v7.0
6. Security with RFID/NFC at 13.56 MHz
The standard RFID ISO/IEC 14443-A cards have a UID with a length of 4 bytes, so there are 4,200 million different UIDs.
Besides, the A or B key has a length of 6 bytes. That means there are 2.8·10^14 different possible passwords.
These numbers, along with the three-pass authentication and the data integrity mechanisms, demonstrate RFID/NFC is a pretty
secure technology.
FAQs:
Q: Can I change the UID in a given card?
A: No, it is impossible. Block number 0, where the UID is stored, has read-only access. There are security reasons for this:
if block number 0 could be written, it would be possible to duplicate or forge cards.
Q: I heard that lately there are 7-byte UID cards, so there could exist a 7-byte UID card whose UID begins with the same
bytes as a standard 4-byte UID card. So the UID is not so “unique”. Is that true?
A: Yes, the manufacturers started producing cards with a UID of 7 bytes, and there could be a 7-byte UID whose first 4 bytes
are equal to those of a standard 4-byte card.
Q: So can I consider a 4-byte UID card as unique or not?
A: No, but there is just one possibility among thousands of millions that you find another card like yours.
Q: Can I order or select a specific UID for my card?
A: No, the cards’ UIDs are set in a random way.
Q: I do not know/remember the key for a certain block. Can I read or write in that block?
A: No, it is not possible to access a block unless we have authenticated to it. All cards are provided with both A and B keys
set by default to (0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF). If the user changes them, they must remember the change. The only
thing we can do without the keys of a card is to read its UID and ATQ.
Q: Are the RFID ISO/IEC 14443-A/Mifare® standards a 100% secure system?
A: No. Any security system has bugs that can be hacked. Besides, there are “security enhancer” integrated chips for RFID/NFC
that Libelium does not implement.
Q: Does Libelium recommend its RFID/NFC module for electronic money exchange?
A: No. The RFID/NFC module by Libelium is not intended for payment applications but for control of usage.
Q: Should I change the key to the cards?
A: Yes, you should if it is possible that someone is interested in reading or changing the stored information. Setting a new
key is a quick process and will ensure only the authorized agents can read or write the data. Avoid sharing or losing this
information.
We advise setting a random key. As a tip, it would be an even more secure system if each card had its own key (maybe
depending on its own UID).
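
One way to apply the per-card key tip above, as an added example (not Libelium's code): because the UID can be read without any key, the card key is derived from the UID together with a secret kept only on the reader or back end. HMAC-SHA256, the function names, and the sample UIDs are assumptions of this example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 6                      # A and B keys are 6 bytes long
DEFAULT_KEY = b"\xff" * KEY_LEN  # factory default named in the FAQ above


def new_master_secret() -> bytes:
    """Random 32-byte secret; stays on the reader/back end, never on a card."""
    return secrets.token_bytes(32)


def derive_card_key(master: bytes, uid: bytes, sector: int, key_type: str) -> bytes:
    """Derive the 6-byte key for one (card UID, sector, A/B) combination."""
    if len(master) < 16:
        raise ValueError("master secret too short")
    if len(uid) not in (4, 7):
        raise ValueError("expected a 4-byte or 7-byte UID")
    if key_type not in ("A", "B"):
        raise ValueError("key_type must be 'A' or 'B'")
    if not 0 <= sector <= 255:
        raise ValueError("sector out of range")
    # Length-prefix the UID so a 4-byte UID and a 7-byte UID that starts
    # with the same 4 bytes can never yield the same HMAC input.
    msg = bytes([len(uid)]) + uid + bytes([sector]) + key_type.encode()
    counter = 0
    while True:
        digest = hmac.new(master, msg + bytes([counter]), hashlib.sha256).digest()
        key = digest[:KEY_LEN]
        if key != DEFAULT_KEY:   # never hand out the factory default
            return key
        counter += 1


if __name__ == "__main__":
    master = new_master_secret()
    # Constructed sample UIDs, not read from real cards.
    for uid in (bytes.fromhex("04a1b2c3"), bytes.fromhex("04a1b2c3d4e5f6")):
        key_a = derive_card_key(master, uid, 1, "A")
        print(uid.hex(), "sector 1 key A:", key_a.hex())
```

The reader recomputes the key from the UID it has just read, so no per-card key table has to be stored; losing the master secret exposes every card's keys.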