Security in NFC Readers

Similar documents
NFC FOR CONSUMABLES AND ACCESSORIES

NFC ESSENTIALS JORDI JOFRE NFC EVERYWHERE MARCH 2018 PUBLIC

Fundamentals of Near Field Communication (NFC) Tvrtko Barbarić NXP Semiconductors

A Multi-Application Smart-Card ID System for George Mason University. - Suraj Ravichandran.

Smart home NFC commissioning solution

Connecting Securely to the Cloud

Secure Elements 101. Sree Swaminathan Director Product Development, First Data

PKI Credentialing Handbook

NFC is the double click in the internet of the things

NTAG I 2 C plus your entryway to NFC

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

CardOS Secure Elements for Smart Home Applications

NTAG for Electronics. James Zhu Business Development Manager Business Unit Identification

NFC USE CASES FOR INDUSTRIAL APPLICATIONS. December 2016

Secure Connections for a Smarter World

Leveraging the full potential of NFC to reinvent physical access control. Friday seminar,

NFC embedded microsd smart Card - Mobile ticketing opportunities in Transit

JMY600 Series IC Card Module

LEARN ALL ABOUT NFC SESSION 4: PRODUCT SUPPORT PACKAGE FOR NFC READERS & NFC CONNECTED TAGS

$263 WHITE PAPER. Flexible Key Provisioning with SRAM PUF. Securing Billions of IoT Devices Requires a New Key Provisioning Method that Scales

IDCore. Flexible, Trusted Open Platform. financial services & retail. Government. telecommunications. transport. Alexandra Miller

ACR1251U-A1 USB NFC Reader with SAM Slot

HOW TO INTEGRATE NFC CONTROLLERS IN LINUX

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

Contents. Preface. Acknowledgments. xxiii. List of Acronyms i xxv

ACR1255 NFC Bluetooth Smart Card Reader

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

ACR1255U-J1 Secure Bluetooth NFC Reader

Key Protection for Endpoint, Cloud and Data Center

The Next Generation of Credential Technology

Juniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0. Juniper Networks, Inc.

Trusted Computing Group

Cryptography for the Internet of Things. Kenny Paterson Information Security

CYBERSECURITY AND SERVICE STATIONS

DEFCON 26 - Playing with RFID. by Vanhoecke Vinnie

ACR1252U. NFC Forum Certified Reader. Technical Specifications V1.03. Subject to change without prior notice.

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

Cyber security of automated vehicles

1. Product Overview 2. Product Features 3. Comparison Chart 4. Product Applications 5. Order Information 6. Q & A

AN MIFARE Type Identification Procedure. Application note COMPANY PUBLIC. Rev August Document information

PN7462 family Product support package

ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing. Pierre Garnier, COO

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

Atmel Trusted Platform Module June, 2014

Products and solutions for Secure Wearables

Mobile Security / Mobile Payments

Automotive Security An Overview of Standardization in AUTOSAR

NFC PAIRING FOR AUDIO DEVICES

The Cryptographic Sensor

The Future of Smart Cards: Bigger, Faster and More Secure

Cyber security mechanisms for connected vehicles

FAMILY BROCHURE. Gemalto SafeNet Authenticators. Diverse Form Factors for Convenient Strong Authentication

Security of Transaction performed using credit card reader for smartphones and Tablets. Author Falade Tunde Supervisor - Dr Kris Gaj

vs. WWPass provides an answer to these security threats with convenient, secure authentication and data storage. Here s how it works.

Digital Certificates Demystified

Authentication Technology for a Smart eid Infrastructure.

Security Strategy for Mobile ID GSMA Mobile Connect Summit

Ezetap V3 Security policy

AN Over-the-Air top-up with MIFARE DESFire EV2 and MIFARE Plus EV1. Document information

The Open Protocol for Access Control Identification and Ticketing with PrivacY

Secure Application Trend in Smartphones. STMicroelectronics November 2017

Beyond Payment: Secure NFC applications and their relation to RFID

LEARN ALL ABOUT NFC SESSION 3: NFC PRODUCT PORTFOLIO

AMP 8200 Security Policy

CSCE 813 Internet Security Final Exam Preview

NFC Equipped Smartphones

Introduction to Electronic Identity Documents

Remote Key Loading Spread security. Unlock efficiency

Security & Chip Card ICs SLE 55R04. Intelligent 770 Byte EEPROM with Contactless Interface complying to ISO/IEC Type A and Security Logic

