Higher Education sector moving from Mifare to DESFire?

Thursday, 3rd September, 2015

Why? Simply two reasons: usability and security. Thanks for reading.

A bit more detail? Okay.

Firstly we need to look at the chips themselves. Both chips are used as tokens in a variety of circumstances, usually within an ID card of some type, and both are manufactured by NXP. When Mifare (strictly, Mifare Classic) was developed it was a huge step forward over the previous card types as it allowed both reading and writing to the chip.

Usability:

The memory in a Mifare Classic chip is split into sectors, 16 on a 1K card, each with 4 blocks of 16 bytes. The last block of every sector is a trailer holding that sector's two keys and its access bits, and block 0 of sector 0 is a read-only manufacturer block carrying the card's UID. The next 2 blocks of sector 0 hold the Mifare Application Directory (MAD), which records which application sits in which sector. Think of it as an index for a filing cabinet. The 4K cards have 40 sectors, 32 with 4 blocks and 8 with 16 blocks. Because every application has its own keys it must occupy whole sectors, and sectors are handed out until the memory is full. So if a complex access control system takes up 6 sectors, an electronic purse takes 5 and a transport application needs 6, they won't all fit on a 1K card: that is 17 sectors against the 15 left once the directory sector is set aside.

DESFire instead has a flexible file system: up to 28 applications can be stored on one card and each application can have up to 16 files (32 on DESFire EV1). Files are allocated from the card's free memory rather than from a fixed grid of sectors, so space that one application does not use is available to the others.
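To make the Mifare Classic geometry above concrete, here is a small Go program (an added example, not code from the original post or from NXP) that maps absolute block numbers to sectors, reports which blocks are sector trailers, and runs the fit check from the previous paragraph with the directory sector set aside. The type and method names are my own labelling of the layout described above; the only reservation modelled is sector 0 for the MAD, which is the simple case.

```go
package main

import (
	"errors"
	"fmt"
)

const blockBytes = 16

// ClassicCard describes the sector geometry of a MIFARE Classic card.
// Small sectors have 4 blocks, large sectors 16; the last block of every
// sector is the trailer holding key A, the access bits and key B.
type ClassicCard struct {
	Name         string
	SmallSectors int
	LargeSectors int
}

var (
	Classic1K = ClassicCard{"MIFARE Classic 1K", 16, 0}
	Classic4K = ClassicCard{"MIFARE Classic 4K", 32, 8}
)

// Sectors is the total sector count (16 for 1K, 40 for 4K).
func (c ClassicCard) Sectors() int { return c.SmallSectors + c.LargeSectors }

// BlocksInSector returns 4 or 16 depending on where the sector lies.
func (c ClassicCard) BlocksInSector(sector int) int {
	if sector < c.SmallSectors {
		return 4
	}
	return 16
}

// Locate maps an absolute block number (as used by the READ/WRITE commands)
// to its sector, its offset within that sector and whether it is the trailer.
// Small sectors are addressed first, so on a 4K card blocks 0-127 belong to
// the 32 small sectors and blocks 128-255 to the 8 large ones.
func (c ClassicCard) Locate(block int) (sector, offset int, trailer bool, err error) {
	smallBlocks := c.SmallSectors * 4
	switch {
	case block < 0 || block >= smallBlocks+c.LargeSectors*16:
		return 0, 0, false, errors.New("block out of range for " + c.Name)
	case block < smallBlocks:
		sector, offset = block/4, block%4
	default:
		sector = c.SmallSectors + (block-smallBlocks)/16
		offset = (block - smallBlocks) % 16
	}
	return sector, offset, offset == c.BlocksInSector(sector)-1, nil
}

// DataBytes returns the user-writable bytes in a sector: every block except
// the trailer, and in sector 0 also excluding block 0 (the read-only
// manufacturer block carrying the UID).
func (c ClassicCard) DataBytes(sector int) int {
	n := c.BlocksInSector(sector) - 1
	if sector == 0 {
		n--
	}
	return n * blockBytes
}

// Fits answers the question in the text: do applications that each need a
// whole number of sectors fit once sector 0 is reserved for the MAD? Sectors
// cannot be shared because each carries its own keys, so slack is lost.
func (c ClassicCard) Fits(sectorsNeeded ...int) (fits bool, free int) {
	free = c.Sectors() - 1 // sector 0 holds the directory
	for _, n := range sectorsNeeded {
		free -= n
	}
	return free >= 0, free
}

func main() {
	for _, b := range []int{0, 3, 7, 127, 128, 143, 255} {
		s, o, t, err := Classic4K.Locate(b)
		fmt.Printf("4K block %3d -> sector %2d offset %2d trailer=%v err=%v\n", b, s, o, t, err)
	}
	// The page's example: access control 6 sectors, purse 5, transport 6.
	fmt.Println(Classic1K.Fits(6, 5, 6))
	fmt.Println(Classic4K.Fits(6, 5, 6))
	fmt.Println(Classic1K.DataBytes(0), Classic4K.DataBytes(32))
}
```

The jump from 4-block to 16-block sectors at block 128 is the detail that trips people up when reading a 4K dump: the trailer of sector 32 is block 143, not block 131.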

The practical result is that a University can use its ID cards for more applications and get faster communication between the card and the reader (Mifare Classic talks at 106 kbit/s, DESFire EV1 at up to 848 kbit/s). Students then only need a single ID card for use across a whole cashless campus solution, access control systems, transport, gym memberships etc.

Security:

As you can imagine, when dealing with electronic purses, access control or any system where proof of identity is vital, security is paramount. When a smartcard is presented to a reader, the two authenticate each other and encrypt the dialogue that follows, and it is in this area that Mifare Classic and DESFire cards differ.

Neither card uses public key cryptography. Both rely on symmetric keys: the same secret key is loaded into the card and into every reader (or the reader's secure access module) that needs to talk to it, and when the card is presented the two run a challenge-response exchange in which each side proves it knows the key without ever sending it over the air. An attacker listening to that exchange should learn nothing useful.

On a Mifare Classic card each sector has two such keys, referred to as key A and key B. They are not derived from one another; they are two independent 48-bit keys stored in the sector trailer, and the sector's access bits decide what each key may do (a common arrangement is that key A may read an application's data while only key B may write it). What makes DESFire more secure is not the number of keys but the cipher the challenge-response runs on and the length of the keys it uses.

Mifare Classic uses a proprietary stream cipher called Crypto-1 with 48-bit keys. During authentication the card sends a random number, the reader answers with its own, and the keystream that encrypts the rest of the conversation is derived from the sector key, the card's UID and those numbers. At the time of development this was considered secure, and it was for the technology available at the time. However, in 2008 researchers at Radboud University in Nijmegen in the Netherlands published practical attacks on it: the key is short, the card's random number generator is weak, and the cipher leaks enough information that a sector key can be recovered with a cheap reader in seconds to minutes. Although it took a university research group to find the attack, once the knowledge of how to do it was public it quickly became apparent that this encryption could not be considered secure in the long term, and the tools to carry it out are now freely available.

The encryption used on DESFire EV1 cards is 128 Bit AES (DES and Triple DES are also available for compatibility, but we would advise the AES option as the most secure; note that the original DESFire chip offered only DES and Triple DES and was itself shown to be vulnerable to a side-channel attack in 2011, so the migration target should be DESFire EV1 or later). AES stands for Advanced Encryption Standard and the 128 Bit refers to the length of the key used. AES is the standard the US government uses to protect classified information and, at the projected rate of technology improvement, a 128-bit key is estimated to remain secure until at least the year 2030.
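As an added illustration, not code from the original post nor from NXP or AIT, here is the three-pass AES mutual authentication that a DESFire EV1 card and a reader run before any file is read, written as a self-contained Go simulation with both sides in one program. The all-zero key in main is a constructed demo value (the factory default on a blank card); the CBC chaining rule (each message is encrypted with the last ciphertext block that party handled as the IV) and the session-key derivation follow the EV1 AES scheme, and the simulated card keeps just enough state to check the reader's answer. Anything that would need a real reader or a real card is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = 16

// aesCBC runs AES-128-CBC over whole blocks with an explicit IV, encrypting or
// decrypting. Nothing here zeroes the IV between passes: DESFire chains every
// authentication message off the last ciphertext block that party handled.
func aesCBC(key, iv, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a 16-byte key is a precondition of this example
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// rotl rotates a nonce left by one byte: RndB becomes RndB', RndA becomes RndA'.
func rotl(b []byte) []byte {
	out := make([]byte, len(b))
	copy(out, b[1:])
	out[len(b)-1] = b[0]
	return out
}

// sessionKey is the DESFire EV1 AES derivation once both nonces are known:
// RndA[0:4] || RndB[0:4] || RndA[12:16] || RndB[12:16].
func sessionKey(rndA, rndB []byte) []byte {
	k := append([]byte{}, rndA[:4]...)
	k = append(k, rndB[:4]...)
	k = append(k, rndA[12:]...)
	return append(k, rndB[12:]...)
}

// Card models the PICC side: the shared key plus the state it needs between
// passes (its nonce, the ciphertext it last sent, the agreed session key).
type Card struct {
	key, rndB, ekB, session []byte
}

// Challenge is pass 1: the card answers AuthenticateAES with E(K, RndB), IV = 0.
func (c *Card) Challenge() []byte {
	c.rndB = make([]byte, blockSize)
	if _, err := rand.Read(c.rndB); err != nil {
		panic(err)
	}
	c.ekB = aesCBC(c.key, make([]byte, blockSize), c.rndB, true)
	return c.ekB
}

// Respond is pass 3: the card decrypts E(K, RndA || RndB') with E(K, RndB) as
// IV, refuses unless RndB' is its own nonce rotated (the reader's proof), then
// proves itself with E(K, RndA') chained off the reader's last block.
func (c *Card) Respond(ekAB []byte) ([]byte, error) {
	if len(ekAB) != 2*blockSize || c.ekB == nil {
		return nil, errors.New("protocol error")
	}
	plain := aesCBC(c.key, c.ekB, ekAB, false)
	rndA, rndBPrime := plain[:blockSize], plain[blockSize:]
	if !bytes.Equal(rndBPrime, rotl(c.rndB)) {
		c.session = nil
		return nil, errors.New("reader failed to prove knowledge of the key")
	}
	c.session = sessionKey(rndA, c.rndB)
	return aesCBC(c.key, ekAB[blockSize:], rotl(rndA), true), nil
}

// SessionKey is nil until a reader has authenticated successfully.
func (c *Card) SessionKey() []byte { return c.session }

// ReaderAuthenticate drives the PCD side and returns the session key, or an
// error if either party fails to prove it holds the key.
func ReaderAuthenticate(key []byte, card *Card) ([]byte, error) {
	ekB := card.Challenge() // pass 1
	rndB := aesCBC(key, make([]byte, blockSize), ekB, false)
	rndA := make([]byte, blockSize)
	if _, err := rand.Read(rndA); err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, rndA...), rotl(rndB)...)
	ekAB := aesCBC(key, ekB, msg, true) // pass 2, chained off E(K, RndB)
	ekA, err := card.Respond(ekAB)      // pass 3
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(aesCBC(key, ekAB[blockSize:], ekA, false), rotl(rndA)) {
		return nil, errors.New("card failed to prove knowledge of the key")
	}
	return sessionKey(rndA, rndB), nil
}

func main() {
	key := make([]byte, blockSize) // constructed demo key: the all-zero factory default
	card := &Card{key: key}
	sk, err := ReaderAuthenticate(key, card)
	fmt.Printf("genuine reader: session key %x, err=%v\n", sk, err)
	_, err = ReaderAuthenticate(bytes.Repeat([]byte{0x42}, blockSize), card)
	fmt.Println("reader with wrong key:", err)
}
```

The two error paths are the point: a reader holding the wrong key never gets past the card's check of RndB', and a card that cannot produce RndA' is rejected by the reader, so neither side releases anything to a party that has not proved it holds the key, and the session key that protects the rest of the dialogue is fresh for every presentation. Mifare Classic runs the same shape of exchange, but on Crypto-1 with a 48-bit key and a weak 16-bit nonce, which is what the 2008 attacks exploit.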

DESFire cards are now used as the Oyster card in London, replacing the Mifare Classic card originally used. This and similar mass adoption around the world has made them a much more economically viable option for those looking for a secure smartcard solution.

So, it is simply usability and security that are causing the Higher Education sector to migrate to DESFire cards. If it means that the various systems are more easily used, and that the systems and all the students and staff are much more secure for the next 15 years, it's an obvious choice to make.

If you need any advice on how to migrate to DESFire cards or an overview of your own smartcard solutions please call us on 0113 273 0300 or email solutions@ait.co.uk