Application Report

Secure My-d™ and Mifare™ RFID reader system by using a security access module

Erich Englbrecht (info@eonline.de)
V0.1draft
Embedded RF

ABSTRACT

This application report describes the implementation of a highly secure RFID reader system. The firmware runs on an MSP430F2370 microcontroller. This software controls the multiprotocol 13.56 MHz transceiver TRF7970A, which can handle a wide range of authentication and identification systems. The current implementation supports my-d™ proximity 2 and Mifare™ compatible application devices. Additionally, the firmware implements an ISO7816 interface for accessing a Security Access Module (SAM). The SAM contains the appropriate encryption algorithm and a key management system for interacting with the RFID devices described above. For visualization purposes, the complete communication steps are handled by a host system connected via USB.

Contents

1) Introduction
2) Hardware Description
   1) Device Specifications
      MSP430F2370
      TRF7970A
      EasySAM (SLF9620)
      Mifare™ (SLE66R35)
      My-d™ proximity 2 (SLE66R32S)
   2) Interface specification
      Interface between MSP430F2370 and TRF7970A
      Interface between MSP430F2370 and the EasySAM
   3) Schematic and Layout of the TRF7970A SAM dongle board
      Schematic
      Layout
3) Firmware Description
   1) System architecture of the firmware
   2) ISO7816 firmware module
      Interfaces and their functionality
      Limitations and known issues
   3) my-d™ proximity 2 firmware module
      Interfaces and their functionality
      Limitations and known issues
      Communication sequence for my-d™ proximity 2 cards with SAM
   4) Mifare™ firmware module
      Interfaces and their functionality
      Limitations and known issues
      Communication sequence for Mifare™ cards with SAM
4) Host GUI
   1) my-d™ proximity 2 systems
   2) Mifare™ compatible systems
5) References

Figures

Figure 1: Block Diagram of Interface between MSP430F2370 and TRF7970A
Figure 2: Block Diagram of Interface between MSP430F2370 and EasySAM
Figure 3: Eagle schematics of the TRF7970A SAM dongle board
Figure 4: Eagle Layout of the TRF7970A SAM dongle board
Figure 5: System architecture of the firmware
Figure 6: ISO7816 ATR flow chart
Figure 7: ISO7816 TxCmd flow chart
Figure 8: ISO7816 ISR flow chart
Figure 9: ISO7816 TxCmd flow chart
Figure 10: my-d™ proximity 2 flow chart
Figure 11: Sequence diagram for my-d™ proximity 2
Figure 12: Mifare™ Manchester decoding flow chart
Figure 13: Mifare™ transmit flow chart
Figure 14: Sequence for Mifare™ compatible system
Figure 15: Demo GUI: start
Figure 16: Demo GUI: MSP connected
Figure 17: Demo GUI: SAM and TRF initialized
Figure 18: Demo GUI: my-d™ proximity 2 detected
Figure 19: Demo GUI: my-d™ proximity 2 authenticated
Figure 20: Demo GUI: Secure read done
Figure 21: Demo GUI: Secure write done
Figure 22: Demo GUI: Re-read after secure write
Figure 23: Demo GUI: Mifare™ detected
Figure 24: Demo GUI: Mifare™ authenticated
Figure 25: Demo GUI: Secure read done
Figure 26: Demo GUI: Secure write done
Figure 27: Demo GUI: Re-read after secure write
1) Introduction

An RFID reader system that has to be resistant against manipulation and tampering requires a security element. This security element contains the shared secrets as well as the common algorithms of the RFID devices. The security element guarantees that every communication with the RFID devices can be encrypted. Any readout or change of data on the RFID devices can only be done after a full 3-pass authentication sequence with the secure element.
2) Hardware Description

1) Device Specifications

MSP430F2370

The MSP430F2370 is a 16-bit microcontroller from the 2xxx family of the ultra-low-power MSP430 family of devices from Texas Instruments. The supply voltage for this microcontroller ranges from 1.8 V to 3.6 V. The MCU is capable of operating at frequencies up to 16 MHz. The microcontroller has an integrated memory of 32 KB flash and 2 KB RAM.

TRF7970A

The TRF7970A is an integrated analog front end and data-framing device for a 13.56-MHz RFID/Near Field Communication system. Built-in programming options make it suitable for a wide range of applications for proximity and vicinity identification systems. It can operate in one of three modes: RFID/NFC Reader, NFC Peer, or Card Emulation mode. The TRF7970A is configured by selecting the desired protocol in the control registers. Direct access to all control registers allows fine tuning of various reader parameters as needed.

EasySAM (SLF9620)

EasySAM is a security access module for the Mifare™ compatible interface, the my-d™ algorithm, 3DES and AES128. It enables security authentication between the reader and my-d™ chip cards or cards using Mifare™ technology, 3DES or AES128 authentication schemes. It features a dedicated key management system including key derivation and key upload. The contact-based communication interface conforms to ISO/IEC 7816-3 T=1.

Mifare™ (SLE66R35)

The SLE 66R35 is designed to operate in a Mifare™ compatible system. Access to the SLE 66R35 is only allowed after a three-pass authentication. Each data transmission is enciphered. Protection from misuse is provided by configurable access conditions that are protected by secret keys used for memory operations such as read or write.

My-d™ proximity 2 (SLE66R32S)

my-d™ proximity 2 products are based on the ISO/IEC 14443-3 Type A standard for contactless proximity cards. my-d™ proximity additionally features my-d™ commands and the my-d™ cryptographic algorithm.
2) Interface specification

Interface between MSP430F2370 and TRF7970A

Figure 1 shows the interface between the MSP430F2370 and the TRF7970A. The TRF7970A is connected to the MSP430F2370 via the SPI interface. All configuration of the TRF7970A itself is done over the SPI interface.

Communication with my-d™ proximity 2 cards is done over the SPI interface and the integrated FIFO of the TRF7970A. Once the data are transmitted, the protocol handling is done by the TRF7970A. When data are received, the TRF7970A signals the MSP430 with an IRQ. The microcontroller can then read all received data via the SPI interface.

Communication with Mifare™ compatible cards is different and must be done in Direct Mode 0 of the TRF7970A. This means all modulation has to be done at the elementary level by the MSP430F2370 itself, in software. The transmit modulation is driven through the MOD pin of the TRF7970A. The receive modulation of the Mifare™ card can be sampled via the I/O_6 pin of the TRF7970A. The sampled data then have to be decoded according to the Manchester line code specification. The ASK/OOK pin tells the TRF7970A which modulation to use. The I/O_2 pin can be used for special mode settings but can be kept high during the whole execution.
Figure 1: Block Diagram of Interface between MSP430F2370 and TRF7970A

Interface between MSP430F2370 and the EasySAM

Figure 2 shows the interface between the MSP430F2370 and the EasySAM. EasySAM requires the ISO/IEC7816-3 T=1 protocol as its communication interface. The MSP430F2370 does not support this protocol in hardware. Therefore the ISO/IEC7816-3 T=1 protocol interface has been implemented completely in software.

The SIM_SWP pin is connected for future purposes. Currently there is no software implementation of the Single Wire Protocol (SWP). Consequently the connection is not in use!
Figure 2: Block Diagram of Interface between MSP430F2370 and EasySAM
3) Schematic and Layout of the TRF7970A SAM dongle board

Schematic
Figure 3: Eagle schematics of the TRF7970A SAM dongle board
Layout

Figure 4: Eagle Layout of the TRF7970A SAM dongle board
3) Firmware Description

This section describes the MSP430 firmware used for this application report. The firmware is separated into different logical modules. The general system architecture is shown in the next sub-chapter. The following sub-chapters describe the new firmware modules. These modules are iso7816, my-dp2 and mifare.

1) System architecture of the firmware

Figure 5 shows the principal system architecture of the MSP430F2370 firmware. All new firmware modules are filled in red.

Figure 5: System architecture of the firmware

2) ISO7816 firmware module

The ISO7816 firmware module implements the ISO/IEC7816 part 3 T=1 communication protocol between contact-based integrated circuit cards and readers. The current implementation works with the EasySAM security access cards only.

Interfaces and their functionality

The ISO7816 firmware module implements the following functions.
Iso7816Init

This function initializes the relevant interface pins between the MSP430F2370 and the EasySAM security access card.

Iso7816Atr

This function activates the EasySAM card. In response to the activation, the EasySAM card sends an Answer-to-Reset (ATR) to the MSP430F2370 microcontroller.

Figure 6: ISO7816 ATR flow chart

Iso7816TxCmd

This function prepares and transfers data to the EasySAM card. For this, the data are enveloped according to the T=1 protocol specification. NAD, PCB and LEN bytes are added, as well as a CRC checksum at the end of the data sequence. Each individual byte is sent as 10 bits (start bit, 8 data bits, 1 parity bit). The fixed guard time after each byte is 2 stop bits. After transmitting the data, the function waits for the response data from the EasySAM card.
Figure 7: ISO7816 TxCmd flow chart

Iso7816Isr

This is a low-level interrupt service routine of the iso7816 module. During the reception phase, each byte is signaled by an interrupt request. This IRQ is forwarded to this interrupt service routine. Basically, this routine prepares the reception of the individual bits of a byte according to the T=1 protocol specification. Among other things, such as setting the bit counter, the timer service routine is initialized and started.
Figure 8: ISO7816 ISR flow chart

Iso7816Timer

The timer interrupt service routine handles the individual bits in transmission as well as in reception mode. In the transmission phase, the start bit, the 8 individual data bits and the calculated parity bit are handled in this routine. Additionally, the two stop bits are handled after the transmission of the 10 bits of each byte. In the reception phase, the 8 data bits are read out under the control of a counter which is initialized by the iso7816 interrupt service routine. The parity bit and the guard time are currently not checked in this version.
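The T=1 envelope built by Iso7816TxCmd and the character framing handled by Iso7816Timer, as an added example (not the report's firmware), with a receive path that performs the parity and stop-bit checks the report lists as not implemented. It assumes the direct convention (data bits LSB first) and uses the one-byte LRC epilogue, the T=1 default, in place of the CRC the report mentions, whose parameters the report does not give. All function names and the sample APDU are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T1_MAX_INF 254u /* LEN = 255 is reserved in T=1 */

/* Parity bit that makes the number of 1s in (data + parity) even. */
static uint8_t even_parity(uint8_t b) {
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return b & 1u;
}

/* One character as 12 line levels, sent from bit 0 upward (assumed direct
 * convention): start(0), 8 data bits LSB first, parity, 2 stop bits (1,1). */
uint16_t iso7816_char_encode(uint8_t b) {
    return (uint16_t)(((uint16_t)b << 1) | ((uint16_t)even_parity(b) << 9) | (3u << 10));
}

/* Receive side with the parity and stop-bit checks added.
 * Returns 0 = ok, -1 = start/stop (guard time) violation, -2 = parity error. */
int iso7816_char_decode(uint16_t frame, uint8_t *out) {
    uint8_t data = (uint8_t)(frame >> 1);
    if ((frame & 1u) != 0u || ((frame >> 10) & 3u) != 3u) return -1;
    if (((frame >> 9) & 1u) != even_parity(data)) return -2;
    *out = data;
    return 0;
}

/* Wrap inf[] as a T=1 I-block: NAD | PCB | LEN | INF | epilogue.
 * ns is the send-sequence bit N(S); the M (chaining) bit stays 0.
 * The epilogue is the 1-byte LRC, an assumption standing in for the CRC.
 * Returns the block length, or 0 if the input does not fit. */
size_t t1_build_iblock(uint8_t nad, uint8_t ns, const uint8_t *inf,
                       size_t inf_len, uint8_t *out, size_t out_cap) {
    size_t i, n = 3 + inf_len;
    uint8_t lrc = 0;
    if (inf_len > T1_MAX_INF || out_cap < n + 1) return 0;
    out[0] = nad;
    out[1] = (uint8_t)((ns & 1u) << 6);
    out[2] = (uint8_t)inf_len;
    if (inf_len) memcpy(out + 3, inf, inf_len);
    for (i = 0; i < n; i++) lrc ^= out[i];
    out[n] = lrc;
    return n + 1;
}

/* Validate a received block before trusting LEN or INF.
 * Returns 0 = ok, -1 = malformed length, -2 = epilogue mismatch. */
int t1_check_block(const uint8_t *blk, size_t len) {
    size_t i;
    uint8_t x = 0;
    if (len < 4 || blk[2] > T1_MAX_INF || len != (size_t)blk[2] + 4) return -1;
    for (i = 0; i < len; i++) x ^= blk[i];
    return x == 0 ? 0 : -2;
}

int main(void) {
    /* Constructed sample payload: ISO 7816-4 GET CHALLENGE for 8 bytes. */
    const uint8_t apdu[] = {0x00, 0x84, 0x00, 0x00, 0x08};
    uint8_t blk[4 + T1_MAX_INF];
    size_t i, n = t1_build_iblock(0x00, 0, apdu, sizeof apdu, blk, sizeof blk);
    for (i = 0; i < n; i++)
        printf("%02X -> frame 0x%03X\n", (unsigned)blk[i], (unsigned)iso7816_char_encode(blk[i]));
    return t1_check_block(blk, n);
}
```
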
Figure 9: ISO7816 TxCmd flow chart

Limitations and known issues

ATR
The ATR is not interpreted.
The ATR is currently fixed for EasySAM cards only.

T=1
T=1 is implemented without any error handling (R-Blocks).
T=1 does not support S-Blocks.
T=1 does not support block chaining.

T=0
T=0 is not supported.

PPS
PPS is not supported.
The transmission rate is limited to F=372 and D=1 (default).
3) my-d™ proximity 2 firmware module

The my-dp2 firmware module implements support for contactless proximity cards based on the ISO/IEC 14443-3 Type A standard. The my-d™ proximity 2 family features my-d™ commands and the my-d™ cryptographic algorithm.

Interfaces and their functionality

The my-dp2 firmware module includes the following functions.

Mydp2AuthenticateA

This function authenticates a specific area with a specific key on contactless my-d™ proximity 2 cards. This authenticate command is the first pass of a 3-pass authentication sequence.

Mydp2AuthenticateB

This function is the third pass of a 3-pass authentication sequence. If it succeeds, any read or write command on the specific authenticated pages can now be performed.

Mydp2ReadOneBlock

This function reads one specific page on contactless my-d™ proximity 2 cards. This command succeeds only after a preceding authentication.

Mydp2WriteOneBlock

This function writes bytes to a page on contactless my-d™ proximity 2 cards. This command succeeds only after a preceding authentication.

In principle, all of the above commands have a similar execution sequence. The sequence diagram is shown in the figure below.
Figure 10: my-d™ proximity 2 flow chart

Limitations and known issues

The baud rate between the TRF7970A and my-d™ proximity 2 cards is fixed at 106K baud.

The demonstration for my-d™ proximity 2 cards is limited to an authentication of a specific memory area and to one-block read and one-block write commands.

In reception mode it is possible for an IRQ to occur without any available data. This is currently handled by a workaround which detects this and waits again for data reception.

Personalization commands for my-d™ proximity 2 cards are currently not integrated into the firmware.

Communication sequence for my-d™ proximity 2 cards with SAM

The figure below shows the typical communication sequences for my-d™ proximity 2 systems. As in the demonstration system, the 3-pass authentication, a read and a write sequence are shown.
Figure 11: Sequence diagram for my-d™ proximity 2

4) Mifare™ firmware module

The mifare firmware module is implemented to operate in a Mifare™ compatible system.

Interfaces and their functionality

The mifare firmware module includes the following functions.

MifareDirect0Start

This function starts the Direct Mode 0 of the TRF7970A.

MifareDirect0Stop

This function stops the Direct Mode 0 of the TRF7970A.
MifareManchesterDecode

This function decodes a set of sample data into a binary format according to the Manchester coding.

Figure 12: Mifare™ Manchester decoding flow chart

MifareTransmit

This function transmits a command to a Mifare™ compatible card and receives the response. Each Mifare™ command is passed through this function. The differentiation between commands is done by the host system.
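The decoding step performed by MifareManchesterDecode, as an added example (not the report's firmware), including the cases a software decoder has to reject: missing start of frame, an invalid symbol, a truncated capture and an undersized output buffer. It assumes the raw samples have already been reduced to one level per half bit period; the function names and the sample capture are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { MAN_OK = 0, MAN_NO_SOF = -1, MAN_INVALID = -2, MAN_NO_EOF = -3, MAN_OVERFLOW = -4 };

/* Constructed capture: SOF, bytes 0x04 0x00 each with an odd parity bit, EOF. */
const uint8_t SAMPLE_HALF[40] = {
    1,0,                                          /* start of frame      */
    0,1, 0,1, 1,0, 0,1, 0,1, 0,1, 0,1, 0,1, 0,1,  /* 0x04 LSB first, P=0 */
    0,1, 0,1, 0,1, 0,1, 0,1, 0,1, 0,1, 0,1, 1,0,  /* 0x00 LSB first, P=1 */
    0,0 };                                        /* end of frame        */

/* half[] holds one level per half bit period (1 = subcarrier seen), an assumed
 * pre-processed form of the raw samples. ISO/IEC 14443-2 Type A, 106 kbit/s:
 * (1,0) = logic 1 and start of frame, (0,1) = logic 0, (0,0) = end of frame.
 * (1,1) is not a valid symbol (collision or noise) and aborts the decode. */
int manchester_decode(const uint8_t *half, size_t n_half,
                      uint8_t *bits, size_t cap, size_t *n_bits) {
    size_t i;
    *n_bits = 0;
    if (n_half < 2 || half[0] != 1 || half[1] != 0) return MAN_NO_SOF;
    for (i = 2; i + 1 < n_half; i += 2) {
        uint8_t a = half[i] & 1u, b = half[i + 1] & 1u;
        if (a == 0 && b == 0) return MAN_OK;       /* end of frame           */
        if (a == 1 && b == 1) return MAN_INVALID;  /* both halves modulated  */
        if (*n_bits >= cap) return MAN_OVERFLOW;   /* never write past bits[] */
        bits[(*n_bits)++] = a;                     /* (1,0) -> 1, (0,1) -> 0 */
    }
    return MAN_NO_EOF;                             /* capture ended mid-frame */
}

/* Split decoded bits into 9-bit groups: 8 data bits LSB first plus the parity
 * bit, which is handed back unchecked in par[]. Returns the byte count, or -1
 * if the bit count is not a multiple of 9 or the buffers are too small. */
int frame_unpack(const uint8_t *bits, size_t n_bits,
                 uint8_t *bytes, uint8_t *par, size_t cap) {
    size_t i, k, n = n_bits / 9;
    if (n_bits % 9 != 0 || n > cap) return -1;
    for (i = 0; i < n; i++) {
        bytes[i] = 0;
        for (k = 0; k < 8; k++) bytes[i] |= (uint8_t)((bits[9 * i + k] & 1u) << k);
        par[i] = bits[9 * i + 8] & 1u;
    }
    return (int)n;
}

int main(void) {
    uint8_t bits[64], bytes[8], par[8];
    size_t n_bits;
    int rc = manchester_decode(SAMPLE_HALF, sizeof SAMPLE_HALF, bits, sizeof bits, &n_bits);
    int n = rc == MAN_OK ? frame_unpack(bits, n_bits, bytes, par, sizeof bytes) : -1;
    printf("status %d, %d byte(s)\n", rc, n);
    return rc;
}
```
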
Figure 13: Mifare™ transmit flow chart

In addition to the functions above, there are two highly optimized low-level functions coded in MSP430 assembler.

Direct0Send

This assembler function modulates a binary sequence according to ISO14443 Type A via the TRF7970A.

Direct0Recv

This assembler function starts to sample the return signal after receiving a SOF from the Mifare™ compatible system.

Limitations and known issues

The baud rate must be fixed at 106K baud as the communication speed between the TRF7970A and the Mifare™ compatible system. Higher communication rates are currently not possible due to the system clock of 13.56MHz.
The demonstration of Mifare™ compatible cards is limited to an authentication of a specific memory area and to read and write commands.

Personalization of the Mifare™ compatible cards is not part of the firmware module.

Communication sequence for Mifare™ cards with SAM

The figure below shows the typical communication sequences for Mifare™ compatible systems. As in the demonstration system, the 3-pass authentication, a read and a write sequence are shown.

Figure 14: Sequence for Mifare™ compatible system
4) Host GUI

The following window appears when TRFDemo.exe is executed. At this stage the dongle board should be plugged in via the USB connector. To connect the dongle board device, click the USB icon next.

Figure 15: Demo GUI: start

If the USB connection was established successfully, the USB icon disappears and the MSP430F2370 is shown. To initialize the EasySAM and the TRF7970A, click the MSP430F2370 icon now.
Figure 16: Demo GUI: MSP connected

Once the TRF7970A and the EasySAM are initialized, both icons appear as shown below. To detect RFID devices, click the wave icon. This can be repeated as often as required, e.g. to show how cards are detected when they enter the detection field.

The card system is detected automatically. This means that when my-d™ proximity 2 cards are detected, the DemoTRF is configured for this product for the subsequent authentication and read or write commands. The same applies to Mifare™ compatible systems: when Mifare™ cards are detected, the DemoTRF is configured for Mifare™ products.
Figure 17: Demo GUI: SAM and TRF initialized

1) my-d™ proximity 2 systems

The figure below appears when a my-d™ proximity 2 card has been detected. The UID of the card is shown, but the card itself is not authenticated yet. To authenticate it, click the keys icon near the EasySAM card.
Figure 18: Demo GUI: my-d™ proximity 2 detected

When the authentication has completed successfully, the lock symbol and the keys icon disappear. Instead, a button for initiating secure read commands appears. To issue a secure read, click this button.

Figure 19: Demo GUI: my-d™ proximity 2 authenticated
The figure below shows the my-d™ proximity 2 system after a successful secure read command. The secure content on the card is now shown in read. To write new secure content to the card, an input field and a secure write button are provided. The new content has to be entered in the text field. The allowed length is checked and cannot be exceeded. Clicking the secure write button writes the new content to the card.

Figure 20: Demo GUI: Secure read done
Figure 21: Demo GUI: Secure write done

The newly written content can be verified by re-reading the content on the card. This is done simply by clicking the read button again.

Figure 22: Demo GUI: Re-read after secure write
2) Mifare™ compatible systems

The figure below appears when a Mifare™ card has been detected. The UID of the card is shown, but the card itself is not authenticated yet. To authenticate it, click the keys icon near the EasySAM card.

Figure 23: Demo GUI: Mifare™ detected

When the authentication has completed successfully, the lock symbol and the keys icon disappear. Instead, a button for initiating secure read commands appears. To issue a secure read, click this button.
Figure 24: Demo GUI: Mifare™ authenticated

The figure below shows the Mifare™ compatible system after a successful secure read command. The secure content on the card is now shown in read. To write new secure content to the card, an input field and a secure write button are provided. The new content has to be entered in the text field. The allowed length is checked and cannot be exceeded. Clicking the secure write button writes the new content to the card.
Figure 25: Demo GUI: Secure read done
Figure 26: Demo GUI: Secure write done

The newly written content can be verified by re-reading the content on the card. This is done simply by clicking the read button again.

Figure 27: Demo GUI: Re-read after secure write
5) References

1. MSP430x2370, MSP430x2370 Mixed Signal Microcontroller Data Sheet (SLAS518E)
2. MSP430x2xx Family User's Guide (SLAU144E)
3. TRF7970A (http://www.ti.com/lit/ds/symlink/trf7970a.pdf, SLOS743B)