Fact-checked by Grok 2 weeks ago

Crypto-1

Crypto-1 is a developed by for use in the Classic family of contactless smart cards, providing mutual authentication and data confidentiality through a 48-bit symmetric key mechanism. It operates as a based on a single 48-bit (LFSR) with a specific primitive polynomial of degree 48, outputting one bit per clock cycle to generate a keystream for encrypting communications between the card and reader. The cipher was designed for low-power RFID applications, such as public transportation ticketing (e.g., London's , Netherlands' , and Boston's ) and systems, where Classic cards store data in 16 sectors, each protected by two 48-bit s (A and B) that control read/write permissions. in Crypto-1 follows a challenge-response : the reader sends a 32-bit , the card responds with an encrypted 32-bit nonce using the shared key, and subsequent data exchanges are XORed with the keystream derived from both nonces. The implementation is highly efficient, requiring approximately 400 two-input equivalents, making it suitable for embedded hardware in passive RFID tags operating at 13.56 MHz. Despite its widespread deployment—estimated in billions of cards—Crypto-1's secrecy was compromised through reverse-engineering efforts combining physical chip analysis (via optical and delayering) and cryptanalytic tracing, fully disclosing its internal structure by . Key vulnerabilities include a weak 16-bit in the , enabling nested attacks, and linear weaknesses in the filter function that allow algebraic recovery of the internal state with modest computational resources (e.g., brute-force search in under 50 minutes using FPGAs). These flaws have led to practical attacks, such as dark-side attacks exploiting unencrypted reader-card handshakes and offline recovery via tables, rendering legacy Classic systems insecure for high-stakes applications. NXP responded by introducing hardened variants and successors like Plus and DESFire, which incorporate stronger ciphers such as .

Overview

Description

Crypto-1 is a proprietary and developed by for securing low-cost RFID systems. It was designed to enable between a reader and a , such as a , in applications requiring secure wireless communication. The protocol operates within resource-constrained environments, prioritizing simplicity and efficiency for embedded devices. At its core, Crypto-1 employs a 48-bit secret key to initialize its internal state. Keystream generation relies on a 48-bit linear feedback shift register (LFSR) with a nonlinear output filter, which produce pseudorandom bits through algebraic operations over GF(2). The output keystream consists of 1 bit per clock cycle, filtered nonlinearly from the register states to ensure unpredictability. This design integrates with a challenge-response mechanism, where challenges are encrypted using the generated keystream to verify authenticity. Following successful , the shifts to encrypting subsequent commands and exchanges, protecting in the communication channel. It finds primary application in systems like Classic cards for and ticketing.

Applications

Crypto-1 is primarily deployed in the Classic family of RFID contactless smart cards, which were launched by Semiconductors (now ) in 1994 for applications in and micropayments. These cards utilize Crypto-1 as a to provide and in short-range communications. Notable implementations include public transportation systems such as London's , the Boston MBTA's , and the ' OV-chipkaart, as well as various systems like hotel key cards and campus identification badges. In these systems, Crypto-1 enables secure, contactless transactions by protecting data exchange between the card and reader during fare collection or entry authorization. The cipher is integrated into cards compliant with the ISO/IEC 14443 Type A standard, which supports proximity communication at 13.56 MHz with a typical read range of up to 10 cm. This standard facilitates interoperability in global RFID ecosystems, allowing MIFARE Classic cards to function in diverse reader infrastructures without proprietary modifications. Within MIFARE Classic cards, Crypto-1 secures individual memory sectors, each of which is protected by a unique 48-bit key for read and write operations, ensuring that only authorized readers can access or modify stored data such as user balances or access permissions. This sector-based protection model supports segmented data management, where different applications on the same card can use independent keys. By 2008, over 200 million MIFARE Classic cards were in active use worldwide, representing approximately 85% of the market and establishing Crypto-1 as one of the most extensively deployed RFID mechanisms. Cumulative exceeded 3.5 billion units by the mid-2010s, underscoring its widespread adoption in transit and access systems despite subsequent security enhancements in newer card variants.

