This document discusses how to protect contactless systems both today and in the future. It begins by explaining basic password protection and its weaknesses. It then discusses additional security measures like two-factor authentication and encrypted password transmission. The document goes on to describe requirements for sustainable long-term security like backwards compatibility, updatability, and migration paths. It presents NXP's MIFARE Plus EV1 and DESFire EV2 products as solutions, highlighting features like selective security level switching and multiple rolling keysets that enable simplified security upgrades. The goal is to help users protect the value of their assets over the long term in a cost-effective manner.
2. Passwords
Commonly used to access IT equipment and online services
• Basic forms of password protection require the actual secret – the password – to be exchanged
• Additional measures used to improve the weakness of the basic form
  • Second-factor authentication
  • Enciphered transmission of the password
  • Password policies, e.g. minimal complexity, regular update
• Achievement of basic requirements for protection
  • Confidentiality: No
  • Authenticity: No
  • Integrity: No
June 1, 2016
3. Agenda
1. Security requirements in access management
2. Requirements for sustainable system security
3. Practical implementation
• MIFARE Plus EV1
• MIFARE DESFire EV2
Christoph Zwahlen
Marketing Manager
Access Management
4. Access Management
Protecting our assets
• Selective restriction of access to places and resources
• Access management protects assets and value streams
• Required level of protection depends on the value of the assets and value streams
• Basic requirements for protection
  • Confidentiality
  • Authenticity
  • Integrity
5. Access Management
Market Segments
Enterprise – access to corporate facilities and services including
• Access mgmt.
• Logical Access
• Resource mgmt.
• Payment
• Parking
• IT Services
Hospitality – access to facilities and services including
• Room Access
• Leisure facilities
• Parking
• Vending
Education – access to campus facilities and services including
• Access mgmt.
• Logical Access
• Attendance ctrl.
• Payment
• IT Services
• Library services
Residential – access to residential buildings
• House
• Apartment building
• Residential complex
Leisure – access to leisure activities such as
• Theme park
• Fitness studio
• Stadium
• Event ticketing
• Waterpark and Spa
• Ski resorts
6. Access Management
Security requirement
Columns on the slide: Applications | Protected value | Product recommendation
Applications and protected value, from low to high:
• Single use – low value
• Limited use – limited value
• Long-term use – high value
Security means, from basic to strong:
• Password protection
• Authentication
• MAC
• Full enciphered communication
7. Sustainable system security
Demands for long-term protection of assets and value streams
• Address current security demands
  • Appropriate security mechanisms for the individual situation
  • Support of existing legacy applications
• Updatability to comply with new security needs
  • Possibility to adapt to new security demands
  • Long-term maintainability of protection mechanisms
  • Reliable and secure concepts for in-field updates
• Application-independent workflow
  • Individual migration depending on application requirements
  • Smooth migration path for cost efficiency
8. MIFARE – Evolutionary enhancements
Protecting contactless systems today and tomorrow!
• Latest innovations in the MIFARE portfolio simplify sustainable system security
  • MIFARE Plus EV1: selective system security upgrades
  • MIFARE DESFire EV2: in-field key update procedure
• Independent security validation according to Common Criteria EAL5+
• Functional backwards compatibility
9. MIFARE Plus® generation benefits
MIFARE Plus® EV1
Timeline: 1994 MIFARE Classic – 2009 MIFARE Plus – 06/2015 MIFARE Plus SE – 04/2016 MIFARE Plus EV1
Columns: MIFARE Plus S | MIFARE Plus SE | MIFARE Plus X | MIFARE Plus EV1
RF interface: ISO/IEC 14443-2, type A
Protocol: ISO/IEC 14443-3 & 4
UID – unique identifier: 7-byte UID, 4-byte NUID, RID
Communication speed: 106–848 kbps
Memory size [byte]: 2KB/4KB | 1KB | 2KB/4KB | 2KB/4KB
Memory model: Compact, sectors & 16-byte blocks
Crypto: Crypto-1, AES
Key length: 48-bit Crypto-1, 128-bit AES
Authentication: 3-pass mutual
Communication security: CMACed in SL3
CC certification: EAL4+ | no | EAL4+ | EAL5+
NFC compliance: NFC capabilities in SL3
Target applications: Public transport / Campus cards / Access management
Input capacitance: 17pF | 17pF | 17pF | 17pF or 70pF
Multi-applications: yes, supported via MAD
Rows with yes/no values per generation (column assignment not preserved in this extract): Transaction MAC, Proximity Check, Virtual Card Select, ISO 7816-4 APDU, Secure NFC channel in SL1 & SL3
10. MIFARE Plus® EV1 Key Features
Functional backwards compatible to MIFARE Classic – Seamless upgrade path
Functional backwards compatible to MIFARE Plus EV0 – Easy replacement
Upgrade security-relevant applications to AES only – Enable AES system security upgrades
Leave non-security-relevant applications in Crypto1 – Reduce system upgrade cost
Feature groups: Performance / Secure end-to-end communication / Sector-wise SL switching
SL1/SL3 Mix Mode – Enabling fast security update for critical applications
Transaction MAC – Fraudulent Transaction Claim Protection
Fully ISO compliant Proximity Check – Relay Attack Protection
Virtual Card Architecture – Privacy Protection
Optimum transaction speed vs security – Fast & Reliable Transactions
High-cap versions available – More Operating Range
11. Features & Benefits
Sector-wise security level switching
• Extending the application scope for existing customers
• Switching only the necessary infrastructure to AES security
• Keep and operate non-security-relevant Crypto1 infrastructure
• Switching system integrators as soon as implementation is finished
Optional AES secure channel in SL1
• Enabling security update for critical applications
• Introduce secure services into legacy systems
• Fast enhancement of security-critical use cases
12. Nutshell Security Concept for Physical Access Control
Sector-wise Security Level Switching
• Different security layers possible
• Reduce system upgrade effort and complexity
• Reduce system upgrade cost
(Diagram on the slide: selected card sectors labelled AES)
13. Optional security in legacy mode for critical use cases
Optional AES secure channel in SL1
• All applications use the same protocol
• Seamless integration into existing infrastructure
• Fast update of security in critical infrastructure
• Reduce system upgrade cost
14. MIFARE DESFire® generation benefits
MIFARE DESFire® EV2
Timeline: 2002 MIFARE DESFire – 2008 MIFARE DESFire EV1 – 2015 MIFARE DESFire EV1 256B – 2016 MIFARE DESFire EV2
Feature | MIFARE DESFire EV1 | MIFARE DESFire EV2
ISO/IEC 14443 A 1-4 | yes | yes
ISO/IEC 7816-4 support | extended | extended
EEPROM data memory | 2/4/8KB | 2/4/8KB
Flexible file structure | yes | yes
NFC Forum Tag Type 4 | yes | yes
Secure, high-speed cmd | yes | yes
Unique ID | 7B UID or 4B RID | 7B UID or 4B RID
Number of applications | 28 | unlimited
Number of files per app | 32 | 32
High data rates support | up to 848 Kbit/s | up to 848 Kbit/s
Crypto algorithms support | DES/2K3DES/3K3DES/AES | DES/2K3DES/3K3DES/AES
CC certification (HW + SW) | EAL 4+ | EAL 5+
MIsmartApp feature | - | yes
Transaction MAC per app | - | yes
Multiple keysets per app | - | Up to 16 keysets
Multiple file access rights | - | Up to 8 keys
Inter-app files sharing | - | yes
Virtual Card Architecture | - | yes
Proximity Check | - | yes
Delivery types | Wafer, MOA4 & MOA8 | Wafer, MOA4 & MOB6
16. Features & Benefits
Multiple Rolling Keysets
• Simplified key-changing procedure for deployed cards
• Rolling to the next keyset can be done in a secure and reliable way in the field
• Increase system security by rolling the keyset regularly to limit its exposure in the field
• A self-healing mechanism in the event of the current keyset being compromised
• Enabling current MIFARE DESFire installations to migrate to AES or 3K3DES crypto progressively
(Diagram on the slide: Application n holds its files – Std. Data File, BackUp Data File, Cyclic Record File, Linear Record File, Value File – and its Application Keys, keysets numbered up to 16; up to 16 keysets per application, with the active keyset (here Keyset 2) advanced by the RollKey command)
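The password weakness of slide 2 and the rolling-keyset mechanism of this slide, as an added illustration that is not NXP code: a 3-pass challenge-response in which the key itself never crosses the air, and a card-side application whose active keyset can be rolled to the next one. HMAC-SHA256 stands in for the card's AES-CMAC, and the message layout, the RollKey behaviour and the rule that rolling requires an authenticated session are assumptions, not the DESFire EV2 command set.

```python
import hashlib
import hmac
import secrets

MAX_KEYSETS = 16  # the slide states up to 16 keysets per application

def mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over the concatenated parts; HMAC-SHA256 stands in for AES-CMAC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Application:
    """Card-side model of one application: its keysets and the active keyset index (assumed layout)."""
    def __init__(self, keysets):
        if not 1 <= len(keysets) <= MAX_KEYSETS:
            raise ValueError("an application holds 1..16 keysets")
        self.keysets = list(keysets)
        self.active = 0              # index of the active keyset
        self.authenticated = False
        self._rnd_b = None

    def challenge(self) -> bytes:
        """Pass 1: the card sends a fresh random RndB; no secret leaves the card."""
        self._rnd_b = secrets.token_bytes(16)
        self.authenticated = False
        return self._rnd_b

    def respond(self, rnd_a: bytes, reader_mac: bytes):
        """Pass 2/3: check the reader's proof under the active keyset, then return the card's proof."""
        key = self.keysets[self.active]
        if self._rnd_b is None or not hmac.compare_digest(mac(key, rnd_a, self._rnd_b), reader_mac):
            return None              # reader does not hold the active key: abort
        self.authenticated = True
        return mac(key, self._rnd_b, rnd_a)

    def roll_key(self) -> bool:
        """RollKey (assumed semantics): activate the next keyset inside an authenticated session."""
        if not self.authenticated or self.active + 1 >= len(self.keysets):
            return False
        self.active += 1
        self.authenticated = False   # keys changed: the session must be re-established
        return True

def reader_authenticate(app: Application, key: bytes) -> bool:
    """Reader side of the 3-pass mutual authentication; only random numbers and MACs cross the air."""
    rnd_b = app.challenge()
    rnd_a = secrets.token_bytes(16)
    card_mac = app.respond(rnd_a, mac(key, rnd_a, rnd_b))
    # Unlike a one-way password check, the reader also verifies the card's proof.
    return card_mac is not None and hmac.compare_digest(card_mac, mac(key, rnd_b, rnd_a))
```

A reader holding only a retired keyset is refused after the roll, which is the self-healing property the slide describes: the compromised key stops working without reissuing the cards.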
17. Integration
Enabling in-field security updates
• Verify backwards compatibility of new products in existing components
• Update key management procedures
  • Extend credential key management to extended features
  • Define system key deployment
• Introduction of new platforms
  • Extended feature set for new and existing systems
18. Thank you
Visit us at http://MIFARE.net
Follow us:
https://twitter.com/nxp_mifare
https://at.linkedin.com/in/nxpmifare
www.youtube.com/user/nxpsemiconductors
http://blog.nxp.com/
https://www.facebook.com/nxpsemi
20. Webinar Series
Outlook
Date | Title
May 24th 2016 | MIFARE Innovation Roadmap – present improved, future inside
June 1st 2016 | How to protect contactless systems today and tomorrow
June 8th 2016 | Enhanced user experience through active application management
June 15th 2016 | Streamlined user management for multi-vendor installations
June 22nd 2016 | Secure closed loop payments in an open environment
June 29th 2016 | Introduce the future in your today's system – how to ensure smooth system upgrades
July 6th 2016 | Added value to card based environments through NFC and cloud – when IoT becomes reality
July 13th 2016 | Complement use cases with mobiles and wearables