Since 2014, all smartphone manufacturers have been offering near-field communication (NFC) connectivity; NFC standards use electromagnetic properties of radiofrequency across very short distances of no more than a few inches.
“NFC” refers to several technologies using electromagnetic fields allowing data transfer between two peripheral devices set close to one another. Known since the Second World War, radiofrequency identification (RFID) is a contactless communication system using electromagnetic fields to send messages for identification and automated traceability purposes thanks to tags linked to objects. Tags contain electronically stored data. Some tags are powered through electromagnetic induction from magnetic fields created when brought into proximity with an RFID reader/encoder. Passive tags act as a passive transponder, powered by the electromagnetic radio waves sent by the peripheral device initiating communication (reader).
NFC technology could offer a general purpose connection to any other wireless communication system (Bluetooth®, Wi-Fi, GPRS, 4G, Li-Fi, etc.) and allow device pairing with a simple tap (“TAP and PLAY” paradigm). This chapter focuses on the ecosystem in which NFC standards are implemented, its background and its standards.
Mobiquity is not a mere portmanteau word, suggested by Xavier Dalloz in the beginning of the 1990s, with Internet access in mobile phones (during the failure of WAP especially due to a lack of contents and services). Today, it has become a cross-concept between the real and the virtual world, full of new content and services, creating a convergence between MOBility of the cellular phone, which became a computer per se (Smartphone) and the ubiQUITY of the Internet, now “n.0”, local (Local Wide Web) and marked by its extensive distribution, being in everybody’s pockets today. This concept of mobiquity, which matches that of ATAWAD (“Any Time, AnyWhere, Any Device” or “Any Content”), is promising in terms of its innovation and multidisciplinary in research on content, services, architectures and methods.
A new ecosystem developed endogenously: information consumers (target customers) have become information providers – via websites and mobile apps (because of the Internet) for media sharing (pictures, videos on social networks), alternative press (e.g. Agoravox and Alterinfo), free encyclopedia (Wikipedia), open augmented reality (Wikitude), etc. – thus making professionals, who were once suppliers, consumers and information managers; new business models arise, generating a considerable load of raw information involving new real-time predictive processing (big data).
We have entered a new era in which usage arises from individual, associative or participative practice (social networks, communaction), and no longer from pre-existing models managed by lobbyists. An adaptive “bottom-up” approach tends to take over the traditional “top-down” approach of multimedia technologies market and digital and telecom services in any environment (business, tourism, transportation, healthcare, education, etc.).
NFC is a close contact-free communication mode (through “touch”), which extends connectivity and allows for the emergence of new usages while keeping the principle of prior consent (recommended by the French Commission on Computer Sciences and Freedoms (Commission Nationale de l'Informatique et des Libertés)1), since the user is asked to confirm his/her will of interaction (without intrusion) and must make an explicit gesture.
Since the NFC-enabled smartphone has the capacity to read NFC tags but also to act as an NFC tag (or NFC smartcard), information can be distributed across tags, mobile phones or servers driving to very different business models around a strategic question: who will control the information coming from the user’s interactions with his/her mobile phone? Mobile network operators (MNOs), Internet providers, banks, cities, service providers, mobile phones manufacturers, tag managers?
In 2015, there were as many mobile phone subscriptions as individuals on the planet, with 7.3 billion connected mobile devices, around half of which are smartphones2 (only half of this population has a bank account). Almost every individual on the planet has (or will have) a communication terminal, with very fast data processing, in his pocket. This means that around 3 billion people have a mobile phone, but no bank account. Half the planet owns a smartphone, among which 64% will be NFC enabled in 20183, thus creating new opportunities of Internet services with added value: a banker, a guide, a tutor, a doctor, a counselor in our pocket. This prospect leads the way to unlimited creativity in terms of content, services and practices in the private, public and professional spheres the mobile phone crosses.
The era of the mobile Internet is only starting, the era of the Internet between objects and individuals, symbiont (J. de Rosnay), suppression of space-time (Michel Serres), creative destruction (Schumpeter), and mobiquity, which will be very productive in terms of innovations and research in all economic sectors: teaching, tourism, culture, mobile commerce, mobile payment (international fund transfer, virtual money, etc.).
The three key factors to the success of a new technological ecosystem are as follows:
A genuine engineering of mobiquitous services and applications was set up like illustrated by Apple’s AppStore concept or Google’s Market/Play Store (since 2013, more than 100 billion mobile applications are being downloaded in the world every year, according to Gartner Goup4).
