Security with RFID/NFC at 13.56 MHz

The standard RFID ISO/IEC 14443-A cards have a UID with a length of 4 bytes, so there are 4,200 million different UIDs.

Besides, the A or B key has a length of 6 bytes. That means there are 2.8·10¹⁴ different possible passwords.

These numbers, along with the three-pass authentication and the data integrity mechanisms, demonstrate that RFID/NFC is a pretty secure technology.

FAQs:

Q: Can I change the UID in a given card? A: No, it is impossible. The block number 0, where the UID is stored, has read-only access. There are security reasons to do so: if the block number 0 could be written, it would be possible to duplicate or forge cards.

Q: I heard that lately there are 7-byte UID cards, so there could exist a 7-byte UID card whose UID begins with the same bytes as a standard 4-byte UID card. So the UID is not so "unique". Is that true? A: Yes, the manufacturers started producing cards with a UID of 7 bytes, and there could be a 7-byte UID whose first 4 bytes are equal to the ones in a standard 4-byte card.

Q: So can I consider a 4-byte UID card as unique or not? A: No, but there is just one chance in thousands of millions that you will find another card like yours.

Q: Can I order or select a specific UID for my card? A: No, the cards' UIDs are set in a random way.

Q: I do not know/remember the key for a certain block, can I read or write in that block? A: No, it is not possible to access a block unless we have authenticated ourselves to it. All cards are provided with both A and B keys set by default to (0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF). If the user changes them, they must remember the change. The only thing we can do without the keys of a card is to read its UID and ATQ.

Q: Are the RFID ISO/IEC 14443-A/Mifare® standards a 100% secure system? A: No. Any security system has bugs that can be exploited. Besides, there are "security enhancer" integrated chips for RFID/NFC that Libelium does not implement.

Q: Does Libelium recommend its RFID/NFC module for electronic money exchange? A: No. The RFID/NFC module by Libelium is not intended for payment applications but for control of usage.

Q: Should I change the key to the cards? A: Yes, you should if it is possible that someone is interested in reading or changing the stored information. Setting a new key is a quick process and will ensure only the authorized agents can read or write the data. Avoid sharing or losing this information.

We advise setting a random key. As a tip, the system would be even more secure if each card had its own key (maybe depending on its own UID).

Since each sector can have different access keys, note it is possible to store public data in certain sectors and private, protected data in other sectors. One example:

  • sector 2: personal, general info (key only known by all the institutions of the city council)

  • sector 3: city's transport info (key only known by the bus company)

  • sector 4: city's library info (key only known by the library)

  • sector 5: city's gym (key only known by the gym)

  • ...

On the other hand, if your system is just going to read UIDs, there is no point in changing keys.
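The per-card key tip and the per-sector key list above, as an added example (not Libelium's code): each institution holds its own master secret and derives the 6-byte key for its sector from the card's UID. The use of HMAC-SHA256 truncated to 6 bytes and the names `derive_sector_key` and `provision_card` are assumptions of this example; writing the keys to the card with the reader is not shown.

```python
import hashlib
import hmac
import secrets

DEFAULT_KEY = bytes([0xFF] * 6)  # factory default for keys A and B

def new_master_secret() -> bytes:
    """Random 32-byte secret held by one institution; it never goes on a card."""
    return secrets.token_bytes(32)

def derive_sector_key(master: bytes, uid: bytes, sector: int, key_type: str) -> bytes:
    """Derive the 6-byte key A or B for one sector of one card (assumed scheme)."""
    if len(uid) not in (4, 7):
        raise ValueError("UID must be 4 or 7 bytes long")
    if key_type not in ("A", "B") or not 0 <= sector <= 255:
        raise ValueError("bad key type or sector number")
    counter = 0
    while True:
        # The UID length is part of the input, so a 7-byte UID that starts with
        # the same 4 bytes as a 4-byte UID still gets an unrelated key.
        msg = bytes([len(uid)]) + uid + bytes([sector, counter]) + key_type.encode()
        key = hmac.new(master, msg, hashlib.sha256).digest()[:6]
        if key != DEFAULT_KEY:  # never hand out the factory default
            return key
        counter += 1

def provision_card(uid: bytes, sector_owners: dict) -> dict:
    """Map each sector to (key A, key B), derived from its owner's secret."""
    return {
        sector: (derive_sector_key(master, uid, sector, "A"),
                 derive_sector_key(master, uid, sector, "B"))
        for sector, master in sector_owners.items()
    }

if __name__ == "__main__":
    # Constructed sample: one secret per institution, as in the sector list above.
    council, bus, library = (new_master_secret() for _ in range(3))
    owners = {2: council, 3: bus, 4: library}
    for uid in (bytes.fromhex("04a1b2c3"), bytes.fromhex("04a1b2c3d4e5f6")):
        for sector, (key_a, key_b) in provision_card(uid, owners).items():
            print(uid.hex(), sector, key_a.hex(), key_b.hex())
```

With this layout a reader only needs its institution's master secret and the UID it has just read to recompute the key, so no per-card key database is required.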