UID for access control

Question

I am using Mifare Ultralight C to make a access control system. The method I am using is based on the UID of the card. I can read the UID by NFC Reader (SeeedStudio shield on Arduino UNO) However, the UID is not reliable since there are writable UID card out there in the market. So I think that I should secure the connection by 3DES authentication and then block the reading from 0x00 which is from the first serial number byte. Is it the correct way to implement access control?

Answer 1

You cannot block read access to the UID. The UID is an immanent part of the anticollision/tag enumeration phase of ISO 14443 so the tag will always reveal that information. Moreover, Ultralight C permits read/write protection only from page 3 to the end of the memory.

What you could do is the following:

1. Use the UID to identify the tag.

2. Derive a tag-specific key based on a master key and the tag's UID.

   K_tag = f_{key_derivation}(UID_tag, K_master)

3. Use that key K_tag as 3DES key for the Ultralight C authentication.

4. Protect (read and write) the whole data memory of the tag.
5. Possibly store some additional authentication information on the tag (e.g. a signature over the UID). However, you should keep in mind that after authentication read operations are neither encrypted nor integrity protected. This means that an attacker could potentially retrieve the data stored on a tag by listening into the communication between a legit tag and a legit reader. Moreover, an attacker might be able to authenticate with a legit tag and then intercept any further read commands to return manipulated data. Basically this means that you should refrain from storing any non-integrity-protected permission information on such a tag.

And finally: MIFARE Ultralight C is certainly not meant to be used for access control!