Mobiquity is based on several technological concepts as follows:
With NFC standards, any object can become “communicating” (and thus alive). Whether they are on the market, or developing, there is already a wide range of NFC-enabled devices and wearables: smart watches, bracelets, glasses, clothes or directly on our body. Smart devices increasingly become part of our daily life; parking meters, NFC mailboxes, fridges analyzing its users’ habits and forwarding the information to a smartphone (power consumption, temperature, door opening, etc.); connected oven able to pair with an NFC-enabled smartphone to suggest cooking recipes to the user and automatically set up a cooking function. NFC and its three operating modes (see section 1.3.2) in tag reader/writer, (smart) card emulation and peer-to-peer (P2P) represent a source of innovation for objects that have become “smart” because, specifically, of the smartphone’s connectivity.
NFC-enabled “objects” can be divided into two categories:
A basic NFC device is made up of at least of an antenna coupled to a modulator-demodulator that converts electromagnetic signals into digital data (and vice versa); in an NFC tag, a chip has very low memory capacity (~1 kb), whereas for a more complex peripheral device, an NFC controller enables the NFC chip to interface with the host device’s operating system.
NFC tags can be of any kind and form: stickers, key rings, bracelets, etc. They offer the same functionalities as a QR code, but they do not require more than a simple “tap” with no user intervention, unlike QR codes that require the user to launch the right application to read it. NFC tags are the link between the real and the virtual world; they can also be used to activate or deactivate functions (alarms, devices, digital processing) and any other event triggered by a simple “tap” using a smartphone.
Figure 1.2 shows a (passive) NFC tag, here a transparent sticker, which belongs to the NTAG’s family produced by NXP.
Identification is a specificity inherent to NFC tags with an unmodifiable universal unique identifier (UID) attributed to them when manufactured. In this way, with no additional data needed, a connected object can simply be uniquely identified because of the UID of the NFC tag it is coupled to, whether the tag is stuck or embedded in this object. A “terminal” application connected to an NFC reader or executed in an NFC-enabled mobile device (in reader mode) can thus read the object’s UID depending on the use case of the application:
The smart card is a more sophisticated type of tag with a sometimes hybrid communication interface (dual interface) providing both a traditional contact interface and an NFC interface enabling communication with services embedded in the smart card.
The contactless NFC smartcard is used as a payment card (in 2014, 600 million NFC payment cards were sold in the world9), as a transportation ticket as well as means of identification and authentication of the cardholder, for example for access control. The SIM card is the most widespread type (similar to a smart card, but smaller): there are as many active SIM cards as there are inhabitants in the world, and this is due to the fact that some users have more than one SIM card.
Embedded in an NFC-enabled mobile (smartphone, tablet), the smart card acts as a secure element (SE) in order to safely host services and confidential data. This configuration shows the advantage of extending services based on smart cards to smartphones’ advanced technologies (graphical user touch sensitive interface, audio, camera, embedded sensors, GPS, etc.) and, mostly, its web connectivity offers friendly user interfaces and improves services with new functionalities.
Enforced security is a broad field covering many aspects such as protection of privacy, access control, protection against viruses and hacking, integrity and data non-repudiation in the digital world.
Authentication is used to validate user identity. It can be attested through different, possibly combined factors (multi-factor authentication). For example, they can be based on:
Permission/authorization consists of checking that the (authenticated) entity wishing to access a resource is permitted to do so. Permission management is done on an individual level or by a group of entities (permissions or restrictions can be defined according to roles).
Confidentiality is the guarantee that neither authentication data nor shared resources can be intercepted. Data encryption (cryptography) is the most widespread technique to preserve confidentiality.
Data integrity consists of making sure that resources do not experience any alteration, during data storage nor during the access to where they must be fully retrieved, with the same precision, but mostly by attesting their authenticity and their validity.
The public key infrastructure (PKI) standard is a method for cryptographic key management based on the principle of private key/public key:
In this way, a PKI-based system secures the provenance of the message (only encrypted messages with a private key can be decrypted with the public key) and confidentiality (only the owner of the public key can decrypt the encrypted message with the private key).
