NXP MIFARE® ULTRALIGHT AES - ONE KEY TO RULE THEM ALL?

In the blog NXP MIFARE® Ultralight C vs. MIFARE® Classic 1k,  I looked at how the 3DES encryption available with NXP’s Ultralight C, provided a significant step-up in security for hotel access control and identity verification. 

But, Ultralight C (we’ll refer to it simply as ULC) is not the ‘ultimate’ in secure access technology, not by a long shot.

In this post, I delve into the security benefits of using NXP MIFARE® AES keycards, particularly in comparison to the ULC. 

A QUICK REMINDER… I’m trying not to get too technical in these posts. 

Afterall, most of the people using RFID keycards day-to-day are the staff and guests of hotels, attractions, and the like. That’s not to say they don’t understand the technology, but they shouldn’t have to. In my opinion, good security should be frictionless and where possible, go unnoticed – especially when you’re on vacation.

Understanding MIFARE® Technology

Before we go into specifics, it's a good reminder to understand what MIFARE® technology actually is. Developed by NXP Semiconductors, MIFARE® is a brand for a series of chips widely used in contactless smart cards and proximity cards. These chips are embedded in cards and readers to facilitate secure, wireless communication for processes like access control, payment systems, and public transportation ticketing.

How did we get here?

The hotel industry is undergoing a significant shift in the advancement of secure access. And, a lot of it seems to have been driven, in part, by a product called the Flipper Zero - a pocket-sized, multi-tool device for geeks (not my words, the words of Flipper). More on this later.

NXP MIFARE Ultralight C: The Starting Point

The MIFARE® Ultralight C, introduced as an entry-level version for simple, low-cost applications like public transportation tickets and event passes, offers basic security features. It operates on a 13.56 MHz frequency and uses a 3DES cryptographic algorithm for security. While 3DES was considered secure at the time of the Ultralight C's introduction, advancements in computational power and security research have exposed vulnerabilities, making it less secure than its modern counterparts. In fact, NXP even suggests that new projects should think otherwise about using its Ultralight C chips.

Enter the NXP Ultralight AES – dubbed by NXP as ‘a new level of trust’.

The Advancement: NXP MIFARE® AES (Advanced Encryption Standard)

In response to the increasing need for enhanced security, NXP developed MIFARE® products incorporating AES, a more robust and secure encryption standard. AES is a symmetric key encryption standard that has become the gold standard in secure data encryption, approved by the National Institute of Standards and Technology (NIST) in the United States.

MIFARE® AES vs ULC - Comparing the Security Benefits

Enhanced Encryption

The most significant difference between the MIFARE® Ultralight C and MIFARE® AES-based keycards is the level of encryption. AES offers a higher level of security than 3DES. It uses longer key lengths (128, 192, and 256 bits) compared to the 112-bit key length in 3DES used by Ultralight C. This longer key length makes AES exponentially harder to crack, offering a more robust defense against brute force attacks.

Resistance to Cryptographic Attacks

AES is not only about longer key lengths; its design is inherently more resistant to cryptographic attacks. Techniques like linear and differential cryptanalysis, which are potential threats to 3DES, are much less effective against AES. As hacking techniques become more sophisticated, the resilience of AES to such attacks is a critical factor in its favor.

Speed and Efficiency

Despite its enhanced security, AES is surprisingly efficient. It's designed to execute quickly and requires less computational power. This means that in practical terms, MIFARE® AES-based keycards can offer both heightened security and faster processing times, enhancing user experience without compromising on safety.

Future-proofed Security

NXP’s implementation of AES in MIFARE® products is not just about current security; it’s also about future-proofing. With the evolving landscape of digital threats, having a system that adheres to a universally accepted standard like AES means it's more adaptable to future security enhancements. Furthermore, AES is used globally across various industries, ensuring compatibility and integration flexibility.

Sector-Specific Tailoring

MIFARE® AES-based keycards offer the ability to tailor security features to specific sectors. For instance, in high-security areas like government buildings, hotels or R&D labs, keycards can utilize the maximum encryption strength of AES. In contrast, less sensitive applications can opt for a lower encryption level, balancing security needs with cost and complexity.

Practical Implications of MIFARE® AES in Various Sectors

Corporate Security

In corporate environments, where access control and data security are paramount, the shift to MIFARE® AES can significantly reduce the risk of unauthorized access and data breaches. The enhanced encryption ensures that even if a card is lost or stolen, the data contained within remains secure.

Event Management

In the context of event management, such as festivals or conferences, MIFARE® AES keycards can provide a secure means of access control, payment, and identity verification, all while maintaining fast processing times to handle large crowds.

Hotel Access

(I’m going a little deeper into this one as those readers in the hotel industry know that ULC and AES are big talking points right now)

Using NXP MIFARE® Ultralight AES keycards for hotel access comes with several benefits, primarily revolving around security, convenience, and technology integration. Here are the key advantages:

I think it’s important at this stage to point out that a large portion (estimated 25%+) of the global hotel market is still using magstripe keycards for access. Magstripe, while a cheap access option, is known for its vulnerabilities – they are easy to clone, don’t employ encryption and have limited data storage. Magstripe cards also wear out fast, so while they are low cost, you’ll find you need more over time. Moving from magstripe to RFID will yield better security improvements than moving from one RFID type to another.

Conclusion

The transition from NXP MIFARE® Ultralight C to AES-based keycards represents a significant leap in security technology. By employing AES, these keycards not only meet current security standards but are also equipped to adapt to future advancements and threats. The question we should ask is, do we really need hotel access keys to offer the same level of encryption as our credit cards? In any case, organizations and industries looking to enhance their security infrastructure, adopting MIFARE® AES-based keycards is, for sure, a forward-thinking move. 

And, don’t worry, despite what you might have read or watched, the chances of someone breaking into your guest’s hotel room with a Flipper Zero is an unlikely scenario. And, with AES encryption deployed it is almost impossible. 

AUTHOR Craig Bennett - General Manager ID&C | March 2024