NXP Embeds Powerful Security Features in the 'DNA' of HF, NFC, and RAIN RFID ICs!
New IC for Secure Smart City Applications
With the MIFARE IC product line, contactless ticketing in public transport started over 25 years ago. This was a milestone for the development of smart cities. NXP is now introducing the MIFARE DESFire EV3 chip, a new milestone for fast and secure transactions – such as the payment of parking fees or access to offices and campuses – in smart cities.
The IC hardware and software are certified according to Common Criteria EAL 5+.
The chip supports numerous open, standardized crypto algorithms. A card-generated MAC supports secure authentication of transactions. Man-in-the-middle attacks are made more difficult by a new Transaction Timer function, which bounds how long a transaction may take. The Secure Unique NFC (SUN) messaging function, integrated for the first time in a MIFARE chip, provides authenticity and integrity for every tap message, and confidentiality for the mirrored tag data where that data is encrypted.
Protection Against Manipulation, Resistance to Hacker Attacks, Untraceable IDs, and More
Item-level identification, authentication, tamper protection, data privacy – in an interview with RFID & Wireless IoT Global, RFID experts Sylvia Kaiser-Kershaw, Johannes Grüll, Mahdi Mekic, and Ralf Kodritsch of NXP Semiconductors provide comprehensive insights into state-of-the-art security features of RFID ICs.
They show numerous use cases and explain why the digital transformation can bring lasting benefits for corporations, public administrations and individuals. Connectivity needs robust security to empower trusted IoT applications at scale.
RFID Security Features by NXP
Tag and Mutual Authentication
The product name 'DNA' is used for all NXP RFID and NFC ICs that come with state-of-the-art cryptographic security attributes for tag and/or mutual (two-way tag-host) authentication. The features differ depending on the RFID frequency in use; a feature common to all DNA products is AES-128 cryptography, which protects tag data with secret keys.
The Advanced Encryption Standard is approved by governments worldwide for protecting classified information.
DNA technology supports multiple 128-bit AES authentication keys. They are stored in the protected, attack-resistant tag IC memory and can be pre-injected and locked by NXP at the source of production, or programmed by customers in a secure personalization environment.
These cryptographic keys can be used for tag authentication and for the protection of sensitive data through a mutual authentication scheme. Special privacy features, such as the NTAG 424 DNA’s encrypted UID or UCODE DNA’s privacy protection, also make the chips untraceable.
The 'TagTamper' functionality provides electronic tamper detection by means of a conductive loop. A quick read of the opening status with a reader device checks whether the loop is intact, to confirm product integrity. If the loop has been broken, the once-opened status is – in the case of NTAG 424 DNA TagTamper – permanently and irreversibly stored in the chip memory upon tag interrogation, and is reported to the cloud as part of the authentication message.
Memory Access Protection
Access to the data stored in the RFID chip is, in the most basic case, protected against unauthorized use by a password. For more advanced protection, the chip memory can be protected through a mutual authentication scheme (whereby both tag and host prove they share the same secret) combined with predefined user access rights, e.g. to read or write data.
In the case of UCODE DNA, the data the user wishes to protect can be hidden via the Untraceable command and then read out only in encrypted form via the Authenticate command.
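The mutual authentication described above, as an added example that is not NXP's code and not the exact command sequence of any DESFire, ICODE or UCODE product: a simplified three-pass AES challenge-response in which the tag issues a fresh encrypted nonce, the reader proves it holds the key by returning its own nonce together with the tag's nonce rotated, and the tag proves the same by returning the reader's nonce rotated. Both sides' messages are shown. The zero-IV CBC, the one-byte rotation, the session-key derivation and the keys in the test are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// cbc runs AES-CBC with a zero IV over whole blocks (encrypt or decrypt); an assumption
// of this example, chosen because the NXP AES schemes also chain blocks this way.
func cbc(key, in []byte, encrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, 16)
	mode := cipher.NewCBCDecrypter(c, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(c, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// rotl1 rotates a block left by one byte: the RndA'/RndB' transform of the NXP schemes.
func rotl1(b []byte) []byte {
	return append(append([]byte{}, b[1:]...), b[0])
}

// random16 draws a fresh 16-byte nonce; that freshness is what defeats replay.
func random16() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Tag models the IC and Reader the host; each holds its own copy of the shared key.
type Tag struct{ Key, rndA, rndB []byte }
type Reader struct{ Key, rndA, rndB []byte }

// Step 1, tag -> reader: a fresh encrypted challenge E_K(RndB).
func (t *Tag) Challenge() []byte {
	t.rndB = random16()
	return cbc(t.Key, t.rndB, true)
}

// Step 2, reader -> tag: recover RndB and answer E_K(RndA || RndB'), proving knowledge of K.
func (r *Reader) Respond(encRndB []byte) []byte {
	r.rndB = cbc(r.Key, encRndB, false)
	r.rndA = random16()
	return cbc(r.Key, append(append([]byte{}, r.rndA...), rotl1(r.rndB)...), true)
}

// Step 3, tag -> reader: reject a reader that did not know K; otherwise answer E_K(RndA').
func (t *Tag) Finish(resp []byte) ([]byte, error) {
	if len(resp) != 32 {
		return nil, errors.New("bad response length")
	}
	pt := cbc(t.Key, resp, false)
	if !bytes.Equal(pt[16:], rotl1(t.rndB)) {
		return nil, errors.New("reader failed to prove knowledge of the key")
	}
	t.rndA = pt[:16]
	return cbc(t.Key, rotl1(t.rndA), true), nil
}

// Step 4, reader: reject a tag (for instance a clone) that did not know K.
func (r *Reader) Confirm(encRndA []byte) error {
	if !bytes.Equal(cbc(r.Key, encRndA, false), rotl1(r.rndA)) {
		return errors.New("tag failed to prove knowledge of the key")
	}
	return nil
}

// SessionKey is an example derivation from both nonces (the products use their own KDF);
// it exists only after both sides have authenticated and keys the subsequent secure channel.
func SessionKey(rndA, rndB []byte) []byte {
	return append(append([]byte{}, rndA[:8]...), rndB[:8]...)
}

// Authenticate runs the full exchange and returns the session key both sides agreed on.
func Authenticate(tag *Tag, rd *Reader) ([]byte, error) {
	m3, err := tag.Finish(rd.Respond(tag.Challenge()))
	if err != nil {
		return nil, err
	}
	if err := rd.Confirm(m3); err != nil {
		return nil, err
	}
	ks := SessionKey(rd.rndA, rd.rndB)
	if !bytes.Equal(ks, SessionKey(tag.rndA, tag.rndB)) {
		return nil, errors.New("session key mismatch")
	}
	return ks, nil
}
```

Only after Confirm succeeds does the reader trust the tag (a clone that lacks the key fails at step 4), and only after Finish succeeds does the tag grant the access rights attached to that key. Because RndB is fresh in every session, a recorded reader response is useless against the next challenge, and the agreed session key is what an encrypted, MAC-protected channel would then use.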
Encrypted Communication & LRP
The AES-128 cryptography built into the DNA ICs is the same algorithm governments worldwide rely on to authenticate and secure message transmission. Encrypted communication establishes an end-to-end encrypted channel that secures the data transfer between tag and host device against third parties. In addition to standard AES, NXP offers a Leakage Resilient Primitive (LRP) mode: an AES-based mode of operation in which each derived key is used for only a small number of operations, which limits what side-channel attacks such as power analysis can extract from the tag.
Secure Unique NFC Message (SUN)
Each time an NTAG 424 DNA tag is tapped with an NFC-enabled mobile device, the IC generates a Secure Unique NFC (SUN) authentication message using an AES-128 cryptogram. The device reads the tap-unique URL carrying the SUN code and sends it to a cloud server, which verifies the cryptogram and returns a verification result. The SUN mechanism ensures data authenticity and integrity, and confidentiality where the mirrored data is encrypted.
NFC is Synonymous with Security
Contactless credit and payment cards or electronic passports embedded with NFC security chips are used worldwide. The technology has meanwhile also entered the retail, medical, and security industries, and is applied to products as varied as luxury goods, pharmaceuticals, beverages, cosmetics or household appliances to protect against counterfeits and other fraud attacks.
A recent ABI survey on contactless payment usage indicates users are confident in the security of contactless NFC cards and mobile wallets. Over 50 % of the respondents also claim they use contactless technology for connected consumer goods. This development is spurred by the omnipresent growth of NFC-enabled smartphones.
There are already over two billion such devices on the market today, putting easy-to-use readers right into people’s hands. NXP demonstrates the importance of NFC technology with its extensive NFC chip portfolio.
Has a package already been opened? Has a bottle been refilled? Tamper evident seals and labels, equipped with an electronic TagTamper feature, can indicate if a product has been opened or interfered with, anywhere in the supply chain, prior to sale and usage. The NTAG 424 DNA TagTamper solution provides an advanced tamper protection.
A quick read of the tag status verifies that the conductive tamper loop is intact, to confirm product integrity. The once-opened status is permanently and irreversibly stored in the chip memory, and the two-state status message is securely protected against manipulation.
Enable Personalized Consumer Experiences
New products are launched within short intervals, loyalty is declining, so brand manufacturers need to find new ways to differentiate their products and strengthen consumer relationships. Advanced NFC technology allows manufacturers to evolve the brand experience by engaging users more dynamically and intimately. NTAG 424 DNA with its built-in SUN feature enables exclusive brand content, individualized services, loyalty rewards, and unique buying privileges. It also helps protect gift vouchers against counterfeits, and digital promotions against misuse, by securing one-time use URLs.
Global sales losses from counterfeit and pirated goods amount to tens to hundreds of billions of dollars. Counterfeit products decrease companies' revenues and profits, damage brands' reputation, and harm long-term trust built with partners and consumers, whilst causing serious risks to people's health and safety.
NXP's NFC IC portfolio includes chip technologies with multi-layered security features that can be applied to or embedded into products and packaging, in order to verify a product's authenticity, improve accountability for provenance and increase customer confidence. Each time an NTAG 424 DNA tag is tapped with a smartphone, it generates a secure unique NFC (SUN) authentication message using an AES-128 cryptogram; because the cryptogram depends on the tag's secret key and a tap counter, a copied URL cannot be presented as a fresh tap, and a cloned tag without the key cannot produce a valid one.
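A server-side verifier for the SUN message described here and in the Secure Unique NFC Message section above, as an added example that is not NXP's code. It also shows the per-tag key diversification from a master key that the article mentions for DNA keys in general and again for ICODE DNA under HF RFID. The SV2 layout, session-key derivation and 8-byte MAC truncation follow NXP's published SDM description (AN12196), and the key diversification follows AN10922 for AES-128; the URL layout, the empty SDMMACInput, the AID, the system identifier, and every key and UID in the test are constructed assumptions for this example, so check them against the SDM configuration actually written to the tag.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// dbl doubles a 16-byte block in GF(2^128): the CMAC subkey step of RFC 4493.
func dbl(in []byte) []byte {
	out, carry := make([]byte, 16), byte(0)
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	out[15] ^= carry * 0x87 // reduce by Rb when the top bit was set (branch-free)
	return out
}

// AESCMAC is AES-CMAC (RFC 4493 / NIST SP 800-38B) of msg under a 16-byte key.
func AESCMAC(key, msg []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	sub := make([]byte, 16)
	c.Encrypt(sub, sub) // L = AES_K(0^128)
	sub = dbl(sub)      // K1
	n, r := len(msg)/16, len(msg)%16
	last := make([]byte, 16)
	if r != 0 || n == 0 { // partial or empty final block: pad 0x80 00.. and use K2
		copy(last, msg[n*16:])
		last[r], sub = 0x80, dbl(sub)
	} else { // complete final block: use K1
		n--
		copy(last, msg[n*16:])
	}
	for j := range last {
		last[j] ^= sub[j]
	}
	x := make([]byte, 16)
	for i := 0; i <= n; i++ { // CBC-MAC over the n full blocks, then the prepared last block
		blk := last
		if i < n {
			blk = msg[i*16:]
		}
		for j := range x {
			x[j] ^= blk[j]
		}
		c.Encrypt(x, x)
	}
	return x
}

// DiversifyKey derives a per-tag key from a master key as in NXP AN10922 (AES-128):
// CMAC(master, 0x01 || UID || AID || systemID), with at most 31 bytes after the 0x01.
func DiversifyKey(master, uid, aid, sysID []byte) []byte {
	return AESCMAC(master, append(append(append([]byte{0x01}, uid...), aid...), sysID...))
}

// SUNMAC returns the 8-byte SDMMAC of one tap: session key = CMAC(fileReadKey, SV2) with
// SV2 = 3C C3 00 01 00 80 || UID || SDMReadCtr (LSB first); MAC = odd-indexed bytes of
// CMAC(sessionKey, macInput), macInput being the URL slice the tag is configured to cover.
func SUNMAC(fileReadKey, uid []byte, ctr uint32, macInput []byte) []byte {
	sv2 := append([]byte{0x3C, 0xC3, 0x00, 0x01, 0x00, 0x80}, uid...)
	sv2 = append(sv2, byte(ctr), byte(ctr>>8), byte(ctr>>16))
	full, mac := AESCMAC(AESCMAC(fileReadKey, sv2), macInput), make([]byte, 8)
	for i := range mac {
		mac[i] = full[2*i+1]
	}
	return mac
}

// TagTap models the URL a tag emits with plain UID/counter mirroring and an empty
// SDMMACInput (constructed for this example; a real tag fills its NDEF mirror fields).
func TagTap(base string, tagKey, uid []byte, ctr uint32) string {
	return fmt.Sprintf("%s?uid=%X&ctr=%06X&cmac=%X", base, uid, ctr&0xFFFFFF, SUNMAC(tagKey, uid, ctr, nil))
}

// VerifyTap is the cloud side: it re-derives the tag key from the master key, checks the
// cryptogram in constant time and rejects any counter not above the last one accepted.
func VerifyTap(master, aid, sysID []byte, lastCtr map[string]uint32, tapURL string) (string, uint32, error) {
	u, err := url.Parse(tapURL)
	if err != nil {
		return "", 0, err
	}
	q := u.Query()
	uid, e1 := hex.DecodeString(q.Get("uid"))
	ctrB, e2 := hex.DecodeString(q.Get("ctr"))
	mac, e3 := hex.DecodeString(q.Get("cmac"))
	if e1 != nil || e2 != nil || e3 != nil || len(uid) != 7 || len(ctrB) != 3 || len(mac) != 8 {
		return "", 0, errors.New("malformed SUN parameters")
	}
	ctr := uint32(ctrB[0])<<16 | uint32(ctrB[1])<<8 | uint32(ctrB[2])
	if subtle.ConstantTimeCompare(mac, SUNMAC(DiversifyKey(master, uid, aid, sysID), uid, ctr, nil)) != 1 {
		return "", 0, errors.New("SDMMAC mismatch: forged, cloned or tampered tap")
	}
	id := fmt.Sprintf("%X", uid)
	if ctr <= lastCtr[id] { // replay protection: the counter must strictly increase per UID
		return id, ctr, errors.New("replayed tap")
	}
	lastCtr[id] = ctr
	return id, ctr, nil
}
```

VerifyTap needs no per-tag key database: the UID in the URL and the master key reproduce the key that was injected into that tag at personalization. The counter check is what turns a static URL into a one-time URL, as in the gift-voucher and promotion case above, and the last accepted counter must therefore be persisted per tag. Where the tag additionally mirrors encrypted PICC data or the TagTamper status inside the MAC input, those bytes are covered by the same check.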
With special privacy features, such as random ID or encrypted ID, the DNA solution also supports latest regulations for privacy protected user data. The chip is certified according to Common Criteria EAL 4.
Safeguard the supply chain
For improved product traceability and to help identify sales outside authorized markets, NFC tags can be assigned to specific distributors and locations. Manufacturers are able to authenticate and trace products within the supply chain, using geo-location and cloud based monitoring, making it easy to meet regulations and protect even the last mile to the consumer.
This helps address grey-market diversions, which can involve a product being bought in a low-price region and then sold in a high-price region at a mark-up, or being sent to a region that prohibits its sale. The NTAG 424 DNA security chip technology can also safeguard tag data through access-protected memory for authorized inspectors only, e.g. to read production or quality data.
RAIN RFID for Long Range + Security
Secure RAIN RFID technology is the perfect solution when security, data verification and authentication need to be combined with read ranges of up to 15 meters and more. NXP's RAIN RFID UCODE DNA ICs provide a high level of technological data and privacy security mechanisms. Cryptographic authentication is an important feature. The UCODE DNA chips support the use of up to two 128-bit AES keys.
These crypto keys, which are the secrets on which the secure interaction is based, are protected in a secure vault embedded in the chip. The keys never leave this secure vault, so they’re protected from being “sniffed” or otherwise intercepted.
They can be generated, diversified and inserted by NXP during chip production, or this task can be carried out by other members of the value chain such as label manufacturers. The AES keys can be used for tag authentication or privacy protection.
Logistics: Secured Supply Chains
Being able to transparently trace the complete path of a high-priced branded product or medication, from production to the hands of the end customer, is an essential aspect of building secure and stable supply chains. With the use of RAIN RFID, the identification of products at the individual part level becomes possible. It makes no difference whether the goods are packed as individual products or as part of a container.
In highly automated systems, it is possible to identify more than 600 individual objects within one second. The NXP IC UCODE DNA Track can be integrated directly into a product, a tag or into the product packaging. The IC supports a secure authentication process based on 128-bit AES keys in a standardized authentication scheme (ISO/IEC 29167-10).
Retail: Transparency on the Shop Floor
Manual inventories are time-consuming and prone to errors – real-time inventory management on the sales floor is impossible without technological support. With RAIN RFID tagged products, the effort for stocktaking is reduced to a minimum – from hours to minutes – with a simultaneously precise data capture. The UCODE 8/8m is specially designed for processes in retail logistics and on the shop floor.
The chip has features such as 'Self Adjust', where the IC automatically adjusts the chip sensitivity to a maximum in the application environment. The integrated 'Brand Identifier' provides proof of product authenticity by programming a customer-specific, unique 16-bit code during the NXP manufacturing process and storing it unalterably in the chip memory.
Road Traffic: Automatic Vehicle Identification (AVI)
The need for a secure identification of cars, trucks and motorcycles in governmental applications such as vehicle registration is increasing. Toll collection, access authorization and fleet management benefit from innovative functions of highly secure RAIN RFID technology. For drivers, the use of RAIN RFID UCODE DNA ICs in windshield labels, license plates or headlight tags offers greater convenience. Vehicle identification is literally captured and authenticated 'in passing'.
To ensure this convenience, a secure and powerful technology must work in the background. The use of 128-bit AES keys meets the highest requirements for authentication and data protection. RAIN RFID tags have proven to be resistant to weather conditions and can be reliably identified and authenticated, even at speeds exceeding 200 km/h.
Global Air Traffic: Baggage Tracking
By embedding NXP RAIN RFID ICs in baggage labels, suitcases and bags can be efficiently tracked in global air traffic. Airlines are supported in increasing the range of services offered to passengers and in reducing the costs of mishandled baggage – more than four billion dollars per year worldwide. From check-in or self-drop-off to collection, passengers can receive real-time status updates on their check-in baggage on their smartphones.
HF RFID for Close Proximity
Compared to other wireless IoT technologies, HF technology is characterized not only by its use via smartphone, but also – especially in consumer interaction – by its high flexibility. The HF ICs of the ICODE product family from NXP have a technically comprehensive feature portfolio to secure short-range applications with reading ranges of up to 1.5 meters and the necessary security level, depending on the specific requirements.
Track and Trace Along the Supply Chain
Products that are labeled with an RFID tag during production open up numerous possibilities along the entire product lifecycle. If a technology is to be used to store production data, support logistical processes, and enable seamless communication with the end customer, then HF RFID is the technology of choice.
Over 95 percent of the smartphones currently on the market have an NFC interface. With the exception of a few special products, all HF RFID ICs in the NXP portfolio are NFC Forum compliant. Only ICs for special applications, such as the casino industry, do not have NFC functionality.
With 128-bit AES encryption, the ICODE DNA ICs offer optimum conditions for secure to highly secure access control systems. The cryptographic AES authentication and reading performance of the ICODE DNA chips ensure convenient handling for the user while maintaining a high level of security. The cryptographic authentication is performed in an AES co-processor.
Recovering a 128-bit AES key by brute force is computationally infeasible. As an additional protective measure, the AES-128 key of each IC is derived (diversified) from a master key using the chip's unique identifier, so every chip carries its own key. Extracting the key from one tag therefore compromises only that tag, not the whole deployment, which makes attacks on mass applications disproportionately expensive.
Document and Media Management
Even in an increasingly digitalized world, paperless processes are not possible in all areas. Authorities, institutes or law firms continue to work with a multitude of paper-based files. Managing, archiving and preparing these documents are time consuming processes. The same applies to libraries. The use of HF RFID relieves employees of time-consuming activities and allows them to concentrate on essential core tasks.
DNA technology ensures highly secure authentication processes, especially in the field of document management, which can additionally verify the authenticity of a document. Libraries benefit from improved circulation by eliminating time-consuming manual processes and implementing self check-outs and automated check-ins.
An unmanned store reflects the demands of modern lifestyles: goods for daily needs are available 24/7 without a closing time, and it is also a perfect example of the scope of services of HF RFID. Users of an unmanned store authenticate themselves at the entrance via NFC tap.
In the store, each product – usually 700 to 800 SKUs on 20 square meters of floor space – is labeled with an HF tag. Users pack all the goods they want into a basket or directly into their rucksack. All goods are securely and reliably captured at the self-service checkout. At the exit, HF technology automatically supports anti-theft protection, which can be provided by gates.