The main characteristics of PKI are based on software and hardware security:
In this way, smart cards are ideally suitable for identification and authentication purposes; among other things, they store an encrypted digital certificate in order to authenticate for a service. The most widely used cryptographic algorithms are triple Data Encryption Standard (3DES) with private and shared keys (in symmetrical reader mode) and the RSA standard10 with the distribution of a public key (in an asymmetrical mode). Keys can be loaded or generated on the smart card at the customization stage.
Europary MasterCard Visa (EMV) cards, chip-based debit–credit cards, as well as payment terminals and ATMs allowing the use of bank cards are widely deployed to attest the cardholder’s authentication. This is one of the reasons why smart cards are prime targets of security attacks. Smart card attacks go from physical intrusion of electronics (with a ionic probe, a microscope, a chemical attack or a laser, etc.), which lead to the destruction of the smart card, to semi-invasive attacks (with an oscilloscope) and non-invasive attacks (programmatically), which exploit weaknesses in the card’s hardware and software. Smart card manufacturers and security standards have developed simultaneously with attacks in order to incorporate countermeasures guaranteeing a maximum security and immunity during the card’s lifecycle; this is why it is important to only deploy recent smart card models whose technology incorporates full countermeasures to known attacks.
The most sophisticated smart cards are conceived with materials, which especially are dedicated to cryptography and encryption algorithm such as RSA and public key digital signature algorithms based on elliptic curve cryptography, used in asymmetrical operations for key exchanges on a non-secure channel or for asymmetrical encryption. The key pairs are generated inside the smart card in order to remove all risk of revelation of the private key, which is not distributed and thus remains unknown.
A method of enforcement of digital access control that requires more than one typical authentication factor. They can be login credentials (login, password) and a one-time-use code randomly generated by the system and whose validity is limited in time. The one-time-use code is sent in real-time to the user through another communication channel, for example the sending of an authorization code by SMS is a wide spread example of the two-factor authentication (2FA) used in secure online payment transactions: the user authenticates to the bank interface on the web with his/her login and password and validates the purchase, then the bank system sends a verification code by SMS on the mobile phone of the user and the user must input this received verification code in the Web interface to complete the transaction. The payment is validated only after the check of the 2FA.
Usually, the multi-factors authentication is based on two complementary principles:
Isolated communication channel enables to establish a private network channel between two programs (i.e. VPN/specific point-to-point socket connection). Setting up a secure communication channel requires prior authentication and identification; the protocol must ensure privacy and integrity (encryption/decryption, state). An isolated communication channel can be secure or not, and a secure communication can be isolated or not.
NFC smartphones answer five dimensions in a mobiquitous information system (the five “W”: who, where, when, whereabouts and what): holder’s identity (with his habits, his preferences), space and time (“here and now”, when he/she taps), goal to reach by tapping (information, transaction?) and result obtained (information, voucher, transaction, appointment, etc.).
The first NFC-enabled mobile phone was launched on the market in 2006 by Nokia: the Nokia 6131 NFC was delivered with an embedded SE (or eSE), for a default use of services (e.g. MasterCard, Visa©, SNCF) available on a service platform.
Today, all major smartphone manufacturers propose NFC-enabled mobile devices: Google first launched the first NFC smartphone in 2010 (Nexus S) with a primary strategy on mobile payment launched in May 2011 in New York. Since then, Samsung, Apple, then LG followed Google, offering their own contactless, mobile m-payment platforms, competing with the universal SIM card as an SE controlled by the MNO.
With or without SE, the NFC smartphone can act as an NFC tag (or a contactless smart card), but it can also act as NFC reader in order to read (or write) the content of tags, or even act as payment terminal, which might as well revolutionize secure transactions; so far, this field was for proprietary systems only, owned and controlled by professionals.
The NFC reader can read and write content on tags depending on formats determined by the NFC standard (see section 1.3). With or without a keypad and a screen, NFC readers are accessed by a program that allows reading/writing or communication with another NFC device (for example a tag or a smartphone) depending on the reader’s standards compliance.
Whether it be through infrared, Wi-Fi, Bluetooth® or NFC, we live in the times of “machine-to-machine” and connected objects: connected infrastructures equipped with sensors (pollution, humidity, light, temperature, motion, traffic jam, etc.), automated triggering (alarms, signals, urban lightening, public garden watering, etc.), electronic autodiagnostic, automatic detection of accidents and troubleshooting, etc.
NFC finds practical applications in eco-citizen life, for example in multimodality, which aims at offering all possible transportation solutions, possible connections from point A to point B: mobile applications allow us to locate, book and pay for ecological means of transportation (vélibs/blue bikes, electric vehicles, car share or public transportation), while calculating their availability and based on journey time, schedules, etc.
