KSEC Tagbase

Our RFID & NFC Knowledge Base

Version 1.3.1

Mifare 4K

Mifare 4K Cards,  ISO Standard Mifare 4K Smart Cards High Quality with Low Prices. Mifare ISO 14443A Module Blank White PVC Cards,MIFARE 4K  Full Color Offset Printing Cards, MIFARE 4K Silk Screen Printing Cards,  Mifare Classic contactless card with 4K bytes EEPROM that complies with ISO 14443A .

MIFARE Classic 4K opens up many new service opportunities by enabling public transport authorities to implement multi-modal systems. It might be used for a combination of contactless e-commerce and e-business applications on one single MIFARE smart card.

From May 2010 onwards, a MIFARE Classic 4K variant is also available with a 7 Byte UID. For future outlook regarding the 4 Byte UIDs see 4-7Byte UID.

Key applications:
Public transportation.
Access management.
Key features:
4 Kbyte EEPROM (3480 Byte free available).
Unique serial number (4 Byte and 7 Byte).
40 securely separated sectors supporting multi-application.
32 sectors consist of 4 blocks with a length of 16 Byte:8 sectors consist of 16 blocks with a length of 16 Byte,2 x 48 bit keys per sector for key hierarchy.
Access conditions free configurable based on 2 keys.
Number of single write operations: 100.000.
Data retention: 10 years.

Block description (Mifare Classic 4K S70):
The MF1ICS70 chip consists of the 4 Kbytes EEPROM, the RF-Interface and the Digital Control Unit. Energy and data are transferred via an antenna, which consists of a coil with a few turns directly connected to the MF1IC 70. No further external components are necessary.

RF-Interface (Mifare Classic 4K S70):
-Clock Regenerator.
-Power On Reset.
-Voltage Regulator.

Anticollision (Mifare Classic 4K S70): Several cards in the field may be selected and operated in sequence.

Authentication (Mifare Classic 4K S70): Preceding any memory operation the authentication procedure ensures that access to a block is only possible via the two keys specified for each block.

Control & Arithmetic Logic Unit (Mifare Classic 4K S70): Values are stored in a special redundant format and can be incremented and decremented ? EEPROM-Interface.

Crypto unit (Mifare Classic 4K S70): The CRYPTO1 stream cipher of the MF1ICS70 is used for authentication and encryption of data exchange.

EEPROM (Mifare Classic 4K S70): 4 Kbytes are organised in 32 sectors with 4 blocks each and 8 sectors with 16 blocks each. One block contains 16 bytes. The last block of each sector is called “sector trailer”, which contains two seet keys and programmable access conditions for each sector.

Communication principle (Mifare Classic 4K S70):
The commands are initiated by the reader and controlled by the Digital Control Unit of the MF1ICS70 according to the access conditions valid for the corresponding sector.

Request standard/all (Mifare Classic 4K S70):
After Power On Reset (POR) of a card it can answer to a request command – sent by the reader to all cards in the antenna field – by sending the answer to request code (ATQA according to ISO/IEC 14443A).

Anticollision loop (Mifare Classic 4K S70):
In the anticollision loop the serial number of a card is read. If there are several cards in the operating range of the reader, they can be distinguished by their unique serial numbers and one can be selected (select card) for further transactions. The unselected cards return to the standby mode and wait for a new request command.

Select card (Mifare Classic 4K S70):
With the select card command the reader selects one individual card for authentication and memory related operations. The card returns the Answer To Select (ATS) code (=18h), which determines the type of the selected card.

Three pass authentication (Mifare Classic 4K S70):
After selection of a card the reader specifies the memory location of the following memory access and uses the corresponding key for the three pass authentication procedure. After a successful authentication all memory operations are encrypted.

Memory operations (Mifare Classic 4K S70):
After authentication any of the following operations may be performed:
-Read block.
-Write block.
-Decrement: Decrements the content of a block and stores the result in a temporary internal data-register.
-Increment: Increments the content of a block and stores the result in the data-register.
-Restore: Moves the content of a block into the data-register.
-Transfer: Writes the content of the temporary internal data-register to a value block.

Data integrity (Mifare Classic 4K S70):
Following mechanisms are implemented in the contactless communication link between reader and card to ensure very reliable data transmission:
-16 bits CRC per block.
-Parity bits for each byte.
-Bit count checking.
-Bit coding to distinguish between “1″, “0″, and no information.
-Channel monitoring (protocol sequence and bit stream analysis).

Three pass authentication sequence (Mifare Classic 4K S70):
1.The reader specifies the sector to be accessed and chooses key A or B.
2.The card reads the secret key and the access conditions from the sector trailer. Then the card sends a random number as the challenge to the reader (pass one).
3.The reader calculates the response using the secret key and additional input. The response, together with a random challenge from the reader, is then transmitted to the card (pass two).
4.The card verifies the response of the reader by comparing it with its own challenge and then it calculates the response to the challenge and transmits it (pass three).
5.The reader verifies the response of the card by comparing it to its own challenge.

After transmission of the first random challenge the communication between card and reader is encrypted.