History

Development

Crypto-1 was developed in the early by Semiconductors, the predecessor to , as a core component of the product line for contactless RFID systems. Introduced alongside the MIFARE Classic series in 1994, the was designed to enable secure, affordable and data protection in resource-constrained environments. The primary motivations for Crypto-1's design centered on creating a lightweight suitable for battery-less, low-power transponders that operate via with readers. This addressed the need for mass-market applications such as ticketing and , where cost and simplicity were paramount over advanced security features, allowing implementation with approximately 400 two-input equivalents for minimal hardware footprint. The cipher was initially embedded in the microcontrollers of Classic 1K and 4K cards, which provided 1 and 4 kilobytes of memory, respectively, facilitating widespread adoption in proximity-based systems. During development, Crypto-1 was maintained as a proprietary "" algorithm, with no public specifications released to preserve its and hardware obfuscation. Key design choices, such as the 48-bit key length, prioritized cost-efficiency and hardware simplicity over higher margins, under the assumption that the physical proximity required for RFID interactions would limit practical attacks. This approach enabled low production costs, positioning cards at around 0.5 euros each, far below alternatives employing stronger ciphers like .

Publication and Disclosure

The Crypto-1 , integral to the Classic contactless smart cards, was developed by Semiconductors (now ) and maintained under proprietary secrecy since the cards' introduction in 1994, with no cryptographic during this 14-year period. This approach relied on security by obscurity, a practice that became central to subsequent debates following the cipher's exposure. The full algorithm was first publicly disclosed through the presentation of the paper "Dismantling MIFARE Classic" at the 13th European Symposium on Research in (ESORICS 2008) in Malaga, , by a team of researchers from Radboud University's Digital Security Group in the , including Flavio D. Garcia and Roel Verdult. The team achieved this by reverse-engineering the via side-channel attacks on exposed MIFARE Classic chips, extracting its complete structure after months of analysis starting in 2007. Prior to publication, NXP sought to suppress the research through legal action, filing for a in a district on July 10, 2008, against Radboud University and its dean Bart Jacobs to prevent release of the details; the denied the on July 18, 2008, citing freedom of scientific expression and ruling that the potential harm did not outweigh . This ruling intensified discussions on the risks of and the value of open security analysis. In the aftermath, NXP faced mounting pressure from the research community and affected systems worldwide, leading to the of a partial for the MIFARE Classic in , which detailed the card's and but omitted full internals of the Crypto-1 , now publicly known. This marked a partial shift from complete secrecy to limited transparency, though the company continued to emphasize to more secure alternatives amid ongoing vulnerabilities. The events underscored a broader transition in RFID security from closed to scrutinized designs, influencing industry practices for proprietary algorithms.

Technical Description

Architecture

Crypto-1 features a hybrid design centered on a 48-bit linear feedback shift register (LFSR) that maintains the internal state, combined with a nonlinear filter function to generate the keystream and introduce essential nonlinearity. The LFSR operates with a primitive generating polynomial of degree 48, defined as x^{48} + x^{43} + x^{39} + x^{38} + x^{36} + x^{34} + x^{33} + x^{31} + x^{29} + x^{24} + x^{23} + x^{21} + x^{19} + x^{13} + x^{9} + x^{7} + x^{6} + x^{5} + 1, featuring taps at bits 0, 5, 6, 7, 9, 13, 19, 21, 23, 24, 29, 31, 33, 34, 36, 38, 39, and 43 (0-indexed from the least significant bit). This configuration ensures a maximum period of $2^{48} - 1, providing a long sequence before repetition. The LFSR advances synchronously on each clock cycle at approximately 106 kHz, shifting the bits toward the output end while computing the new input bit as the XOR of the tapped positions to maintain in the evolution. The then processes subsets of the 48-bit to produce one keystream bit per cycle, using nonlinear applied to selected groups of four bits, consisting of five such producing intermediate bits that are combined by a further nonlinear to yield a output that resists linear approximations and attacks. This ensures the overall keystream is nonlinear despite the linear . In operation, the full 48-bit LFSR state serves as the core component, clocked uniformly to evolve the without asynchronous elements. For , the reader and card derive a shared from a 48-bit master key, initializing the LFSR with concatenated key and values (including the card's unique ) in a mutual challenge-response compliant with ISO 9798-2, where the generates encrypted responses to verify legitimacy.

