nxp mifare webinar: how to protect contactless systems today and tomorrow


Upload: nxp-mifare-team

Post on 15-Feb-2017


TRANSCRIPT

EXTERNAL USE

CHRISTOPH ZWAHLEN
JUNE 1ST, 2016

PRESENT IMPROVED - FUTURE INSIDE

HOW TO PROTECT YOUR CONTACTLESS SYSTEMS TODAY AND TOMORROW

Passwords – Commonly used to access IT equipment and online services

• Basic forms of password protection require the actual secret – the password – to be exchanged
• Additional measures used to improve the weakness of the basic form
  • Second factor authentication
  • Enciphered transmission of password
  • Password policies, e.g. minimal complexity, regular update
• Achievement of basic requirements for protection
  • Confidentiality: No
  • Authenticity: No
  • Integrity: No

Agenda

1. Security requirements in access management
2. Requirements for sustainable system security
3. Practical implementation
   • MIFARE Plus EV1
   • MIFARE DESFire EV2

Christoph Zwahlen, Marketing Manager

Access Management – Protecting our assets

• Selective restriction of access to places and resources
• Access management protects assets and value streams
• Required level of protection depends on value of assets and value streams
• Basic requirements for protection
  • Confidentiality
  • Authenticity
  • Integrity

Access Management – Market Segments

Enterprise: Access to corporate facilities and services including
• Access mgmt.
• Logical Access
• Resource mgmt.
• Payment
• Parking
• IT Services

Hospitality: Access to facilities and services including
• Room Access
• Leisure facilities
• Parking
• Vending

Education: Access to campus facilities and services including
• Access mgmt.
• Logical Access
• Attendance ctrl.
• Payment
• IT Services
• Library services

Residential: Access to residential buildings
• House
• Apartment building
• Residential complex

Leisure: Access to leisure activities such as
• Theme park
• Fitness studio
• Stadium
• Event ticketing
• Waterpark and Spa
• Ski resorts

Access Management – Security requirement

Columns: Applications | Protected value | Security means | Product recommendation

Applications and protected value, in increasing order:
• Single Use – Low Value
• Limited Use – Limited Value
• Long-term Use – High Value

Security means, in increasing order:
• Password protection
• Authentication
• MAC
• Fully enciphered communication

Sustainable system security – Demands for long-term protection of assets and value streams

• Address current security demands
  • Appropriate security mechanisms for the individual situation
  • Support of existing legacy applications
• Updateability to comply with new security needs
  • Possibility to adapt to new security demands
  • Long-term maintainability of protection mechanisms
  • Reliable and secure concepts for in-field updates
• Application independent work flow
  • Individual migration depending on application requirements
  • Smooth migration path for cost efficiency

MIFARE – Evolutionary enhancements: Protecting contactless systems today and tomorrow!

• Latest innovations in the MIFARE portfolio simplify sustainable system security
  • MIFARE Plus EV1: Selective system security upgrades
  • MIFARE DESFire EV2: In-field key update procedure
• Independent security validation according to Common Criteria EAL5+
• Functional backwards compatibility

MIFARE Plus® generation benefits – MIFARE Plus® EV1

Timeline: 1994 MIFARE Classic · 2009 MIFARE Plus · 06/2015 MIFARE Plus SE · 04/2016 MIFARE Plus EV1

Feature comparison (columns: MIFARE Plus S | MIFARE Plus SE | MIFARE Plus X | MIFARE Plus EV1)
• RF Interface: ISO/IEC 14443-2, type A
• Protocol: ISO/IEC 14443-3 & 4
• UID – unique identifier: 7-byte UID, 4-byte NUID, RID
• Communication speed: 106–848 kbps (in SL3 level)
• Memory size [Byte]: 2KB / 4KB | 1KB | 2KB / 4KB | 2KB / 4KB
• Memory model: Compact, sectors & 16-byte block
• Crypto: Crypto-1, AES
• Key length: 48-bit Crypto-1, 128-bit AES
• Authentication: 3-pass mutual
• Communication security: CMACed
• Transaction MAC: yes
• Proximity Check: yes
• Virtual Card Select
• CC Certification: EAL4+ | no | EAL4+ | EAL5+
• ISO 7816-4 APDU: yes
• NFC compliance: NFC capabilities in SL3
• Secure NFC channel: in SL1 & SL3
• Target applications: Public transport / Campus cards / Access management
• Input capacitance: 17pF | 17pF | 17pF | 17pF or 70pF
• Multi applications: yes, supported via MAD

MIFARE Plus® EV1 Key Features

Sector-wise SL switching
• Functionally backwards compatible with MIFARE Classic – Seamless upgrade path
• Functionally backwards compatible with MIFARE Plus EV0 – Easy replacement
• Upgrade security relevant applications to AES only – Enable AES system security upgrades
• Leave non-security relevant applications in Crypto1 – Reduce system upgrade cost
• SL1/SL3 Mix Mode – Enabling fast security update for critical applications

Secure end-to-end communication
• Transaction MAC – Fraudulent Transaction Claim Protection
• Fully ISO compliant Proximity Check – Relay Attack Protection
• Virtual Card Architecture – Privacy Protection

Performance
• Optimum transaction speed vs security – Fast & Reliable Transactions
• High-cap versions available – More Operating Range
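The Transaction MAC idea listed above (a tag computed by the card with a key the terminal never holds, so the back office can tell a real transaction from a fraudulent claim; the DESFire EV2 comparison later lists it per application) as an illustrative Python model. This is an added example, not NXP code: HMAC-SHA256 stands in for the card's CMAC, and the counter/tag layout, the class names and the back-office checks are assumptions.

```python
import hashlib, hmac, struct

TAG_LEN = 8  # truncated tag length (assumption)

def transaction_mac(key, counter, data):
    """Tag over counter || data. HMAC-SHA256 stands in for the card's CMAC (assumption)."""
    return hmac.new(key, struct.pack(">I", counter) + data, hashlib.sha256).digest()[:TAG_LEN]

class CardApplication:
    """Card side: holds the Transaction MAC key, which the terminal never learns (model)."""
    def __init__(self, tmac_key):
        self.tmac_key = tmac_key
        self.counter = 0  # monotonic transaction counter, bumped on every commit

    def commit(self, data):
        """Commit a transaction; the returned tag is the card's proof that it took place."""
        self.counter += 1
        return self.counter, transaction_mac(self.tmac_key, self.counter, data)

class BackOffice:
    """Settlement host: shares each card's Transaction MAC key and tracks its counter."""
    def __init__(self, keys_by_card):
        self.keys_by_card = keys_by_card
        self.last_counter = {}

    def settle(self, card_id, counter, data, tag):
        key = self.keys_by_card.get(card_id)
        if key is None:
            return "rejected: unknown card"
        if not hmac.compare_digest(transaction_mac(key, counter, data), tag):
            return "rejected: MAC does not verify"  # claim invented by the terminal or altered
        if counter <= self.last_counter.get(card_id, 0):
            return "rejected: counter reused"       # same transaction claimed twice
        self.last_counter[card_id] = counter
        return "accepted"

def settlement_scenarios():
    """Constructed sample: one card, one genuine commit, then three bad claims."""
    key = bytes(range(16))  # constructed sample key, shared by card and back office only
    card, host = CardApplication(key), BackOffice({"card-0001": key})
    debit = b"debit:EUR:2.50:gate-12"
    ctr, tag = card.commit(debit)  # genuine transaction, tag produced by the card
    fake_tag = hashlib.sha256(b"terminal guess").digest()[:TAG_LEN]
    return [
        host.settle("card-0001", ctr, debit, tag),                                # accepted
        host.settle("card-0001", ctr, debit, tag),                                # replayed claim
        host.settle("card-0001", ctr + 1, b"debit:EUR:50.00:gate-12", fake_tag),  # invented claim
        host.settle("card-0001", ctr, b"debit:EUR:50.00:gate-12", tag),           # altered amount
    ]
```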

Features & Benefits

Sector-wise security level switching
• Extending the application scope for existing customers
• Switching only necessary infrastructure to AES security; keep and operate non-security relevant Crypto1 infrastructure
• Switching system integrators as soon as implementation is finished

Optional AES secure channel in SL1
• Enabling security update for critical applications
• Introduce secure services into legacy systems
• Fast enhancement of security critical use cases

Nutshell Security Concept for Physical Access Control – Sector-wise Security Level Switching

• Different security layers possible
• Reduce system upgrade effort and complexity
• Reduce system upgrade cost

Optional security in legacy mode for critical use cases – Optional AES secure channel in SL1

• All applications use the same protocol
• Seamless integration into existing infrastructure
• Fast update of security in critical infrastructure
• Reduce system upgrade cost

MIFARE DESFire® generation benefits – MIFARE DESFire® EV2

Timeline: 2002 MIFARE DESFire · 2008 MIFARE DESFire EV1 · 2015 MIFARE DESFire EV1 256B · 2016 MIFARE DESFire EV2

Feature comparison (columns: MIFARE DESFire EV1 | MIFARE DESFire EV2)
• ISO/IEC 14443 A 1-4: yes | yes
• ISO/IEC 7816-4 support: extended | extended
• EEPROM data memory: 2/4/8KB | 2/4/8KB
• Flexible file structure: yes | yes
• NFC Forum Tag Type 4: yes | yes
• Secure, high-speed cmd: yes | yes
• Unique ID: 7B UID or 4B RID | 7B UID or 4B RID
• Number of applications: 28 | unlimited
• Number of files per app: 32 | 32
• High data rates support: up to 848 Kbit/s | up to 848 Kbit/s
• Crypto algorithms support: DES/2K3DES/3K3DES/AES | DES/2K3DES/3K3DES/AES
• CC certification (HW + SW): EAL 4+ | EAL 5+
• MIsmartApp feature: – | yes
• Transaction MAC per app: – | yes
• Multiple keysets per app: – | Up to 16 keysets
• Multiple file access rights: – | Up to 8 keys
• Inter-app files sharing: – | yes
• Virtual Card Architecture: – | yes
• Proximity Check: – | yes
• Delivery types: Wafer, MOA4 & MOA8 | Wafer, MOA4 & MOB6

MIFARE DESFire® EV2 Key Features

Features & Benefits – Multiple Rolling Keysets

• Simplified key changing procedure for deployed cards
• Rolling to the next keyset can be done in a secure and reliable way in the field
• Increase system security by rolling the keyset regularly to limit its exposure in the field
• A self-healing mechanism in the event of the current keyset being compromised
• Enabling current MIFARE DESFire installations to migrate to AES or 3K3DES crypto progressively

Figure: Application n with Std. Data File, Backup Data File, Cyclic Record File, Linear Record File and Value File; Application Keys with up to 16 keysets per application (Keyset 2 … Keyset 16, one Active Keyset), switched with the RollKey command.
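The rolling-keyset mechanism described above (up to 16 pre-provisioned keysets per application, one active, rolled forward in the field with RollKey) as an illustrative Python model. This is an added example, not NXP code: only the keyset count and the RollKey name come from the slide; HMAC-SHA256 stands in for the card's AES/3K3DES authentication, and the forward-only rule, session handling and function names are assumptions.

```python
import hashlib, hmac, secrets

MAX_KEYSETS = 16  # slide: up to 16 keysets per application

class CardApplication:
    """One application on a card; all keysets are written at personalisation (model)."""
    def __init__(self, keysets):
        if not 1 <= len(keysets) <= MAX_KEYSETS:
            raise ValueError("an application holds 1..16 keysets")
        self.keysets = list(keysets)  # keysets[0] is keyset 1 ... keysets[15] is keyset 16
        self.active = 0               # index of the active keyset; only it can authenticate
        self.session = False

    def authenticate(self, reader_key):
        """Challenge/response against the ACTIVE keyset only. HMAC-SHA256 stands in for
        the card's AES/3K3DES authentication (assumption; not the DESFire protocol)."""
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self.keysets[self.active], nonce, hashlib.sha256).digest()
        given = hmac.new(reader_key, nonce, hashlib.sha256).digest()
        self.session = hmac.compare_digest(expected, given)
        return self.session

    def roll_key(self, target):
        """RollKey (command name from the slide; semantics modelled): activate a later,
        so far unused keyset. Forward-only, so a compromised keyset can never be
        re-activated; requires an authenticated session, which the roll ends."""
        if not self.session or not self.active < target < len(self.keysets):
            return False
        self.active, self.session = target, False
        return True

def reader_roll(card, reader_keysets, target):
    """Reader-side procedure: authenticate with the card's current keyset, then roll."""
    return card.authenticate(reader_keysets[card.active]) and card.roll_key(target)

def keyset_lifecycle():
    """Walk through the slide's claims on one card; returns the observations."""
    keysets = [secrets.token_bytes(16) for _ in range(MAX_KEYSETS)]  # constructed sample keys
    card = CardApplication(keysets)
    leaked = keysets[0]  # assume keyset 1 has been compromised in the field
    return {
        "regular_roll": reader_roll(card, keysets, 1),           # scheduled roll limits exposure
        "leaked_key_rejected": not card.authenticate(leaked),    # self-healing: old set is dead
        "rollback_refused": not reader_roll(card, keysets, 0),   # no way back to a compromised set
        "skip_ahead": reader_roll(card, keysets, 15) and card.active == 15,  # straight to keyset 16
        "out_of_range": not reader_roll(card, keysets, 16),      # only 16 keysets exist
    }
```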

Integration – Enabling in-field security updates

• Verify backwards compatibility of new products in existing components
• Update key management procedures
  • Extend credential key management to extended features
  • Define system key deployment
• Introduction of new platforms
  • Extended feature set for new and existing systems

Thank you

Visit us at http://MIFARE.net

Follow us:
https://twitter.com/nxp_mifare
https://at.linkedin.com/in/nxpmifare
www.youtube.com/user/nxpsemiconductors
http://blog.nxp.com/
https://www.facebook.com/nxpsemi

Q&A

Webinar Series – Outlook (Date: Title)
• May 24th 2016: MIFARE Innovation Roadmap – present improved, future inside
• June 1st 2016: How to protect contactless systems today and tomorrow
• June 8th 2016: Enhanced user experience through active application management
• June 15th 2016: Streamlined user management for multi-vendor installations
• June 22nd 2016: Secure closed loop payments in an open environment
• June 29th 2016: Introduce the future in your today's system – how to ensure smooth system upgrades
• July 6th 2016: Added value to card based environments through NFC and cloud – when IoT becomes reality
• July 13th 2016: Complement use cases with mobiles and wearables