Mifare Data Encryption Guide

TL;DR

Encrypting data on Mifare cards is vital for security. This guide covers best practices using AES encryption, key management, and secure communication protocols to protect sensitive information stored on these cards.

1. Understanding Mifare Card Types & Encryption Capabilities

Different Mifare card types have varying levels of built-in security features. Classic 1K/4K cards offer limited encryption options (DES/3DES), while newer DESFire EV1/EV2 and Plus SLx cards support AES, which is significantly stronger.

  • Classic: Avoid storing sensitive data directly on these cards if possible. If unavoidable, use 3DES with strong key management.
  • DESFire EV1/EV2: These are the preferred choice for secure applications due to AES support and robust security features.
  • Plus SLx: Offers a good balance of security and cost-effectiveness with AES encryption capabilities.

2. Choosing an Encryption Algorithm

AES (Advanced Encryption Standard) is the recommended algorithm for Mifare cards supporting it. Specifically, AES-128 is commonly used.

  • AES-128: Provides a strong level of security with 128-bit encryption keys.
  • Key Size: Larger key sizes (e.g., AES-256) offer increased security but may require more processing power and storage space.

3. Secure Key Management

The most critical aspect of Mifare card encryption is secure key management. Compromised keys render the entire system vulnerable.

  • Key Generation: Use a cryptographically secure random number generator to create unique AES keys for each application or set of cards.
  • Key Storage: Never store keys directly on the Mifare card itself. Store them securely in a Hardware Security Module (HSM) or a trusted environment with restricted access.
  • Key Diversification: Derive multiple keys from a single master key using a Key Derivation Function (KDF). This limits the impact of a compromised key.

4. Implementing AES Encryption on DESFire Cards

DESFire cards require specific commands to manage keys and perform encryption/decryption operations.

4.1 Key Setup

  1. Create a Key: Use the CREATE KEY command with appropriate key number, key type (AES), and key version.
    00 A4 04 00 07 A0 00 00 01 23 00 00 80 00
  2. Load Key: Use the LOAD KEY command to securely load the AES key into the card’s memory.
    00 A4 04 00 07 A0 00 00 02 23 01 80 00

4.2 Data Encryption/Decryption

  1. Encrypt: Use the ENCIPHER command with the key number and the data to be encrypted.
    00 A4 04 00 07 A0 00 00 03 23 02 80 00
  2. Decrypt: Use the DECIPHER command with the key number and the encrypted data to decrypt it.
    00 A4 04 00 07 A0 00 00 03 23 03 80 00

5. Secure Communication Protocols

Protect the communication channel between your reader and the Mifare card to prevent eavesdropping or man-in-the-middle attacks.

  • Mutual Authentication: Implement mutual authentication protocols (e.g., using ISO/IEC 7816-4) to verify both the card’s identity and the reader’s authenticity.
  • TLS/SSL: Use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) for communication over networks.

6. Data Integrity Checks

Ensure data hasn’t been tampered with during storage or transmission.

  • Message Authentication Codes (MACs): Use MAC algorithms (e.g., HMAC-SHA256) to generate a tag that verifies the integrity of the encrypted data.
  • Checksums: Implement checksums to detect accidental errors during transmission or storage.
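Key diversification (section 3) and MAC-based integrity checks (section 6) combined in one reader-side routine, as an added example in Go that is not from the original guide. Each card's AES-128 key and a separate MAC key are derived from one master key plus the card UID with an HMAC-SHA256 KDF (assumed here as a generic scheme, not NXP's CMAC-based diversification), the data is encrypted with AES-128-CTR, and an HMAC-SHA256 tag over IV and ciphertext is verified in constant time before anything is decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Per-card key: HMAC-SHA256(master, label||UID)[:n]. A generic KDF assumed here, not NXP's AES-CMAC scheme.
func deriveKey(master, uid []byte, label string, n int) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(append([]byte(label), uid...))
	return m.Sum(nil)[:n]
}

// tag authenticates IV||ciphertext with a MAC key kept separate from the AES key (16-byte truncation).
func tag(master, uid, body []byte) []byte {
	m := hmac.New(sha256.New, deriveKey(master, uid, "mac", 32))
	m.Write(body)
	return m.Sum(nil)[:16]
}

// sealRecord: AES-128-CTR under the card's derived key with a fresh random IV, then encrypt-then-MAC. Layout: IV || ciphertext || tag.
func sealRecord(master, uid, plaintext []byte) ([]byte, error) {
	body := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(deriveKey(master, uid, "enc", 16)) // 16-byte key never errors
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	return append(body, tag(master, uid, body)...), nil
}

// openRecord checks the tag in constant time before decrypting, so a tampered record or one sealed for another card UID is rejected.
func openRecord(master, uid, record []byte) ([]byte, error) {
	if len(record) < aes.BlockSize+16 {
		return nil, errors.New("record too short")
	}
	body, got := record[:len(record)-16], record[len(record)-16:]
	if !hmac.Equal(got, tag(master, uid, body)) {
		return nil, errors.New("integrity check failed")
	}
	block, _ := aes.NewCipher(deriveKey(master, uid, "enc", 16))
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
```

The master key would come from the HSM or trusted store described in section 3, never from the card; because the MAC key is bound to the UID, a record copied from one card to another fails the tag check even before decryption is attempted.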

7. Regular Security Audits

Conduct regular security audits and penetration testing to identify vulnerabilities in your Mifare card system.

  • Vulnerability Scanning: Scan for known weaknesses in the hardware, software, and communication protocols.
  • Penetration Testing: Simulate real-world attacks to assess the effectiveness of your security measures.