What exactly is smart Access? Smart Access is a new and dynamic way to handle and manage key credentials for NFC or BLE locks. Instead of having static credentials with smart access you can enable or disable keys over the air. This allows you to give temporary access to someone or disable someone with suspicious behavior.
Traditional smart cards are great at providing credentials for one specific and static task. What they don't do is allow for one time access, temporary deactivation or additional security features like pin entry. With a smart badge you can define and edit process flows to enable features and save time without compromising on security.
The Infrafon CC1 device is provided with two different NFC peripherals,
- NXP PN7150: High performance NFC controller with integrated firmware, supporting all NFC forum modes
- NXP NTP52101: NTAG 5 switch - NFC Forum-compliant PWM and GPIO bridge
The embedded PN7150 controller allows the microcontroller to read and emulate most NFC TAGs on the market at 13.56MHz. In particular the PN7150 is capable of handling in firmware all of the communication up to the ISO 14443-4 layer, while delegating to the firmware on the microcontroller the upper layer protocols.The PN7150 supports card emulation mode based on either technology NFC-A, NFC-B, or NFC-F.By using the combination of the PN7150 frontend with a microcontroller, it is possible to emulate tags like the NXP MIFARE Classic or NXP DESFire EV1/2/3 and/or the use of NDEF messages.It is also possible to emulate tags based on the ISO-DEP protocols on top of NFC-A or NFC-B by using the firmware integrated in the PN7150. The PN7150 also allows the microcontroller to emulate T3T tags trough NFC-F protocol support. Finally, other protocols, like FeliCA or Topaz, may be supported, but their full emulation has not been investigated yet.
Figure 1: View of the capabilities of the firmware of the NXP PN7150. "NFC Protocol Stack" by Erik Hubers is licensed under CC-BY-SA-4.0.
src: Link
The PN7150 is capable of acting as both a reader and an emulator, while also supporting peer to peer (P2P) communication mode. By using the NCI API interface, it is possible to exchange with the Cortex M0 microcontroller embedded in the NXP PN5170, in order to set its mode to reader, emulator, or P2P communication.
A variety of encryption protocols are possible on the CC1 NFC modules. Especially interesting is the integration of the most common NXP protocols Mifare Classic and DESFire EV2:
The emulation of the NXP Mifare Classic protocol with the PN7150 is different from that of other NFC protocols. As the Mifare Classic protocol is built upon the ISO 14443-3 layer, messages coming from such a layer are not forwarded to the external microcontroller. Thus, the PN7150 implements the Mifare Classic protocol in firmware. In particular, by setting particular values in the Flash memory of the PN7150, it is possible to customize various aspects of the NXP Mifare Classic responses, from the UID, ATS, to various other aspects of the radio communication of the lower layers. Finally, NXP firmware provides space to configure up to 16 keys used in MIFARE Classic Authentication command.
As a proof of concept, part of the NXP Mifare DESFire protocol has been developed on the ESP32 with support from the PN7150. In particular, the proof of concept allows emulating the UID of another card, setting a particular 2TEA key for authentication, emulating the originality signature of an authentic NXP DESFire EV2 card, and in general being recognized as a valid DESFire EV2 tag.Python APIs are provided on the ESP32 to set the 2TEA key, or to set a custom NDEF message of the NFC emulator.When tested with a proxmark3 reader, the Infrafon device was able to emulate the answers of an authentic NXP DESFire EV2 card to the following requests:
- UID
- ATQA
- SAK
- ATS
- Authentication with 2tdea key
- GetVersion command (originality check)
Finally, the TagInfo application from NXP recognized the emulated tag as an authentic (Signature verified with NXP public key) DESFire EV2 (MF3D22) tag.
By leveraging the connection of the Infrafon CC1's ESP32 microcontroller to the SE050 secure element by NXP, it is possible to use the security functionalities of the SE050 to handle sensitive data. It is thus possible to pair the SE050 and the NFC controller PN7150 through the microcontroller, to use the security of the SE050 to perform secure NFC transactions.
Security Pattern is our designated Partner when it comes to custom NFC projects. Please reach out to us if you do have any special requirements to get more details and an estimate.