Key Schedule and Initialization

In Crypto-1, key diversification generates a unique 48-bit sector key from a 48-bit master key through a that incorporates the card's 4-byte (UID) to ensure per-card uniqueness and mitigate risks from key sharing across devices. This approach binds the derived keys to the hardware-specific UID, making it difficult for cloned cards without the original UID to authenticate successfully. The process follows a three-pass challenge-response protocol compliant with ISO 9798-2, establishing a shared session for . The reader begins by transmitting an authentication command that specifies the target sector and the type (A or B, both 48-bit). The card generates and sends a 32-bit (denoted as N_t) in response, which serves as the initial challenge. The reader then encrypts and transmits its own 32-bit nonce (N_r) along with a of the card's nonce, using the emerging session keystream; the card verifies this and replies with an encrypted of the reader's nonce to complete . This exchange ensures both parties possess the correct sector without directly transmitting it. Initialization of the cipher uses the 32-bit card as an (), combined with the sector to set the internal registers. The 48-bit is loaded into the LFSR according to a fixed bit (e.g., key bit 0 to LFSR 47, and subsequent bits to other fixed locations). The initial for the session is obtained by clocking the LFSR 32 times while shifting in the 32-bit card bits sequentially; a similar process incorporates the reader's after to synchronize the . The component draws from this LFSR for output generation. Reverse-engineering has revealed the specific bit used in this loading to prepare the starting . The LFSR and are thus loaded in tandem to prepare for keystream production. Session key generation produces a temporary keystream from the initialized registers, clocked forward to encrypt subsequent messages via bitwise XOR. This keystream evolves with each by incorporating fresh , ensuring uniqueness per session and resistance to replay attacks through nonce non-repetition. The process binds the session to the specific authentication exchange, limiting exposure if intercepted.

Stream Generation

The stream generation in Crypto-1 relies on a 48-bit linear feedback shift register (LFSR) whose state is updated each clock cycle to produce the internal sequence, with a nonlinear filter applied to generate the output keystream bits. The LFSR advances by shifting its contents one position to the left, replacing the least significant bit with a feedback bit computed as the parity (XOR) of specific state bits defined by the primitive feedback polynomial g(x) = x^{48} + x^{43} + x^{39} + x^{38} + x^{36} + x^{34} + x^{33} + x^{31} + x^{29} + x^{24} + x^{23} + x^{21} + x^{19} + x^{13} + x^9 + x^7 + x^6 + x^5 + 1. This polynomial ensures a maximum period of $2^{48} - 1 states, providing a long pseudorandom sequence from the initial key-derived state. The keystream bit z_k at each step k is produced by a two-layer nonlinear filter function f applied to 20 selected bits from the current LFSR state, specifically at odd positions starting from bit 9: z_k = f(r_{k+9}, r_{k+11}, r_{k+13}, \dots, r_{k+47}), where r denotes the LFSR bits. The first layer consists of five functions on disjoint 4-bit subsets of these 20 bits—two using the truth table encoded as $0x26c7 and three using $0x0dd3—yielding five intermediate bits. These five bits then feed into a second-layer with truth table $0x4457c3b3, producing the final keystream bit z_k. This structure introduces nonlinearity to decorrelate the linear LFSR output from the keystream, aiming to enhance . In encryption mode, the generated keystream is XORed bit-by-bit with data, such as commands or read/write payloads, typically processed in 8-byte blocks to maintain compatibility. The tag and reader synchronize their LFSR states during , ensuring matching keystreams for confidentiality in subsequent operations. Theoretically, Crypto-1 generates one keystream bit per clock cycle of the LFSR, but practical throughput is constrained by the underlying ISO/IEC 14443 RFID 's data rate of approximately 106 kbps.

