MIFARE DESFire EV2 has a longer read range than MIFARE DESFire EV1, but unless your system provider has updated their software to support EV2, that is the only new feature you will be able to enjoy today.
Since EV1 and EV2 use the same very secure AES-128 encryption, it is safe and reasonable to purchase EV1 cards now, configured to work with your existing system and readers. If, or when, applications that support the new security and multi-application features of EV2 are made available for your institution, the upgrade to EV2 cards can be made at that time. The way things are going, it could be a while.
NXP manufactures the family of MIFARE 13.56 MHz contactless smart card Integrated Circuit (IC) chips that are widely used around the world for transit and other types of payments, general identification and physical access. MIFARE Classic was introduced in the mid-1990s and continues to sell in very large quantities, but it was not designed with robust security features which could withstand the increase in computing power that the last 20 years have seen. MIFARE Classic has been very useful and inexpensive, but it was notoriously hacked in 2007. As a more secure successor, the MIFARE DESFire chip was introduced in 2003, but it too was soon considered vulnerable to attack. In response, NXP introduced the much more secure MIFARE Plus, but it didn’t really catch on in North America. The MIFARE DESFire EV1 chip has been NXP’s first widely distributed, really secure chip, incorporating AES data encryption on the card and during communication with a reader. MIFARE Plus EV2 was introduced recently, incorporating a similar security level to DESFire EV1.
The Quest for the Latest Version
Technology changes so rapidly that it usually makes sense to purchase the most recent version of any technology product. When NXP announced MIFARE DESFire EV2 in 2013, institutions and enterprises that were planning to upgrade to contactless smart cards began to look for this latest model. However, things move slowly in the card world. Card manufacturers had begun to build DESFire EV1 cards around 2010 and sales of EV1 were just taking off when NXP made its EV2 new-product announcement. Following a similar lag between product announcement and production, DESFire EV2 cards are just now starting to roll off production lines in significant quantities.
EV1 VS EV2
MIFARE DESFire EV2 cards have many significant advantages over EV1. Two are of immediate interest; the remainder will be in the future for most users.
1. Longer read range, depending on the reader power and antenna design. This can make a transaction seem faster, since the card begins to read sooner, while it is still moving toward the reader.
2. Backward compatibility with MIFARE DESFire EV1. This means that an institution can purchase EV1 cards now and upgrade to EV2 when they become available from their system provider. Or they can purchase EV2 cards now that are compatible with their existing EV1 readers, if they are available.
The remaining new EV2 features depend on support by applications with which they are used.
1. Rolling keysets, so encryption keys can be replaced in the event of a compromise, without having to touch every issued card.
2. Key management for separate applications – this allows the card issuer to give or sell application areas on the cards to 3rd parties for their own use, which they can secure with their own keys without having knowledge of the card Master Key.
3. Proximity check - the card can confirm to the reader that it is indeed near that reader and not a remote data stream from a hacker.
4. Additional features which enhance security and utility in multi-application environments.
What’s Available, and When?
Card manufacturers that sell blank or custom programmed cards are beginning to ship EV2 cards. Some of the larger companies that make cards and readers for door access are not producing EV2 cards yet (e.g., HID and Allegion), though their readers can read EV2 cards programmed with EV1 data. Similarly, some commercial programming systems are able to encode EV2 cards, but only with EV1 data. Islog is one commercially available encoding software package that does support EV2 encoding. There are rumors of other manufacturers developing this capability. And, despite the fact that EV2 is supposed to be backward compatible with EV1, some readers will not recognize EV2 cards.
If you have some extra time, you can buy EV2 cards from your favorite card supplier, use a 3rd-party programmer to encode them with EV1 data that matches your readers, and you will immediately notice a longer read range than EV1 cards. However, if you want to use the new features of EV2, such as rolling keys and the ability to provision additional services on already deployed cards without sharing the master key, you will have to use software that has integrated the MISmartApp that NXP developed for programming EV2 cards. Such software would typically be written by the company that provides the application and readers for each specific use. As of March 2018, there are no security or financial transaction application providers that offer products with commercial, off-the-shelf support for MIFARE DESFire EV2.