ACR128U Dual- Interface Reader

Extensive proximity connectivity capabilities for USB-enabled devices

Interface. Circuit. CryptoMate

Getting to Grips with Public Key Infrastructure (PKI)

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

Lecture 1: Introduction to Security Architecture. for. Open Systems Interconnection

Network Security and Cryptography. December Sample Exam Marking Scheme

The SafeNet Security System Version 3 Overview

Wearable Technologies and the IoT. David Lamb Market Development Manager, North Europe STMicroelectronics

AMP 8000 Security Policy V 1.0.0

Unbound and Oasis KMIP Interoperability

Multifunctional Identifiers ESMART Access

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

Security Requirements for Crypto Devices

STMicroelectronics NATIXIS Payment Solutions Conference

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

MF1ICS General description. Functional specification. 1.1 Key applications. 1.2 Anticollision. Energy. MIFARE card contacts La, Lb.

Hacking new NFC cards

Security of Embedded Hardware Systems Insight into Attacks and Protection of IoT Devices

DEVICE-TO-DEVICE COMMUNICATION VIA NFC

Securing Smart Meters with MULTOS Technical Overview

E Series : Network PC/SC Contactless Couplers. TwistyWriter-IP PC/SC / FunkyGate-IP PC/SC

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

MIFARE4MOBILE: the road TO NFC MASS ADOPTION. NFC WORLD CONGRESS Sophia Antipolis, 2011

Security in sensors, an important requirement for embedded systems

Implementing Cryptography: Good Theory vs. Bad Practice

EDGE COMPUTING & IOT MAKING IT SECURE AND MANAGEABLE FRANCK ROUX MARKETING MANAGER, NXP JUNE PUBLIC

User Authentication. Modified By: Dr. Ramzi Saifan

VMware, SQL Server and Encrypting Private Data Townsend Security

CREDENTSYS CARD FAMILY

Transcription:

Security in Readers Public

Content and security, a different kind of wireless Under the hood of based systems Enhancing the security of an architecture Secure data exchange Information security goals Cryptographic techniques Secure Access Module Unauthorized access protection Remote access interface access Use cases Access control system Internet gateway security cookbook and conclusions 2

AND SECURITY 3

, a different kind of wireless at a glance: Contactless proximity technology Standardized under ISO/IEC18092 and ISO/IEC 21481 Operating range: 10 cm (4 in) Easy, simple and convenient data exchange between devices Open and interoperable data following Forum specifications Privacy and security inherent to short range Standardized, interoperable and simple data exchange between devices 4

The three modes of : A tap is all it takes Read/Write Mode Peer-to-Peer Mode Card Emulation Mode Interacts with an -enabled device Reads data in from device or writes data out Establishes two-way communication between enabled devices Each device serves as an endpoint System behaves as contactless smartcard* Makes -enabled systems compatible with contactless cards Get information or initiate an action Passive and active communication Ticketing, payments, access control, transit * ISO/IEC 14443-compliant smartcard 5

connected devices Market update - some key figures 1.2 billion smartphones shipped in 2014 Smartphone s share expected to continue growing from 67% in 2014 to > 80% or even higher in coming years 850 million handsets shipped between 2012 and 2014 3 in 4 mobile phones to come with by 2018 > 5 billion handsets will be shipped between 2013 and 2018 -enabled CE devices and tags growing exponentially, IoT wave coming. 11.0B+ -enabled devices shipping 2013-2018 * Updated list of phones and tablets available in the market: http://www.nfcworld.com/nfc-phones-list/ Sources: ABI Research, Sep 14 6

The Internet of Things Revolution Ingredients for security challenges The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure (wikipedia) Distributed communications Large number of heterogeneous devices It is about - sensing, collecting and sharing data; - control, actuation, automation. 7

Under the hood of based devices Adding an reader IC: Full/partial capabilities Active device Adding an Connected tag: Behaves as a tag Connected to an active device uc Reader IC Connected tag uc Adding an tag: tag Behaves as a tag No additional electronics INHERENTLY SECURE DUE TO ITS PROXIMITY 8

Enhancing the security of an -based architecture Adding an reader IC: Full capabilities Active device PROTECT THE DEVICE FROM UNAUTHORIZED ACCESS SECURE DATA EXCHANGE Adding an Connected tag: Behaves as a tag Connected to an active device uc Reader IC Connected tag uc Adding an tag: PROTECT DATA STORED IN TAG tag Behaves as a tag No additional electronics DATA SECURITY UNAUTHORIZED ACCESS PROTECTION 9