Cryptanalysis

Initial Breaks

The initial major cryptanalytic breaks of Crypto-1 occurred in , led by researchers from the Digital Security group at , including Flavio D. Garcia and Peter van Rossum. These attacks exploited weaknesses in the and the stream cipher's structure, combining protocol manipulations with offline computations to recover the full 48-bit keys. The methods relied on or interacting with the card during to obtain traces, followed by efficient key recovery algorithms that revealed the cipher's internal state. One key approach was the nested , which used repeated authentication sessions to induce protocol "faults" by interrupting or timing out communications, allowing recovery of partial keystreams from the nonlinear feedback (NLFSR) component. This was combined with targeting the (LFSR), where approximations of the filter function enabled reconstruction of the LFSR state from observed bits. By correlating outputs from both registers, the full internal state could be recovered offline in under a minute on standard hardware, with the attack requiring only a few authentication traces obtained via side-channel means such as electromagnetic emissions or power consumption leaks during card-reader interactions. The full disclosure came in the publication "Dismantling MIFARE Classic" by Garcia et al., detailing two complementary s: the nested method, which involved precomputing tables for partial states (taking 4-8 hours once) and recovering keys in about 2 minutes using roughly 4096 sessions, and a pure linear that avoided precomputation, cracking keys in under 40 milliseconds with tables of about 2^19 entries each. The overall complexity for key search was approximately 2^20 operations, exploiting correlations between the linear and nonlinear parts of the . These techniques allowed complete key recovery without physical tampering, using only interactions. Practically, the attacks enabled cloning of MIFARE Classic cards using inexpensive equipment, such as a Proxmark3 reader costing around $200, by on legitimate authentications and performing offline analysis. This was demonstrated live at the 25th (25C3) in December 2008, where researchers showed real-time card cloning, highlighting vulnerabilities in widespread applications like ticketing and . The breaks underscored Crypto-1's insecurity, as even brief proximity to a card during use sufficed for compromise.

Subsequent Attacks

Following the initial breaks of Crypto-1 in 2008–2009, researchers developed attacks targeting patched and hardened variants of Classic cards, which incorporated mitigations such as diversified and removal of exploitable parity bits. In , Ding et al. presented a card-only on patched Classic implementations, such as the 2.0, using a combination of algebraic and differential techniques. The derives equations from observed keystream bits during authentication attempts and solves them using SAT solvers and algorithms, recovering the 48-bit key despite the use of random, unpredictable . Computation time ranged from 2 to 15 minutes on a standard PC after collecting 10–20 hours of traces via repeated interactions, demonstrating practicality against implementations that fixed earlier nonce predictability issues. In 2015, and Verdult extended ciphertext-only to hardened Classic variants, including the EV1 revision, which eliminated known implementation flaws like leaked error codes and parity bits. Their approach exploits structural weaknesses in the Crypto-1 filter function through algebraic techniques and differential analysis, reducing the effective search space from 2^{48} to approximately 2^{30} operations when one sector is known (often obtainable via default keys or ). The attack requires only wireless on legitimate authentications and achieves full recovery in about 5 minutes on a single-core consumer , confirming the persistence of core vulnerabilities even in updated . Subsequent computational advances further accelerated key recovery for standard MIFARE Classic cards. Between 2010 and 2012, optimizations to nested attacks—building on the foundational 2009 method—leveraged to reduce offline computation times from minutes to seconds in favorable cases, enabling faster exploitation of nonce correlations during multi-sector authentications. By , Tezcan demonstrated a GPU-accelerated exploiting leaked parity bits in non-hardened cards, achieving key recovery in under 5 hours on a single GTX 970 GPU; for hardened variants lacking such leaks, the time extended to about 7 hours when assuming partial key knowledge. These improvements highlight how scaled existing cryptanalytic primitives, making attacks viable on commodity hardware. In 2024, Philippe Teuwen disclosed new vulnerabilities in the FM11RF08S chip, a Classic-compatible variant using Crypto-1, including a that compromises all user-defined keys and a static encrypted issue. The backdoor attack requires physical access to the card for a few minutes and allows full key recovery without prior knowledge, affecting variants like 0590 and 0598. Optimizations to nested attacks using the backdoor reduce recovery time by a factor of six. This finding, as of August 2024, underscores ongoing risks in legacy and compatible implementations.

