NXP MIFARE Plus scores high in independent security reviews

SINGAPORE: NXP Semiconductors announced that its MIFARE Plus contactless smart card CPU IC (MF1PLUSx0y1) has been awarded Common Criteria EAL 4+ certification by the German Federal Office for Information Security (Ref.: BSI-DSZ-CC-0586-2009).

In addition, MIFARE Plus has proven successful in independent security reviews conducted by leading cryptography experts from the Ruhr-Universität in Germany and the Katholieke Universiteit Leuven in Belgium, which executed a thorough security and privacy assessment of the architecture of MIFARE Plus.

“NXP is striving to ensure that our products such as the MIFARE Plus microcontroller IC provide customers with the highest possible level of trust and privacy for secure transactions in contactless smart card applications,” said Henri Ardevol, general manager, Secure Transactions, NXP Semiconductors.

“We’re very pleased that the security features of MIFARE Plus have been independently validated by three different institutions following extensive testing. Since the release in mid 2009 we have worked with over 300 partner companies worldwide to adopt MIFARE Plus while the product is already being shipped in millions.”

MIFARE Plus technology features 128-bit Advanced Encryption Standard (AES) and supports migration from existing MIFARE ClassicTM implementations. The contactless microcontroller IC offers an upgrade path for system integrators and operators wishing to implement additional layers of security to their automatic fare collection, access management and micro-payment installations.

The independent third-party validation of MIFARE Plus offers NXP’s customers a high degree of certainty that the technology is providing advanced security. The Common Criteria certification validates correct implementation of the promised security features, evaluates attack resistance and allows systems integrators to assess the security quality of similar products.

“For newly built contactless smart card installations we strongly recommend Common Criteria-certified products, preferably those based on AES encryption”, said Dipl.-Ing. Harald Kelter, security expert, Federal Office for Information Security in Germany.

Working with leading universities in the area of IT security and cryptography has enabled NXP to tap into the latest cryptographic research and validate the technologies’ security features.

“Despite extensive and careful analysis, we have not identified any security weakness with practical relevance,” said Prof. Dr.-Ing. Chris tof Paar of the Ruhr-Universität Bochum. “We consider the MIFARE Plus architecture to be secure if all security mechanisms are activated as recommended in the MIFARE Plus documentation. The CC evaluation of the card further supports our belief that NXP has succeeded in designing a very secure contactless authentication and storage system.”

“Based on our study, we believe that the MIFARE Plus architecture is a solid design, which is based on a detailed analysis of the requirements including security, privacy and feasibility“, said Prof. Dr. Ir. Bart Preneel of the Katholieke Universiteit Leuven. “The solutions proposed take into account the severe constraints offered by the contactless environment. In spite of these constraints, the MIFARE Plus architecture allows to deploy applications in areas such as access control and transportation that offer a level of security and privacy that is state of the art.”

Security, performance, privacy and ease of use are at the heart of MIFARE Plus. It is – next to MIFARE DESFireTM EV1 – the only contactless smart card technology to offer strong AES encryption for authentication, integrity and confidentiality.

Furthermore, MIFARE Plus chips comprise a number of additional privacy features which, when used optimally in the infrastructure, provide a system that prevents individuals from being identified and tracked by others. Finally, migration planning is made easier as MIFARE Plus supports the pre-issuance of new cards; co-existence of current and new cards; and software based infrastructure upgrades.