NFC is a universal connector with which any space can become a smart place: storing real-time medical data in a healthcare platform that would tell us when to go see a doctor, collecting statistics on power consumption directly on our mobile phone, benefiting from directions for use and being able to interact remotely, avoiding waste of time at a cash desk to pay for something.
All these concepts are in fashion, there are existing pilots and their emergence goes hand in hand with a mindset of sustainability. In this context, because of its low power consumption and its secure approach to communication, NFC will play a key role.
E-commerce was born with the emergence of the Internet and online commerce; this new consumption pattern boomed with the appearance of smartphones and tablets, opening the way to m-commerce (whether it be geolocated or not), and m-payment has become a habit. Today, with technology we can select a product, wherever we are (at home, in the office or outside, alone or with others), whenever, whether it be day or night.
M-payment opened the way to dematerializing traditional means of payment (cash, cheque, bank cards): already globally tested out, the use of NFC standards seems to be the most appropriate technology to compete with bank cards (as a logical addition to blockchain transactions and cryptocurrencies).
The stakes are high since NFC could disrupt an established ecosystem and initiate a transition between banking monopoly toward new actors (MNOs, Google, Apple, Samsung) and the opening to private individuals with online banking management (money transfer from private bank accounts to third party accounts), then from our mobile phones (“bottom-up” approach in which the final user takes control vs. “top-down” approach where the bank service provider manages and controls everything).
The concept of virtual currency can also apply to unbanked populations: according to a 2012 World Bank study conducted on financial inclusion, 2.5 billion adults on the planet (almost half of the world population) have no bank account (among them, 70% have a mobile phone). This is a huge field for potential dynamization from which mobiquitous projects emerged on crowd funding or microfinance, whose exchange currency is not necessarily financial (for example livestock exchange and seed trade).
Outside of standards, no salvation for developers!
Standardization meets a common need in a multi-actors ecosystem in order to ease interoperability, durable applications development and promote the deployment of new technologies and their usages.
NFC standards are inherently tied to telecoms and smartphones, on the one hand, due to the fact that its use cases are ideally adapted to mobile use, and, on the other hand, because of the most commonly used smart card, globally deployed in all mobile phones: the SIM card.
In 200212, Philips (called NXP in 2006) and Sony invented the NFC technology and standard based upon their know-how of wireless chips (FeliCa for Sony and MIFARE). At that time, Nokia joined Philips and Sony to create the NFC Forum in 2004 (www.nfcforum.org).
NFC is one of the 16 RFID ISO standards, classified according to their frequency range: low frequency (<135 kHz), high frequency (including NFC at 13.56 MHz), ultrahigh frequency (433 MHz) and microwaves (2.45 and 5.8 GHz).
NFC standards can be used within smart cards as well as mobile devices. Encounters of the most popular hardware device (mobile phone) with the most widespread communication platforms (the Internet) and the most recent wireless short-range standard (NFC) gave birth to a new paradigm of services in public transports, mobile payment, marketing, geolocation, contextual information retrieval, social networks, teaching, digital content delivery and sharing, while rethinking physical world interactions. Use cases of contactless applications and services with NFC are unlimited.
In this way, NFC is a half or full-duplex, short-range wireless communication technology (<10 cm) based on RFID and unlicensed 13.56 MHz radiofrequency. NFC standards are recognized by ISO/IEC and ETSI and gathers several norms such as ISO/IEC 18092, ISO/IEC 14443 and ECMA (ECMA-340).
NFC allows two communication modes based on RFID inductive coupling:
Contactless communication consists of modulating and demodulating binary data (bits of value 0 or 1) in a signal (analog signal) by sending a wave (electromagnetic) called a “carrier wave”: through the creation of a variation in amplitude, phase and frequency, the signal is digitally transposed when received.
In its initial specification, the NFC standard gathers three types of codings:
NOTE.– The NFC forum is studying a new specification through which the standard (Tag Type 5) would be compliant with the vicinity cards signaling (standard ISO/IEC 15693) in the short range required by NFC.
The transition (shift from 1 to 0 bit) occurs because of a shift in the amplitude of the signal: the amplitude is lowered or null.
With each transition, the signal’s amplitude is reversed, thus creating a phase jump.
Demodulation is a data extraction process that consists of converting an analog source into binary encoding.
