Turkey, and a few more in neighboring countries. They are doing an excellent job in running these airports, and they have also developed a contactless card for frequent flyers.

TAV Card is a contactless card -mifare 1k- offering:

  • a special gate for fast entrance to airport
  • business check in, regardless of your ticket type
  • free parking at the airport parking area for 30 days/year
  • airport transfers
  • fast passport control at a special gate for TAV card holders
  • discount rates at duty free
  • discount rates at the coffee shops at the airport

It’s a very well designed product for frequent flyers who need speed and convenience during the time they spend at the airport. Contactless devices meet these requirements, so it’s the correct choice to use a contactless card.

Castle POS terminals were used and credits go to Verisoft for developing the whole system.