1. EXTERNAL
NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V.
ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2020 NXP B.V.
J U LY 2 0 2 0
Presenter
Daniel Rinner, Product Manager, NXP Semiconductors
Security Level
SL1SL3MixMode
A MIFARE Plus® EV2 KEY FEATURE
VIDEO

2. 1EXTERNAL
ADDING VALUE TO EXISTING INFRASTRUCTURES UNTIL UPGRADING TO SECURITY LEVEL 3
V I A S L1 S L 3M I XM OD E TO S U P P O R T S E AM L ES S C RY P TO -1 & AE S AU T H E N T I C AT I O N
• The SL1SL3MixMode feature allows the card issuer to configure the IC to accept Crypto-1 & AES authentication on card or on sector-per-
sector basis
• Once the SL1SL3MixMode feature is enabled, the card can be managed in a secure end-to-end (E2E) channel while the reader infrastructure
stays as is
− No need to invest into reader infrastructure while still enhancing customer experience
• Allows to manage the MIFARE Plus EV2 product-based card with an NFC enabled mobile phone securely Over-The-Air (OTA), e.g. top-ups
• Eases the migration of contactless cards to higher security (in existing infrastructures) by supporting the restriction of access rights in SL1
and helps to limit fraud by using Transaction Timer and originality checks
• Helps to minimize the total cost of ownership by upgrading only security relevant applications to AES
Enhancing
customer
experience of
legacy Crypto-1
infrastructures
Allows to upgrade
security relevant
applications only
Secure E2E
backend
connection to
manage card

3. 2EXTERNAL
ADDING VALUE TO EXISTING INFRASTRUCTURES UNTIL UPGRADING TO SECURITY LEVEL 3
V I A S L1 S L 3M I XM OD E TO S U P P O R T S E AM L ES S C RY P TO -1 & AE S AU T H E N T I C AT I O N
Crypto-1
Crypto-1
Successful Crypto-1 Transaction
Existing Infrastructure
Successful AES Transaction
Secure Backend connection
AES 128-bit
Backend
AES Key
AES Key
SL1SL3MixMode
SL1SL3MixMode
Service
App
AES 128-bit
Crypto-1 Key
Crypto-1 Key

4. 3EXTERNAL
Security
Level 0
Initial delivery
Security
Level 1
Crypto-1
SL1SL3
MixMode
Crypto-1 & AES
Security
Level 3
AES
Card basis
Card or Sector basis Card or Sector basis
Card or Sector basis
On MIFARE Plus EV2
• SL1SL3MixMode can be enabled by switching the security level of either the full card of each specific sector into SL1SL3MixMode
• To enable sector wise security switching the SectorSwitch byte stored in the MFPConfigurationBlock (B000h) must be changed to Aah
− Change can be applied with a WritePerso during personalization in SL0
• It is recommended to write all AES keys during personalization in SL0 – key 9007h is the SL1SL3SectorSwitchKey
• MIFARE Plus EV2 offers the restricted use of data and value blocks in Crypto-1 by overruling access conditions in the sector trailer
− Exception can be done using value pairs to allow only a decrement operation in SL1, and not an incremental one
− Only by using an AES authentication the content of a value block can be written or incremented
TECHNICAL DETAILS: HOW TO ENABLE THE SL1SL3MIXMODE ON THE CARD
Card basis
Card basisCard basis

5. 4EXTERNAL
MORE INFORMATION ABOUT THE TRANSACTION TIMER FEATURE
Item Number Availability
Datasheet - MIFARE Plus EV2 DS5223 NXP DocStore (confidential)
Application Note - MIFARE Plus EV2 Features and Hints AN5762 NXP DocStore (confidential)
Application Note - MIFARE Plus EV2 personalization commands AN5763 NXP DocStore (confidential)
Application Note - Card coil design notes for MIFARE Plus EV2 AN5759 NXP DocStore (confidential)
Application Note - Comparison between MIFARE Plus EV2 and
previous types
AN5760 NXP DocStore (confidential)
Application Note - Originality Signature Validation AN5764 NXP DocStore (confidential)
RFID Discover Software SW1866 NXP DocStore (confidential)
NXP Reader Library (Windows based) SW1717 NXP DocStore (confidential)

6. NXP, THE NXP LOGO AND NXP SECURE CONNECTIONS FOR A SMARTER WORLD ARE TRADEMARKS OF NXP B.V. ALL OTHER PRODUCT OR SERVICE NAMES ARE THE PROPERTY OF THEIR RESPECTIVE OWNERS. © 2020 NXP B.V.