Legacy and Replacements

Security Statements

In response to the 2008 cryptanalysis revealing vulnerabilities in Crypto-1, NXP Semiconductors opposed the publication of the research, arguing it would enable criminal exploitation of security systems. A Dutch court ruled in favor of the researchers at Radboud University, permitting publication on grounds of freedom of speech and noting that any damage stemmed from the chip's design flaws rather than disclosure. Attacks published in 2015, including ciphertext-only on hardened Classic EV1 cards, demonstrated persistent weaknesses in Crypto-1 despite hardware updates. Further vulnerabilities were exposed in August 2024 through analysis of a static encrypted variant in Classic cards, allowing efficient key recovery. NXP positions Crypto-1-based cards as suitable only for low-risk legacy applications and recommends migration to AES-based alternatives like DESFire for modern deployments. As of 2025, NXP's product literature emphasizes deprecation of Crypto-1 for new designs due to demonstrated breaks enabling unauthorized access.

Migration Recommendations

NXP Semiconductors recommends transitioning away from the vulnerable Crypto-1 algorithm in Classic cards to more robust alternatives, primarily DESFire and Plus variants, which incorporate AES-128 or 3DES for , , and secure messaging. These solutions support seamless upgrades in existing infrastructures, such as public transit and , by maintaining in initial security levels while enabling a shift to higher protection through over-the-air updates or sector-wise migrations. DESFire, in particular, offers multi-application flexibility and EAL5+ certification, making it suitable for diverse deployments requiring long-term security. Instead, MIFARE Plus serves as a practical bridge, allowing operation in a Classic-compatible mode initially before upgrading to AES-128, with features like transaction-oriented anti-tear protection to prevent during concurrent reads. Key best practices for migration emphasize robust reader-side to diversify session keys across devices, preventing widespread compromise from single key leaks, alongside mandatory protocols using longer, unpredictable nonces to thwart replay and nesting attacks. System operators are advised to phase out legacy Crypto-1 cards progressively, aligning with broader timelines for quantum-resistant cryptography in critical infrastructures by 2030, as outlined in strategies. In the , regulatory pressures under GDPR further accelerate this shift by mandating enhanced data protection and privacy in RFID systems, promoting alternatives that support secure data transmission and minimize unauthorized tracking risks. For applications, NXP's NTAG series provides a lightweight, cost-effective option with AES-128 support and compatibility with Forum standards, facilitating integration in low-security scenarios like while encouraging upgrades from insecure deployments. Significant challenges arise in large-scale implementations, particularly public transit networks where millions of legacy cards are in circulation, requiring dual-mode readers and gradual card replacements to maintain service continuity without disrupting daily operations for billions of users.

