The Security Level (SL) concept of NXP’s MIFARE Plus EV2 IC allows for a step-by-step upgrade of the system’s security by switching only certain applications to a higher security level. The highest security level, SL3, offers support for AES-128 based secure messaging and thus helps to prove authenticity, confidentiality and integrity of transactions.
MIFARE Plus EV2 – SECURITY LEVEL 3 CAPABILITIES
UPGRADE YOUR SYSTEM'S SECURITY
• Authenticity, confidentiality and integrity based on AES-128
• Virtual Card concept for use in smartphone-based installations
• ISO7816 APDU format support
• Security Level 3 offers support for AES-128 based secure messaging, to provide authenticity, confidentiality and integrity to every transaction
• Once a MIFARE Plus EV2 product-based card is switched to SL3, it also offers support for the Virtual Card Architecture concept, which helps to manage a MIFARE Plus EV2 product-based card in a multi-application environment, designed e.g. for mobile phones that perform contactless transactions and hold more than one “virtual card”
− A MIFARE Plus EV2 product-based card acts as a single “virtual card”, but supports the command infrastructure necessary to be indistinguishable from a multi-VC mobile phone, maintaining privacy for the card holder
• In SL3, the MIFARE Plus EV2 supports ISO7816-4 compliant VC selection (ISOSelect), compliant with the Java Card and GlobalPlatform standards
SECURE MESSAGING
• Security Level switch is done through an AuthenticateFirst command targeting Block 9003h (SL3SwitchKey)
• A switch to SL3 disables the use of CRYPTO-1 completely (the switch is one-way: a card cannot be returned to a lower security level)
− Data and memory architecture of the card does not change at all – the Block/Sector based memory model stays the same
• The memory space originally used for CRYPTO-1 keys can now be used as additional user memory (+11 bytes per sector)
− AES keys are stored outside the User Memory
• Plain or encrypted data access can be defined per Block
• Transaction management with session keys is possible via AuthenticateFirst and AuthenticateNonFirst
• Several options for read commands
− MAC on command
− MAC on response
− Data encrypted or plain
• Several options for write/value commands
− MAC on command
− MAC on response
− Data is always encrypted
• Additional features (TMAC, Transaction Timer, multi-block read/write, VCA) can be used
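The following is an added worked model of the SL3 secure-messaging pattern listed above (a transaction session established by AuthenticateFirst, MAC on command, MAC on response, encrypted read data, lock-step counters). It is example code written for this page, not NXP's code and not the MIFARE Plus EV2 wire format: HMAC-SHA256 stands in for AES-CMAC, and the session-key derivation, IV construction, command and status bytes, 8-byte MAC truncation, sample key, nonces, TI and block content are all constructed for illustration. What it does show is why each element is there: the TI and the read counter go into every MAC, so a replayed reply fails; the response MAC covers the ciphertext, so a flipped byte is rejected before anything is decrypted; and the card refuses a command whose MAC does not verify without returning data or advancing its counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ASSUMPTIONS: HMAC-SHA256 stands in for AES-CMAC; KDF, IV, command/status bytes and MAC truncation are illustrative, not NXP's.
const cmdRead, stOK, stAuthErr byte = 0x31, 0x90, 0x0E

// Shared reader/card state once AuthenticateFirst has completed.
type session struct {
	ti         [4]byte // transaction identifier, fixed for the whole transaction
	rCtr       uint16  // read counter, stepped in lock-step by reader and card
	kEnc, kMac []byte  // session keys: one for confidentiality, one for integrity
}

func prf(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func newSession(key, rndA, rndB []byte, ti [4]byte) *session {
	n := append(append([]byte{}, rndA...), rndB...) // nonces exchanged in AuthenticateFirst
	return &session{ti: ti, kEnc: prf(key, append([]byte{0x11}, n...))[:16],
		kMac: prf(key, append([]byte{0x22}, n...))[:16]}
}

// hdr binds a MAC or IV to the command byte, the transaction (TI) and the counter.
func (s *session) hdr(cmd byte, ctr uint16) []byte {
	return append([]byte{cmd, byte(ctr), byte(ctr >> 8)}, s.ti[:]...)
}

func (s *session) mac8(msg []byte) []byte { return prf(s.kMac, msg)[:8] } // truncated MAC on the wire

func (s *session) crypt(ctr uint16, data []byte) []byte { // CTR mode: one call encrypts and decrypts
	blk, _ := aes.NewCipher(s.kEnc)
	iv := make([]byte, 16)
	copy(iv, s.hdr(cmdRead, ctr))
	blk.Encrypt(iv, iv) // per-frame IV from TI and counter: never reused within a session
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out
}

// readCmd: reader side of a "MAC on command" read of one block.
func (s *session) readCmd(block uint16) []byte {
	f := []byte{cmdRead, byte(block), byte(block >> 8), 1} // cmd || blockNr || count
	return append(f, s.mac8(append(s.hdr(cmdRead, s.rCtr), f[1:]...))...)
}

// handleRead: card side; mem is a constructed block memory, not a real card.
func handleRead(mem map[uint16][]byte, s *session, f []byte) []byte {
	if len(f) != 12 || !hmac.Equal(f[4:], s.mac8(append(s.hdr(cmdRead, s.rCtr), f[1:4]...))) {
		return []byte{stAuthErr} // bad or replayed command MAC: no data leaves the card
	}
	s.rCtr++ // stepped before the reply, so the reply MAC is bound to this exchange
	enc := s.crypt(s.rCtr, mem[binary.LittleEndian.Uint16(f[1:3])])
	return append(append([]byte{stOK}, enc...), s.mac8(append(s.hdr(stOK, s.rCtr), enc...))...)
}

// parseRead: reader side; "MAC on response" is checked before anything is decrypted.
func (s *session) parseRead(r []byte) ([]byte, error) {
	if len(r) != 25 || r[0] != stOK {
		return nil, fmt.Errorf("card refused or short reply: % x", r)
	}
	s.rCtr++
	if !hmac.Equal(r[17:], s.mac8(append(s.hdr(stOK, s.rCtr), r[1:17]...))) {
		return nil, errors.New("response MAC mismatch: tampered or replayed frame")
	}
	return s.crypt(s.rCtr, r[1:17]), nil
}

// demo: one honest read, then a tampered and a replayed reply (all inputs are constructed).
func demo() (plain string, tamperErr, replayErr error) {
	key := []byte("sample-card-key!")
	rndA, rndB, ti := []byte("reader-nonce-16B"), []byte("card-nonce-16-B!"), [4]byte{0xDE, 0xAD, 0xBE, 0xEF}
	rd, cd := newSession(key, rndA, rndB, ti), newSession(key, rndA, rndB, ti)
	mem := map[uint16][]byte{4: []byte("balance=00000042")}
	good := handleRead(mem, cd, rd.readCmd(4))
	data, err := rd.parseRead(good)
	if err != nil {
		return "", err, err
	}
	bad := handleRead(mem, cd, rd.readCmd(4))
	bad[5] ^= 0x01 // attacker flips one ciphertext byte in transit
	_, tamperErr = rd.parseRead(bad)
	_, replayErr = rd.parseRead(good) // attacker replays the earlier valid reply
	return string(data), tamperErr, replayErr
}

func main() {
	p, t, r := demo()
	fmt.Printf("read back %q\ntampered reply: %v\nreplayed reply: %v\n", p, t, r)
}
```

`go run` prints the recovered block content followed by the two rejection errors. A write in this model takes the same shape keyed to a write counter, with the block data always encrypted, as the slide states for write and value commands.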
ISO/IEC 7816-4 VIRTUAL CARD ARCHITECTURE
• MIFARE Plus EV2 supports ISOSelect and is compliant with the Java Card and GlobalPlatform mechanisms
• Using MIFARE Plus EV2 in Security Level 3 with ISO/IEC 7816-4 wrapped communication frames supports mobile operation
[Figure: VC concept using an ISO/IEC 7816-4 compliant selection method, enabling smartphone support in infrastructures (transit pass example)]
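As an added example (not from the page and not NXP's implementation), the ISO/IEC 7816-4 SELECT-by-DF-name exchange that ISOSelect is compliant with, written in Go: the reader encodes SELECT (CLA 00, INS A4, P1 04), and a modelled holder answers 9000 with an FCI template for an AID it holds and 6A82 for one it does not, whether it holds one virtual card or several. The AIDs, the one-VC card, the two-VC phone and the FCI contents are constructed placeholders.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Constructed placeholder AIDs (not real registered AIDs): a phone holding two virtual
// cards, and a MIFARE Plus EV2 based card that holds exactly one of them.
var (
	aidTransit = []byte{0xA0, 0x00, 0x00, 0x01, 0x51, 0x00, 0x00}
	aidAccess  = []byte{0xD2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01}
	phoneVCs   = [][]byte{aidTransit, aidAccess}
	cardVCs    = [][]byte{aidTransit}
)

// SelectByDFName encodes ISO/IEC 7816-4 SELECT: CLA 00, INS A4, P1 04 (select by DF
// name/AID), P2 00 (first occurrence, return FCI), short Lc, the AID, Le 00.
func SelectByDFName(aid []byte) ([]byte, error) {
	if len(aid) < 5 || len(aid) > 16 {
		return nil, errors.New("AID must be 5..16 bytes")
	}
	apdu := []byte{0x00, 0xA4, 0x04, 0x00, byte(len(aid))}
	return append(append(apdu, aid...), 0x00), nil
}

// HandleSelect models the ISOSelect handler of whatever holds the listed VCs. A match
// returns an FCI template (6F wrapping DF name 84) and SW 9000; an AID that is not held
// gets 6A82 (file or application not found) regardless of how many VCs are present.
func HandleSelect(held [][]byte, apdu []byte) []byte {
	if len(apdu) < 6 || apdu[1] != 0xA4 || apdu[2] != 0x04 || apdu[3] != 0x00 {
		return []byte{0x6A, 0x86} // incorrect parameters P1-P2 (or malformed header)
	}
	lc := int(apdu[4])
	if len(apdu) < 5+lc {
		return []byte{0x67, 0x00} // wrong length
	}
	aid := apdu[5 : 5+lc]
	for _, h := range held {
		if bytes.Equal(h, aid) {
			fci := append([]byte{0x84, byte(len(h))}, h...)
			fci = append([]byte{0x6F, byte(len(fci))}, fci...)
			return append(fci, 0x90, 0x00)
		}
	}
	return []byte{0x6A, 0x82}
}

// ParseResponse splits an R-APDU into data and status word; any SW other than 9000 is an error.
func ParseResponse(r []byte) (data []byte, sw uint16, err error) {
	if len(r) < 2 {
		return nil, 0, errors.New("short response")
	}
	sw = uint16(r[len(r)-2])<<8 | uint16(r[len(r)-1])
	if data = r[:len(r)-2]; sw != 0x9000 {
		err = fmt.Errorf("SELECT failed, SW=%04X", sw)
	}
	return data, sw, err
}

func main() {
	for _, aid := range [][]byte{aidTransit, aidAccess} {
		apdu, _ := SelectByDFName(aid)
		for name, held := range map[string][][]byte{"phone": phoneVCs, "card": cardVCs} {
			data, sw, err := ParseResponse(HandleSelect(held, apdu))
			fmt.Printf("%-5s SELECT % X -> SW %04X data % X err=%v\n", name, aid, sw, data, err)
		}
	}
}
```

Selecting the access-control AID against the single-VC card and against a phone that lacks it gives the same 6A82, which is the property the slides describe: the responder's answers do not reveal how many virtual cards sit behind the interface.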
MORE INFORMATION ABOUT MIFARE Plus EV2

Item                                                                        Number   Availability
Datasheet - MIFARE Plus EV2                                                 DS5223   NXP DocStore (confidential)
Application Note - MIFARE Plus EV2 Features and Hints                       AN5762   NXP DocStore (confidential)
Application Note - MIFARE Plus EV2 personalization commands                 AN5763   NXP DocStore (confidential)
Application Note - Card coil design notes for MIFARE Plus EV2               AN5759   NXP DocStore (confidential)
Application Note - Comparison between MIFARE Plus EV2 and previous types    AN5760   NXP DocStore (confidential)
Application Note - Originality Signature Validation                         AN5764   NXP DocStore (confidential)
RFID Discover Software                                                      SW1866   NXP DocStore (confidential)
NXP Reader Library (Windows based)                                          SW1717   NXP DocStore (confidential)