MIFARE DESFire Credential Overview

At ICT, our aim is to provide the most secure solutions possible. With this in mind, we recommend all sites utilize the MIFARE DESFire card technology. Granted, certain applications may need a different credential, but it’s important to be aware that these may introduce security risks. Unless you’re implementing a DESFire solution, you should also consider adding a second level of authentication. For some more background, we have a great guide on choosing card technology.

At ICT we're committed to providing the highest security solutions for our customers, which is why we're shifting to EV3 for all MIFARE DESFire credentials as of April 2023.

Smart Encryption with MIFARE DESFire

For an industry-leading level of security, we recommend MIFARE DESFire for all sites. This multi-application 13.56MHz smart card uses global open standards for interface and cryptography, including AES-128 and 3DES encryption for hardware. It is compliant with all levels of ISO/IEC 14443A and supports some optional ISO/IEC 7816-4 commands.

With Common Criteria EAL5+ certification (from EV2), cards have the same security level as credit cards and e-Passports. They are also compatible with existing NFC reader infrastructure and offer protection against replay attacks thanks to proximity checks, and are backwards compatible with EV1 and D40.

DESFire has the highest standard of card security currently available, so users can feel assured that their credentials are protected by industry best practices. It is perfect for environments such as municipal, state, federal, or government buildings, or any organization where security and confidentiality are a must.

We recommend giving customers a quick lesson on presenting DESFire credentials, to avoid any potential frustration. It has a shorter read range than older technologies as the cryptographic module on the card requires more energy to operate. This means you cannot simply wave or swipe a card in the general direction of the reader to gain access. It’s worth training people to think of it like contactless payment – just hold the card firmly near the reader until authorized.

DESFire Credential Configuration Programming

There are two ways to program MIFARE DESFire credentials, either standard application configuration or custom application configuration. Credential encoding must match your ICT card reader configuration, so it is critical that the appropriate configuration is ordered for the site to prevent incorrect credential encoding.

Please note: ICT processes all MIFARE DESFire encoded card orders using standard application configuration as default. You need to explicitly specify to order custom application cards.

Standard vs Custom Application

The main differences between standard application and custom application are restrictions to registered site codes with standard application, whereas with custom application you can specify a custom site code or combination of site codes and card numbers. With custom application, there is also no restriction on the format type (number of bits or structure). However, it is typical to encode with the default 34-bit format setting (with 16-bits of card number and 16-bits of facility code).

Standard Application

• Generic key set used by readers and card
• Diversified keys
• Will read on factory defaulted ICT card readers
• Restricted to a Registered Site Code

Custom Application

• Custom key set used by readers and cards
• Diversified keys
• Will not read on factory defaulted ICT readers*
• Requires a configuration card to load the keys into a defaulted card reader
• Freedom to choose custom site/facility code combinations

*The reader must be presented with a customized configuration card that will allow it to read the custom cards.

If required, a MIFARE DESFire credential card can contain both standard application and custom application and associated keys, because they both use different application IDs. This must be specified at time of ordering too.

Additional Documentation

For full instructions on providing your customers with the most secure interoperable system without compromise, refer to the Application Note: AN-315 Understanding MIFARE DESFire Credentials.

This will help you better understand the options and confidently identify which application configuration your site requires. To access this, you will need to have a valid website account.

Ordering Checklist

After reading the Application Note above and deciding on your preferred configuration, you can use this checklist to make sure you are ordering the right DESFire credentials from ICT.

• Specify standard application or custom application
• Specify if credential will be using both standard and custom application
• If choosing custom application, do you require a config card to configure readers