# AN11909 How to create an Installation IDentifier (IID) Rev. 1.0 — 14 November 2016

**Application note COMPANY PUBLIC** 

# **Document information**

| Info     | Content                                                                                                               |
|----------|-----------------------------------------------------------------------------------------------------------------------|
| Keywords | IID, Installation Identifier, MIFARE Plus, MIFARE Plus EV1, MIFARE DESFire EV2, Virtual Card                          |
| Abstract | This document defines how Installation Identifiers (IIDs) used in the MIFARE Virtual Card architecture are allocated. |



# **IID Allocation for Virtual Card Architecture**

# **Revision history**

| Rev | Date     | Description     |
|-----|----------|-----------------|
| 1.0 | 20161114 | Initial version |

# **IID Allocation for Virtual Card Architecture**

# 1. Symbols and abbreviated terms

IID

AID Application Identifier
CID Card Identifier
IC Integrated Circuit

MAD MIFARE Application Directory

Installation Identifier

NUID Non-Unique ID

PCD Proximity Coupling Device

PICC Proximity Card

PIX Proprietary Application Identifier Extension
RID Registered Application Provider Identifier

UID Unique Identifier
VC Virtual Card

# **IID Allocation for Virtual Card Architecture**

# 2. Introduction

This document describes how to allocate the Installation Identifiers (IID) in the Virtual Card Architecture deployed in MIFARE Plus, MIFARE Plus EV1 and MIFARE DESFire EV2.

Depending on the IC product, the PCD uses different commands for the Virtual Card Architecture in order to express which installation(s) the PCD belongs to. The IID is 16 bytes long and must be unique.

#### MIFARE Plus

The virtual card commands listed here are native commands and only valid for the older version of the MIFARE Plus and not valid for the new evolution any more.

- Virtual Card Support (VCS) Command Code 0x42
- Virtual Card Support Last (VCSL) Command Code 0x4B
- Select Virtual Card Command Code 0x40
- Deselect Virtual Card Command Code 0x48

# MIFARE Plus EV1

The command VCSupportLastISOL3 is intended for VC selection on ISO Layer 3 (ISO/IEC 14443-3), the other two commands are intended for VC selection on ISO Layer 4 (ISO/IEC 14443-4).

In addition to this, the two ISO Layer 4 commands are compliant to ISO/IEC 7816-4 standard.

- VCSupportLastISOL3 Command Code 0x4B
- ISOSelect INS 0xA4
- ISOExternalAuthenticate INS 0x82

# MIFARE DESFire EV2

These two commands operate on ISO Layer 4 (ISO/IEC 14443-4) and are compliant to ISO/IEC 7816-4 standard.

- ISOSelect INS 0xA4
- ISOExternalAuthenticate INS 0x82

# **IID Allocation for Virtual Card Architecture**

# 3. Objectives for the IID assignment process

# 3.1 Uniqueness

The process must yield a unique IID for every installation

# 3.2 Simplicity

The process must be simple, such that people who make installations are encouraged to allocate a unique IID to each installation.

# 3.3 Availability

The allocation process must be obtainable 24/7 "twentyfourseven". At whichever time someone needs an IID, it must be promptly obtainable.

# 3.4 Privacy

There may be resistance against NXP knowing information about which installations exist and who owns them. Therefore privacy is important to avoid that people just allocate some own IID which would no longer be unique.

# **IID Allocation for Virtual Card Architecture**

# 4. The mechanism

# 4.1 Considerations for getting a unique number

The method of IID allocation is self-allocation. NXP just publishes this scheme and everyone can allocate the number without NXP being involved.

For this some source of unique number is needed. The choice is made for a source of unique numbers that NXP generates anyway and which is easily obtainable to the target community. This is the 7-byte UID of a MIFARE Plus, MIFARE DESFire, MIFARE Ultralight or SmartMX card.

