Mifare cards presentation

Yann ROBERT
Technical expert
18-04-2011
Transcript of "Mifare cards"

  1. 1. Mifare cards presentation Yann ROBERT Technical expert 18-04-2011
  2. 2. Introduction
      - At Gemalto, Mifare products are called “Celego”: Mifare 1K => Celego Mifare 1K, Mifare 4K => Celego Mifare 4K
      - The Celego range describes generic contactless products dedicated to transport and access control
      - Mifare 1K and 4K are compliant with ISO 14443-1, -2, -3
      - Type A (ISO 14443-2)
      - Unique and permanent serial number
      - Anti-collision based on ISO 14443-3
      - Mutual authentication (ISO 9798-2)
      - Encrypted data communication
      - Security management sector per sector
  3. 3. Introduction
      Card diagram labels: ISO 7816-1 dimension; inductive power supply; proximity transaction (8 to 10 cm); antenna; E²PROM memory; PVC card body; security features; read / write; RF transmissions (encrypted)
  4. 4. Introduction: Specifications
      - ISO/IEC 14443-1: Physical characteristics
      - ISO/IEC 14443-2: Radio frequency power and signal interface
      - ISO/IEC 14443-3: Initialisation and anticollision
      - Mifare 1K: MF1S5009 - Mainstream contactless smart card - 27 July 2010 - NXP
      - Mifare 4K: MF1S7009 - Mainstream contactless smart card - 26 July 2010 - NXP
      - Mifare 1K and 4K are NOT ISO14443-4 compliant
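  5. 5. Introduction: Memory

      | Section      | Feature             | Mifare 1K                | Mifare 4K                                     |
      |--------------|---------------------|--------------------------|-----------------------------------------------|
      |              | Chip / Size         | 1 Kbytes; NXP, Infineon  | 4 Kbytes; NXP only                            |
      | RF interface | Serial number       | 4 bytes                  | 4 bytes                                       |
      | Security     | Access condition    | Yes                      | Yes                                           |
      | Security     | Memory organization | 16 sectors * 4 blocks    | 32 sectors * 4 blocks + 8 sectors * 16 blocks |
      | Security     | Authentication      | Mutual, Mifare 3 passes (both)                                           |
      | Security     | Data encryption     | Yes (both)                                                               |
      | Security     | Access keys         | 2 keys per sector (6 bytes) (both)                                       |
      | Application  | Type of data        | Data block; Value blocks: EPurse (both)                                  |
      | Application  | Back-up mechanism   | For value blocks (both)                                                  |
      | Application  | Transaction time    | < 100 ms (both)                                                          |

      Positioning diagram labels: Mifare Ultralight + SRIX512; paper ticket & thin PET card; pure contactless memory card; Mifare 1 KB; Mifare 4 K; low cost application; security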
  6. 6. Introduction
      Card construction diagram labels: bonding wires; antenna; transparent PVC; micromodule; white PVC; card body; ISO dimensions
  7. 7. Introduction
      Reader to card (Type A):
      - Data rate: 106 kbit/s
      - Modulation: 100% ASK
      - Bit coding: Modified Miller

      Card to reader (Type A):
      - Subcarrier: f0/16 = 847 kHz
      - Data rate: 106 kbit/s
      - Subcarrier modulation: OOK
      - Bit coding: Manchester
  8. 8. Mifare mappings
  9. 9. Mifare 1K Electrical Mapping
      - Diagram: sectors 0, 1, ... 15, each with blocks 0, 1, 2, 3
      - Legend: Block 0: Manufacturer information (UID, ...); Data block; Security block
      - 1 block = 16 bytes
      - 1 sector = 64 bytes
      - Mifare 1K = 16 sectors = 1024 bytes = 1 Kbytes
      - A block is the smallest addressable element
      - AC are defined for each block
  10. 10. Mifare 4K Electrical Mapping
      - Diagram: sectors 0 to 31 are 32 sectors of 4 blocks (blocks 0, 1, 2, 3); sectors 32 to 39 are 8 sectors of 16 blocks (blocks 0 .. 15)
      - Legend: Block 0: Manufacturer information (UID, ...); Data block; Security block
      - 1 block = 16 bytes
      - Sector 0 to 31 = 64 bytes for each sector
      - Sector 32 to 39 = 256 bytes for each sector
      - Mifare 4K = (32 x 64) + (8 x 256) = 2048 + 2048 = 4096 bytes = 4 Kbytes
      - A block is the smallest addressable element
      - Sector 0 to 31: AC are defined for each block
      - Sector 32 to 39: AC are defined for 5 blocks
  11. 11. Mifare Data Block Types
      Mifare data blocks exist in 2 formats:
      - Transparent blocks: data read or written are not interpreted by the card
      - Value blocks: special format and coding dedicated to purse functions (Increment / Decrement commands)

      Value format:
      - Value: 4-byte number in hexadecimal “V4 V3 V2 V1”, loaded and stored in reverse order in the block
      - Block layout: V1 V2 V3 V4 | ~V1 ~V2 ~V3 ~V4 | V1 V2 V3 V4 | X ~X X ~X
      - ~X means complement of X = (X Xor FF)

      Example: Value = 12 34 56 78
      78 56 34 12 | 87 A9 CB ED | 78 56 34 12 | FF 00 FF 00
  12. 12. Mifare security
      - Each sector is protected by a “Security Block”
      - Each block in a sector has its own Access Conditions (“AC”)

      Security Block format:

      | Bytes | 00-05           | 06-08                   | 09            | 10-15           |
      |-------|-----------------|-------------------------|---------------|-----------------|
      | Field | Key A (6 bytes) | Access Cond. (3 bytes)  | Data (1 byte) | Key B (6 bytes) |

      - Authentication with a sector can be done with key A or key B
      - Proprietary symmetric algorithm
      - To access a sector:
        - authentication with Key A or Key B is mandatory
        - a session key is created for the authenticated sector
        - all communication between the reader and a sector is ciphered with the session key
  13. 13. Mifare Manufacturer Code Block
      Block 0 of sector 0 is called the “Manufacturer block”. Its content:
      - is written by the chip manufacturer (NXP, Infineon)
      - can be read without authenticating with sector 0
      - can never be modified (write is not allowed)

      Mifare cards can be ordered with 4 or 7 bytes UID:

      | UID size | Layout (bytes 00 to 15)                                                           |
      |----------|-----------------------------------------------------------------------------------|
      | 4 bytes  | 00-03: UID (4 bytes); 04: LRC; 05: 08; 06-07: 04 00; 08-15: XX XX XX XX XX XX XX XX |
      | 7 bytes  | 00-06: UID (7 bytes); 07: 08; 08-09: 04 00; 10-15: XX XX XX XX XX XX               |

      - UID: Unique IDentifier
      - LRC: Longitudinal Redundancy Check on UID
      - XX..XX: Chip manufacturer reserved areas
      - Chip information: 08: SAK; 04 00: ATQA
  14. 14. Access conditions
  15. 15. Mifare Access Conditions
      Access conditions are defined:
      - for each block: Mifare 1K and Mifare 4K sectors 0 to 31
      - for 5 blocks: Mifare 4K sectors 32 to 39

      Access conditions for each block are stored in the sector Security Block:
      - Access conditions for a data block (transparent or value)
      - Access conditions for the Security Block itself

      Eight sets of access conditions are available for the four following commands: Read / Write / Add / Subtract
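  16. 16. Mifare Data Block Access Conditions

      | A.C. Set No. | AC2 | AC1 | AC0 | Read   | Write  | Add    | Subtract, Transfer, Restore |
      |--------------|-----|-----|-----|--------|--------|--------|-----------------------------|
      | 0            | 0   | 0   | 0   | A or B | A or B | A or B | A or B                      |
      | 1            | 0   | 0   | 1   | A or B | never  | never  | A or B                      |
      | 2            | 0   | 1   | 0   | A or B | never  | never  | never                       |
      | 3            | 0   | 1   | 1   | B      | B      | never  | never                       |
      | 4            | 1   | 0   | 0   | A or B | B      | never  | never                       |
      | 5            | 1   | 0   | 1   | B      | never  | never  | never                       |
      | 6            | 1   | 1   | 0   | A or B | B      | B      | A or B                      |
      | 7            | 1   | 1   | 1   | never  | never  | never  | never                       |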
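  17. 17. Mifare Security Block Access Conditions

      | A.C. Set No. | AC2 | AC1 | AC0 | Key A Read | Key A Write | AC + B9 Read | AC + B9 Write | Key B Read | Key B Write |
      |--------------|-----|-----|-----|------------|-------------|--------------|---------------|------------|-------------|
      | 0            | 0   | 0   | 0   | never      | A or B      | A or B       | never         | A or B     | A or B      |
      | 1            | 0   | 0   | 1   | never      | A or B      | A or B       | A or B        | A or B     | A or B      |
      | 2            | 0   | 1   | 0   | never      | never       | A or B       | never         | A or B     | never       |
      | 3            | 0   | 1   | 1   | never      | B           | A or B       | B             | never      | B           |
      | 4            | 1   | 0   | 0   | never      | B           | A or B       | never         | never      | B           |
      | 5            | 1   | 0   | 1   | never      | never       | A or B       | B             | never      | never       |
      | 6            | 1   | 1   | 0   | never      | never       | A or B       | never         | never      | never       |
      | 7            | 1   | 1   | 1   | never      | never       | A or B       | never         | never      | never       |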
  18. 18. Mifare Access Condition Storage
      Security Block: bytes 00-05 Key A (6 bytes); bytes 06-08 Access Cond. (3 bytes); byte 09 Data (1 byte); bytes 10-15 Key B (6 bytes)

      | Byte   | Bits 7-4 | Bits 3-0 |
      |--------|----------|----------|
      | Byte 6 | ~AC1     | ~AC2     |
      | Byte 7 | AC2      | ~AC0     |
      | Byte 8 | AC0      | AC1      |

      ~ACn: complemented value of AC (AC Xor FF)
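  19. 19. Access Conditions Definition example
      Data blocks (R = Read, W = Write, A = Add, S = Subtract; N = never):

      | Block   | Type        | R   | W | A | S   | A.C. set | AC2 | AC1 | AC0 |
      |---------|-------------|-----|---|---|-----|----------|-----|-----|-----|
      | Block 0 | Transparent | N   | N | N | N   | AC n° 7  | 1   | 1   | 1   |
      | Block 1 | Transparent | A/B | N | N | N   | AC n° 2  | 0   | 1   | 0   |
      | Block 2 | Value       | A/B | B | B | A/B | AC n° 6  | 1   | 1   | 0   |

      Security block:

      | Block   | Type     | Key A R | Key A W | AC + B9 R | AC + B9 W | Key B R | Key B W | A.C. set | AC2 | AC1 | AC0 |
      |---------|----------|---------|---------|-----------|-----------|---------|---------|----------|-----|-----|-----|
      | Block 3 | Security | N       | N       | A/B       | B         | N       | N       | AC n° 5  | 1   | 0   | 1   |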
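  20. 20. Access Conditions Calculation

      | Block   | AC2 | AC1 | AC0 |
      |---------|-----|-----|-----|
      | Block 0 | 1   | 1   | 1   |
      | Block 1 | 0   | 1   | 0   |
      | Block 2 | 1   | 1   | 0   |
      | Block 3 | 1   | 0   | 1   |

      Collected per AC bit, block 3 first: AC2 = 1 1 0 1, AC1 = 0 1 1 1, AC0 = 1 0 0 1

      Security Block Access Conditions:

      | Byte   | Bits 7-4              | Bits 3-0              | Bits 7..0 |
      |--------|-----------------------|-----------------------|-----------|
      | Byte 6 | AC1 inversed: 1 0 0 0 | AC2 inversed: 0 0 1 0 | 1000 0010 |
      | Byte 7 | AC2: 1 1 0 1          | AC0 inversed: 0 1 1 0 | 1101 0110 |
      | Byte 8 | AC0: 1 0 0 1          | AC1: 0 1 1 1          | 1001 0111 |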
  21. 21. Mifare weaknesses
  22. 22. Mifare weaknesses
      - Mifare cryptography is proprietary and has been broken
      - Key length is small (48 bits)
      - Algorithm is badly designed
      - It is now possible to make Mifare 1K, 4K clone cards
      - NXP has introduced a new generation of Mifare cards called “MifarePlus”:
        - AES-128 cryptography
        - Certification EAL4+
        - ISO 14443-1, -2, -3, -4 compliant
  23. 23. Mifare emulation
  24. 24. Mifare emulation on contactless JavaCards
      Infineon and NXP offer Mifare 1K or 4K emulation on some of their smart card chips.
      Diagram labels: contactless JavaCard with Mifare emulation, containing a Mifare zone and an EEPROM zone; contactless reader; Mifare Classic protocol; ISO14443-4 (T=CL) protocol
  25. 25. Mifare emulation on contactless JavaCards
      An incompatibility problem may happen on the “ATS available check”. A card supports ATS only if it is compliant with ISO14443-4 (T=CL). This is known when the card answers the SAK.
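  26. 26. Mifare emulation on contactless JavaCards
      Exchange between reader and card:

      | Direction      | Message                  | Content                                                     |
      |----------------|--------------------------|-------------------------------------------------------------|
      | Reader to card | WUPA                     | 0x52                                                        |
      | Card to reader | ATQA                     | 0x00 02                                                     |
      | Reader to card | ANTICOLLISION            | SEL: 0x93, NVB: 0x20                                        |
      | Card to reader | ANTICOLLISION answer     | UID: 12345678, BCC: 08                                      |
      | Reader to card | SELECT                   | SEL: 0x93, NVB: 0x70, UID: 0x12345678, BCC: 0x08, CRC_A: A23C |
      | Card to reader | SELECT ACKNOWLEDGE (SAK) | SAK: 20, CRC_A: 70FC                                        |

      Select AcKnowledge (SAK) coding:

      | b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning                                           |
      |----|----|----|----|----|----|----|----|---------------------------------------------------|
      | x  | x  | x  | x  | x  | 1  | x  | x  | Cascade bit: UID not complete                     |
      | x  | x  | 1  | x  | x  | 0  | x  | x  | UID complete, card compliant with ISO14443-4      |
      | x  | x  | 0  | x  | x  | 0  | x  | x  | UID complete, card NOT compliant with ISO14443-4  |

      SAK values:

      | Card type         | Mifare Classic SAK            | Mifare emulation SAK |
      |-------------------|-------------------------------|----------------------|
      | Mifare Classic 1K | 0x08 (NXP), 0x88 (Infineon)   | 0x28                 |
      | Mifare Classic 4K | 0x18                          | 0x38                 |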
  27. 27. www.justaskgemalto.com
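
The value block format from slide 11, written out as an added example (not part of the original slides): it builds the 16-byte block and rejects a block whose redundant copies disagree. The function names and the default `X = 0xFF` (taken from the slide's example bytes) are assumptions of this sketch.

```python
# Added example: encode and validate a Mifare value block as laid out on slide 11.
# Layout: V (4 bytes, stored in reverse order) | ~V | V | X ~X X ~X

def encode_value_block(value: int, x: int = 0xFF) -> bytes:
    """Return the 16-byte value block for a 4-byte value."""
    v = (value & 0xFFFFFFFF).to_bytes(4, "little")   # V1 V2 V3 V4 (reverse order)
    v_inv = bytes(b ^ 0xFF for b in v)               # complemented copy
    tail = bytes([x, x ^ 0xFF, x, x ^ 0xFF])         # X ~X X ~X
    return v + v_inv + v + tail


def decode_value_block(block: bytes) -> int:
    """Check all redundant copies, then return the stored value."""
    if len(block) != 16:
        raise ValueError("a Mifare block is 16 bytes")
    v, v_inv, v_copy, tail = block[0:4], block[4:8], block[8:12], block[12:16]
    if v != v_copy:
        raise ValueError("the two plain copies of the value differ")
    if any(a ^ b != 0xFF for a, b in zip(v, v_inv)):
        raise ValueError("complemented copy does not match the value")
    if tail[0] != tail[2] or tail[1] != tail[3] or tail[0] ^ tail[1] != 0xFF:
        raise ValueError("last four bytes are not X ~X X ~X")
    return int.from_bytes(v, "little")


def is_value_block(block: bytes) -> bool:
    """True if a 16-byte block read from a card is a well-formed value block."""
    try:
        decode_value_block(block)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blk = encode_value_block(0x12345678)
    print(blk.hex(" ").upper())            # the slide's example bytes
    print(hex(decode_value_block(blk)))
    tampered = bytes([blk[0] ^ 0x01]) + blk[1:]   # constructed: one flipped bit
    print(is_value_block(tampered))
```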
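
The access condition storage and calculation from slides 16 to 20, as an added example (not part of the original slides): it packs four A.C. set numbers into bytes 6 to 8 of the security block and checks the inverted copies when decoding. Function and table names are assumptions of this sketch; the rights table is the data block table from slide 16.

```python
# Added example: bytes 6-8 of a Mifare security block, per slides 16-20.
# Rights per A.C. set for a data block: (read, write, add, subtract/transfer/restore)
DATA_BLOCK_AC = [
    ("A or B", "A or B", "A or B", "A or B"),  # set 0
    ("A or B", "never", "never", "A or B"),    # set 1
    ("A or B", "never", "never", "never"),     # set 2
    ("B", "B", "never", "never"),              # set 3
    ("A or B", "B", "never", "never"),         # set 4
    ("B", "never", "never", "never"),          # set 5
    ("A or B", "B", "B", "A or B"),            # set 6
    ("never", "never", "never", "never"),      # set 7
]


def encode_access_bytes(sets):
    """sets[n] is the A.C. set number (0..7) chosen for block n, n = 0..3."""
    if len(sets) != 4 or any(not 0 <= s <= 7 for s in sets):
        raise ValueError("need four A.C. set numbers in 0..7")
    ac2 = ac1 = ac0 = 0
    for block, s in enumerate(sets):          # bit n of each nibble = block n
        ac2 |= ((s >> 2) & 1) << block
        ac1 |= ((s >> 1) & 1) << block
        ac0 |= (s & 1) << block
    inv = lambda nibble: nibble ^ 0xF
    return bytes([inv(ac1) << 4 | inv(ac2),   # byte 6: ~AC1 | ~AC2
                  ac2 << 4 | inv(ac0),        # byte 7:  AC2 | ~AC0
                  ac0 << 4 | ac1])            # byte 8:  AC0 |  AC1


def decode_access_bytes(b6, b7, b8):
    """Return the A.C. set number of blocks 0..3, or raise if copies disagree."""
    ac1_inv, ac2_inv = b6 >> 4, b6 & 0xF
    ac2, ac0_inv = b7 >> 4, b7 & 0xF
    ac0, ac1 = b8 >> 4, b8 & 0xF
    if (ac0 ^ ac0_inv, ac1 ^ ac1_inv, ac2 ^ ac2_inv) != (0xF, 0xF, 0xF):
        raise ValueError("inverted copies do not match: malformed access bytes")
    return [((ac2 >> n) & 1) << 2 | ((ac1 >> n) & 1) << 1 | ((ac0 >> n) & 1)
            for n in range(4)]


if __name__ == "__main__":
    ac_bytes = encode_access_bytes([7, 2, 6, 5])   # the slide 19 example
    print(ac_bytes.hex(" ").upper())
    for block, s in enumerate(decode_access_bytes(*ac_bytes)[:3]):
        print(f"block {block}: set {s} -> {DATA_BLOCK_AC[s]}")
```

Checking the three bytes with `decode_access_bytes` before writing a security block catches a nibble that was not complemented correctly.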