References

  1. [1]
    Reverse-Engineering a Cryptographic RFID Tag - USENIX
    We reconstruct the cipher from the widely used Mifare Classic RFID tag by using a combination of image analysis of circuits and protocol analysis. Our analysis ...
  2. [2]
    [PDF] Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic ...
    Abstract. MiFare Crypto 1 is a lightweight stream cipher used in Lon- don's Oyster card, Netherland's OV-Chipcard, US Boston's CharlieCard,.
  3. [3]
    Cryptanalysis of Hardened Mifare Classic Cards - Midnight Blue
    The Classic uses a proprietary stream cipher CRYPTO1 to provide confidentiality and mutual authentication between card and reader. However, once the cipher was ...
  4. [4]
    None
    ### Summary of Crypto-1 as a Stream Cipher and Authentication Protocol
  5. [5]
    [PDF] arXiv:0803.2285v2 [cs.CR] 26 Jun 2008
    Jun 26, 2008 · mifare Classic provides mutual authentication and data secrecy by means of the so called CRYPTO1 stream cipher. This cipher is a proprietary ...
  6. [6]
    The MIFARE Classic story - ScienceDirect.com
    The MIFARE Classic was introduced in 1994 by Philips (now NXP Semiconductors), and is one of the most widely deployed contactless smart cards.The Mifare Classic Story · The Rfid And Smart Card... · Mifare Classic Security...
  7. [7]
    MIFARE Classic - NXP Semiconductors
    Secure MIFARE Classic contactless smart card ICs enable fast, reliable transactions for transit ticketing, access control and micro-payment applications.
  8. [8]
    Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic ...
    MiFare Crypto 1 is a lightweight stream cipher used in Lon- don's Oyster card, Netherland's OV-Chipcard, US Boston's CharlieCard, and in numerous wireless ...
  9. [9]
    [PDF] MIFARE Classic EV1 1K - Mainstream contactless smart card IC for ...
    NXP Semiconductors has developed the MIFARE Classic EV1 contactless IC. MF1S50yyX/V1 to be used in a contactless smart card according to ISO/IEC 14443 Type.<|separator|>
  10. [10]
    [PDF] Security Flaw in MIFARE Classic
    Mar 12, 2008 · The card's memory is divided into sectors, each protected by two cryptographic keys. Proper key management is a subject in its own right.
  11. [11]
    [PDF] Dismantling MIFARE Classic - Semantic Scholar
    MIFARE Classic is a product family from NXP, with over 200 million cards in use, covering 85% of the contactless smart card market. It uses a 48-bit key ...<|separator|>
  12. [12]
    [PDF] Hacking Mifare Classic Cards - Black Hat
    Oct 21, 2014 · More than 3,5 billions cards was produced over the years and more than 200 millions still in use on systems today. Page 8. • In December of 2007 ...
  13. [13]
    Celebrating Innovation: 25 Years of MIFARE and “The New Normal”
    Aug 13, 2019 · MIFARE is an NXP innovation that started with transport ticketing, and now has over 40 applications, used by 1.2 billion people in 750 cities.
  14. [14]
    [PDF] The Fall of a Tiny Star - Flavio D. Garcia
    There was only one option left; to fully reverse-engineer the whole cipher. It was suspected that the Crypto-1 cipher would be similar to the one in the Hitag2 ...
  15. [15]
    Dismantling MIFARE Classic - SpringerLink
    Nohl, K., Evans, D., Starbug, Plötz, H.: Reverse-engineering a cryptographic ... Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds) Computer ...
  16. [16]
    Security Flaw in Mifare Classic
    Dec 11, 2008 · The manufacturer of the Mifare Classic, NXP, has tried to obtain a court injunction against publication. But the judge ruled against NXP on July ...
  17. [17]
    [PDF] Reverse-Engineering a Cryptographic RFID Tag - USENIX
    our hardware analysis gave us the whole Crypto-1 stream cipher, shown in Figure 2. The cipher is a single 48-bit linear feedback shift register. (LFSR). From ...
  18. [18]
    [PDF] Strengthening Crypto-1 Cipher Against Algebraic Attacks
    Crypto-1 uses a 48-bit LFSR and the generator polynomial of Crypto-1 is as shown in Eq. (1) [3]. g(x) = x48 + x43 + x39 + x38 + x36 + x34 + x33 + x31 + x29.
  19. [19]
    Keystream generation of CRYPTO 1 [1] - ResearchGate
    Download scientific diagram | Keystream generation of CRYPTO 1 [1] from publication: Cryptanalysis and Improving Variety of Weaknesses on MIFARE Classic ...
  20. [20]
    [PDF] AN10922 Symmetric key diversifications - NXP Semiconductors
    Jul 2, 2019 · If the keys are to be diversified per card, it is recommended to use for the diversification input at least the UID of the card concatenated ...
  21. [21]
    A Practical Attack on the MIFARE Classic
    A Practical Attack on the MIFARE Classic. 269 any sector of the memory of the card, provided that we know one memory block within this sector. After ...
  22. [22]
    None
    ### Summary of MIFARE Classic Crypto-1 Authentication Process
  23. [23]
    https://doi.org/10.1007/978-3-540-88313-5_7