NRZ is the simplest coding. A positive tension represents the data bit of value 1, whereas a negative tension represents the bit of value 0.
It is a transition coding (not a level coding): a rising edge transition represents a bit of value 0. A falling edge transition corresponds to a bit of value 1.
The Miller coding scheme is based on the Manchester coding scheme from which every other transition is discarded: for a bit of value 1, a transition is placed at the midpoint of a bit interval, unless it is followed by a bit of value 0, in which case a transition is placed at the end of the bit interval.
NFC-enabled devices can support three operating modes, as illustrated in Figure 1.10:
NOTE.– These three complementary operating modes of NFC standard are exclusive to one another.
NFC modes are based upon the ISO/IEC 18092 NFC IP-1, JIS X 6319-4 and ISO/IEC 14443 contactless smart card standards (referred to as NFC-A, NFC-B and NFC-F in NFC forum specifications).
As illustrated in Figure 1.11, the read/write mode of NFC enables NFC devices to read and write information stored on passive NFC tags consisting of an antenna and an integrated circuitry. Power is supplied by inductive coupling from the NFC device initiator of the communication when it is brought into the proximity of the NFC passive tag.
Information stored on the NFC tag should comply with the record type definition (RTD) standard specified by NFC forum or be a proprietary format (see section 1.3.3.3.2).
Different types of NFC tags are described by the standard (see section 1.3.3.3.1): in the NFC tag, data are stored in NFC data exchange format (NDEF) messages (see section 1.3.3.2) that include type, type format, ID and byte array. For example it is possible to write download links/URLs into the NFC tag, which can store several records. A mere reference can also enable the device to recollect linked data from a remote server, for example using dedicated web service.
The NFC-enabled device can, with prior end user acceptance or automatically, launch the appropriate application to access the linked content (for example text, media picture/audio/video, web page) or trigger an electrical action (for example switch-on the light), a mechanical or olfactory action.
NFC card emulation mode enables NFC devices to act like smart cards, allowing users to perform transactions such as mobile payment, ticketing and transit access control with just a tap. In this mode, the contactless layer and RF fields act as a transport for smart card standard (ISO/IEC 7816), as illustrated in Figure 1.12.
In card emulation mode, NFC devices communicate with an external contactless reader: the NFC card emulation mode allows the handling of already existing protocols on top of NFC stacks with no change in infrastructure (see Figure 1.12). For NFC payment applications, this NFC card emulation mode is based upon the EMV standard and PIN card specifications.
NFC card emulation mode involves a tamper-resistant hardware component called “secure element”. The SE is a multiservice chip with its own microprocessor (CPU) and a crypto-processor, its own operating system (JavaCard™) as well as volatile and non-volatile, including Erasable Programmable Read Only Memory (EPROM) with a storage capacity up to 6 Gb, input/output interface to receive messages and send responses and one or several (for example contact/RFID hybrid card) power supply interfaces. It can either be a standalone (contact or contactless) smart card or a component of a host device (e.g. a smartphone or a tablet) with, in that case, three possible SE configurations, as illustrated in Figure 1.13:
The SE could be accessed remotely in the Cloud, and/or emulated by a background service that behaves like a (hardware) SE. This mode, which is not hardware based, is called the host-based card emulation (HCE) mode.
The SE is mainly intended to securely store confidential data (e.g. account data, identification, user credential, encryption/decryption keys). Processes running into the SE (outside the main OS of the host device) are commonly called Applets (inheritance from JavaCard™), Cardlet or Servlet; the application that allows the user to manage a set of virtual cards and services digitalized into the SE is called a Wallet.
SE-related standards are centralized by GlobalPlatform (www.globalplatform.org), the international cross-industry standardization organization adopted as global reference by MNOs with the GSM Alliance (GSMA) and European Telecommunications Standards Institute, as well as banking institutions (e.g. EMV) and other standardization bodies, including the NFC forum.
NFC P2P mode enables two NFC-enabled devices to exchange information and share content. NFC P2P mode can be used to pair another NFC device (e.g. computer, speaker, headphones, TV) and boostrap a secondary high-speed connection like Bluetooth® or Wi-Fi (e.g. by exchanging setup parameters). In this case, NFC is used to negotiate a second communication channel and transfer authentication data for the secondary protocol. The file or data (e.g. media file: pictures, videos or audio files) is then sent over the high bandwidth protocol. Two standardized operating modes (either passive or active role) exist (see Table 1.1):
These standards are shown in section 1.3.3.
