nxp mifare webinar: how to protect contactless systems today and tomorrow
TRANSCRIPT
EXTERNAL USE
CHRISTOPH ZWAHLEN
JUNE 1ST, 2016
PRESENT IMPROVED - FUTURE INSIDE
HOW TO PROTECT YOUR CONTACTLESS SYSTEMS TODAY AND TOMORROW
Passwords – Commonly used to access IT equipment and online services
• Basic forms of password protection require the actual secret – the password – to be exchanged
• Additional measures used to improve the weakness of the basic form
  • Second factor authentication
  • Enciphered transmission of the password
  • Password policies, e.g. minimal complexity, regular update
• Achievement of basic requirements for protection
  • Confidentiality: No
  • Authenticity: No
  • Integrity: No
Agenda
1. Security requirements in access management
2. Requirements for sustainable system security
3. Practical implementation
  • MIFARE Plus EV1
  • MIFARE DESFire EV2
Christoph Zwahlen, Marketing Manager
Access Management – Protecting our assets
• Selective restriction of access to places and resources
• Access management protects assets and value streams
• Required level of protection depends on the value of assets and value streams
• Basic requirements for protection
  • Confidentiality
  • Authenticity
  • Integrity
Access Management – Market Segments
Enterprise – Access to corporate facilities and services including
• Access mgmt.
• Logical Access
• Resource mgmt.
• Payment
• Parking
• IT Services
Hospitality – Access to facilities and services including
• Room Access
• Leisure facilities
• Parking
• Vending
Education – Access to campus facilities and services including
• Access mgmt.
• Logical Access
• Attendance ctrl.
• Payment
• IT Services
• Library services
Residential – Access to residential buildings
• House
• Apartment building
• Residential complex
Leisure – Access to leisure activities such as
• Theme park
• Fitness studio
• Stadium
• Event ticketing
• Waterpark and Spa
• Ski resorts
Access Management – Security requirement
Applications and protected value:
• Single Use – Low Value
• Limited Use – Limited Value
• Long-term Use – High Value
Security means (rising with the protected value):
• Password protection
• Authentication
• MAC
• Full enciphered communication
Product recommendation: (column values are not contained in the extracted slide text)
Sustainable system security – Demands for long-term protection of assets and value streams
• Address current security demands
  • Appropriate security mechanisms for the individual situation
  • Support of existing legacy applications
• Updateability to comply with new security needs
  • Possibility to adapt to new security demands
  • Long-term maintainability of protection mechanisms
  • Reliable and secure concepts for in-field updates
• Application independent workflow
  • Individual migration depending on application requirements
  • Smooth migration path for cost efficiency
MIFARE – Evolutionary enhancements: Protecting contactless systems today and tomorrow!
• Latest innovations in the MIFARE portfolio simplify sustainable system security
  • MIFARE Plus EV1: Selective system security upgrades
  • MIFARE DESFire EV2: In-field key update procedure
• Independent security validation according to Common Criteria EAL5+
• Functional backwards compatibility
MIFARE Plus® generation benefits – MIFARE Plus® EV1

Timeline: 1994 MIFARE Classic | 2009 MIFARE Plus | 06/2015 MIFARE Plus SE | 04/2016 MIFARE Plus EV1

Variants compared: MIFARE Plus S / MIFARE Plus SE / MIFARE Plus X / MIFARE Plus EV1
(rows with a single value apply across the variants as extracted; rows with four values list S; SE; X; EV1)
• RF Interface: ISO/IEC 14443-2, type A
• Protocol: ISO/IEC 14443-3 & 4
• UID – unique identifier: 7-byte UID, 4-byte NUID, RID
• Communication speed: 106-848 Kbps (in SL3 level)
• Memory size [Byte]: 2KB / 4KB; 1KB; 2KB / 4KB; 2KB / 4KB
• Memory Model: Compact, Sectors & 16-byte block
• Crypto: Crypto-1, AES
• Key Length: 48-bit Crypto-1, 128-bit AES
• Authentication: 3-pass mutual
• Communication, Security: CMACed
• Transaction MAC: yes
• Proximity Check: yes
• Virtual Card Select
• CC Certification: EAL4+; no; EAL4+; EAL5+
• ISO 7816-4 APDU: yes
• NFC compliance: NFC capabilities in SL3
• Target applications: Public transport / Campus cards / Access management
• Input capacitance: 17pF; 17pF; 17pF; 17pF or 70pF
• Secure NFC channel: in SL1 & SL3
• Multi applications: yes, supported via MAD
(Three further "no" entries of the original feature table cannot be assigned to a row or variant from the extracted text.)
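The Passwords slide states why a plain password fails the three basic requirements: the secret itself crosses the interface. The "Authentication: 3-pass mutual" row above is the alternative the deck proposes. The following added example (written for this transcript, not NXP code and not the card's actual command set) models both: a password gate whose secret is visible on the wire, and a 3-pass challenge-response exchange in which both sides prove knowledge of a shared key without ever sending it. HMAC-SHA256 stands in for the card's block cipher so the flow runs with the Python standard library; the key, password, and the sending of RndA in clear are modelling assumptions, not product behaviour.

```python
import hmac
import hashlib
import secrets

# Constructed values for the example (not keys from the slides or from any product)
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PASSWORD = b"door-1234"


def keyed(key: bytes, *parts: bytes) -> bytes:
    """Keyed one-way function standing in for the card's cipher (AES / Crypto-1).
    HMAC-SHA256 only serves to make the 3-pass message flow runnable offline."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class PasswordGate:
    """Basic password protection: the secret itself is what crosses the interface."""

    def __init__(self, password: bytes):
        self._password = password

    def open(self, presented: bytes, wire: list) -> bool:
        wire.append(presented)  # everything appended to `wire` is what an eavesdropper sees
        return hmac.compare_digest(presented, self._password)


class Card:
    """Card side of a 3-pass mutual authentication (challenge-response)."""

    def __init__(self, key: bytes):
        self._key = key
        self._rnd_b = None

    def pass1(self) -> bytes:
        # Pass 1: card challenges the reader with a fresh random number RndB.
        self._rnd_b = secrets.token_bytes(16)
        return self._rnd_b

    def pass3(self, rnd_a: bytes, reader_proof: bytes):
        # Pass 2 arrives here: reader proves key knowledge over (RndA, RndB).
        expected = keyed(self._key, rnd_a, self._rnd_b)
        if not hmac.compare_digest(reader_proof, expected):
            return None  # reader rejected; the card proves nothing to it
        # Pass 3: card proves key knowledge over (RndB, RndA); the order differs
        # from pass 2 so the reader's own proof cannot simply be reflected back.
        return keyed(self._key, self._rnd_b, rnd_a)


class Reader:
    """Reader side: holds the same key, never transmits it."""

    def __init__(self, key: bytes):
        self._key = key
        self.rnd_a = None

    def pass2(self, rnd_b: bytes):
        self.rnd_a = secrets.token_bytes(16)
        return self.rnd_a, keyed(self._key, self.rnd_a, rnd_b)

    def verify(self, rnd_b: bytes, card_proof: bytes) -> bool:
        return hmac.compare_digest(card_proof, keyed(self._key, rnd_b, self.rnd_a))


def mutual_auth(card: Card, reader: Reader, wire: list) -> bool:
    """Run the exchange; True only if both sides accepted each other."""
    rnd_b = card.pass1()
    wire.append(rnd_b)
    rnd_a, reader_proof = reader.pass2(rnd_b)
    wire.append(rnd_a + reader_proof)
    card_proof = card.pass3(rnd_a, reader_proof)
    if card_proof is None:
        return False
    wire.append(card_proof)
    return reader.verify(rnd_b, card_proof)


def password_leaks_secret() -> bool:
    """Passwords slide: the secret is exchanged, so an eavesdropper captures it."""
    wire = []
    PasswordGate(PASSWORD).open(PASSWORD, wire)
    return PASSWORD in b"".join(wire)


def mutual_auth_properties() -> dict:
    """Authentication row: the key stays on both sides; replay and a wrong key fail."""
    wire = []
    card = Card(SHARED_KEY)
    accepted = mutual_auth(card, Reader(SHARED_KEY), wire)
    key_on_wire = SHARED_KEY in b"".join(wire)
    # Replay: feed the captured pass-2 message to the card in a new session.
    captured_rnd_a, captured_proof = wire[1][:16], wire[1][16:]
    card.pass1()  # fresh RndB, so the captured proof no longer matches
    replay_accepted = card.pass3(captured_rnd_a, captured_proof) is not None
    wrong_key_accepted = mutual_auth(Card(SHARED_KEY), Reader(b"\x00" * 16), [])
    return {"accepted": accepted, "key_on_wire": key_on_wire,
            "replay_accepted": replay_accepted, "wrong_key_accepted": wrong_key_accepted}


if __name__ == "__main__":
    print("password seen on the wire:", password_leaks_secret())
    print(mutual_auth_properties())
```

The point to take from the two functions is the one the deck makes: with a password the eavesdropped bytes are the credential, whereas after a captured 3-pass session the attacker holds only random numbers and MACs that are useless against the next challenge.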
MIFARE Plus® EV1 Key Features

Sector-wise SL switching
• Functional backwards compatible to MIFARE Classic – Seamless upgrade path
• Functional backwards compatible to MIFARE Plus EV0 – Easy replacement
• Upgrade security relevant applications to AES only – Enable AES system security upgrades
• Leave non-security relevant applications in Crypto1 – Reduce system upgrade cost
• SL1/SL3 Mix Mode – Enabling fast security update for critical applications

Secure end-end comm.
• Transaction MAC – Fraudulent Transaction Claim Protection
• Fully ISO compliant Proximity Check – Relay Attack Protection
• Virtual Card Architecture – Privacy Protection

Performance
• Optimum transaction speed vs security – Fast & Reliable Transactions
• High-cap versions available – More Operating Range
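"Transaction MAC – Fraudulent Transaction Claim Protection" is listed without explanation. The added example below (constructed for this transcript; not NXP code and not the card's actual TMAC format) shows the idea: the card holds a MAC key that the terminal never has, emits a MAC over each committed transaction together with a transaction counter, and the backend verifies that MAC before paying out a claim. A terminal can then neither inflate an amount, nor resubmit a claim, nor invent a transaction the card never performed. The UID, key, counter encoding and HMAC-SHA256 (in place of the card's AES-CMAC) are assumptions of the example.

```python
import hmac
import hashlib

# Constructed example values; a real deployment provisions per-card keys.
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")                       # constructed 7-byte UID
TMAC_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")     # known to card and backend only


def transaction_mac(key: bytes, uid: bytes, counter: int, amount: int) -> bytes:
    """MAC over what the backend must be able to trust: which card, which
    transaction number, which amount. HMAC-SHA256 truncated to 16 bytes stands
    in for the card's AES-CMAC."""
    msg = uid + counter.to_bytes(4, "big") + amount.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class CardValueFile:
    """Card side: a value file plus a transaction counter; emits one MAC per debit."""

    def __init__(self, uid: bytes, tmac_key: bytes, balance: int):
        self.uid = uid
        self._tmac_key = tmac_key      # never leaves the card
        self.balance = balance
        self.counter = 0               # increments once per committed transaction

    def debit(self, amount: int) -> dict:
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid debit")
        self.balance -= amount
        self.counter += 1
        tag = transaction_mac(self._tmac_key, self.uid, self.counter, amount)
        # This record is what the terminal forwards to the backend as its claim.
        return {"uid": self.uid, "counter": self.counter, "amount": amount, "tmac": tag}


class Backend:
    """Backend side: holds the per-card MAC keys and the last counter accepted per card."""

    def __init__(self, tmac_keys: dict):
        self._keys = tmac_keys
        self._last_counter = {}

    def accept_claim(self, claim: dict) -> bool:
        key = self._keys.get(claim["uid"])
        if key is None:
            return False                          # unknown card
        expected = transaction_mac(key, claim["uid"], claim["counter"], claim["amount"])
        if not hmac.compare_digest(expected, claim["tmac"]):
            return False                          # not produced by this card for these values
        if claim["counter"] <= self._last_counter.get(claim["uid"], 0):
            return False                          # duplicate or out-of-order claim
        self._last_counter[claim["uid"]] = claim["counter"]
        return True


def run_scenarios() -> dict:
    """Genuine claim passes; tampered, replayed and fabricated terminal claims fail."""
    card = CardValueFile(CARD_UID, TMAC_KEY, balance=1000)
    backend = Backend({CARD_UID: TMAC_KEY})
    genuine = card.debit(250)
    results = {"genuine": backend.accept_claim(genuine)}
    # Terminal inflates the amount after the card committed 250.
    results["inflated_amount"] = backend.accept_claim(dict(genuine, amount=900))
    # Terminal submits the same genuine claim a second time.
    results["replayed"] = backend.accept_claim(dict(genuine))
    # Terminal claims a transaction the card never performed (it has no MAC key).
    fabricated = {"uid": CARD_UID, "counter": 2, "amount": 100, "tmac": bytes(16)}
    results["fabricated"] = backend.accept_claim(fabricated)
    # A real second debit still goes through.
    results["second_genuine"] = backend.accept_claim(card.debit(100))
    results["card_balance"] = card.balance
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The counter check is what turns the MAC from "this card said this once" into "this card said this exactly once"; without it the backend could not tell a legitimate resubmission from a duplicated claim.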
Features & Benefits
Sector-wise security level switching
• Extending the application scope for existing customers
  • Switching only necessary infrastructure to AES security
  • Keep and operate non-security relevant Crypto1 infrastructure
• Switching system integrators as soon as implementation is finished
Optional AES secure channel in SL1
• Enabling security update for critical applications
  • Introduce secure services into legacy systems
  • Fast enhancement of security critical use cases
Nutshell Security Concept for Physical Access Control – Sector-wise Security Level Switching
• Different security layers possible
• Reduce system upgrade effort and complexity
• Reduce system upgrade cost
Optional security in legacy mode for critical use cases – Optional AES secure channel in SL1
• All applications use the same protocol
• Seamless integration into existing infrastructure
• Fast update of security in critical infrastructure
• Reduce system upgrade cost
MIFARE DESFire® generation benefits – MIFARE DESFire® EV2

Timeline: 2002 MIFARE DESFire | 2008 MIFARE DESFire EV1 | 2015 MIFARE DESFire EV1 256B | 2016 MIFARE DESFire EV2

Feature: MIFARE DESFire EV1 / MIFARE DESFire EV2
• ISO/IEC 14443 A 1-4: yes / yes
• ISO/IEC 7816-4 support: extended / extended
• EEPROM data memory: 2/4/8KB / 2/4/8KB
• Flexible file structure: yes / yes
• NFC Forum Tag Type 4: yes / yes
• Secure, high-speed cmd: yes / yes
• Unique ID: 7B UID or 4B RID / 7B UID or 4B RID
• Number of applications: 28 / unlimited
• Number of files per app: 32 / 32
• High data rates support: up to 848 Kbit/s / up to 848 Kbit/s
• Crypto algorithms support: DES/2K3DES/3K3DES/AES / DES/2K3DES/3K3DES/AES
• CC certification (HW + SW): EAL 4+ / EAL 5+
• MIsmartApp feature: – / yes
• Transaction MAC per app: – / yes
• Multiple keysets per app: – / up to 16 keysets
• Multiple file access rights: – / up to 8 keys
• Inter-app files sharing: – / yes
• Virtual Card Architecture: – / yes
• Proximity Check: – / yes
• Delivery types: Wafer, MOA4 & MOA8 / Wafer, MOA4 & MOB6
Features & Benefits – Multiple Rolling Keysets
• Simplified key changing procedure for deployed cards
• Rolling to the next keyset can be done in a secure and reliable way in the field
• Increase system security by rolling the keyset regularly to limit its exposure in the field
• A self-healing mechanism in the event of the current keyset being compromised
• Enabling current MIFARE DESFire installations to migrate to AES or 3K3DES crypto progressively
Diagram: Application n holds its files (Std. Data File, Backup Data File, Cyclic Record File, Linear Record File, Value File) and its Application Keys, organised in up to 16 keysets per application (Keyset 2 … Keyset 16); the active keyset (Keyset 2 in the diagram) is advanced with the RollKey command.
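To make the keyset-rolling slide concrete, the following added example (constructed for this transcript; not NXP code and not the semantics of the actual RollKey command) models an application with several pre-provisioned keysets and one active keyset. Rolling activates the next keyset that is already on the card, so no new key value has to be written to a deployed card; a copy of the previous key stops working, which is the self-healing property the slide describes; and because each keyset can carry its own crypto type, the same roll can move a legacy 3K3DES installation onto AES. The keys, the "authenticate with the active keyset before rolling" rule and the crypto labels are assumptions of the example.

```python
import hmac

MAX_KEYSETS = 16   # slide: up to 16 keysets per application


class Application:
    """One card application with several pre-provisioned keysets and one active keyset."""

    def __init__(self, keysets):
        # Each keyset: {"crypto": "3K3DES" | "AES", "key": bytes}; constructed for the example.
        if not 1 <= len(keysets) <= MAX_KEYSETS:
            raise ValueError("1..16 keysets per application")
        self._keysets = list(keysets)
        self.active = 0            # index of the active keyset (slide: "Active Keyset")

    def authenticate(self, crypto: str, key: bytes) -> bool:
        """Only the active keyset authenticates; superseded keysets are dead after a roll."""
        ks = self._keysets[self.active]
        return crypto == ks["crypto"] and hmac.compare_digest(key, ks["key"])

    def roll_key(self, crypto: str, key: bytes) -> bool:
        """Modelled RollKey (assumption): caller authenticates with the active keyset,
        then the next pre-provisioned keyset becomes active. The new key never
        crosses the interface; it was provisioned before the card was issued."""
        if not self.authenticate(crypto, key):
            return False
        if self.active + 1 >= len(self._keysets):
            return False           # no further keyset provisioned
        self.active += 1
        return True

    def active_crypto(self) -> str:
        return self._keysets[self.active]["crypto"]


def build_keysets():
    # Constructed keys. Keyset 1 keeps the legacy 3K3DES system key; the rest are AES,
    # so rolling also migrates the application to AES step by step.
    return [
        {"crypto": "3K3DES", "key": bytes.fromhex("00" * 24)},
        {"crypto": "AES", "key": bytes.fromhex("11" * 16)},
        {"crypto": "AES", "key": bytes.fromhex("22" * 16)},
    ]


def self_healing_demo() -> dict:
    """Compromised current key is locked out by a roll; readers move to the next keyset."""
    ks = build_keysets()
    app = Application(ks)
    reader_key = ("3K3DES", ks[0]["key"])
    stolen_key = ("3K3DES", ks[0]["key"])   # attacker holds a copy of the current key
    r = {"crypto_before": app.active_crypto(),
         "attacker_before_roll": app.authenticate(*stolen_key)}
    # Operator rolls the keyset in the field; readers receive keyset 2 through key management.
    r["roll_ok"] = app.roll_key(*reader_key)
    r["attacker_after_roll"] = app.authenticate(*stolen_key)
    r["reader_after_roll"] = app.authenticate("AES", ks[1]["key"])
    r["attacker_can_roll"] = app.roll_key(*stolen_key)     # old key cannot roll either
    r["crypto_after"] = app.active_crypto()
    # Regular rolling continues until the last provisioned keyset, then is refused.
    r["roll_again"] = app.roll_key("AES", ks[1]["key"])
    r["roll_past_end"] = app.roll_key("AES", ks[2]["key"])
    return r


if __name__ == "__main__":
    for name, outcome in self_healing_demo().items():
        print(f"{name}: {outcome}")
```

The operational consequence the slide's "Integration" points hint at is visible in `build_keysets`: the keysets must exist on the card before issuance, so key management has to plan the whole sequence (and which crypto each step uses) at personalisation time, not when the first compromise happens.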
Integration – Enabling in-field security updates
• Verify backwards compatibility of new products in existing components
• Update key management procedures
  • Extend credential key management to extended features
  • Define system key deployment
• Introduction of new platforms
  • Extended feature set for new and existing systems
Thank you
Visit us at http://MIFARE.net
Follow us:
https://twitter.com/nxp_mifare
https://at.linkedin.com/in/nxpmifare
www.youtube.com/user/nxpsemiconductors
http://blog.nxp.com/
https://www.facebook.com/nxpsemi

Webinar Series – Outlook
Date – Title
May 24th 2016 – MIFARE Innovation Roadmap – present improved, future inside
June 1st 2016 – How to protect contactless systems today and tomorrow
June 8th 2016 – Enhanced user experience through active application management
June 15th 2016 – Streamlined user management for multi-vendor installations
June 22nd 2016 – Secure closed loop payments in an open environment
June 29th 2016 – Introduce the future in your today's system – how to ensure smooth system upgrades
July 6th 2016 – Added value to card based environments through NFC and cloud – when IoT becomes reality
July 13th 2016 – Complement use cases with mobiles and wearables