The German Federal Office for Information Security has awarded the MIFARE Plus contactless smart card its Common Criteria EAL 4+ certification.
MIFARE Plus has also proven successful in independent security reviews conducted by leading cryptography experts from the Ruhr-Universitat in Germany and the Katholieke Universiteit Leuven in Belgium which executed a thorough security and privacy assessment of the architecture of MIFARE Plus.
On hearing that MIFARE Plus has achieved the highest possible level of trust and privacy for secure transactions in contactless smart card applications, Universal Smart Cards declared it was ‘extremely pleased'.
USC acknowledges that the security features of MIFARE Plus have been independently validated by three different institutions following extensive testing.
MIFARE Plus technology features 128-bit Advanced Encryption Standard (AES) and supports migration from existing MIFARE Classic implementations.
The contactless microcontroller IC offers an upgrade path for system integrators and operators wishing to implement additional layers of security to their automatic fare collection, access management and micro-payment installations.
USC say the independent third party validation of MIFARE Plus offers customers a high degree of certainty that the technology is providing advanced security. The Common Criteria certification validates correct implementation of the promised security features, evaluates attack resistance and allows systems integrators to assess the security quality of similar products.
A security expert at the Federal Office for Information Security in Germany said that for newly built contactless smart card installations they ‘strongly recommend' Common Criteria certified products, preferably those based on AES encryption.
A spokesman for Ruhr-Universitat said that despite extensive and careful analysis they had not identified any security weakness with practical relevance.
He said Ruhr-Universitat considered the MIFARE Plus architecture to be secure if all security mechanisms were activated as recommended in the MIFARE Plus documentation.
And a spokesman for Katholieke Universiteit Leuven said they believed that the MIFARE Plus architecture was a solid design based on a detailed analysis of the security, privacy and feasibility requirements.
He said the solutions proposed took into account the severe constraints offered by the contactless environment. In spite of those constraints, the MIFARE Plus architecture allowed applications to be deployed in areas such as access control and transportation and offered a level of security and privacy that was state of the art.
USC add that MIFARE Plus chips comprise a number of additional privacy features which, when used optimally in the infrastructure, provide a system that prevents individuals from being identified and tracked by others.
Migration planning is made easier as MIFARE Plus supports the pre-issuance of new cards, co-existence of current and new cards, and software-based infrastructure upgrades.