NXP’s Gingerbread Coup Leaves Rivals With a Bitter Taste Dec 20 2010
If Gingerbread supports Mifare, the most popular technology used for transit ticketing, it would put Inside at a significant disadvantage to supply NFC chips with secure elements, since NXP has declined to grant Inside a Mifare license. Of course, Inside faces a problem supplying chips for any NFC phone that supports Mifare, unless it partners with a Mifare licensee. Any Mifare support in Gingerbread is also expected to favor suppliers of Mifare tags. (nfctimes)
....
Many in the industry, including telcos and service providers, are disappointed with the few tag-reading commands that Gingerbread and the first handset using it, the Nexus S, so far support. “This API is useless for us,” said one telco, according to a source. Many telcos want to support retail payment, either hosting applications from banks or running the payment scheme themselves.
____________________________________________________________
Future symmetric crypto should definitely be at least AES-128.
Proprietary short keys are dangerous: MIFARE Classic's Crypto-1 cipher uses 48-bit keys.
Wikipedia: "clone any MIFARE Classic card in not more than 10 seconds"
The current 112-bit (two-key) triple DES will surely be orphaned... will anyone continue to optimise DES chips?
........................
With symmetric crypto algorithms, NFC payment schemes currently require the same secret key on Card and Reader.
Something like this:
1) Card to Reader: send Random1 and the requested $ amount.
2) Reader to Card: send encrypted Random1 and Random2. Card trusts Reader (it has proved it holds the key).
3) Card to Reader: send encrypted Random2. Reader trusts Card and constructs the card session key from the two randoms.
4) Reader to Card: send the signed (MACed) transaction. Card is sure that the transaction is complete.
"Tearaway" logic must be in place in the reader if this sequence is broken part-way (card pulled out of the field, power lost): nothing half-authenticated may be committed as a sale.
.................................
If PKC were adopted:
1) Card sends signed Amount to Reader. Reader trusts Card.
2) Reader sends signed Acceptance to Card. Card trusts Reader and completes the transaction.
A nonce with a known structure would be included in the signed data, so a verifier can reject replays and signatures that were made for some other purpose.
PKC (e.g. RSA public keys) would mean:
No common secret key would be loaded onto the Card.
Each card could generate its own secret key, which would never leave the card.
A certification structure would be required to guard public keys. Note this is a lower-order cryptographic problem: only public keys and certificates are distributed, never secrets.
Fast large-integer hardware arithmetic would be required.
A desktop can validate a PKC signature in < 10 msec; not sure about NXP speed.
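The two-message PKC exchange above, as an added example that is not part of the original notes. It uses textbook RSA over SHA-256 with freshly generated 256-bit primes purely so the block is self-contained (a deployment would use RSA-PSS or ECDSA from a vetted library, and the card's own hardware RNG); the message layout, the NFCPAY1 nonce tag, the per-card transaction counter and the party names are assumptions made for this example. The card holds only its own private key, the reader holds the CA public key plus its own pair, and the replay and forgery checks at the end of demo() show what each side can and cannot do.

```python
"""Two-message public-key NFC payment handshake (added illustration, not the
page's code). Textbook RSA over SHA-256 with freshly generated 256-bit primes
keeps it self-contained; a real card would use vetted RSA-PSS or ECDSA and its
hardware RNG. Message layout, NFCPAY1 nonce tag and party names are assumed."""
import hashlib, os, random, struct

rng = random.SystemRandom()  # OS entropy; a card would use its own hardware RNG

def _is_prime(n, rounds=16):
    """Miller-Rabin; callers only pass odd n > 3."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def keygen(bits=512):
    """RSA pair; on a real card this runs inside the chip and d never leaves it."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return {"d": pow(e, -1, phi), "n": p * q}, {"e": e, "n": p * q}

def _h(data):  # 256-bit digest, always below the 512-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(priv, data):
    return pow(_h(data), priv["d"], priv["n"])
def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(data)

def _cert_body(holder_id, pub):
    return holder_id + struct.pack(">I", pub["e"]) + pub["n"].to_bytes(64, "big")
def issue_cert(ca_priv, holder_id, pub):
    """CA binds an id to a public key; only public data is ever distributed."""
    return {"id": holder_id, "pub": pub, "sig": sign(ca_priv, _cert_body(holder_id, pub))}
def cert_ok(ca_pub, cert):
    return verify(ca_pub, _cert_body(cert["id"], cert["pub"]), cert["sig"])

NONCE_TAG = b"NFCPAY1"  # known structure: tag | card id | counter | 8 random bytes

def card_step1(card, amount_cents):
    """Message 1: the card signs the amount together with a structured nonce."""
    card["ctr"] += 1
    nonce = NONCE_TAG + card["cert"]["id"] + struct.pack(">I", card["ctr"]) + os.urandom(8)
    msg = nonce + struct.pack(">Q", amount_cents)
    return {"cert": card["cert"], "msg": msg, "sig": sign(card["priv"], msg)}

def reader_step2(reader, m1):
    """Message 2: check cert chain, signature, nonce structure and replay counter."""
    cert, msg = m1["cert"], m1["msg"]
    if not cert_ok(reader["ca_pub"], cert) or not verify(cert["pub"], msg, m1["sig"]):
        return None  # unknown card or bad signature
    head = NONCE_TAG + cert["id"]
    if not msg.startswith(head):
        return None  # nonce not built for this protocol, or for another card
    ctr = struct.unpack(">I", msg[len(head):len(head) + 4])[0]
    if ctr <= reader["seen"].get(cert["id"], 0):
        return None  # replayed message 1
    reader["seen"][cert["id"]] = ctr
    acc = b"ACCEPT" + msg  # acceptance echoes exactly what the card signed
    return {"cert": reader["cert"], "msg": acc, "sig": sign(reader["priv"], acc),
            "amount": struct.unpack(">Q", msg[-8:])[0]}

def card_complete(card, m1, m2):
    """The card completes only on a valid acceptance from a CA-certified reader."""
    if m2 is None or not cert_ok(card["ca_pub"], m2["cert"]):
        return False
    return verify(m2["cert"]["pub"], m2["msg"], m2["sig"]) and m2["msg"] == b"ACCEPT" + m1["msg"]

def make_party(ca_priv, ca_pub, ident):
    priv, pub = keygen()
    return {"priv": priv, "cert": issue_cert(ca_priv, ident, pub),
            "ca_pub": ca_pub, "ctr": 0, "seen": {}}

def demo():
    ca_priv, ca_pub = keygen()
    card = make_party(ca_priv, ca_pub, b"CARD-0001")
    reader = make_party(ca_priv, ca_pub, b"READER-07")
    m1 = card_step1(card, 250)
    m2 = reader_step2(reader, m1)
    ok = card_complete(card, m1, m2)
    replayed = reader_step2(reader, m1) is None  # counter did not advance
    # Breaking card 1 yields only its own key: its signature is rejected when
    # presented under card 2's certificate.
    other = make_party(ca_priv, ca_pub, b"CARD-0002")
    forged = {"cert": other["cert"], "msg": m1["msg"], "sig": m1["sig"]}
    return ok, m2["amount"], replayed, reader_step2(reader, forged) is None
```

Note what the reader never holds: no card secret and no key-loading step, only the CA public key. The counter inside the nonce is what turns "known structure" into a replay check; a card that cannot keep a counter would need the reader to supply a challenge first, which brings the exchange back to three messages.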
Is it possible to use symmetric crypto in a 2-stage transaction?
1) Card sends amount, Random and encrypted Random. Reader trusts Card (based on the shared secret key).
This exposes known plaintext/ciphertext pairs under the card's long-term key, whereas the 4-step exchange allows for 'session' keys, calculated from the card key and the two randoms, that are used only once.
The card key is in turn derived from the CardID (diversified from a master key), so breaking one card doesn't break all.
So in practice a 4-step transaction is used.
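The four-step exchange described earlier and the key-diversification point just above, as one added example that is not part of the original notes. HMAC-SHA256 is used in place of the 3DES/AES operations the notes describe (Python's standard library has no block cipher), and MACing the other side's random proves possession of the key just as returning it encrypted does; the master key, card ids, balances and the tear-away simulation are all constructed for this example.

```python
"""Four-step symmetric NFC payment handshake with diversified card keys
(added illustration, not the page's code). HMAC-SHA256 stands in for the
3DES/AES operations in the notes, since the standard library has no block
cipher: MACing the other side's random proves key knowledge just as
returning it encrypted does. Master key, ids and amounts are constructed."""
import hashlib
import hmac
import os

MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)  # demo value

def prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def diversify(master, card_id):
    """Card key = PRF(master, CardID). The card stores only its own key, so
    extracting it does not break other cards; the master stays on the reader side."""
    return prf(master, b"DIV", card_id)

class Card:
    def __init__(self, card_id, key):
        self.id, self.key = card_id, key  # key personalised at issuance
        self.balance, self.session = 1000, None

    def step1(self, amount):
        self.r1, self.amount = os.urandom(16), amount
        return {"id": self.id, "r1": self.r1, "amount": amount}

    def step3(self, m2):
        """Accept only a reader that proved knowledge of this card's key, then
        derive the session key and prove our own knowledge under it."""
        if not hmac.compare_digest(m2["mac_r1"], prf(self.key, b"R1", self.r1)):
            return None
        self.session = prf(self.key, b"SESS", self.r1, m2["r2"])
        return {"mac_r2": prf(self.session, b"R2", m2["r2"])}

    def finish(self, m4):
        tx = self.amount.to_bytes(4, "big")
        if not hmac.compare_digest(m4["mac_tx"], prf(self.session, b"TX", tx)):
            return False
        self.balance -= self.amount
        return True

class Reader:
    def __init__(self, master):
        self.master = master  # in practice kept inside a SAM, not the reader MCU
        self.pending, self.sales = None, []

    def step2(self, m1):
        key = diversify(self.master, m1["id"])
        r2 = os.urandom(16)
        self.pending = {"amount": m1["amount"], "r2": r2,
                        "session": prf(key, b"SESS", m1["r1"], r2)}
        return {"mac_r1": prf(key, b"R1", m1["r1"]), "r2": r2}

    def step4(self, m3):
        p, self.pending = self.pending, None  # whatever happens, nothing stays half-done
        if p is None or not hmac.compare_digest(m3["mac_r2"], prf(p["session"], b"R2", p["r2"])):
            return None
        self.sales.append(p["amount"])
        return {"mac_tx": prf(p["session"], b"TX", p["amount"].to_bytes(4, "big"))}

    def abort(self):
        """Tear-away: the card left the field before the sequence completed."""
        self.pending = None

def run_transaction(card, reader, amount, tear_after=None):
    """Drive the four messages; tear_after=3 simulates the card leaving the
    field before message 3 reaches the reader."""
    m1 = card.step1(amount)
    m2 = reader.step2(m1)
    m3 = card.step3(m2)
    if m3 is None or tear_after == 3:
        reader.abort()
        return False
    m4 = reader.step4(m3)
    return m4 is not None and card.finish(m4)

def demo():
    reader = Reader(MASTER_KEY)
    card_a = Card(b"CARD-A", diversify(MASTER_KEY, b"CARD-A"))
    ok = run_transaction(card_a, reader, 250)
    torn = run_transaction(card_a, reader, 100, tear_after=3)
    # A clone holding card A's extracted key but claiming id B never gets past
    # step 3: the reader diversifies a different key for B.
    clone = Card(b"CARD-B", card_a.key)
    cloned = run_transaction(clone, reader, 50)
    # A rogue reader without the master key cannot satisfy step 2 either.
    rogue_ok = run_transaction(card_a, Reader(b"wrong-master"), 50)
    return ok, card_a.balance, torn, len(reader.sales), cloned, rogue_ok, reader.pending is None
```

One window remains even with this logic: if the card is torn between the reader sending message 4 and the card debiting itself, the reader has recorded a sale the card never applied. Real schemes close that with a transaction log on the card and a recovery step on the next tap; the point here is only that the reader commits nothing before message 3 verifies.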
I expect that PKC will eventually replace symmetric crypto.
Initialising cards with Secret Keys is an arduous and anxious process.