Security need: Secure data exchange systems are interoperable and open by default. Securing data exchanged through RF channel through cryptographic methods. Using cryptography implies the usage of cryptographic keys on both sides of the communication. Data is now protected through cryptographic means, system is not open/interoperable anymore. Cryptographic methods can be: Dynamic Static Cryptographic algorithms and keys can be: Symmetric Assymetric Key management and cryptographic implementation needs to be considered. uc Key Reader IC Key 10

Security need: Protection from unauthorized access Any device connected to the cloud is subject to be compromised and attacked if not properly protected. This has a negative impact on consumers, infrastructure owners and equipment manufacturers alike. Need to implement security mechanisms to: Grant access to authorized servers Prevent exposure of user related data (privacy) Secure communications between device and backend Ensure system integrity Protection of credentials Above objectives can be ensured through: Cryptographic methods Hardware based security EEPROM of tag can be modified through interface. uc Connected tag Reader IC uc 11

Security a big word! Security is a state of mind Lack of objective approach towards security Securing the information and process on based devices requires the combination of techniques and protocols Cryptography as inter-disciplinary science to achieve information security goals Compromise between security and risk What do I need to protect? Trade-off between benefit vs cost for an attacker Your system is as secure as your weakest link Perfect security does not exist! 12

SECURE DATA EXCHANGE 13

What do we want to protect? Remember: by default is open and interoperable, data exchange is inherently secure due to its proximity. A B We want to secure the information exchanged through the interface between A and B. Information security goals Confidentiality Integrity Authenticity Cryptography as a means to achieve information security goals. Threat Information Security goal Mechanism Algorithm 14

Information Security goals Security goal Description Mechanism Algorithm Confidentiality Guarantee that data cannot be read by an unauthorized entity Encryption/Decryption Integrity Guarantee that data cannot be changed by an unauthorized entity CMAC and Digital Signatures TDES, AES, RSA, ECC Authentication Guarantee mutual identification of two parties entering into a communication Static (password, PIN, ) Dynamic (challenge-response protocol) Using cryptographic algorithms implies usage of secret keys. Cryptographic algorithms: Symmetric: Same key on both sides. TDES, AES. Secret key Asymmetric: Public/private key pair. RSA, ECC. Public key Private key 15

Cryptographic mechanisms summary Symmetric Asymmetric Confidentiality Integrity Authentication Secret Keys need to be protected and securely distributed 16

Secret Key management How are the secret keys loaded into the Reader? Key Where are the keys located in the Reader? Microcontroller not designed to protect secret keys uc Reader IC Using NXP s Secure Access Modules: Key Adding a SAM to the Reader allows us to securely store and protect the cryptographic keys OK Highest level of protection for cryptographic keys Secure remote management of key storage tables Additional support for MIFARE products cryptography uc Reader IC

Secure Access Modules (SAMs) MIFARE SAM AV2 Supports MIFARE DESFIRE EV1, MIFARE Plus, MIFARE Classic and MIFARE Ultralight C Can be used for generic cryptography (symmetric and asymmetric) Supports TDES, AES, RSA and Crypto1 cryptographic algorithms 128 key entries ISO/IEC 7816 contact interface, with a communication speed up to 1.5 Mbps Can work in X-mode Hardware Common Criteria EAL 5+ certified 18

Data protection for tags To ensure confidentiality of the written data in the tag: Data stored are encrypted. Secret key to decrypt it stored in SAM in the device. To ensure data integrity and authenticity of the written data in the tag: Digital signature added to data stored. Secret key to verify digital signature stored in SAM in the device. Key Data stored can be: - Encrypted - Digitally signed uc Reader IC tag 19

Secure data exchange summary Objective: secure data being exchanged through RF interface or available in EEPROM of tag. Use cryptographic mechanisms to achieve information security goals: Confidentiality Integrity Authenticity Cryptography implies the usage of keys: how are keys securely distributed and stored? NXP Secure Access Modules (SAM) to ensure highest level of protection in your device. 20

PROTECTION FROM UNAUTHORIZED ACCESS 21

device access considerations Remote Access protection: A device that is connected to the cloud is subject to be compromised and attacked if not properly protected uc Reader IC Interface Access protection: An Connected tag is inherently secure due to proximity, however to avoid unauthorized modifications of data through interface it needs to be properly configured. Connected tag uc 22

