ID Customer Day 2013
Introducing MIFARE DESFire EV2
Q3 2014
Agenda
‣ Introduction to the world of NXP MIFARE and MIFARE DESFire
‣ IHS analysis of the transport ticketing market
‣ An invitation to explore new business opportunities enabled by MIFARE DESFire EV2 innovations
‣ Key innovative features explained
We bring Security & Convenience
NXP is #1 with over 8B units shipped
Product areas: eGovernment, bank cards, smart mobility & access management cards, tags & authentication, smart readers, mobile devices
NXP is the Identification Industry's #1 Semiconductor Supplier
MIFARE DESFire was designed for smart mobility and access, and is now a platform available across form factors
MIFARE® – the application platform
NXP's MIFARE Product Portfolio (figure, media value vs. functionality):
‣ limited-use ticket ICs: MIFARE Ultralight, MIFARE Ultralight EV1, MIFARE Ultralight C
‣ contactless memory card ICs: MIFARE Classic 1K, MIFARE Classic 4K
‣ contactless CPU card ICs: MIFARE Plus S/X 2K, MIFARE Plus S/X 4K, MIFARE DESFire EV2 2K, MIFARE DESFire EV2 4K, MIFARE DESFire EV2 8K
‣ multi-interface CPU card and mobile ICs: SmartMX products P5CD0XX, JTA021, J3A041 / J3C081, P60D040, PN65T
MIFARE DESFire® by Numbers
‣ Available as implementation on SmartMX
‣ >5 licensees
‣ NFC Forum Type 4 Tag compliant
‣ #1 rank by ABI Research in the secure microcontroller for transport ticketing category
‣ Compliant to >10 standards and industry best practices
‣ Powering eTicketing in >60 cities and >10 regional & countrywide schemes
‣ Managing access to >250 companies and institutions
‣ Supported by leading system integrators
‣ >300M pcs shipped
‣ >65% annual growth on average for the last 10 years
Some MIFARE DESFire reference projects (figure; public transport, access management, micro payment and other applications):
London Oyster, Mumbai, Cairo & Egypt Railways, New Zealand countrywide, Transdev, Studios, Seattle, Mpumalanga province, Loyalty BKK, Monterrey, San Francisco, Daimler Benz, Nairobi Google Beba, Rosario, Mexico DF, Prague, Bilbao, Istanbul, Parking, Nestlé, Helsinki, DoD, E-money, Abu Dhabi, Bangalore, New Delhi, Kolkata, Melbourne, Sydney, Reims, Vancouver, Open Cash, finle, Contactless Betalen, Nile University, Dubai, Berlin Library, Velocity Loyalty, Kesko Loyalty, EU commission, German blood donor card, Vladivostok, Nanjing Citizen card, Madrid, Costa Rica, University of Pennsylvania, Ljubljana, Vietin, Orange, Car2Go, University of Michigan, Theme park, Tap&Go, Toronto, Toulouse, GM, Hamburg University, Ankara, Bangkok Road Tolling, 1. FC Köln, ITSO, University of Arizona, Miami, St. Louis
MIFARE DESFire EV2 – speaking the language of the world's leading system integrators
IHS Electronics & Media
IHS Key Global Market Findings
It is estimated that 995 million smart cards were sold into transportation applications in 2012. This number is forecast to grow at a CAGR of 14.6%, reaching 2.3 billion shipments in 2018.
Figure: Global Smart Credentials Shipped – by technology format (not including limited use), thousands of cards shipped, share per technology for 2012, 2013 and 2018. Technologies: MIFARE DESFire, MIFARE Classic, MIFARE Plus, Calypso, FeliCa, CiPurse S / CiPurse T, MOC, other chip card. Source: IHS Aug-13.
IHS Global Card Shipments
By 2018, MIFARE DESFire is projected to reach 111 million, only 11 million fewer than MIFARE Classic, making it the fastest growing microcontroller card in the market over the forecast period.
Source: IHS Smart Cards in Transportation – World – 2013 Report
To elevate the value for our key applications we have innovated along 3 strategic axes
Multi-application
‣ Enabling new business models through seamless integration of additional services in the field
‣ Cross-system interoperability
‣ Easy migration through backwards compatibility with MIFARE DESFire and MIFARE Classic infrastructure
Security & Privacy
‣ Next level certification
‣ Security self-healing mechanism with rolling keys
‣ Assuring authentication in multi-operator schemes
‣ Anticipating future need for privacy protection
Contactless Performance
‣ Convenient touch'n'go experience through improved operating distance
‣ Fast and reliable transactions
‣ Design freedom for smaller form factors on the
MIFARE DESFire EV2 Key Features
Multi-Application
‣ Functional backwards compatibility to DESFire EV1 – drop-in replacement
‣ MIsmartApp supporting post-issuance applications – multi-application
‣ Multiple file access conditions – enhanced key management
‣ File sharing between applications – common purse
Security & Privacy
‣ Multiple rolling keysets per application – update keys in the field
‣ Transaction MAC – fraudulent transaction claim protection
‣ Proximity Check – relay attack protection
‣ Virtual Card Architecture – privacy protection
Performance
‣ Improved transaction speed (vs DESFire EV1) – faster transactions
‣ Improved RF performance (vs DESFire EV1) – more operating range
Transaction MAC
Contactless systems with multiple operators / merchants: merchants might not be fully trusted by the clearing instance.
Making the transaction trusted in MIFARE DESFire EV2:
‣ MAC computed over all transaction data by the card
‣ Using an AES key that is only known by the card and the backend system
Transaction MAC allows the backend system to detect:
‣ Forged transactions
‣ Replay of valid transactions
‣ Unreported transactions (e.g. important for credit operations)
Transaction MAC – system level illustration (figure): the merchant terminal holds KTransaction; the card and the backend / clearing house hold KTMAC. The card returns transaction data + TMAC to the terminal, the merchant submits claims to the backend, the backend checks the TMAC and reimburses only when the check is OK.
A TMAC is calculated over the transaction data and is returned by the card. A transaction is only accepted for reimbursement with a valid TMAC.
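The clearing-house logic described above, as an added example that is not NXP's code or the EV2 command set. It models the card's AES TMAC key with HMAC-SHA256 (the Python standard library has no AES-CMAC), and the per-card transaction counter, the MAC input layout, the key bytes and the UID are constructed assumptions of this model; the point it demonstrates is that a merchant holding only KTransaction cannot forge, replay or silently drop a claim once the backend checks the TMAC.

```python
import hashlib
import hmac
import struct

# Added illustration of the Transaction MAC idea; not NXP code. The card's AES
# TMAC key is modelled with HMAC-SHA256, and the per-card transaction counter
# and message layout are assumptions of this model, not the EV2 format.

KTMAC = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
CARD_UID = bytes.fromhex("04112233445566")                  # constructed 7-byte UID


def tmac(key, uid, counter, amount, merchant):
    """MAC over the transaction data. Only the card and the backend hold `key`."""
    data = uid + struct.pack(">IiH", counter, amount, merchant)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, uid, key):
        self.uid, self.key, self.counter = uid, key, 0

    def commit(self, amount, merchant):
        """Card side: bump the counter and hand data plus TMAC to the terminal."""
        self.counter += 1
        return {"uid": self.uid, "ctr": self.counter, "amount": amount, "merchant": merchant,
                "tmac": tmac(self.key, self.uid, self.counter, amount, merchant)}


class Backend:
    """Clearing house: knows every card's KTMAC and never trusts the merchant."""

    def __init__(self, keys):
        self.keys = keys          # uid -> KTMAC
        self.last_ctr = {}        # uid -> highest counter already reimbursed

    def check_claim(self, claim):
        key = self.keys.get(claim["uid"])
        if key is None:
            return "unknown card"
        expected = tmac(key, claim["uid"], claim["ctr"], claim["amount"], claim["merchant"])
        if not hmac.compare_digest(expected, claim["tmac"]):
            return "forged"                     # altered data or never produced by the card
        last = self.last_ctr.get(claim["uid"], 0)
        if claim["ctr"] <= last:
            return "replay"                     # this counter value was already claimed
        self.last_ctr[claim["uid"]] = claim["ctr"]
        gap = claim["ctr"] - last - 1
        return "ok" if gap == 0 else "ok, %d unreported" % gap


def demo():
    """Honest, replayed, forged and skipped claims; returns the backend verdicts."""
    card = Card(CARD_UID, KTMAC)
    backend = Backend({CARD_UID: KTMAC})
    c1 = card.commit(-250, 17)                  # debit at merchant 17
    forged = dict(c1, amount=-2500)             # merchant inflates the amount
    card.commit(500, 17)                        # credit committed but never reported
    c3 = card.commit(-100, 42)
    return [backend.check_claim(c1), backend.check_claim(c1),
            backend.check_claim(forged), backend.check_claim(c3)]


if __name__ == "__main__":
    print(demo())
```

The counter is what turns "valid MAC" into "valid and fresh MAC": a replayed claim fails on the counter, and a counter gap tells the backend that a committed transaction (here a credit) was never submitted.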
Figure: a card holds Application 1, Application 2 … Application n; each application contains files of type Standard Data File, Backup Data File, Cyclic Record File, Linear Record File or Value File.
Multiple Rolling Keysets
Application keys (figure): keyset 1 (active keyset), keyset 2, … up to keyset 16; up to 16 keysets per application; the RollKey command switches the active keyset.
‣ Secure and reliable updating of keys in the field
‣ Increase system security with a key renewal policy
‣ A self-healing mechanism in the event of keys being compromised
Rollout (figure): new cards, reader infrastructure support, key updating; key rolling happens during a transaction.
Increase system security with key renewal policies:
‣ Limit the lifespan of each keyset version and its exposure in the field
A self-healing mechanism after a keyset has been compromised:
‣ The next higher keyset version stored on the card can be activated quickly and securely on any terminal in the field
Multiple Rolling Keysets per Application (figure): keysets are introduced one version at a time. While keyset 1 is active, keyset 2 is loaded; then keyset 3 is loaded and the card rolls from KS1 to KS2; keyset 4 is loaded and the card rolls to KS3, at which point keyset 1 is revoked*; keyset 5 is loaded and the card rolls to KS4, with keysets 1 and 2 revoked*. The card thus keeps a sliding window of a few keysets, and keysets the fleet has rolled past are revoked.
Multiple Rolling Keysets per Application – security upgrade with key type migration
Migrate applications to higher security: existing MIFARE DESFire installations using 3DES crypto can migrate to AES or 3K3DES crypto progressively (3DES → 3K3DES, 3DES → AES).
Figure: application x rolls its keyset from 3DES to AES with the Roll Keyset operation.
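The rolling-keyset behaviour of the two slides above (a dormant next keyset activated by RollKey during a transaction, old keysets revoked, and a 3DES to AES migration ridden on the same roll), as an added model that is not NXP's code or the EV2 command set. Authentication is modelled as an HMAC-SHA256 challenge-response keyed with the active keyset instead of the card's 2K3DES/3K3DES/AES mutual authentication; the `algo` label only records which crypto type a keyset would use, and the key bytes are constructed.

```python
import hashlib
import hmac
import os

# Added model of per-application rolling keysets; not NXP code. Authentication is
# an HMAC-SHA256 challenge-response keyed with the active keyset (assumption);
# the real card uses 2K3DES/3K3DES/AES mutual authentication.

MAX_KEYSETS = 16                      # page: up to 16 keysets per application


class Application:
    def __init__(self, keysets):
        """keysets: {version: (algo, key)}; the lowest version starts active."""
        if not keysets or len(keysets) > MAX_KEYSETS:
            raise ValueError("1..16 keysets required")
        self.keysets = dict(keysets)
        self.active = min(keysets)
        self.revoked = set()

    def provision(self, version, algo, key):
        """Store a new, higher keyset; it stays dormant until RollKey activates it."""
        if version <= self.active or version in self.keysets:
            raise ValueError("new keyset must have a higher, unused version")
        if len(self.keysets) - len(self.revoked) >= MAX_KEYSETS:
            raise ValueError("keyset slots exhausted")
        self.keysets[version] = (algo, key)

    def challenge(self):
        return os.urandom(16)

    def authenticate(self, version, nonce, response):
        """Only the active keyset is accepted: a key the card rolled past is useless."""
        if version != self.active:
            return False
        _, key = self.keysets[version]
        return hmac.compare_digest(hmac.new(key, nonce, hashlib.sha256).digest(), response)

    def roll_key(self, version):
        """RollKey: switch to a stored, higher, unrevoked keyset."""
        if version <= self.active or version not in self.keysets or version in self.revoked:
            raise ValueError("can only roll forward to a provisioned keyset")
        self.active = version

    def revoke(self, version):
        """Retire an old keyset permanently once the fleet has rolled past it."""
        if version >= self.active:
            raise ValueError("cannot revoke the active or a newer keyset")
        self.revoked.add(version)


class Terminal:
    def __init__(self, keys):
        self.keys = dict(keys)        # version -> key known to this terminal

    def tap(self, app):
        """Authenticate with the card's active keyset; if this terminal already holds
        a newer keyset the card has stored, roll the card forward in the same tap."""
        key = self.keys.get(app.active)
        if key is None:
            return "auth failed", app.active
        nonce = app.challenge()
        response = hmac.new(key, nonce, hashlib.sha256).digest()
        if not app.authenticate(app.active, nonce, response):
            return "auth failed", app.active
        newest = max(v for v in self.keys if v in app.keysets and v not in app.revoked)
        if newest > app.active:
            app.roll_key(newest)
        return "ok", app.active


def demo():
    """Migrate one application from a 2K3DES keyset to an AES keyset in the field."""
    k1, k2 = bytes(16), bytes(range(16))            # constructed keys
    app = Application({1: ("2K3DES", k1)})          # card as issued
    app.provision(2, "AES", k2)                     # next keyset loaded, still dormant
    old = Terminal({1: k1})                         # reader not yet updated, or anyone holding KS1
    new = Terminal({1: k1, 2: k2})                  # updated reader drives the roll
    taps = [old.tap(app), new.tap(app), old.tap(app)]
    app.revoke(1)                                   # KS1 retired once the fleet has moved on
    return taps, app.active, app.keysets[app.active][0], sorted(app.revoked)


if __name__ == "__main__":
    print(demo())
```

The third tap is the self-healing property: after one updated terminal has rolled the card to KS2, a reader (or an attacker) that only knows KS1 can no longer authenticate, without any card being recalled.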
MIsmartApp
Allowing secure application creation in already deployed cards – facilitating sharing of a card for multi-application.
Figure: service providers / application owners hold their application keys on the EV2 card; the card issuer/owner holds the PICC keys.
‣ The card owner only has access to his own applications, but not to third-party applications
‣ A service provider has full access to his own application
Flow (figure): the service provider sends a request; the card issuer/owner returns a MIsmartApp token & KMIsmartApp.
The card issuer/owner can generate a MIsmartApp token for anyone who wants to put their applications on his deployed cards. The MIsmartApp token allows only an agreed application to be created on the cards. Master key never shared!
MIsmartApp token delivery – App Store concept (figure): card issuer and app providers make a commercial agreement, the app provider uploads the app in the store, and card holders install apps.
Illustrating an App Store concept with a city card where the card holders can install new applications available for their card at their convenience.
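The token flow described above, as an added model that is not NXP's code or the EV2 command set. Its key derivation and token layout are assumptions: the issuer derives a per-card token key from its master key (so the master key itself never leaves the issuer), MACs the agreed AID, file count and the provider's initial application key with it, and the card recomputes that MAC before creating the application; master key, UID and AIDs are constructed values.

```python
import hashlib
import hmac
import os

# Added model of the MIsmartApp token flow; not NXP code. Key derivation and
# the token layout are assumptions of this model, not the EV2 command set.


def kdf(key, label, *parts):
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]


def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Card:
    def __init__(self, uid, token_key):
        self.uid, self.token_key, self.apps = uid, token_key, {}

    def create_application(self, aid, num_files, app_key, token):
        """Create the application only if the token authorises exactly this AID."""
        expected = mac(self.token_key, self.uid, aid, bytes([num_files]), app_key)
        if not hmac.compare_digest(expected, token):
            return "invalid token"
        if aid in self.apps:
            return "application exists"          # a token cannot be replayed on this card
        self.apps[aid] = {"files": num_files, "key": app_key}
        return "created"

    def authenticate(self, aid, key):
        app = self.apps.get(aid)
        return app is not None and hmac.compare_digest(app["key"], key)

    def change_key(self, aid, old_key, new_key):
        if not self.authenticate(aid, old_key):
            return False
        self.apps[aid]["key"] = new_key          # the provider now owns the application alone
        return True


class Issuer:
    def __init__(self, master_key):
        self.master_key = master_key             # never shared with providers

    def personalize(self, uid):
        """At issuance the card gets a per-card token key, not the master key."""
        return Card(uid, kdf(self.master_key, b"MIsmartApp", uid))

    def issue_token(self, uid, aid, num_files):
        """After the commercial agreement: hand the provider a token and KMIsmartApp."""
        app_key = os.urandom(16)
        token_key = kdf(self.master_key, b"MIsmartApp", uid)
        return mac(token_key, uid, aid, bytes([num_files]), app_key), app_key


def demo():
    issuer = Issuer(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))   # constructed master key
    card = issuer.personalize(bytes.fromhex("04aabbccddeeff"))           # constructed UID
    agreed_aid, other_aid = b"\xa1\x00\x00", b"\xa2\x00\x00"
    token, kmisa = issuer.issue_token(card.uid, agreed_aid, 4)
    results = [
        card.create_application(other_aid, 4, kmisa, token),    # different AID: rejected
        card.create_application(agreed_aid, 8, kmisa, token),   # tampered file count: rejected
        card.create_application(agreed_aid, 4, kmisa, token),   # the agreed app: created
        card.create_application(agreed_aid, 4, kmisa, token),   # token replay: rejected
    ]
    provider_key = os.urandom(16)
    results.append(card.change_key(agreed_aid, kmisa, provider_key))   # provider takes over
    results.append(card.authenticate(agreed_aid, kmisa))               # issuer-known key now useless
    return results


if __name__ == "__main__":
    print(demo())
```

Because the token is bound to one UID and one AID, a provider cannot use it on other cards or for other applications, and once the provider has changed the application key the issuer no longer has access to that application, matching the access split on the slide.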
MIsmartApp – interoperability with one card in two separate system environments
Figure: today the Namma Metro travel card (Bangalore) and the Delhi Metro travel card (New Delhi) are separate MIFARE DESFire EV1 4KB cards. With a Delhi Metro travel card on MIFARE DESFire EV2 8KB, the second operator requests a MIsmartApp token & key from the card issuer (DMRC, the PTO) and can then install its own application on the same card.
Feature comparison MIFARE DESFire, EV1, EV2
Feature | MIFARE DESFire | MIFARE DESFire EV1 | MIFARE DESFire EV2
ISO/IEC 14443 A 1-4 | √ | √ | √
ISO/IEC 7816-4 commands and file structure support | basic | extended | extended
EEPROM data memory | 4KB | 2/4/8KB | 2/4/8KB
Flexible file structure | √ | √ | √
NFC Forum Tag Type 4 V2.0 compliant | √ | √ | √
Secure, high-speed command set | √ | √ | √
Unique ID | 7B UID | 7B UID or 4B random ID | 7B UID or 4B random ID
Number of applications | 28 | 28 | unlimited
Number of files | 16 | 32 | 32
High data rates according to ISO/IEC 14443-3 | up to 424 kbit/s | up to 848 kbit/s | up to 848 kbit/s
Crypto algorithm | DES/2K3DES | DES/2K3DES/3K3DES/AES | DES/2K3DES/3K3DES/AES
Unique 7-byte serial number (ISO cascade level 2) | √ | √ | √
Common Criteria certification (HW + SW) | – | EAL 4+ | EAL 5+ or higher (in progress)
MIsmartApp feature for post-issuance of applications | – | – | √
Transaction MAC to authenticate transactions | – | – | √
Multiple keysets per application for key rolling | – | – | up to 16 keysets per app
Multiple access right settings per file | – | – | up to 8 keys per access
File sharing between 2 applications | – | – | √
Virtual Card architecture for privacy protection | – | – | √
Proximity Check against relay attacks | – | – | √
MIFARE DESFire implementations by NXP and our licensees
NXP
‣ MIFARE DESFire EV1 is available on the SmartMX and SmartMX2 platforms from NXP and will be part of NXP's mobile offering.
‣ MIFARE DESFire EV2 is available on future SmartMX platform releases.
MIFARE Licensees
‣ MIFARE DESFire EV1 is available on IC solutions from STM as well as on UICC SIM solutions from Gemalto, G&D and Oberthur.
‣ Key functionality of MIFARE DESFire EV2 has been shared with our licensees.
‣ Our MIFARE licensees are required to support the latest version in a defined window after the release of the original NXP product.
MIFARE DESFire EV2 for system design-ins
Documents & Tools
‣ Leaflet & Data Sheet – available
‣ NXPReaderLib, MIFAREdiscover SW, Application Notes – in progress
Pricing
‣ MIFARE DESFire EV2 offers a wealth of innovations… and is positioned at the same price level as MIFARE DESFire EV1
Conclusions & next steps
‣ Speaking the language of leading system integrators, MIFARE DESFire EV2 brings a rich heritage to the next level.
‣ You can immediately enjoy the improved operating distance and speed in existing MIFARE DESFire installations.
‣ System operators are enabled to launch new business models offering additional revenue streams.
‣ System integrators will enjoy the functional backwards compatibility