Industry experts analyze contactless application security in depth

Recently, in response to media reports on "China's 140 million IC card storage security risks: mastering the number of technologies that can be changed", our reporter interviewed different vendors and analysts in the industry chain. Li Zhizhong, a consultant at CCID Consulting's Semiconductor Industry Research Center, said in an interview: "In fact, this matter is not as serious as the media make it out to be, and users do not have to panic." The reason is that the security of contactless applications is end-to-end, system-based security. It requires chip vendors, system integrators, card issuers and others to consider the needs of the entire application system as a whole, from the chip to the back end, rather than relying only on the card or the chip itself.

Contactless IC cards, i.e. RF cards or proximity cards, combine RFID technology to solve the problems of passive and contactless operation, which is a breakthrough in the field of electronic devices. The contactless smart card is divided into two parts: the system area (CDF) and the user area (ADF). The system area is used by card manufacturers, system developers, and card issuers. The user area is used to store data about the cardholder.

Regarding the media report's statement that "the MIFARE algorithm is cracked; once criminals master this technology, they can freely modify the information in your card. For example, if you recharge 10 yuan, they can change it to 1,000 yuan or 10,000 yuan, or even more," Lu Ning, the sales and marketing director of NXP's smart identification products in Greater China, stressed: "This argument is untenable. Colleagues in the intelligent identification industry agree that the security of contactless applications is multi-layered. The problem is that the cracking of the MIFARE classic chip security algorithm is limited to the chip level and does not involve other aspects of the application system. Once the data stored on the card is rewritten or cloned, the system will find it. In addition, there has not been a cracking incident or a threat to system security since MIFARE went public." According to his estimate, there are currently more than 1 billion contactless smart cards in use worldwide, but there has not been a cracking incident.

Lu Ning, Director of Sales and Marketing, Greater China, NXP Intelligent Identification Products

"So far, we have never received a complaint about tampering with a Yangchengtong balance." After receiving the report, the relevant person at the Guangzhou Municipal Communications Commission also said that Guangzhou Yangchengtong has been in trial operation since December 30, 2001. The circulation has exceeded 7.8 million, and the daily card-swipe consumption has exceeded 3 million. Although Yangchengtong Company sometimes receives complaints that a card cannot be swiped, no case of a card balance being maliciously altered has appeared.

So, how do smart card manufacturers view this news? When this reporter followed up by interviewing the technical director of a local smart card manufacturer, his views coincided with those of NXP's Lu Ning. He also stressed: "A smart card application is usually a distributed computer system. It consists of multiple subsystems, and each subsystem has a specific function. System security consists of front-end operation, front-end verification, background verification, background verification, and system fraud control. Designers must think in reverse when designing a system, that is, what security vulnerabilities may exist in the system and how these security vulnerabilities can be controlled. At the same time, security must be the overall security of the system, not the security of a single subsystem or component."

In addition to bus cards, MIFARE technology is widely used in access card applications. Access control measures for entering buildings or homes are more complex than other applications. They are composed of end-to-end systems with multiple levels of security. Access control systems are often deployed with additional security measures, such as security personnel, surveillance cameras, or other measures to monitor suspicious activity, depending on the specific security needs of each facility. MIFARE products differ in function, performance, security, and coding strength, so system integrators can choose the right solution based on chip security, back-end systems, and their needs. For applications with higher security requirements such as access control, more secure chips are often used, such as NXP's Plus, DESFire EV1 and Smart MX products. Jonathan Collins of ABI Research once said: "NXP's MIFARE technology has helped drive the use of contactless smart cards in bus ticketing, payment and access control. Plus is upgrading the existing deployment and application to the existing MIFARE contactless bus system plan. The new level of security and increased security provide a path that is already in place." Plus not only uses strong AES encryption, but NXP will also obtain Common Criteria certification.

To ensure system-level security for access control applications, users can consider the following two solutions:
1. Use only the card's unique serial number, checked against a whitelist or blacklist, with admission control performed by the back-end system. This system does not use the security features of the card to store data. Since the serial number of the card is globally unique, there is no possibility of it being copied or cracked. This is the current solution for most access control systems.
2. Use the data stored on the card together with the card's unique serial number. According to discussions with most access control system vendors, the keys of the cards in their systems are distributed, and the data stored on the card is itself encrypted. The readers authenticate the cards through a SAM card and also apply whitelists and blacklists. This system is more secure than the first one described above, and there is no possibility of copying and cracking.

However, Lu Ning also stressed: "Because many domestic and foreign manufacturers in the domestic market provide products based on the same MIFARE classic chip technology, we cannot rule out that the way a few access control system suppliers use MIFARE creates copying or cracking vulnerabilities. In access control systems, there are also many customers who use other technologies with lower security performance, or chips that have security vulnerabilities, for example, the serial number is not unique, or the card data is completely unprotected. These systems may have security breaches, which require careful analysis by customers."

He also said that if an organization operating a contactless application needs more detailed security information, it can contact NXP's Intelligent Identification department to obtain relevant technical support.

In addition, from another perspective, cracking the chips in a contactless application in order to profit from it is not feasible, because it is costly.

CCID's Li Zhizhong said: "Anyone must consider cost input and benefit output when doing things. Whether to do it depends on motivation and profit. The cost of a contactless IC card is less than two yuan, and the amount stored on it by users in public transportation applications is also very small, so there is little point in cracking it. Don't worry about your personal card being cracked." He also said that he had not heard of any cracking incident in the country.

The technical director of the smart card manufacturer shares the same view: "The cracking of the security algorithm of the MIFARE classic chip does not mean that it should not be used anymore. We understand that the security of everything is relative. For an application system, safety is a comparison between the cost of maintaining safety, the cost of destroying safety, and the cost of being destroyed. That is to say, safety means that the cost of maintaining safety must be far less than the cost of destroying safety, and the cost of destroying it must be far more than the vandals can gain. The MIFARE Classic chip is a very popular contactless card that is competitive, with lower prices and a wide range of sources, and can be used in multiple sizes. The classic chip provides a dynamic encryption mechanism, supplemented by the security guarantee of the entire system. People who are not familiar with the security design of smart card applications usually focus on the card itself or its algorithm, whereas a qualified smart card application designer who uses a memory card must take strong measures in the card structure design and in other subsystems to strengthen the integrity of the system. Conversely, an unqualified designer, even if he uses the safest card in the world, will design a system that has security holes."

However, although the security of contactless cards is already very high, as a precaution, organizations operating contactless applications should still pay attention to improving system security. NXP's Lu Ning gave the following 11 recommendations:
1. Key distribution
2. Data encryption, binding the card's unique serial number in the encryption
3. White list/black list/grey list
4. Maintain the card on/out status
5. Decentralized authentication data
6. Set a transaction counter on the card
7. Check the physical form of the card
8. Roll the keys
9. If the device allows it, change the keys frequently
10. Use a metal envelope (to shield against relay attacks)
11. Migration to alternative products (DESFire EV1 or Plus)
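
The following Python example is added here and is not code from NXP or from any vendor quoted in the article. It shows how a back end could combine several of the recommendations above (per-card keys, binding stored data to the card's serial number, black/grey lists, and a transaction counter) to notice rewritten or cloned card data. HMAC-SHA256, the master key, the UIDs and all function and class names are assumptions made for the example; in a deployment the master key would sit in a SAM.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-demo-master-key"  # constructed value, for the example only

def card_key(uid: bytes) -> bytes:
    """Per-card key derived from the master key and the card's serial number."""
    return hmac.new(MASTER_KEY, b"card-key" + uid, hashlib.sha256).digest()

def seal(uid: bytes, balance: int, counter: int) -> bytes:
    """MAC over the stored value, bound to the UID and the transaction counter."""
    msg = uid + balance.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(card_key(uid), msg, hashlib.sha256).digest()[:8]

class Backend:
    def __init__(self):
        self.blacklist = set()   # cards refused outright
        self.greylist = set()    # cards flagged for review
        self.last_counter = {}   # uid -> highest transaction counter accepted

    def check(self, uid: bytes, balance: int, counter: int, mac: bytes) -> str:
        if uid in self.blacklist:
            return "reject: blacklisted"
        if not hmac.compare_digest(mac, seal(uid, balance, counter)):
            return "reject: bad MAC"        # data rewritten, or copied to another UID
        if counter <= self.last_counter.get(uid, -1):
            self.greylist.add(uid)          # old card image presented again
            return "flag: counter replay"
        self.last_counter[uid] = counter
        return "accept"

def demo():
    """Run four constructed card reads through the back end (balances in fen)."""
    be = Backend()
    uid = bytes.fromhex("04a1b2c3")         # constructed serial numbers
    clone_uid = bytes.fromhex("04ffffff")
    mac = seal(uid, 1000, 5)                # genuine card: 10 yuan, counter 5
    return [
        be.check(uid, 1000, 5, mac),        # genuine read
        be.check(uid, 100000, 6, mac),      # balance changed to 1000 yuan
        be.check(clone_uid, 1000, 5, mac),  # same data on a different card
        be.check(uid, 1000, 5, mac),        # earlier card image restored
    ]

if __name__ == "__main__":
    print(demo())
```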

Appendix: Principle of contactless smart card http://hi.baidu.com/dirac/blog/item/322d35cecf4b9a3ab700c800.html/cmtid/0de34b604e90714deaf8f811
