DESFire EV2 has finally arrived and brings with it a whole host of new features, many of which could finally deliver the secure multi-application smart card solution that has been sought since smart cards first hit the scene twenty-odd years ago. More about that later.

For those who don’t already know, NXP’s DESFire chip was introduced in 2002 with more hardware and software security features than the already established MIFARE Classic, and with its own operating system offering a simple directory structure, flexible application space and multiple files. In 2008, NXP released the next evolution of the product, the EV1, which brought better encryption, namely AES, along with other improved security features such as random ID. The EV1 has become a mainstay product for many applications such as public transport, access management and identification documents.

So what new features does EV2 bring to wow us? The answer is an unsurprising, "lots!" I’ve counted at least ten key features as I’ve read my way through the documentation. But which are the ones that I think are the most important or useful? Here’s my summary of the EV2’s headline features:

BETTER RANGE

This can only be good news to manufacturers of terminals, which previously faced read issues due to the power requirement of the original DESFire (and EV1) and the short read ranges that resulted. The consequence was that the reader often had to be mounted on top of the device rather than internally, where it is both more secure and more aesthetically pleasing. With EV2’s lower power requirement, the read range is much improved and will allow these manufacturers to place the reader securely within their devices. Users will also benefit, as the read of the chip will happen much more smoothly and quickly, which means less time spent placing (and re-placing) the card onto the reader. If you’ve ever used the London Underground at rush hour you’ll know how it feels when your card doesn’t read immediately. The looks you get from other commuters whom you may have delayed by an extra two seconds can be quite powerful!

ROLLING KEY SETS

Historically, should a key in a system become compromised, all the cards (and possibly readers) would need to be replaced in order to re-secure the system, something that takes time and money to achieve. With the use of rolling key sets, the DESFire EV2 eliminates that need. Should a key become compromised, a simple command sent via the readers makes the chip switch to a different set of keys for the application, instantly securing the system again. This can happen during normal use, which may mean the user is completely unaware of the change. Up to 16 key sets per application can be set up. Compromised key sets can also be re-programmed, again during normal use, so that once the highest key set has been reached it can simply be rolled back around to key set 1 again. The keys, of course, can be AES, which is very secure and widely recommended by governments worldwide.
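To show what rolling key sets buy a defender, here is a small model of the feature written for this article. It is not NXP's command set or code: it assumes one application holding up to 16 key sets of 16 bytes, a reader that authenticates with an HMAC-SHA256 challenge/response against whichever set is active, and a roll command that advances the active set and wraps from set 16 back to set 1. The point it demonstrates is that a leaked key set stops working the moment the application rolls, and that the leaked slot can be re-keyed while another set is live, with no card reissue.

```python
import hashlib
import hmac
import secrets

KEY_SETS_PER_APP = 16  # the article's figure: up to 16 key sets per application


class Application:
    """Illustrative model of one on-card application holding several key sets.

    Assumed model, not NXP's implementation: key sets are numbered 1..16 and
    authentication is an HMAC-SHA256 challenge/response against the active set.
    """

    def __init__(self, key_sets):
        if not 1 <= len(key_sets) <= KEY_SETS_PER_APP:
            raise ValueError("an application holds between 1 and 16 key sets")
        self.key_sets = list(key_sets)  # index 0 holds key set 1
        self.active = 0                 # index of the key set currently in use

    def active_set_number(self):
        return self.active + 1

    def roll(self):
        """Switch to the next key set; from the last set this wraps back to set 1."""
        self.active = (self.active + 1) % len(self.key_sets)
        return self.active_set_number()

    def reprogram(self, set_number, new_key):
        """Overwrite a (compromised) key set in place without changing the active set."""
        self.key_sets[set_number - 1] = new_key

    def authenticate(self, reader_key, challenge):
        """Accept the reader only if its key matches the currently active key set."""
        expected = hmac.new(self.key_sets[self.active], challenge, hashlib.sha256).digest()
        offered = hmac.new(reader_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, offered)


def scenario():
    """Walk through a compromise: roll away from key set 1, then re-key it."""
    keys = [secrets.token_bytes(16) for _ in range(KEY_SETS_PER_APP)]
    app = Application(keys)
    challenge = secrets.token_bytes(16)
    out = {}

    out["set1_before_roll"] = app.authenticate(keys[0], challenge)
    app.roll()  # key set 1 has leaked: one command moves the application to set 2
    out["set1_after_roll"] = app.authenticate(keys[0], challenge)
    out["set2_after_roll"] = app.authenticate(keys[1], challenge)

    fresh_key = secrets.token_bytes(16)
    app.reprogram(1, fresh_key)  # re-key the leaked slot while set 2 is live
    for _ in range(KEY_SETS_PER_APP - 1):
        app.roll()               # keep rolling until we wrap around to set 1 again
    out["active_after_wrap"] = app.active_set_number()
    out["old_set1_after_wrap"] = app.authenticate(keys[0], challenge)
    out["new_set1_after_wrap"] = app.authenticate(fresh_key, challenge)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Readers in a real deployment would be told which key set is active out of band (or learn it from the card), so the roll itself is the only change that has to reach the field; the model keeps that detail out to stay short.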

PROXIMITY CHECKING

With the risk of “man in the middle” or “remote relay” attacks, it’s important to know whether the device you are communicating with is actually in front of the reader. This matters in order to protect users from fraud. The DESFire EV2 has a checking system that can be used to make sure the card is in direct communication with the reading device, by checking that it is within a certain distance. This is something a lot of contactless credit cards don’t even have yet.
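The principle behind a proximity check of this kind is that a relayed conversation takes measurably longer than a direct one. The following simulation is an added illustration of that principle, not NXP's protocol: it assumes the reader sends a fresh random challenge, the card answers with a keyed MAC over it, and the reader rejects any answer that is either not authentic or arrives later than an assumed time bound. Latencies are constructed values fed to a simulated clock, so the example runs deterministically offline.

```python
import hashlib
import hmac
import secrets

# Assumed reader policy (microseconds): a card in the field answers well inside
# this bound; a relay chain (card -> phone -> network -> phone -> reader) cannot.
MAX_ROUND_TRIP_US = 1500


class Card:
    """Card side: answers a challenge with a keyed MAC after a fixed processing time."""

    def __init__(self, key, processing_us):
        self.key = key
        self.processing_us = processing_us

    def respond(self, challenge):
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        return mac, self.processing_us


class Link:
    """Channel between reader and card; the simulated clock adds one-way latency each way."""

    def __init__(self, card, one_way_us):
        self.card = card
        self.one_way_us = one_way_us

    def exchange(self, challenge):
        response, processing_us = self.card.respond(challenge)
        elapsed_us = self.one_way_us + processing_us + self.one_way_us
        return response, elapsed_us


def proximity_check(link, key):
    """Reader side: the answer must be authentic AND arrive within the time bound."""
    challenge = secrets.token_bytes(8)  # fresh per check, so a recorded answer is useless
    response, elapsed_us = link.exchange(challenge)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()[:8]
    authentic = hmac.compare_digest(expected, response)
    in_range = elapsed_us <= MAX_ROUND_TRIP_US
    return {"authentic": authentic, "elapsed_us": elapsed_us, "accepted": authentic and in_range}


def scenario():
    """Three constructed cases: genuine card in the field, same card relayed, wrong key."""
    key = secrets.token_bytes(16)
    genuine = Card(key, processing_us=400)
    direct = Link(genuine, one_way_us=50)      # a few centimetres of air
    relayed = Link(genuine, one_way_us=3000)   # the same card reached over a mobile link
    clone = Link(Card(secrets.token_bytes(16), processing_us=400), one_way_us=50)
    return {
        "direct": proximity_check(direct, key),
        "relayed": proximity_check(relayed, key),
        "wrong_key": proximity_check(clone, key),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(case, result)
```

Note that the relayed case carries a perfectly valid MAC; it is only the timing that exposes it, which is why the check needs a bound derived from real card-in-field measurements rather than a generous default.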

SECURE MULTI-APPLICATION KEY MANAGEMENT

In the past, the problem with adding a new application to an existing card has been that the cards either had to be returned to have the new application installed, or the card issuer had to reveal the card master key to the application owners, thus risking the security of their own application. This is no longer a problem with DESFire EV2. The card issuer can, after agreement, issue a delegation key to the new application owner which allows them to install their app without knowing the master key. Even better, this can be done at user terminals, which means the cards do not have to be returned for “upgrading”. Tools are being made that would also allow users to add specified applications to the card via an Android NFC phone or tablet application.

Consider this scenario, taking the City of London (UK) as an example. Many commuters have an Oyster card which they use for public transport, run by Transport for London (TfL). Let’s say TfL launches a new Oyster+ card, using DESFire EV2, which they supply to one million Londoners. After eight months of the program, TfL does a deal with a fast food chain, for example Burger King (BK), that allows them to use some space on the card for a loyalty program offering free food as an incentive. All TfL would have to do is generate a delegated key allowing BK to install their application to the agreed space on the card and send it to BK. And that’s it, BK can then do the rest as if they are working with their own cards. The next time an Oyster+ card holder visits a BK outlet, their card can be read and the BK application installed is ready for immediate use. BK doesn't have the cost of purchasing cards and the user doesn’t have yet another piece to carry in their wallet or purse. The TfL application continues to work as before as its security has remained in place.
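The scenario above, modelled in code as an added example for this article. It is not NXP's delegated application management scheme and not TfL's or anyone's real code: it assumes the issuer derives a delegation key from the card master key and the agreed application identifier with HMAC-SHA256, the card recomputes that key itself because it also holds the master key, and an install request is accepted only when its tag was made with the delegation key for that exact slot. The application identifiers, application data and party names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def derive_delegation_key(master_key, aid):
    """Assumed construction: bind a delegation key to one application identifier.

    The property shown is the one the article describes: the key handed to the
    partner is not the card master key and only works for the agreed slot.
    """
    return hmac.new(master_key, b"delegated-app:" + aid, hashlib.sha256).digest()


class Card:
    def __init__(self, master_key):
        self._master_key = master_key  # known only to the card and the issuer
        self.applications = {}         # aid -> application data

    def install_delegated(self, aid, app_data, tag):
        """Accept an install only if the tag was made with the delegation key for this AID."""
        expected = hmac.new(derive_delegation_key(self._master_key, aid),
                            aid + app_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if aid in self.applications:
            return False               # an existing application is never overwritten
        self.applications[aid] = app_data
        return True


class Issuer:
    """The card issuer (TfL in the scenario) holds the master key."""

    def __init__(self):
        self._master_key = secrets.token_bytes(16)

    def personalise(self, aid, app_data):
        card = Card(self._master_key)
        card.applications[aid] = app_data
        return card

    def delegate(self, aid):
        return derive_delegation_key(self._master_key, aid)


class ApplicationOwner:
    """A partner (BK in the scenario) who only ever sees its delegation key."""

    def __init__(self, delegation_key):
        self.delegation_key = delegation_key

    def install(self, card, aid, app_data):
        tag = hmac.new(self.delegation_key, aid + app_data, hashlib.sha256).digest()
        return card.install_delegated(aid, app_data, tag)


TRANSPORT_AID = b"\x00\x00\x01"  # constructed identifiers
LOYALTY_AID = b"\x00\x00\x02"
OTHER_AID = b"\x00\x00\x03"


def scenario():
    tfl = Issuer()
    card = tfl.personalise(TRANSPORT_AID, b"oyster-plus-balance")
    bk = ApplicationOwner(tfl.delegate(LOYALTY_AID))  # the only secret TfL shares
    out = {}
    out["loyalty_installed"] = bk.install(card, LOYALTY_AID, b"bk-loyalty-points")
    out["other_slot_refused"] = bk.install(card, OTHER_AID, b"bk-loyalty-points")
    out["transport_not_overwritable"] = bk.install(card, TRANSPORT_AID, b"anything")
    out["transport_untouched"] = card.applications[TRANSPORT_AID] == b"oyster-plus-balance"
    out["delegation_key_is_not_master"] = bk.delegation_key != tfl._master_key
    out["apps"] = sorted(card.applications)
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The install happens at whatever terminal BK operates, because the card needs nothing from TfL at that moment; everything it needs to verify the request is already on the chip.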

DROP IN REPLACEMENT

If you are already using a DESFire EV1 product, I can’t see a reason not to use DESFire EV2. It is fully backwards compatible. This means that existing systems will continue to function with the new DESFire EV2 chips straight away - there’s no work to be done. If you want to start using the new features of EV2 at a later stage then that’s possible as well. It's even cost effective! It’s a no-brainer.

FINAL THOUGHTS

There are a lot of other new features I could list. However, these five are the ones that I feel are the most prominent and important. This is the third version of MIFARE DESFire and it looks to me to be the first one that could finally bring a multi-application smart card to fruition. It’s certainly not a product that should be overlooked if you are serious about security and privacy for your users.

Kevin Loveman - Technical Manager

For pricing or to get your hands on some samples, please contact Universal Smart Cards - 1-800-810-4959 (www.usmartcards.com)