Table 1.1. NFC three standardized modes
NFC mode | Active | Passive |
Active | P2P | Card emulation |
Passive | R/W | – |
The NFC Forum was founded in 2004 by Philips Semiconductors (then NXP) and Nokia, the inventors of NFC, and then joined by Sony. It is a non-profit industry association whose objective is to develop and promote NFC technology. NFC forum specifications are based upon the ISO/IEC 14443 standard, which slightly differs from ISO/IEC 18092 standard in terms of RF layers and NFC P2P mode which was addressed by the NFC forum in 2011 (see Figure 1.14).
NOTE.– The use of “N-mark” (see Figure 1.15.) shows compliance with NFC forum specifications. Signing the license agreement for brand use is required in order to acquire N-mark.
NFC forum application documents provide guidance on how to take advantage of contactless NFC technology in specific targeted scenarios. For example, in the application documents (i.e. for NFC) provided by the NFC forum, we can find guidance on how to use NFC for secure Bluetooth® pairing: this application document describes the interactions between Bluetooth® and NFC technologies. It provides examples of both protocol implementation and data transfer for the most appropriate use cases of these two technologies. Developers will find useful guides for their own work. The document was expanded (in June 2014) to the Bluetooth low energy technology, a version of Bluetooth technology that offers reduced power consumption (NFC forum, “Bluetooth Secure Simple Pairing Using NFC Application Document”, 2011).
In this way, when used with NFC forum specifications, these tools can help achieve full interoperability across technologies: technical documentation and tools suggested by the NFC forum offer guidance on best practices and NFC implementation solutions (free of charge for NFC forum members, charged for non-members), as listed below:
NOTE.– NFCIP-2 (ISO/IEC 21484) is the specification for the selection mechanism between different contactless technologies that operates on the same frequency at 13.56 MHz. It supports communication according to ISO/IEC 18092, ISO/IEC 14443. This specification is also compatible with other contactless technologies like Vicinity cards (ISO/IEC 15693) that is also known as NFC-V, currently reviewed by NFC forum (i.e. in order to offer a specification including vicinity compliance with NFC standard).
A standard specification document explicitly describes a set of requirements of technical criteria, methods and processes. In systems and software engineering, it is intended to establish a guidance for the development and the implementation of the system (software or hardware) describing for example what must/may/shall or not be done and how. Each provider can develop their own specification implementation.
NOTE.– The NFC forum proposes a certification program for the providers who want to have their products certified and ensure they are compliant with NFC forum specifications. NFC forum specifications are related to communication protocols and application (messaging) layers of the OSI model including the tag types.
NFC LLCP protocol based on Open Systems Interconnection (OSI) message authentication code layer-2 of IEEE 802.2 standard (see Figure 1.17), ISO/IEC 18092 and ISO/IEC 14443 supporting P2P between two NFC-enabled devices for bidirectional communication. It is used on the top of NFCIP-1.
LLCP protocol specification describes the format of protocol data unit (PDU) exchange structures made up of header and payload (see Figure 1.18):
NDEF defines the data format structure of an NFC message to be read or encoded in a tag. NDEF messages have a header and one or several NDEF records with a header for each of them.
As illustrated in Figure 1.20, the first bytes are used by the header:
NFC tags’ content and capacity differ according to their characteristics, from tags locking and unlocking write capabilities, storing one or several messages linked to Internet content, to more complex tags like smart cards capable of embedding data as well as applications.
Four NFC tag types (see Table 1.3) are defined according to compliance with various standards and protocols.
In Table 1.4, a level of protocol in the activation phase of communication and data exchange differentiates the tag types.
Type 1–4 tags are all based on existing contactless products:
Record types used by NFC forum application and third parties are based on the NDEF data format described in section 1.3.3.2. Five specific RTDs are defined (see Table 1.2): Text, URI, Smart Poster, Generic Control and Signature.
NFC forum connection handover was determined in 2010 to enable a static and dynamic one-touch setup of NFC with high-speed communication technologies, such as Wi-Fi setup or Bluetooth® pairing.
NFC forum also has a standard for communication with peripheral devices dedicated to healthcare technologies (NFC Forum Personal Health Device Communication) and based on ISO/IEC/IEEE 11073-20601 standard (Health informatics).
