A Secure Design on Mifare Classic Cards for Ensuring Contactless Payment and Control Services

2022;
: cc. 22 - 28

1Gebze Technical University
2Konfides Information Technologies
3Beykent University

Today, various contactless smart cards are used to protect our personal information and to perform secure and fast transactions. Many contactless smart card applications are becoming commonplace, from corporate access control cards to electronic passports and financial payment. There is a wide variety of smart cards on the market that differ in size, chasis, memory, computing power, and even the security features they provide. Although MIFARE Classic cards, which are used in many areas due to their price performance, meet certain security and functional needs, the weaknesses of these cards have made the applications and systems they are used in question. The aim of this study is to introduce a new design on MIFARE Classic contactless cards that will eliminate the basic shortcomings with minimum impact, and to perform high-security payment transactions using these cards, which do not support high-security payment transactions in their basic design. By using flexible data organization and storage scheme, their sector structure can be used for different purposes. The proposed new design includes derivation of critical card data by using card- specific information which ensures that the keys that provide access to the sectors of card are different on all cards; protection of card information through a certificate mechanism; usage of a new data structure with mirroring and redundancy methods to ensure data integrity and provide a server-side authentication mechanism for online transactions. It is possible that the proposed new design will pave the way for the secure use of MIFARE Classic cards in new generation payment and control systems.

  1. SO/IEC 14443. Identification cards - Contactless integrated circuit(s) cards - Proximity cards (2001). Available at: https://www.iso.org/standard/28729.html
  2. K. Finkenzeller, (2010). RFID Handbook: Fundamentals and Applications in Contactless Smart Cards, Radio Frequency Identification   and    Near-Field    Communication.    (3rd    ed.) DOI:10.1002/9780470665121
  3. K. Finkenzeller, (2003). RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification. (2nd ed.) DOI:10.1002/0470868023
  4. B. B. Gupta and S. Narayan, (2020). “A survey on contactless smart cards and payment system: technologies, policies, attacks and countermeasures”, Journal of Global Information Management (JGIM), 28(4), pp. 135-159. DOI: 10.4018/JGIM.2020100108
  5. Mifare         Classic          Family.          Available          at: https://www.mifare.net/en/products/chip-card-ics/mifare-classic/ (Accessed: 23 March 2022).
  6. F. D. Garcia, G. D. Koning Gans, R. Muijrers, P. V. Rossum, R. Verdult, R. W. Schreur, and B. Jacobs, “Dismantling MIFARE classic”, in Proc. European symposium on research in computer security, 2008, pp. 97-114. DOI: 10.1007/978-3-540-88313-5_7
  7. G. D. Koning Gans, J. H. Hoepman, and F.D.  Garcia,  “A practical attack on the MIFARE Classic”, in Proc. International Conference on Smart Card Research and Advanced Applications, 2008, pp. 267-282. DOI: 10.1007/978-3-540- 85893-5_20
  8. W. H. Tan, “Practical attacks on  the  Mifare  Classic.  M.S. thesis”, Imperial College London, 2009. Available at: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.739.1 658&rep=rep1&type=pdf  (Accessed: 23 March 2022).
  9. K. Nohl, and H. Plotz, “MIFARE: Little Security, Despite Obscurity”. Presented at 24th Congress of the Chaos Computer Club       in                 Berlin,  2007.          Available   at: https://www.youtube.com/watch?v=QJyxUvMGLr0 (Accessed: 23 March 2022).
  10. F. D. Garcia, P. Van Rossum, R. Verdult, and R. W. Schreur, “Wirelessly pickpocketing a Mifare Classic card”, in Proc. 30th IEEE Symposium on Security and Privacy, 2009, pp. 3-15. DOI: 10.1109/SP.2009.6
  11. K. E. Mayes and C. Cid, (2010). “The mifare classic story”, Information Security Technical Report, 15(1), 8-12. DOI: 10.1016/j.istr.2010.10.009