IPVMU Certified | 02/12/14 10:18am
In most ways, they are equal. For example:
- 13.56 MHz transmission
- 3DES Encryption
- ISO14443A or B compliant
- Up to 4Kbyte storage
The real practical difference is not security, but licensing. In order to manufacture cards/readers to work with DESFire credentials, the implementation is standards-based (ISO14443) and free. In order to build an iClass solution, one must license the information from HID.
There are products that do both, i.e.:
Consider this card is made by HID: they don't levy a license fee against themselves for the iClass part, and then use the license-free DESFire standard for the other format.
Inaxsys Security Systems | 02/12/14 08:10pm
I beg to differ, but the question was specifically "which is more secure" (and not "is iClass secure enough"). To that question, there can only be one answer: DESFire.
iClass has been cracked, DESFire has not. This even explains how to do it. This also provides a vast amount of information surrounding iClass' card security.
While they have corrected the security flaw with a new hardware release, there are still massive amounts (millions, maybe?) of iClass readers that share this issue. And their iClass Elite "higher security solution" has been put into question here.
IPVMU Certified | 02/13/14 09:05am
There is another thing that confuses me. Many readers' datasheets mention that they read ISO14443 A & B serial number only ... do all access control systems function the same way (reading only serial numbers)? The data stored in the application area of the card has no role in access control, is this right?
Inaxsys Security Systems | 02/13/14 10:39am
I'm not sure if you were addressing this question specifically to Brian - sorry if I'm stepping in --
All smart cards (Mifare, DESFire, Mifare Classic, iClass, etc...) are manufactured with an unencrypted, unsecure card serial number or universal ID (UID or CSN) that is on one of the sectors of the card. In general, most smart card readers (and there are MANY out there) will read their technology's CSN. By that I mean that a DESFire reader from most manufacturers will read other manufacturers' DESFire card CSN. The issue with this is that the CSN is NOT secure nor encrypted. So if I have the right equipment, I can easily copy your card's CSN and put it on another card. If you care about security of a facility, this is not the way to go.
Most card readers will not pass through the actual CSN - they will take it and convert it to a standard Wiegand format and then output it in a mode that is acceptable to access control controllers (for example: a CSN could be a long number but when converted by the reader to 26-bit Wiegand it would come out as 225:23456 (3-digit site code between 0-255:5 digit card number between 0-65535)). So the access control systems are not receiving the card serial number per se, they are receiving a Wiegand data number in the bit format that they expect.
If you're considering using the CSN as the unique credential number for a site that has a high level of security (your original question was concerning the level of security between DESFire and iClass...), don't do it. It is extremely easy to acquire and copy the CSN of a card (even of the most secure DESFire format). So don't choose a reader and card format based on its ability to read the CSN, this is not a secure number to use for access control applications.
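The CSN-to-Wiegand conversion described in the post above, as an added example that is not part of the original thread: it builds and validates the standard 26-bit frame (8-bit site code, 16-bit card number, two parity bits) for the post's 225:23456 value. The function names, the two constructed CSNs and the "keep the low 24 bits" conversion are assumptions; real readers use vendor-specific conversions.

```python
# Added example (not from the thread): standard 26-bit Wiegand frame layout.
# Bit 1: even parity over the first 12 data bits; bits 2-9: site code;
# bits 10-25: card number; bit 26: odd parity over the last 12 data bits.

def _ones_parity(value: int) -> int:
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1

def csn_to_credential(csn: bytes) -> tuple[int, int]:
    """ASSUMPTION: the reader keeps only the low 24 bits of the CSN.
    Real readers use vendor-specific conversions; this one is hypothetical."""
    low24 = int.from_bytes(csn, "big") & 0xFFFFFF
    return low24 >> 16, low24 & 0xFFFF

def encode_frame(site: int, card: int) -> int:
    if not (0 <= site <= 255 and 0 <= card <= 65535):
        raise ValueError("site code or card number out of range")
    data = (site << 16) | card
    even = _ones_parity(data >> 12)         # makes the leading 13 bits even
    odd = _ones_parity(data & 0xFFF) ^ 1    # makes the trailing 13 bits odd
    return (even << 25) | (data << 1) | odd

def decode_frame(frame: int) -> tuple[int, int]:
    """What the controller does: check parity, then split the two fields."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("not a 26-bit frame")
    data = (frame >> 1) & 0xFFFFFF
    site, card = data >> 16, data & 0xFFFF
    if encode_frame(site, card) != frame:
        raise ValueError("parity check failed")
    return site, card

# Constructed 7-byte CSNs (not real cards) that differ in their upper bytes.
CSN_A = bytes.fromhex("04a1b2c3e15ba0")
CSN_B = bytes.fromhex("04112233e15ba0")

if __name__ == "__main__":
    for csn in (CSN_A, CSN_B):
        site, card = decode_frame(encode_frame(*csn_to_credential(csn)))
        print(f"CSN {csn.hex()} -> controller sees {site}:{card}")
```

Both constructed CSNs reach the controller as 225:23456: the frame carries 24 data bits and two parity bits, and nothing in it shows that the card holds a key.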
I am reading this post and I am wondering how this days found DESFire...