RF interface (Mifare Classic 4K S70):
The RF-interface is according to the standard for contactless smart cards ISO/IEC14443A.

The carrier field from the reader is always present (with short pauses when transmitting), because it is used for the power supply of the card.
For both directions of data communication there is only one start bit at the beginning of each frame. Each byte is transmitted with a parity bit (odd parity) at the end. The LSB of the byte with the lowest address of the selected block is transmitted first. The maximum frame length is 163 bits (16 data bytes + 2 CRC bytes = 16 * 9 + 2 * 9 + 1 start bit).

Memory organization (Mifare Classic 4K S70):
The 4 kByte EEPROM memory is organised in 32 sectors with 4 blocks and in 8 sectors with 16 blocks. One block consists of 16 bytes. In the erased state the EEPROM cells are read as a logical “0″, in thwritten state as a logical “1″.

Manufacturer block (Mifare Classic 4K S70):
This is the first data block (block 0) of the first sector (sector 0). It contains the IC manufacturer data. Due to security and system requirements this block is write rotected after having been programmed by the IC manufacturer at production.

Data blocks(Mifare Classic 4K S70):
Sectors 0..31 contain 3blocks and sectors 32..39 contain 15blocks for storing data. (Sector 0 contains only two data blocks and the read-only manufacturer block).
The data blocks can be configured by the access bits as:
read/write blocks for e.g. contactless access control or value blocks for e.g. electronic purse applications, where additional commands like increment and decrement for direct control of the stored value are provided.
An authentication command has to be carried out before any operation in order to allow
further commands.

Value Blocks (Mifare Classic 4K S70):
The value blocks allow to perform electronic purse functions (valid commands: read, write, increment, decrement, restore, transfer).The value blocks have a fixed data format which permits error detection and correction and a backup management. A value block can only be generated through a write operation in the value block format:
A value block can only be generated through a write operation in the value block format:
Value: Signifies a signed 4-byte value. The lowest significant byte of a value is stored in the lowest address byte. Negative values are stored in standard 2!as complement format. For reasons of data integrity and security, a value is stored three times, twice non-inverted and once inverted.
Adr: Signifies a 1-byte address, which can be used to save the storage address of a block, when implementing a powerful backup management. The address byte is stored four times, twice inverted and non-inverted. During increment, decrement, restore and transfer operations the address remains unchanged. It can only be altered via a write command.

Sector trailer (Mifare Classic 4K S70):
Each sector has a sector trailer. Due to the memory configuration of the MF1ICS70 this sector trailer is located in block 3 of each sector in the first two kByte of the NV-memory respectively in block 15 of each sector in the upper 2 kByte of the 4 kByte NV-memory.
Each sector trailer holds the secret keys A and B (optional), which return logical “0″ when read and the access conditions for the four blocks of that sector, which are stored in bytes 6…9. The access bits also specify the type (read/write or value) of the data blocks.
If key B is not needed, the last 6 bytes of the sector trailer can be used as data bytes.Byte 9 of the sector trailer is available for user data. For this byte the same access rights as for byte 6, 7 and 8 apply.
All keys are set to FFFFFFFFFFFFh at chip delivery.

Memory access (Mifare Classic 4K S70):
Before any memory operation can be carried out, the card has to be selected and authenticated as described previously.The possible memory operations for an addressed block depend on the key used and the access conditions stored in the associated sector trailer.

Access conditions (Mifare Classic 4K S70):
The access conditions for every data block and sector trailer are defined by 3 bits, which are stored non-inverted and inverted in the sector trailer of the specified sector.
The access bits control the rights of memory access using the secret keys A and B. The access conditions may be altered, provided one knows the relevant key and the current access condition allows this operation.
Remark: With each memory access the internal logic verifies the format of the access conditions. If it detects a format violation the whole sector is irreversible blocked.
Remark: In the following description the access bits are mentioned in the non-inverted mode only.
The internal logic of the MF1ICS70 ensures that the commands are executed only after an authentication procedure or never.

Access conditions for the sector trailer (Mifare Classic 4K S70):
Depending on the access bits for the sector trailer (block 3) the read/write access to the keys and the access bits is specified as ‘never’, “key A”, “key B” or key A|B’ (keyA keyB).
On chip delivery the access conditions for the sector trailers and key A are predefined as transport configuration. Since key B may be read in transport configuration, new cards
must be authenticated with key A. Since the access bits themselves can also be blocked, special care should be taken during personalization of cards.

Access conditions for data blocks (Mifare Classic 4K S70):
Depending on the access bits for data blocks (blocks 0…2) the read/write access is specified as ‘never’, ‘key A’, ‘key B’or ‘key A|B’ (key A or keyB). The setting of the relevant access bits defines the application and the corresponding applicable commands.
-Read/write block: The operations read and write are allowed.
-Value block: Allows the additional value operations increment, decrement, transfer and restore. In one case (’001′) only read and decrement are possible for non-rechargeable card. In the other case (’110′) recharging is possible by using key B.
-Manufacturer block: The read-only condition is not affected by the access bits setting!
-Key management: In transport configuration key A must be used for authentication.