Which MIFARE cards support a single block that can be programmed to require a password for writing, but is available to everyone for reading its data? And is such standard eligible on all platforms, specifically iOS? Can it use its NFC chip for doing both mentioned operations on such a card?

1 Answer

Michael Roland On Best Solutions

There are quite a few products in the MIFARE product family¹ that would allow write-protecting information with an authentication key/password (while at the same time having that information freely readable):

  • MIFARE Ultralight EV1: 32-bit clear-text password verification, password can be used as a write password (free read, "authenticated" write) or as read/write password (only "authenticated" read/write). The password cannot be set for a single block though, it's only possible to set one password for all blocks starting at a specific offset. Note that many of NXP's NTAG products also feature these capabilities.
  • MIFARE Ultralight C: Similar capabilities to the above, but with a stronger authentication mechanism using 2-key-TDES.
  • MIFARE Classic: Each sector can have separate keys. You always need keys for reading and writing.
  • MIFARE DESFire EV1: Not organized in blocks but in files. Each file can have multiple keys set for read protection and/or write protection. Hence, you could have a file that's freely readable but requires a key for writing.

Your second requirement, "is such standard eligible on all platforms, specifically iOS", is a bit more complex to answer: First of all, writing to NFC tags is not possible in iOS (except with some jailbreak?). Hence, I would interpret that as: What tags support write-protection and can be read with an iOS device?

iOS devices can only read from NFC Forum tags that already contain an NDEF message. Moreover, since the NFC Forum tag specifications do not (yet?) define a way to have authentication for accessing NDEF data, all data needs to be freely readable.

Hence, all of the above, except probably for MIFARE Classic, can be used. You will need to format the tags to contain an NDEF message.

For instance, you could use an Ultralight C/EV1 tag, store an NDEF message onto it and then set write-protection for the area where the NDEF data is stored (i.e. all pages >= 3). However, only adding write-protection for a specific block won't work. You may be able to craft your NDEF message in a way that the write-protected part sits at the end of the NDEF message at a block boundary of the Ultralight tag. Then you could add write protection for only that specific block (and all higher, but unused, blocks). Unfortunately, this opens up for potential manipulations on the size fields for the NDEF message (chopping off that write-protected block from the data). Hence, partial write protection of the NDEF message might not be a good idea from a security perspective.

Similarly to the above, you could also use DESFire EV1. When used as an NFC Forum tag, the NDEF message is stored in a single file. Therefore, you could restrict writing to that file with an authentication key.

As iOS can't write to the tags, you will probably use another platform to write updates to the tags. Android, for instance, is capable of sending the low-level commands necessary for authentication to any of the above tags. Similarly, many PC based readers support this (though DESFire usually has better support there).

1) Note that there are other products (even from other manufacturers) as well that provide similar capabilities.
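
Added example, not part of the original answer: a Python check that takes a dump of an Ultralight/NTAG-style tag and the first password-protected page, and reports whether the NDEF length field and every page from page 3 up to the end of the message fall inside the protected range. The function names and the sample dump are constructed for illustration; the first protected page is assumed to be what the tag's AUTH0 configuration byte holds.

```python
PAGE = 4            # bytes per page on Ultralight / NTAG (NFC Forum Type 2) tags
CC_PAGE = 3         # capability container; NDEF TLVs start on the next page

def find_ndef_tlv(dump: bytes):
    """Return (header_offset, value_offset, value_length) of the NDEF TLV."""
    i = (CC_PAGE + 1) * PAGE
    while i + 1 < len(dump):
        tag = dump[i]
        if tag == 0x00:                      # NULL TLV: single padding byte
            i += 1
            continue
        if tag == 0xFE:                      # terminator TLV: nothing follows
            break
        if dump[i + 1] == 0xFF:              # three-byte length form
            if i + 4 > len(dump):
                break
            length, header = int.from_bytes(dump[i + 2:i + 4], "big"), 4
        else:
            length, header = dump[i + 1], 2
        if tag == 0x03:                      # NDEF message TLV
            if i + header + length > len(dump):
                raise ValueError("NDEF length field points past the dump")
            return i, i + header, length
        i += header + length
    raise ValueError("no NDEF TLV found")

def audit_write_protection(dump: bytes, first_protected_page: int) -> dict:
    """Protection covers first_protected_page and every higher page (assumed to
    be the AUTH0 value); list what the NDEF data depends on below that page."""
    header, value, length = find_ndef_tlv(dump)
    last_page = (value + length - 1) // PAGE
    needed = range(CC_PAGE, last_page + 1)
    length_pages = range(header // PAGE, (value - 1) // PAGE + 1)
    return {
        "unprotected_pages": [p for p in needed if p < first_protected_page],
        "length_field_protected": all(p >= first_protected_page for p in length_pages),
    }

def sample_dump() -> bytes:
    """Constructed 20-page dump: zeroed pages 0-2, CC, one NDEF text record."""
    record = bytes.fromhex("d1010854") + b"\x02enhello"
    body = bytes([0x03, len(record)]) + record + b"\xfe"
    head = bytes(12) + bytes.fromhex("e1100600")
    return (head + body).ljust(20 * PAGE, b"\x00")

if __name__ == "__main__":
    print(audit_write_protection(sample_dump(), 3))   # whole NDEF area protected
    print(audit_write_protection(sample_dump(), 7))   # only the last block protected
```

With protection starting at page 7 the last block of the message is locked, but the length field on page 4 is still writable, which is the partial-protection case the answer advises against.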