AES vs 3DES for NFC device authentication (Mifare)

Question

I'm in a situation where i have to choose between two types of cards, Mifare Ultralight C and Mifare Plus. Former offers 3DES and the latter, AES. QUite obviously, security is a must and is important in the given circumstance.

1. On what basis do i select the technology?
2. If possible, do you know how it can be used through the Android SDK?
3. Please keep in mind ultimately i would like to move into Payments through the usage of NFC. Does this change the dynamics of the selection criteria?

Thanks

Answer 1

Some facts that may help in your decision:

• MIFARE Plus has 3 possible Security Levels (depending on the exact type of MIFARE Plus IC). Security Level 2 cannot be accessed by the Android NFC API.
• MIFARE Plus, although it is Android IsoDep compatible, is not ISO 7816 compatible
• Communication between phone and MIFARE Ultralight C (and v.v.) is never encrypted.
• MIFARE Ultralight C has very limited storage capability
• MIFARE DESFire EV1 offers 3DES and AES authentication and communication encryption, offers ISO 7816 compatibility, is NFC Forum compliant and available in 2K, 4K and 8K variants.

Answer 2

Considering that according to the Mifare Ultralight C documentation the DES implementation is a 2-key DES only (and not a 3-key DES) I would prefer the AES capable card.