NXP SMART MOBILITY & RETAIL PRODUCT PORTFOLIO AND TRENDS:

NEW PRODUCTS FOR ITALIAN PUBLIC TRANSPORT OPERATORS AND PARTNERS

STATE OF THE ART OF ELECTRONIC TICKETING FOR ITALIAN LOCAL PUBLIC TRANSPORT


Agenda

First session
• Continuous urbanization
• NXP Product offer for AFC
  − Chip-on-paper and importance of an original NXP product
  − MIFARE DESFire EV2
  − MIFARE DESFire Light

Second session
• MIFARE SAM AV3
• Javacard products for Calypso installed base
  − MF DF EV2-J
• AFC multiservice platform
  − AppXplorer
• MIFARE card qualification
  − Partners in certification
• Support material
• Live-demo
• Q/A session

Continuous urbanization – need for optimization

• 2050 – as many people in cities as on planet today
• Need to manage urban flows (mobility & access to services)
• Need scalable and extendable technology

NXP solutions for admission to services in smart cities

Secure Point of service key store Convergence

Limited use

Multi use

Why NXP & MIFARE®?

Support
• +20 years application knowledge
• Tech. trainings
• Design in
• Application consultancy
• Failure analysis
• Approx. 11,000 engineers in 25 countries

Security
• Track record of high security ICs for eGov, banking, MIFARE
• Full ownership of provided solution security

Proven & Reliable
• 3 of 4 cities on MIFARE
• 300Mpcs reader ICs
• 8 of 10 governments select NXP
• 1B NFC ICs

Standardization
• Active in more than 120 standardization bodies and consortia

Solution portfolio
• NFC, reader IC, BTLE
• IC, ticket IC
• UHF IC
• HW + OS
• Software solutions
• Cloud solutions

Partner network
• > 1000 industry partners offering solutions on MIFARE

Digital solutions
• MIFARE mobile NFC
• AppXplorer business collaboration platform

NXP PRODUCT OFFER FOR AFC

NXP´s CONTACTLESS IDENTIFICATION TECHNOLOGY FAMILIES OVERVIEW

Secure Smart NFC MIFARE NFC RFID NXP Category Card ICs

PLATFORM

OPERATING FREQUENCY: HF – (13,56 MHz), LF – (125 kHz), UHF – (840-960 MHz)

ISO 14443 ISO 14443 ISO 14443 ISO 18000-3 ISO 18000-3 ISO 18000-6 ISO 14443 ISO 7816 ISO 14223 ISO 29157-10 STANDARDS ISO18092 ISO18092 ISO 15693 ISO 15693 EPC G2 ISO 7816 Global Platform ISO 11784/85 EPC G2 V2 NFC Forum NFC Forum EPC Class-1 EPC Class-1 EPC G2 V2 MIFARE

up to CC EAL6+ basic level AES basic level AES128 up to CC EAL5+ AES authentication basic level basic level SECURITY EMVCo AES (ICODE DNA) authentication

• Brand • Unique Secure • Micropayment • Credit Cards • Brand • Brand • Animal ID • Supply Chain & • AVI - Engagement & identification • Loyalty • Debit Cards Protection & Inventory Automatic Protection High • Asset Tagging Protection of NFC tags in • Smart Mobility • ePassport Engagement Value & Management Vehicle through NFC the cloud • Access Mgt • eID • Industry 4.0 Identification • Retail Engagement • Logistics enabled smart • Product • Event Mgt • eDriver License APPLICATIONS track&trace • Asset Tracking products authentication • Brand • MIFARE • Supply Chain & • Retail • Brand Protection High- functionality Inventory • Retail and • Brand • Gaming • Supply Chain & protection Value (Crypto ICs Management Inventory Brands Protection • Device pairing • Smart Advertising only) Management High Value • Secure web • Libraries access

OPERATING DISTANCE: PROXIMITY up to 10cm, VICINITY up to 1,2m, LONG RANGE up to 15m

READER ICs: Extensive contactless reader IC portfolio

3rd party certified MIFARE functionality made available on SmartMX

14.2.2019

CONTACTLESS IDENTIFICATION TECHNOLOGY OVERVIEW
Relative positioning operating range vs. features and data security

Operating range comparison

[Figure: operating range by product family]
• UCODE (UHF), ISO18000 @ 860-960MHz: UCODE DNA up to 15 m
• ICODE (HF), ISO15693 @ 13,56 MHz: ICODE DNA up to 1,2 m
• HITAG (LF), ISO 11784/85 @ 100-125 KHz
• MIFARE®, NTAG® (ISO14443, ISO 18092 (NFC) @ 13,56 MHz (HF)) and SmartMX (ISO14443, ISO7816): up to 10 cm. Products shown: MIFARE DESFire, MIFARE Classic, MIFARE PLUS, MIFARE Ultralight C, MIFARE Ultralight, NTAG, MIFARE on SmartMX

Note: The operating distance of an RFID system (Tag / reader-writer) depends on various parameters:
- Tag and reader´s antenna size and form factor, shape, tuning
- Reader IC family
- Environment (e.g. metal in proximity)
- etc.

MIFARE® product and security features positioning

[Figure: products positioned by security features and hardening (vertical axis, "Security") against platform features (horizontal axis), grouped by family]
• MIFARE Ultralight: Ultralight Nano, Ultralight EV1, Ultralight C
• MIFARE Classic: CLASSIC EV1
• MIFARE Plus: Plus SE, Plus X, Plus EV1
• MIFARE DESFire: DESFire light, DESFire EV1, DESFire EV2
• SmartMX with MIFARE: SmartMX, SmartMX2

CHIP ON PAPER STATUS

MIFARE Ultralight next generation limited use paper ticketing ICs

MIFARE Ultralight

• MIFARE Ultralight is NXP’s well-known brand for single / limited use tickets and cards
• MIFARE Ultralight based tickets are ideal for low-cost, high-volume applications serving as the perfect contactless replacement for magnetic stripe, barcode, pure printed tickets, …
• MIFARE Ultralight products comply with the international standard ISO14443, which is used in more than 80% of all contactless smart cards today
• Compatible to existing ISO14443 infrastructure ensures smooth upgrade
• NFC forum type 2 tag compliant

Key points shown beside the text:
• Contactless ticket applications: ideal flexible limited-use solution
• NXP originality signature: Product unique ECC based signature
• Reliable, Sustainable, Mature: 4 Billion pcs shipped, 80% global market share, Best in class RF-performance (ABI research 2013)
• ISO14443: Fully ISO14443 Infrastructure compatible
• NFC Connectivity: Easy information transfer via NFC-enabled devices

MIFARE Ultralight® family continuous evolution and compatibility

2002 – MIFARE Ultralight
• ISO14443A 1-3
• NFC forum tag type 2 compliant

2009 – MIFARE Ultralight C (adding 3DES security)
• 3DES authentication
• 1536 bits (192 bytes) EEPROM
• 16 bit counter
• Cloning protection via authentication key
• NFC forum tag type 2 compliant
• 17pF and 50 pF versions

2013 – MIFARE Ultralight EV1 (Successor of MIFARE Ultralight; ideal solution for limited use tickets)
• 48 and 128 Byte versions
• Additional features:
  • 3 24-bit one-way counter
  • configurable 32-bit password for write or read/write protection
  • ECC supported NXP originality signature
• NFC forum tag type 2
• 17pF and 50 pF versions

May 2016 – MIFARE Ultralight Nano (the best contactless alternative to mag stripe / barcode / QR Code & printed tickets; cost down solution for single use tickets)
• 40 Byte memory version
• Memory write protection
• ECC supported NXP originality signature (preprogrammed by NXP, reprogrammable in the field to own unique originality signature)
• NFC forum tag type 2

How to authenticate MIFARE Ultralight EV1 / Nano

• Fetch PuK (Public key)
• Receive UID (one time only)
• Send originality signature read command
• Receive originality signature
• VERIFY = f2(SIG, UID, PuK), where SIG = f1(UID, PrK)

MIFARE® implementations on SmartMX

[Figure: SmartMX P5 and SmartMX2 - MIFARE Flex, each shown as a contactless or dual interface card with a Card OS]

On SmartMX (P5) devices MIFARE DESFire EV1 or MIFARE Classic functionality can be ordered and are fixed during the card lifetime.

On SmartMX2 (P60) the flexible MIFARE “card-in-card” functionality MIFARE Flex allows to combine MIFARE DESFire EV1, MIFARE Plus and MIFARE Classic functionality in addition to existing applications. These functionalities can co-exist and be used in mixed mode.

MIFARE DESFIRE EV2

MIFARE® DESFire® serves many different applications

Closed-loop Payment Taxi Cards Home Access Transport Ticketing Event Ticketing Car Rentals Corporate Access

University Cards Ferry Cards

Hotel Access Bike Rentals Library Cards Road Tolling Museum Cards City Cards

Document Tourist Cards Loyalty Schemes Authentication

Amusement Membership Stadium Door Access Parking Student Cards Fuel Cards Park Cards

MIFARE® DESFire® Projects Worldwide

German Kesko K- University of Blood donor Plussa Michigan card San Francisco Istanbulkart Nanjing Citizen card London iCash 2.0 Abu Dhabi University of Kolkata KDDI au Pennsylvania EU Commission Wallet Mumbai NOL card Orlando Cairo University of Dubai Arizona Bangkok card San Jose Rabbit card Mexico Mexibus Google Beba Pay Melbourne

Brizzi card

Sydney

Smart Mobility Access Management Smart Loyalty Micropayment Others

Evolution to MIFARE DESFire EV2

| Feature | MIFARE DESFire EV1 | MIFARE DESFire EV2 |
|---|---|---|
| ISO/IEC 14443 A 1-4 | ✓ | ✓ |
| ISO/IEC 7816-4 support | extended | extended |
| EEPROM data memory | 2/4/8KB | 2/4/8KB |
| Flexible file structure | ✓ | ✓ |
| NFC Forum Tag Type 4 | ✓ | ✓ |
| Secure, high-speed cmd | ✓ | ✓ |
| Unique ID | 7B UID or 4B RID | 7B UID or 4B RID |
| Number of applications | 28 | unlimited |
| Number of files per app | 32 | 32 |
| High data rates support | up to 848 Kbit/s | up to 848 Kbit/s |
| Crypto algorithms support | DES/2K3DES/3K3DES/AES | DES/2K3DES/3K3DES/AES |
| CC certification (HW + SW) | EAL 4+ | EAL 5+ |
| MIsmartApp feature | - | ✓ |
| Transaction MAC per app | - | ✓ |
| Multiple keysets per app | - | Up to 16 keysets |
| Multiple file access rights | - | Up to 8 keys |
| Inter-app files sharing | - | ✓ |
| Virtual Card Architecture | - | ✓ |
| Proximity Check | - | ✓ |
| Delivery types | Wafer, MOA4 & MOA8 | Wafer, MOA4 & MOB6 |

Timeline: 2002 MIFARE DESFire, 2008 MIFARE DESFire EV1, 2016 MIFARE DESFire EV2

MIFARE® DESFire® Secure Multi-Application Architecture

MIFARE DESFire card
• PICC Level (root): PICC Keys
• Application w (Transport), APP Keys: User Info, Card validity, Stored Value, Transaction records
• Application x (Employee ID), APP Keys: Name, ID number, Privilege class, Access level
• Application y (eMoney), APP Keys: User info, Card validity, ePurse, Transaction records
• Application z

• Flexible application and file system
• Each application is like a folder under a Windows root directory
• Applications and files are defined during their creation
• Each application manages its own keys
• Card owner holds PICC keys for card management

Features & Benefits

Drop-In Replacement
• Easy migration through backward compatibility with MIFARE DESFire infrastructure
• System integrators will enjoy the performance enhancement and smart feature extensions

Improved Operating Range
• Convenient touch n‘ go experience through increased operating distance
• Improving the user experience of existing MIFARE DESFire installations
• Fast and Reliable transactions

Common Criteria EAL 5+
• Enhanced security level with EAL5+ certification, same level as products used in Banking and ePassport application
• Solution providers and system integrators have a “trusted independent” certified 3rd party certificate with regard to security aspects

Features & Benefits

MIsmartApp
• MIsmartApp enabling new business models through seamless integration of additional services in the field
• Allowing secure application creation in already deployed cards – facilitating sharing of a card for multi-application
• Interoperability with one card in many separate system environments

[Figure: Agreement & Token delivery between Transport Operator (Transport Card), eMoney Provider (eMoney Card) and Gift Card Provider (Gift Card)]

Features & Benefits

Transaction MAC
• Card generated Transaction MAC ensuring the authenticity of each transaction
• TMAC securely signs a transaction, which provides a proof of valid transaction to the backend
• Ideal for multi-operators or multi–merchants environment where cards are interoperable
• Transaction MAC allows the backend system to detect:
  • VALID TRANSACTIONS
  • Forged transactions
  • Replay of valid transactions
  • Unreported transactions
• Enable online validation with no keys stored in readers

Valid offline transaction

TMAC with transaction data stored in reader

BEST SOLUTION FOR SO-CALLED CLEARING
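How a clearing backend can sort uploaded reports into the four outcomes listed above, as an added Python example that is not NXP code. HMAC-SHA256 truncated to 8 bytes stands in for the card's own MAC computation, and the report layout, the counter starting at 1, the key and the sample transactions are constructed assumptions.

```python
# Added example: backend clearing check on Transaction MAC (TMAC) reports.
# Assumptions: HMAC-SHA256 truncated to 8 bytes is a stand-in for the card's MAC;
# record layout, counter semantics, key and sample values are constructed.
import hashlib
import hmac
from dataclasses import dataclass, replace

TMAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key


@dataclass(frozen=True)
class Report:
    """What a keyless reader stores offline and later uploads."""
    uid: bytes    # card identifier
    tmc: int      # transaction MAC counter, incremented by the card per commit
    data: bytes   # transaction data as written to the card
    tmv: bytes    # MAC value computed inside the card


def card_tmac(key, uid, tmc, data):
    """Card side: MAC over counter-bound transaction data (stand-in construction)."""
    msg = uid + tmc.to_bytes(4, "little") + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def card_commit(uid, tmc, data):
    """Simulates the card producing the record a reader would store."""
    return Report(uid, tmc, data, card_tmac(TMAC_KEY, uid, tmc, data))


class ClearingBackend:
    """Holds the TMAC key (readers do not) and classifies uploaded reports."""

    def __init__(self, key):
        self._key = key
        self._cleared = {}  # uid -> set of counters already cleared

    def check(self, rep):
        expected = card_tmac(self._key, rep.uid, rep.tmc, rep.data)
        if not hmac.compare_digest(expected, rep.tmv):
            return "forged"   # data or counter does not match the card's MAC
        seen = self._cleared.setdefault(rep.uid, set())
        if rep.tmc in seen:
            return "replay"   # genuine MAC, but this counter was already cleared
        seen.add(rep.tmc)
        return "valid"

    def unreported(self, uid):
        """Counters below the highest cleared one that nobody has uploaded."""
        seen = self._cleared.get(uid, set())
        return [c for c in range(1, max(seen, default=0) + 1) if c not in seen]


def demo():
    uid = bytes.fromhex("04112233445566")  # constructed UID
    txs = [card_commit(uid, n, b"fare=150;op=" + op)
           for n, op in [(1, b"A"), (2, b"B"), (3, b"A"), (4, b"B")]]
    altered = replace(txs[1], data=b"fare=950;op=B")  # amount changed after the card signed
    uploads = [txs[0], txs[1], altered, txs[1], txs[3]]  # transaction 3 is never uploaded
    backend = ClearingBackend(TMAC_KEY)
    return [backend.check(r) for r in uploads], backend.unreported(uid)


if __name__ == "__main__":
    print(demo())
```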

MIFARE DESFIRE LIGHT

MIFARE DESFire Family
Flexible, secure and scalable platform for trusted contactless services

• MIFARE DESFire EV2: Flexible and secure contactless platform for dynamic multi-application use cases.
• MIFARE DESFire Light: Simple and secure contactless platform for single application use cases.

MIFARE DESFire Light
Three pillars for your success!

Simplicity, Scalability, Security and Privacy

MIFARE DESFire Light
The solution for a single application

• Universal solution for applications
  − Superior total transaction times
  − Maximum cost efficiency
• Addressing single application solutions for new and existing systems
• Available in all form factors – cards, implementation for Java Cards, mobiles and wearables
• Full compatibility and up-scalability with MIFARE DESFire EV2 incl. compatibility with AppXplorer
• Certified according to Common Criteria EAL 4*

*Certification ongoing – level indicates targeted assurance level

MIFARE DESFire Light
Performance and cost optimized product for hosting a single MIFARE DESFire EV2 application

Interoperability
✓ Fully ISO/IEC 14443-4 compliant
✓ ISO/IEC 7816 based file system and command frames
✓ MIFARE DESFire EV2 AES-128 secure messaging
✓ Transaction signing w/o authentication

Performance
✓ Similar RF performance as MIFARE Classic
✓ Bench-mark transaction time performance
✓ 17 pF and 50 pF to support all antenna classes

Security, Privacy
✓ AES-128
✓ LRP wrapper around AES for strong side channel attack protection
✓ Transaction MAC
✓ Random ID option
✓ Security certified CC EAL 4 targeted

Configurability
✓ Configurable Access rights, Application IDs and File IDs
✓ Optionally limiting the number of actual transactions

MIFARE DESFire Secure Multi-Application Architecture

MIFARE DESFire card
• PICC Level (root): PICC Keys
• Application w (Transport), APP Keys: User Info, Card validity, Stored Value, Transaction records
• Application x (Employee ID), APP Keys: Name, ID number, Privilege class, Access level
• Application y (eMoney), APP Keys: User info, Card validity, ePurse, Transaction records
• Application z

• Flexible application and file system with 2kB, 4kB or 8kB of memory
• Each application is like a folder under a Windows root directory
• Applications and files are defined during their creation
• Each application manages its own keys
• Card owner holds PICC keys for card management

MIFARE DESFire Light - File System

• Single application & fixed file structure
  − Application ISO ID, DF name, File numbers changeable
• 1 kB available memory
  − 640 Byte user memory similar to MIFARE Classic 1K
• Security & Privacy
  − MIFARE DESFire EV2 AES Secure messaging
  − Plain, MACed, Encrypted communication
  − Access rights per file and operation
  − Optional Random ID
  − TMAC transaction protection
• Communication protocol
  − ISO/IEC 7816 wrapped communication

[Figure: file system layout]
• [16-byte DF Name/ISO File ID to Select], AES 128 or LRP, 5 Application Keys
• Files: 32-byte std. data file, two 256-byte std. data files, Value file, 4 x 16 cyclic record file, TMAC file (TMC, TMCLimit, TMV)
• Access rights: Read, Write, Read&Write, CC
• Plain, CMACed, Encrypted Communication
• MIFARE DESFire EV2 command (sub)set

MIFARE Product Selection
Criteria for product selection

Long-term Use, High Value
• Applications: Seasonal tickets, Employee cards, Student IDs, Micro-payment applications
• Key drivers: Convenience, Enhanced protection mechanisms, Multi-application, Maintainability, Performance
• Products: DESFire EV2, Plus EV1, DESFire EV1, Plus S/X

Limited Use, Limited Value
• Applications: Multiple-trip Ticket, Hotel Card, Visitor Passes, Account based systems
• Key drivers: Convenience, Basic protection mechanisms, Multi-application, Maintainability
• Products: DESFire Light, Plus SE, Ultralight C, DESFire EV1 256B, Ultralight EV1
• DISPOSED AFTER LIMITED USE

Single Use, Low Value
• Applications: Smart Paper Ticket, Event Tickets
• Key drivers: Convenience, Maintainability, Cost competitive system
• Products: Ultralight Nano

MIFARE DESFire – Maximal scalability and acceptance

MIFARE DESFire Light* (Basic Credential)
• Multi-application platform with global support from OEMs and SI in transportation, access, micropayment.
• Flexibility: Low
• Memory: 656 Bytes
• # of applications: 1
• Security: CC EAL 4**
• Algorithms: AES
• Interoperability: Scalable without infra. change to other types
• Operator costs: Low – Cost neutral with MIFARE Classic 1kB

MIFARE DESFire EV2 (Multi-application credential)
• Multi-application platform with global support from OEMs and SI in transportation, access, micropayment.
• Flexibility: High
• Memory: 2, 4k, 8k, 16k 32kB
• # of applications: Unlimited
• Security: CC EAL 5+
• Algorithms: DES, TDES, AES
• Interoperability: Scalable to all others devices
• Operator costs: Medium

Implementations and Applets (Convergence)
• Enabling MIFARE DESFire on Java Cards including banking cards, eID.
• Flexibility: High
• Memory: 2, 4k, 8k, 16k 32kB
• # of applications: Unlimited
• Security: CC EAL5+ or higher
• Algorithms: DES, TDES, AES – platform supporting ECC and RSA
• Interoperability: Scalable to all others devices
• Operator costs: High

MIFARE 2GO (Consumer devices)
• Enabling MIFARE DESFire on more than 2B mobile devices and wearables
• Flexibility: Very high
• Memory: 2, 4k, 8k, 16k 32kB
• # of applications: Unlimited
• Security: Depending on device, SE based and risk managed
• Algorithms: DES, TDES, AES – add. algo. depending on platform
• Interoperability: Scalable to all others devices
• Operator costs: Medium

AppXplorer (Accessibility)
• Enabling channel independent, cross organization mgt. of DESFire applications post-issuance.
• Similar to Apple´s App Store or Google Play Store this platform enables deployment of applications to cards in the hand of the end users.
• Interoperability: Any NFC device with connection to cloud
• Operator costs: Basic service free of charge

* Release in Jan. 2019
** Targeted – currently certification in progress

Coffee time, folks!

30 minutes pause

MIFARE SAM AV3

Points Of Service Credentials

Quick key facts on credential & POS (point of service) systems

Symmetric key cryptographic algorithms are widely spread
• For all non EMV payment and non eGOV applications

POS interaction with symmetric key cryptographic algorithms
• Real time online e2e connection with servers (keys stored in HSM)
• Local, secure key storage & crypto operation in POS (local SAM)

Challenges
• Real time online connectivity not 100% available
• What happens in case of online interruption?

Recommended design for critical services
• Local secure key storage & crypto operation
• With online connectivity (no real-time) to servers

MIFARE SAM: Protecting assets for more than a decade

| Feature | MIFARE SAM AV2 | MIFARE SAM AV3 |
|---|---|---|
| ISO/IEC 7816-4 | T=1 | T=1 |
| HW Crypto | TDEA, AES, RSA, Crypto-1 | TDEA, AES, RSA, ECC, Crypto-1 |
| No. of sym. key entry | 128 | 128 |
| No. of asym. key entry | 3 RSA | 3 RSA, 8 ECC, 24 EMV CA |
| 7-bytes UID | ✓ | ✓ |
| X-Mode support | ✓ | ✓ |
| MIFARE Classic support | ✓ | ✓ |
| MIFARE DESFire support | D40, EV1 | D40, EV1, EV2 |
| MIFARE Plus support | EV0 | EV0, EV1 |
| ICODE DNA | - | ✓ |
| UCODE DNA | - | ✓ |
| NTAG DNA | - | ✓ |
| ECC Originality Check | - | ✓ |
| CC certification (HW) | EAL 5+ | EAL 6+ |
| Composite certification | - | MIFARE Scheme |
| Programmable Logic | - | ✓ |
| I2C slave host interface | - | HVQFN32 |
| Delivery types | Wafer, PCM & HVQFN32 | Wafer, PCM & HVQFN32 |

Timeline: 2004 SAM AV1 (3DES); 2009 SAM AV2 (3DES, AES, RSA); 2018 SAM AV3 (3DES, AES, RSA, ECC, Prog. Logic)

MIFARE SAM AV3
Extended credential support new use cases

• MIFARE® product family (MIFARE® DESFire® EV2, MIFARE Plus® EV1). Use cases: Access management, Automated fare collection, Loyalty programs, Micropayments
• ICODE® (ICODE DNA), NTAG® (NTAG® DNA), UCODE® (UCODE® DNA). Use cases: Access Management, Lift cards, Genuine supply parts, Gated parking area access, Road tolling, Automated vehicle identification

USE CASES

MIFARE SAM AV3

Use Case 1 - MIFARE SAM AV3 equipped turnstile

Local interactive devices

PTO turnstile Internet/ PTO Back-end

smartcard crypto SAM AV3

NFC, BT, WIFI COMM. ek(..100110110...) MCU ek(..011010011...) wearables

• MCU manages the communication between SAM and the external devices or backend
• Mutual authentication is done between the SAM and the external devices or backend
• A secure session is set up after successful authentication and the communication channel will be encrypted with the session key

Use Case 5 – AVI – Automatic Vehicle (Plate) Identification

[Figure: AVI reader built from a UHF EPC GEN2V2 TX/RX front end (RF COM), an MCU and a SAM AV3 for crypto]
• Auth & securely download data from AVI reader, and manage AVI system remotely
• Auth & manage protocol with traffic company
• Auth with the secure RFID tag
• Auth with UCODE DNA
• MCU process RFID tag with the service for the valid tag

AVI: Automatic Vehicle ID

JAVA CARDS FOR CALYPSO INSTALLED BASE

NXP CLAP!

• Calypso light application compliant IC, compliant to latest published Calypso specification V 3.X+
• High security certified device
• State of the art silicon, tailored for low cost card and ticket products
• Leveraging NXP unique position as leader in high volume paper ticketing IC provider
• Fully released product, available for testing under NDA

NXP JCOP offer for transit / Calypso

• JCOP3
  − Certified by Calypso
• JCOP 4
  − Ongoing certification.
  − Best in class performance
  − Flexible with multiple configurations, and MIFARE DESFire combination possible

TRENDS IN NFC MOBILE

Dynamic NFC Smartphone Growth
NFC Shipments, Attach Rates and Installed Bases

| Year | Units shipped | Attach rate | Installed base |
|---|---|---|---|
| 2017 | 815 Mn | 53% | 1,982 Mn |
| 2019 | 1,092 Mn | 68% | 2,703 Mn |
| 2021 | 1,408 Mn | 84% | 3,852 Mn |

Source: ABI, Strategy Analytics, NXP - Nov. 2017

Apple expands NFC in iOS 13

• 2014: Apple introduces Apple Pay in iPhone 6 using NFC technology
• 2017: Apple implemented NFC tag reading (with an app)
• 2018: Apple implemented background NFC tag reading (without app)
• 2019: Apple extends NFC tag reading, adds NFC tag writing and NFC P2P

NFC gets a lot more powerful in iOS13

• Apple's announcement brings more NFC-based convenience to millions of iPhone users worldwide.
• Apple’s Core NFC framework now supports tag reading and writing across the full range of NFC protocols for NFC tags deployed today.
• Developers can create new apps and solutions that can:
  • Write directly to blank tags, as well as communicate with tags through native protocols.
  • Interact with a range of contactless smartcards and tags, including NFC-enabled passports and other government IDs.

APPXPLORER

MIFARE the perfect partner to build independent “Smart City” scheme

▪ Over 900 million ICs deployed
▪ Over 40 applications
▪ eTicketing in more than 90 major cities
▪ 10 regional and countrywide schemes
▪ Bike-sharing
▪ 24 countries
▪ Hospitality and accommodation around the World, over 5M rooms RFID
▪ Universities use MIFARE for access, micro-payment and other applications
▪ Car-sharing and mobility access
▪ Events, leisure and entertainment, recreation activities

NXP AppXplorer collaboration platform

Open Network for Issuers and Application Providers
• Many-to-Many relationship on regional and global scale

Market place to facilitate collaboration
• Memory/card layout design
• Regulate commercial agreement between parties by providing generic GTC for faster time-to-market
• Control content available for end-users, virtual handshake between Issuers & Service Providers

Personalization agent & channel
• AppXplorer to be used as secure channel for personalization of applications on smart mediums (OTA personalization process)

Marketing platform for Issuers and Application Providers
• Would be able to push marketing content to end customers (e.g. offers & incentives)

Channelize end-customer reach
• Common channel to reach global customers
• APIs available for integration with partner mobile application

[Figure: Application/Service providers (Transport, Bike share, Loyalty scheme, Hospitality, Payment, Travel & Miles, Event Access, Identity, E-Health, Smart Home) connected to Smart Medium Issuers (Smart card, Smart wearable, Smartphone)]

AppXplorer in brief

NXP AppXplorer WEB collaboration platform
Common platform for smart device issuers and service providers to offer multi-application environment with single mobile interface for management of end-customer smart device on the go.

E2E Security
AES 128 & websocket protocol used to secure communication between end-user Android NFC smartphone and AppXplorer WEB/cloud platform using smartphone mobile application as end-user UI.

Centralized with zero-friction customer experience
Using Android NFC smartphones end-users securely manage on the go (install, update, personalize, remove) applications on their MIFARE DESFire smart device.

AppXplorer ID & Low barrier of entry/use

[Figure: smart device, mobile application and AppXplorer WEB linked by AES128 & WebSocket secure channels. Labels shown:]
▪ AX ID
▪ Apps already installed
▪ Memory status
▪ Issuer branding
▪ Memory lay-out
▪ Available service providers/applications
▪ Latest updates (promotions & other particular content)
▪ Install & uninstall applications
▪ Personalize content of each application
▪ Card memory: Native NDEF app, DF app, NDEF file (192b, 256b, 96b)
▪ AppXplorer ID pre-perso

AppXplorer: How it works

[Figure: AppXplorer mobile application screen listing installed applications and available applications (GET, See all) for a smart card or smart wearable, connected to AppXplorer WEB over an E2E secure channel]

Step 1: Card is pre-personalized as per the specification to enable it for AppXplorer (AX Identifier & DAM keys)
Step 2: Card is tapped against the mobile application
Step 3: The mobile application reads the AX Identifier and sends it to the AX backend
Step 4: AppXplorer backend processes the details and fetches important information based on the AppXplorer Identifier
Step 5: AppXplorer backend sends the list of available application along with other necessary details
Step 6: AppXplorer mobile application displays all available application to be installed and required service provider details
Step 7: User selects the application and taps the card to install the selected application on card

MIFARE DESFire EV2 Secure Multi-Application Architecture

[Figure: PICC Level (root) with PICC Keys; Applications W, X, Y, Z (labelled Loyalty, Transport, Hospitality) with APP Keys and files such as User info, Card validity, Privilege class, Name, ID number, Stored value, Access level, ePurse, Transaction records]

• Flexible application and file system
• Each application is like a folder under a Windows root directory
• Applications and files are defined during their creation
• Each application manages its own keys
• Card owner holds PICC keys for card management

MIFARE CARD QUALIFICATION

MIFARE Certification Process

• Functional Certification ensures conformity of MIFARE products with all requirements and is primarily used to guarantee that the card or reader products from a certified supplier will work correctly with any certified terminal or reader in the MIFARE eco-system. Certified products fulfill the functional requirements in quality, reliability and interoperability for smart and secure contactless MIFARE solutions.
• Security Certifications are mandatory for MIFARE Plus and MIFARE DESFire implementations.

[Figure: Functional Certification (Level 1, Level 2) and Security Certification, shown with Interoperability, Reliability, Quality, ISO14443 and Connectivity]

MIFARE Certification Level 1 and Level 2

Functional Certification Level 1
▪ This is to ensure that the implemented MIFARE functionality shows the correct behavior according to the specification of the respective MIFARE IC. This includes NXP´s MIFARE ICs as well as implementations of MIFARE on 3rd party ICs and devices.

Functional Certification Level 2
▪ This certification concerns the testing and certification of the proper MIFARE functionality on the RFID (air) interface (ISO14443A part 3). Wave shapes and timing measurements are measured according to the respective ISO specifications. This concerns card and inlay products as well as reader/writer and terminal products.

Note: Opposite to the EMV certification level definition the MIFARE certification level 1 concerns the conformance to the functional specification and is a pre-requisite for air interface certification (MIFARE certification level 2)

MIFARE Certification Partners

▪ The MIFARE team has established partnerships with independent test houses / laboratories with a global presence in order to ensure MIFARE testing and certification can be obtained easily.

▪ MIFARE Certification Partners
  ▪ ARSENAL Testhouse
  ▪ LSI-TEC
  ▪ UL Transaction Security

https://www.mifare.net/en/partners/certification-partner-2/
