Idesco key diversification flexibly enhances security

Key diversification is a powerful security capability MIFARE added to its DESFire technology.

Key diversification is a powerful security capability MIFARE added to its DESFire technology. Like previous MIFARE keyed security features, key diversification requires system integrators and vendors who deploy it to address management of their security keys. That is why Idesco’s security key management service will begin offering customers a range of options for also managing diversified security keys. They will be able to program and manage their keys themselves with a coding tool, or purchase programmed readers and transponders from Idesco, to avoid learning DESFire key programming and management. Best of all, customers purchasing key diversified readers and transponders from Idesco will remain free to source them from other MIFARE® DESFire suppliers. Key diversification will be a configurable parameter in all Idesco DESFire readers, giving both system integrators and sensitive sites the maximum freedom to optionally deploy it as a future security enhancement.

How does Key Diversification strengthen DESFire security?

In general, all DESFire readers and transponders are coded to recognize each other by sharing identical, highly-specific strings of characters called, security keys. These shared keys are what let transponders and readers recognize each other (i.e. mutual authentication). The result is no foreign DESFire reader could read your site’s transponders – so they can never be cloned. Continuous additional encryption further protects your readers’ and transponders’ conversations, thereby defeating skimming and side-hack attempts.

Key diversification expands this security by protecting individual transponders with their own, unique security key. As a result, readers’ authentications of every transponder are also unique. The statistical impossibility of deciphering a shared DESFire key (i.e. by skimming repeated transactions) becomes pointless with key diversification: a shared DESFire key no longer commands a transponder to share its contents – only its unique security key.