Alternatively the MAD Identifier can be used as it is used for MIFARE Classic.

| T . I . I | UD All         | 0 1    |
|-----------|----------------|--------|
| Table 1.  | IID Allocation | Scheme |

| Variant                          | 15   | 14   | 13                  | 12   | 11   | 10                 | 09               | 80   | 07            | 06     | 05     | 04       | 03        | 02        | 01        | 00   |
|----------------------------------|------|------|---------------------|------|------|--------------------|------------------|------|---------------|--------|--------|----------|-----------|-----------|-----------|------|
| 7 byte UID                       | 0xA0 | 0x00 | 0x00                | 0x03 | 0x96 | 0x56               | 0x43             | 0x41 | 0x01          | UID0   | UID1   | UID2     | UID3      | UID4      | UID5      | UID6 |
| AID                              | 0xA0 | 0x00 | 0x00                | 0x03 | 0x96 | 0x56               | 0x43             | 0x41 | 0x03          | MO     | M1     | M2       | 0x00      | 0x00      | 0x00      | 0x00 |
| Default for<br>MIFARE<br>Plus    | 0xA0 | 0x00 | 0x00                | 0x03 | 0x96 | 0x56               | 0x43             | 0x41 | 0xFF          | 0xFF   | 0xFF   | 0xFF     | 0xFF      | 0xFF      | 0xFF      | 0xFF |
| Default for<br>MIFARE<br>DESFire | -    | -    | -                   | -    | -    | -                  | -                | -    | -             | 0xD2   | 0x76   | 0x00     | 0x00      | 0x85      | 0x01      | 0x00 |
| Explanation                      |      |      | RID for<br>rding IS | `    | 0    | Virtual<br>Archite | Card<br>ecture ( | √CA) | Variant<br>ID | UID, M | IAD ID | or defau | ult bytes | s, and fi | ller byte | es   |

UID0 ... UID6 bytes from the UID

UID0 is the first byte as it is transferred over the air, then UID1 etc.

M0 ... M2 3 bytes from the MIFARE DESFire Application ID MAD ID

M0 = MIFARE DESFire AID byte 0

M1 = MIFARE DESFire AID byte 1

M2 = MIFARE DESFire AID byte 2

The way to transform a MIFARE Classic AID into a MIFARE DESFire AID is as specified in [1].

| MIFARE DESFI | re AID Byte 0 | MIFARE DESFI | re AID Byte 1 | MIFARE DESFire AID Byte 2 |         |  |
|--------------|---------------|--------------|---------------|---------------------------|---------|--|
| Nibble 0     | Nibble 1      | Nibble2      | Nibble3       | Nibble4                   | Nibble5 |  |
| 0xF          |               | 0x0 0xF      |               |                           |         |  |

# Fig 1. MAD for MIFARE DESFire

# **IID Allocation for Virtual Card Architecture**

# 5. The process

The process that needs to be followed is:

# 5.1 MAD has been allocated to the customer's installation / application

If an MAD ID has been allocated for the installation / application of the customer, then the IID is as stated in the table above using the row MAD ID.

# 5.2 MAD has not been allocated

If no MAD ID has been allocated for the installation of the customer, then the customer (or the installer acting on his behalf) must:

- Take a MIFARE card (MIFARE Plus, MIFARE DESFire, MIFARE Ultralight or SmartMX).
- 2. Use an application to read out the card UID. (Note: If the card possesses a 4 byte NUID we highly recommend to use another card which is characterized through a 7 byte UID to guarantee uniqueness)
- 3. Clearly mark the card that this is the card that has been used to derive the IID from.
- 4. Make sure that the UID stays readable, so do not configure the card into Random ID. Actually, after reading out the UID do not further interact with it.
- 5. Lock the card away so that it can be demonstrated that the IID was correctly allocated. Don't use this card but keep it only as a reference and UID-source.
- Compose the IID using the table above using the 7 byte UID that was read from the card.