Remote access protection Need to implement security mechanisms to: Grant access to authorized servers Prevent exposure of user related data (privacy) Secure communications between device and backend Ensure system integrity Protection of credentials Above objectives can be ensured through: Cryptographic methods Hardware based security A-Series ICs from NXP are HW Security Module for IoT Devices Supporting wide variety of use cases and targeting multiple applications Off-the-shelf solutions offering key injection service, on chip application SW and host library with a high level API. A-Series Security ICs ADAPT TO ANY TYPE OF µc A- Series IC uc Host SW Reader IC 23

Access protection Ensure that data written in EEPROM from tag cannot be modified. tags from NXP offer several features to protect EEPROM: All NTAG Lock bits for read-only EEPROM NTAG21xF Password protection mechanism NTAG I2C no WRITE Access from the side through configuration registers 24

USE CASES 25

Access control systems What do we want to achieve in Access Control systems? Secure system with optimized cost Intuitive and fast access Simple and flexible management Readers Credentials Technology fully covers the above requirements. Credentials designed to securely store and protect cryptographic keys. Readers shall be designed to offer the same level of protection. uc Reader IC 26

Security design in access control systems Cryptographic keys Key uc Reader IC Key Microcontrollers do not ensure the secure storage and protection of cryptographic keys NOK Credentials are designed to securely store and protect cryptographic keys OK 27.

Security design in access control systems SAM ensures protection in overall system Secure Access Module (SAM) in the Reader: Ensure data exchange protection over interface Protect remote access to the reader Adding a SAM to the Reader allows us to securely store and protect the cryptographic keys OK Remote management access protected Key interface access protected uc Reader IC 28.

Internet gateway As homes become smarter, the number of IoT devices continues to expand. The router is truly the heart of the Smart Home. Router acts as a home Gateway, providing internet access to all devices. Reader A-Series to ensure security towards the internet. Reader for confidential commissioning. A- Series IC 29

Internet Gateway Secure cloud access use case DCC Use Case: Authentication Insecure Cloud or network Router A- Series IC uc Host SW Reader IC Sign digitally data; Verify digitally signed data DCC fad%&sh28sjdksjdf Use Case: Secure Channel Jdef87$6sdf!s Router A- Series IC uc Host SW Reader IC Setup Secure channel; Encrypt/ Decrypt 30

Internet Gateway Confidential commissioning use case IoT devices obtain access to home network through an tap. Confidential mode: 1. Router writes Network key in NTAG, 2. IoT Device reads key through I2C bus, 3. IoT Device deletes key in NTAG I2C. ROUTER Connected Tag Reader 31

CONCLUSION 32

Security Cookbook Active device required? YES NO The use of Connected Tag - NTAGF - NTAG I2C CAN PROTECT EEPROM CONTENT FROM UNAUTHORIZED UPDATES device will be connected to the cloud? NO application based on MIFARE? YES YES The use of A-Series HW security module CAN PROTECT ACCESS TO THE DEVICE The use of SAM devices CAN SECURE DATA EXCHANGE THROUGH INTERFACE 33

Summary and Conclusion enabled devices are growing exponentially. Security enhancements for enabled devices: Secure data exchange Unauthorized access protection Secure data exchange Information security goals: confidentiality, integrity and authentication Cryptographic mechanisms: encryption, MAC/Digital Signature, 3 pass mutual authentication Symmetric and assymetric cryptography SAM for secure key storage Unauthorized access protection Remote access protection through A-Series HW security module access protection features in Connected tags 34

Need More? NXP - Reader Solutions Reference material & documentation: Everywhere http://www.nxp.com/nfc Everywhere support page: http://www.nxp.com/techzones/nfczone/community.html Reader forum: http://www.mifare.net/en/micommunity/forum/mif are-and-nfc-reader-ics For other questions or further support, please contact: nfc.readers@nxp.com 35

MobileKnowledge Thank you for your attention www.themobileknowledge.com We are a global competence team of hardware and software technical experts in all areas related to contactless technologies and applications. Our services include: Application and system Design Engineering support Project Management Technological Consulting Advanced Technical services We address all the exploding identification technologies that include, secure micro-controllers for smart cards and mobile applications, reader ICs, smart tags and labels, MIFARE family and authentication devices. For more information Eric Leroux eric.leroux@themobileknowledge.com +34 629 54 45 52 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback