5

Why do DESFire cards and Mifare Plus cards offer a Random UID feature? What risks should it mitigate or what features should it offer?

Section in document: NXP Semiconductors N.V., Application note AN10927, MIFARE product and handling of UIDs, 2018-07-05, section 2.1.1 "Random ID (RID)"

StackzOfZtuff
  • 17,783
  • 1
  • 50
  • 86

1 Answers1

1

The random UID feature means that the UID is new every time it is powered on, which means every time it is used. To randomise the UID means that everytime the card is used, a new UID is recorded. This each activity of the card cannot be linked to the user. The chain of activity cannot be traced to the card.

RID is optional and should be used to protect privacy. In case RID is enabled, there is a defined and confidential way to retrieve the UID for each product.

Source: https://www.nxp.com/docs/en/application-note/AN10927.pdf

The TSF shall ensure that non authorized subjects are unable to determine whether any operation of the TOE were caused by the same user.

source: https://www.commoncriteriaportal.org/files/epfiles/0944b_pdf.pdf

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • But if I understand correctly, the reader can still read the actual UID from the card, even if random UIDs are used. –  May 26 '18 at 16:00
  • Yes, but why is that relevant? Do you mean a fixed UID? If so, please cite a source. – schroeder May 26 '18 at 16:07
  • According to the Mifare Plus SE datasheet: "During personalization, the PICC can be configured to support Random ID in security level 3. The user can configure whether Random ID or fixed UID shall be used. The retrieval of the UID in this case can be done using the Virtual Card Support Last command or **by reading out block 0.** –  May 26 '18 at 16:14
  • 1
    And this would be relevant because according to your answer, using a Random UID should prevent revealing a static UID. If the reader can read my static UID anyways, what is the purpose behind this? –  May 26 '18 at 16:15
  • Why do you think that there is also a static UID when the random UID feature is used? Please refer to 2.1 table 1 on page 5 of the first link I provided above – schroeder May 26 '18 at 17:16
  • According to the documents, block 0 is the UID, but it is *either* the static or random, depending on configuration. Random UIDs start with `08`. – schroeder May 26 '18 at 17:24
  • The way the official datasheet is written it sounds differently, but I'm just going to believe this is the way it actually happens. I will award the bounty in 20 hours when it's possible –  May 26 '18 at 17:30
  • Your question is "why is it offered?" and "What risks should it mitigate?" The documentation answers that. Your other questions about *how* to read it are another issue. – schroeder May 26 '18 at 20:00