RF Identification (RFID) is currently the dominant technology in physical access control systems. Four standards currently dominate RFID communication: ISO/IEC 14443-A, ISO/IEC 14443-B, ISO/IEC 15693, and JIS X6319-4, each of which is hereby incorporated herein by reference in its entirety. Most access control systems installed over the last decade support one or more of these standards, or can be upgraded to support one or more of these standards. Consequently, there is a huge legacy of installed access control readers that use these standards on a global basis.
The same RFID standards are used for other applications such as transport, luggage identification, ticketing, payment according to the Contactless EMV standard (Europay, MasterCard, Visa), and more.
Due to the widespread implementation of these RFID standards, the Near-Field Communications (NFC) technology that is developed for use in mobile devices, such as smart phones and tablet devices, builds upon the same RFID standards. One could say that NFC is RFID embedded in a phone, instead of an RFID embedded into a card, key fob, sticker, or even a card reader embedded in a phone.
The NFC hardware can either be an integral part of the mobile device or phone or it can be removable (e.g., a removable NFC chip or device). NFC devices can typically operate in any one of three modes, where the first two modes are most commonly used: (1) card emulation mode; (2) read/write mode; and (3) peer-to-peer mode.
As expected, NFC tags have proliferated along with the adoption of NFC technologies in mobile devices. Most NFC tags contain data that is read by NFC-capable devices. Tags that use other communication protocols (e.g., non-NFC protocols such as Bluetooth, ZigBee, etc.) have also experienced significant development in parallel with the development of NFC tags.
The assurance that a tag is genuine and the data on the tag has not been tampered with is critical in certain tag-based solutions, regardless of the communication protocol used by the tag. To add security to the data stored on an NFC tag, the NFC Forum describes a security standard that consists of a static signature of the data. The corresponding certificate identifying the signing party can then either be present on the tag itself or be de-referenced using a certificate URL. The reading device, if it reads a certificate URL and complies with the NFC Forum standard, will then fetch the certificate from the URL before validating the signature using the certificate. This static signature augments the security of the original data, but has limitations in that the data and its signature can be copied from one tag to another and still result in a successful validation. In other words, the static signature does not protect the data against replay attacks.
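The limitation described above, seen from the reading device's side, as an added example that is not part of the original text: the check covers only the data and its signature, so its result does not depend on which tag presents them. A toy unpadded RSA key stands in for the signing party's certificate and signature scheme, and the names `Tag`, `sign`, `verify`, the UIDs and the record contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy RSA key built from two Mersenne primes (constructed for this example;
# far too small and unpadded for real use, it only stands in for the
# signing party's key pair and certificate).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer


@dataclass
class Tag:
    uid: str        # identifier of the physical tag (constructed value)
    data: bytes     # record stored on the tag
    signature: int  # static signature written once, alongside the data


def digest(data: bytes) -> int:
    """Hash the record and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Issuer side: computed once, when the tag is written."""
    return pow(digest(data), D, N)


def verify(tag: Tag) -> bool:
    """Reader side: checks that the signature matches the data.
    The tag's identity (uid) is not an input to the check."""
    return pow(tag.signature, E, N) == digest(tag.data)


def demo():
    record = b"https://example.com/product/1234"  # constructed record
    genuine = Tag("04:A1:B2:C3", record, sign(record))
    # Same bytes and signature presented by a different physical tag.
    copy = Tag("04:FF:EE:DD", genuine.data, genuine.signature)
    # Altered data with the old signature: this is what the check does catch.
    tampered = Tag("04:A1:B2:C3", b"https://example.com/product/9999",
                   genuine.signature)
    return verify(genuine), verify(copy), verify(tampered)


if __name__ == "__main__":
    print(demo())
```

The static signature detects modification of the data, but validation of the copied record is indistinguishable from validation of the genuine one.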