RF Identification (RFID) is currently the dominating technology in physical access control systems. Four standards currently dominate RFID communication: ISO/IEC 14443-A, ISO/IEC 14443-B, ISO/IEC 15693, and JIS X6319-4, each of which are hereby incorporated herein by reference in their entirety. Most access control systems installed over the last decade support one or more of these standards, or can be upgraded to support one or more of these standards. Consequently, there is a huge legacy of installed access control readers that use these standards on global basis.
The same RFID standards are used for other applications such as transport, luggage identification, ticketing, payment according to the Contactless EMV standard (Europay, MasterCard, Visa), and more.
Due to the wide spread implementation of these RFID standards, the Near-Field Communications (NFC) technology that is developed for use in mobile devices, such as smart phones and tablet devices, builds upon the same RFID standards. One could say that NFC is RFID embedded in a phone, instead of a RFID embedded in to a card, key fob, sticker or even a card reader embedded in a phone.
The NFC hardware can either be an integral part of the mobile device or phone or it can be removable (e.g., a removable NFC chip or device). NFC devices can typically operate in any one of three modes, where the first two modes are most commonly used: (1) card emulation mode; (2) read/write mode; and (3) peer-to-peer mode.
As expected, NFC tags have proliferated along with the adoption of NFC technologies in mobile devices. Most NFC tags contain data that is read by NFC-capable devices. The assurance that the tag is genuine and the data on the tag has not been tampered with is critical in certain tag-based solutions. To add security to the data stored on the NFC tag, the NFC forum describes a security standard that consists of a static signature of the data. This static signature augments the security of the original data, but has limitations in that the data ands its signature can be copied from one tag to another and still result in a successful validation. In other words, the static signature does not protect the data against replay attacks.