Based on “Visa© OpenPlatform” standards in the hands of the OpenPlatform consortium, become GlobalPlatform (GP) in 1999, GP was created to meet the interoperability needs emerging from the globalization of payment transactions via smart cards; its main objectives were to promote the security, development platforms and management of the deployment of smart cards and SEs standardization.
GP acts upon interoperability for actors of the NFC ecosystem in card emulation mode, and especially upon SE management. It issues specifications and instructions on the ecosystem, especially security rules, protocols, architectures and card interfaces (card specifications20), devices (device specifications21) and systems (systems specifications22); GP defines use case scenarios, design patterns, frameworks and APIs in order to ease SE services implementation (some resources have limited access: free for members and charged for non-members).
Specifications of this section address architecture, interactions, interfaces and smart card security, regardless of the underlying technologies (i.e. regardless of the manufacturer or the card OS). Resources in the card section more specifically address smart cards issuers (aiming at hosting third party applications).
Figure 1.21 shows hosted services in a dedicated secure execution environment, security domain (SD) including GP standard-compliant API layer for key management, encryption/decryption, signature and access control, support of application portability between GP-compliant cards. We can note the SD intended for the card provider, just like another one dedicated to controlling authority (for keys and certificates management). “OPEN” API provides standardized functions for the interfacing and the lifecycle management of GP-compliant services, including a framework for secure interapplications communication.
OPEN supports the following management functions:
Specifications thoroughly describe state transitions of the lifecycle, APDU instructions for the management of card content and recommendations for secure communication channel setup (PKI, authentication modes, encryption and decryption, session setup, etc.).
The device resources section is dedicated to original equipment manufacturers and more specifically for mobile environments. Specifications are also for developers who interface with peripherals mentioned in this section.
This section addresses two environments:
TEE includes secure storage in which functions are executed in an isolated area of the memory space from the OS (separated by firewalls); communication with devices (for example screen, SIM card or SE) uses secure channels, thus securing coding instructions privacy and so-called “trusted” application data.
Applications and tools recommended by GP are related to the architecture, access control and communication interfaces of local (i.e. from the host device) or remote (i.e. from an external server) client applications. For example, Figure 1.22 shows how an administration session request is triggered on the remote admin server demand toward an Admin Agent application in the mobile device; then, the mobile sets up a secure HTTPS connection (requiring authentication) with the server to collect APDU instructions to be transmitted to the SE.
This section is devoted for every stakeholder who designs and implements administration systems as well as management systems for smart cards and their content: these specifications define the role and responsibilities of each actors of the ecosystem in a secure infrastructure of multiple application cards’ environment and describe message exchange format, protocols and interfaces.
Specifications include a mediator platform called trusted service manager (TSM). The TSM provides a standardized API that allows providers of NFC services hosted in an SE to interface with the management systems of the SE issuers (SEIs) or the MNOs that are handling end-user’s subscriptions. GP describes the SOAP secure web services into XML files (WSDL and XSD) intended for the lifecycle management (and audit) of remote applications like (among others):
Figure 1.23 illustrates the SE content management triggered by an “Actor B” (for example on behalf of the service provider, i.e. TSM) authorized by an “Actor A” controlling the SE (the SEI or the MNO) according to three delegation modes:
The GP messaging (GPM) system is the standard interface for the remote management of the service lifecycle by the TSM as shown in Figure 1.24. The figure illustrates an example of deployment notification (and function calls) triggered by the TSM to the SE provider as well as to the MNO; then, each can update the service state and proceed appropriate actions. For each actor of this ecosystem, GPM thoroughly describes the end-to-end use cases in the three modes of the SE service management, for each step and events of the lifecycle.
SIMAlliance is a non-profit organization involved in mobile device technologies and especially in SIM cards. SIMAlliance aims at easing secure mobile services development and management and simplifying hardware-based device security. Members of the organization are actors of digital security, smart card and mobile services such as Gemalto, Oberthus, Giesecke & Devrient (G&D), Incard and Morpho (Safran).
SIMAlliance gives specifications of its Open Mobile API (OMAPI)27 standard for mobile applications: OMAPI defines a reader-like interfacing (i.e. smart card reader) with the SE regardless of the configuration (i.e. SIM-SE, eSE or MicroSD); OMAPI was adopted as a standard by GP and the API was adapted in order to be compliant with ETSI and GSMA specifications. EMVco also commissioned SIMAlliance to adapt API to contactless transaction payment (NFC Tagify, February 201628).