# 6. List of References

[1] AN10787 MIFARE Application Directory (MAD)

# **IID Allocation for Virtual Card Architecture**

# 7. Legal information

#### 7.1 Definitions

Draft — The document is a draft version only. The content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included herein and shall have no liability for the consequences of use of such information.

#### 7.2 Disclaimers

Limited warranty and liability — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information.

In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

Right to make changes — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

Suitability for use — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors accepts no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer's own risk.

**Applications** — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.

Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer's sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer's applications and products planned, as well as for the planned application and use of customer's third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products.

NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer's applications or products, or the application or use by customer's third party customer(s). Customer is responsible for doing all necessary testing for the customer's applications and products using NXP

Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer's third party customer(s). NXP does not accept any liability in this respect.

**Export control** — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

**Evaluation products** — This product is provided on an "as is" and "with all faults" basis for evaluation purposes only. NXP Semiconductors, its affiliates and their suppliers expressly disclaim all warranties, whether express, implied or statutory, including but not limited to the implied warranties of non-infringement, merchantability and fitness for a particular purpose. The entire risk as to the quality, or arising out of the use or performance, of this product remains with customer.

In no event shall NXP Semiconductors, its affiliates or their suppliers be liable to customer for any special, indirect, consequential, punitive or incidental damages (including without limitation damages for loss of business, business interruption, loss of use, loss of data or information, and the like) arising out the use of or inability to use the product, whether or not based on tort (including negligence), strict liability, breach of contract, breach of warranty or any other theory, even if advised of the possibility of such damages.

Notwithstanding any damages that customer might incur for any reason whatsoever (including without limitation, all damages referenced above and all direct or general damages), the entire liability of NXP Semiconductors, its affiliates and their suppliers and customer's exclusive remedy for all of the foregoing shall be limited to actual damages incurred by customer based on reasonable reliance up to the greater of the amount actually paid by customer for the product or five dollars (US\$5.00). The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

#### 7.3 Licenses

#### ICs with DPA Countermeasures functionality



NXP ICs containing functionality implementing countermeasures to Differential Power Analysis and Simple Power Analysis are produced and sold under applicable license from Cryptography Research, Inc.

# 7.4 Trademarks

Notice: All referenced brands, product names, service names and trademarks are property of their respective owners.

MIFARE — is a trademark of NXP B.V.

MIFARE Classic — is a trademark of NXP B.V.

MIFARE Ultralight — is a trademark of NXP B.V.

MIFARE Plus — is a trademark of NXP B.V.

**DESFire** — is a trademark of NXP B.V.

SmartMX — is a trademark of NXP B.V.

AN11909 **NXP Semiconductors** 

# **IID Allocation for Virtual Card Architecture**

# **Contents**

| 1.  | Symbols and abbreviated terms              | 3 |
|-----|--------------------------------------------|---|
| 2.  | Introduction                               |   |
| 3.  | Objectives for the IID assignment process  | 5 |
| 3.1 | Uniqueness                                 | 5 |
| 3.2 | Simplicity                                 |   |
| 3.3 | Availability                               |   |
| 3.4 | Privacy                                    | 5 |
| 4.  | The mechanism                              | 6 |
| 4.1 | Considerations for getting a unique number | 6 |
| 5.  | The process                                | 7 |
| 5.1 | MAD has been allocated to the customer's   |   |
|     | installation / application                 | 7 |
| 5.2 | MAD has not been allocated                 |   |
| 6.  | List of References                         | 7 |
| 7.  | Legal information                          | 8 |
| 7.1 | Definitions                                |   |
| 7.2 | Disclaimers                                |   |
| 7.3 | Licenses                                   |   |
| 7.4 | Trademarks                                 |   |
| 0   | Contents                                   | c |

Please be aware that important notices concerning this document and the product(s) described herein, have been included in the section 'Legal information'.

© NXP B.V. 2016.

All rights reserved.

For more information, please visit: http://www.nxp.com For sales office addresses, please send an email to: salesaddresses@nxp.com

Date of release: 14 November 2016 407310

Document identifier: AN11909