  24. [24]
    [0803.2285] A Practical Attack on the MIFARE Classic - arXiv
    Mar 15, 2008 · View a PDF of the paper titled A Practical Attack on the MIFARE Classic, by Gerhard de Koning Gans and 2 other authors. View PDF. Abstract ...
  25. [25]
    [PDF] Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards
    Oct 7, 2015 · The Classic uses a proprietary stream cipher crypto1 to provide confidentiality and mutual authentication between card and reader. However ...
  26. [26]
    [PDF] Brute Force Cryptanalysis of MIFARE Classic Cards on GPU
    Figure 1: Structure of CRYPTO1 stream cipher. 1. Short key length: The key size of 48 bits is too small. Although the delay introduced by the com ...
  27. [27]
    Dutch courts OKs publishing how to hack NXP chip | Reuters
    Jul 18, 2008 · Dutch chipmaker NXP had argued it would make it easy for criminals to break into security systems and commit fraud in public transport if the ...
  28. [28]
    https://eprint.iacr.org/2024/1275
  29. [29]
    [PDF] AN12653 - NXP Semiconductors
    May 5, 2021 · This document provides tips for implementing an appropriate level of security in systems using contactless cards. Some of the suggested measures ...Missing: advisory 2010
  30. [30]
    [PDF] NXP MIFARE Plus SE Fact Sheet
    ▻ Anti-tearing mechanism for writing AES keys. ▻ Keys can be stored as MIFARE Crypto1 keys (2 x 48 bits per sector) and AES keys (2 x 128 bits per sector).<|separator|>
  31. [31]
    NXP card under fire - Electronic Payments International
    Aug 1, 2008 · This claim has brought a fierce reaction from Mifare Classics developer, Nether-lands-based NXP Semiconductors, which sought but failed to ...
  32. [32]
    MIFARE DESFire - NXP Semiconductors
    MIFARE DESFire are secure, microcontroller-based ICs using DES, 2K3DES, 3K3DES and AES for data security, used in contactless solutions.Missing: rating insecure
  33. [33]
    MIFARE Plus SE - NXP Semiconductors
    MIFARE Plus SE 1K contactless IC delivers AES-128 security, compatibility with MIFARE Classic, and seamless migration for transportation and access control.
  34. [34]
    MIFARE Plus EV2: Secure IC for Contactless Smart City Services
    The MIFARE Plus EV2 IC is designed to be both a gateway for new Smart City applications and a compelling upgrade, in terms of security and connectivity.
  35. [35]
    [PDF] MIFARE DESFire EV3 contactless multi-application IC
    Jan 11, 2024 · The main characteristics of this device are denoted by its name "DESFire": DES indicates the high level of security using a 3DES or AES hardware ...
  36. [36]
    How to choose RFID MIFARE chip? MIFARE S50? S70? Ultralight C?
    Jul 19, 2022 · MIFARE Classic chips are available in two versions: MIFARE Classic EV1 and MIFARE Classic EV2. The EV2 version offers enhanced security ...
  37. [37]
    [PDF] MIFARE Plus EV2 - NXP Semiconductors
    Aug 9, 2021 · MIFARE Plus EV2 is a secure, high-performance chip with enhanced security, AES encryption, and 70 pF input capacitance for various form factors.
  38. [38]
    MIFARE Plus - NXP Semiconductors
    The MIFARE Plus product family adds security to Smart City services by enabling a seamless migration of contactless infrastructures to higher security.
  39. [39]
    [PDF] MIFARE Ultralight AES contactless limited-use IC
    Mar 28, 2023 · To guarantee that the product is not manipulated during the delivery, NXP has defined three security measures: MF0AES_H_20. All information ...Missing: advisory | Show results with:advisory
  40. [40]
    EU begins coordinated effort for Member States to switch critical ...
    Jun 24, 2025 · EU begins coordinated effort for Member States to switch critical infrastructure to quantum-resistant encryption by 2030.
  41. [41]
    Impact of the new EU privacy regulation on RFID implementations in ...
    May 25, 2018 · There is an undeniable link between GDPR and RFID as the technology has the potential to link a specific purchased item to an individual person.Missing: quantum alternatives
  42. [42]
    NTAG | NFC Tags and Labels - NXP Semiconductors
    NTAG is a contactless technology for high-security/volume applications, used in IoT, with features like a 7-byte UID and AES-128 cryptography.NTAG 210/NTAG 212 · NTAG 424 DNA · NTAG Secure ServicesMissing: alternative MIFARE Classic
  43. [43]
    https://www.idemia.com/citygo-mifare-transport-product-range
  44. [44]
    CityGO MIFARE transport product range - IDEMIA
    They allow easy and cost-efficient migration from traditional paper tickets and magnetic stripe schemes to completely contactless systems. MIFARE Classic® is a ...
  45. [45]
    [PDF] Public Transport Automatic Fare Collection Interoperability
    cost of upgrading and integrating legacy systems. The age of legacy systems and their incumbent technology are key factors in the cost of upgrades. Each ...