Greggy

Reputation: 719

Safe smart cards

I am building a project (for university) where I want to control access to some areas of a building with smart cards. I will do it with Mifare Classic. But I know that it is not very secure. For ~24$ there are Chinese cards and everyone can clone it. So I have a question: which cards are better for purposes like access control, payments etc.? I mean cards which I can write and read some data on. I am asking about technologies connected with this topic.

Upvotes: 1

Views: 171

Answers (4)

ThomasRS

Reputation: 8287

NXP has recently made available an SDK for working with their Desfire EV1 cards. These cards are quite secure with encryption based on AES 128.

Apply key diversification to create per-tag encryption keys.

Upvotes: 0
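
The per-tag key derivation recommended in the answer above, as an added example (not part of the original answer and not NXP's SDK code). HKDF-SHA256 from the Python standard library is used as the derivation function, which is an assumption since the answer does not name one; the master key, UIDs, application id and the `diversify_key` name are constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 16  # AES-128 key size, as used by the cards named in the answer


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def diversify_key(master_key: bytes, uid: bytes, app_id: bytes, key_no: int) -> bytes:
    """Derive the key for one key slot of one card from the site master key."""
    if len(master_key) != KEY_LEN:
        raise ValueError("master key must be 16 bytes")
    if len(uid) not in (4, 7, 10):  # ISO 14443 UID sizes
        raise ValueError("UID must be 4, 7 or 10 bytes")
    if not 0 <= key_no <= 255 or len(app_id) > 255:
        raise ValueError("key number or application id out of range")
    # Length-prefix each field so different (uid, app_id) pairs cannot collide.
    info = bytes([len(uid)]) + uid + bytes([len(app_id)]) + app_id + bytes([key_no])
    return hkdf_sha256(master_key, b"card-key-diversification-v1", info, KEY_LEN)


# Constructed sample values; a real master key lives in an HSM or SAM, not in code.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
APP_ID = bytes.fromhex("f00001")
CARD_A = bytes.fromhex("04a1b2c3d4e5f6")
CARD_B = bytes.fromhex("04a1b2c3d4e5f7")

if __name__ == "__main__":
    for uid in (CARD_A, CARD_B):
        print(uid.hex(), diversify_key(MASTER_KEY, uid, APP_ID, 0).hex())
```

The reader recomputes a card's key from the UID it reads from the card, so a key extracted from one card is of no use against any other card.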

Garudaraja

Reputation: 86

Regarding your question about "I can write and read some data":

The new upcoming trend is slowly moving towards CIPURSE products, which have a file system based on ISO 7816-4 and communication based on ISO 14443-3.

This can be used for use cases like:

  • Transport Ticketing
  • Facility Access
  • MicroPayment
  • etc.

A CIPURSE card best suits your use case. For more information you can visit http://www.osptalliance.org/

Upvotes: 0

Nils Pipenbrinck

Reputation: 86313

Only the old Mifare Classic cards are broken. Try the new Mifare Plus or Mifare Desfire. These cards offer better cryptography and anti-relay-attack features that the old Mifare lacks.

Upvotes: 2

guidot

Reputation: 5333

I support staying away from Mifare Classic. I conclude from this that you are looking for a contactless card, so the following options can be considered:

  • Any T=CL card using ISO 14443, e.g. models used for passports and ID cards. Manufacturers typically have ICAO certification mentioned.
  • Any card certified according to Common Criteria
  • Closest match: FeliCa card (used extensively for payment in Hong Kong under the name "Octopus")

Cloning is typically not an issue, since you either can't read out all the necessary data or it is only delivered in encrypted form.

Upvotes: 1
