P5CC081 Secure dual interface and contact PKI smart card controller

The CMOS14 SmartMX family members are a modular set of devices featuring:

The P5CD016/021/041/051 and P5Cx081 products provide improved SmartMX family performance with the following additional features:

CMOS14 SmartMX family properties

The long-established CMOS14 SmartMX family features a significantly enhanced secure smart card IC architecture. Extended instructions for Java and C code, linear addressing, high speed at low power and a universal memory management unit are among many other improvements added to the classic 80C51 core architecture. In the P5CD016/021/041/051 and P5Cx081 product family, NXP Semiconductors’ proven Secure_MX51 processor core has been further optimized over the existing version in 0.14 µm CMOS technology. Therefore, these products now offer improved CPU speed, leading to shorter overall transaction times. At the same time, the FameXE cryptography coprocessor has been optimized for even lower power operation, while keeping its performance at the same industry-leading level.

The long-established CMOS14 SmartMX family features a significantly enhanced secure smart card IC architecture. Extended instructions for Java and C code, linear addressing, high speed at low power and a universal memory management unit are among many other improvements added to the classic 80C51 core architecture. In the P5CD016/021/041/051 and P5Cx081 product family, NXP Semiconductors’ proven Secure_MX51 processor core has been further optimized over the existing version in 0.14 µm CMOS technology. Therefore, these products now offer improved CPU speed, leading to shorter overall transaction times. At the same time, the FameXE cryptography coprocessor has been optimized for even lower power operation, while keeping its performance at the same industry-leading level.

The availability of both contact interface and contactless or S²C interface enable the easy implementation of native or open platform and multi-application operating systems in market segments such as banking, E-passports, ID cards, Health cards, secure access, Java cards as well as Trusted Platform Modules (TPM).

The approved and modular FameXE architecture supports the trend of increasing RSA keys with faster execution speeds as well as Elliptic Curve Cryptography (ECC) based on GF(p) or GF(2n) at best performance. FameXE supports RSA with an operand length of up to 8-kbit (up to 4-kbit with intermediate storage in RAM only).

The now further reduced power-consumption FameXE PKI coprocessor supports 192-bit ECC key length that offers the same level of security as 2048-bit RSA. An ECC GF(2n) based signature, using a 163-bit key can be executed in less than 30 ms providing a security level comparable to 1024-bit RSA. The operand size for ECC, supported by FameXE, is only limited by the 2.5 KB size of the FXRAM. FameXE operates at up to 72 MHz, is easy to use and the flexible interface provides programmers with the freedom to implement their own cryptography solutions. A secure and CC EAL5+ certified crypto library providing a large range of required functions will be available for all devices in order to support customers in implementing public key-based solutions.

Triple-DES coprocessor

The DES widely used for symmetric encryption is supported by a dedicated, high performance, highly attack-resistant hardware coprocessor. Single DES and triple-DES, based on two or three DES keys, can be executed within less than 40 μs. Relevant standards (ISO/IEC, ANSI, FIPS) and Message Authentication Code (MAC) are fully supported. A secure crypto library element for DES is available.

AES coprocessor

SmartMX is the first smart card microcontroller platform to provide a dedicated high performance 128-bit parallel processing coprocessor to support secure AES. The implementation is based on FIPS197 as standardized by the National Institute for Standards and Technology (NIST), and supports key lengths of 128-bit, 192-bit, and 256-bit with performance levels comparable to DES. AES is the next generation for symmetric data encryption and recommended successor to DES providing significantly improved security level. A secure crypto library element for AES is available.

SmartMX interfaces

SmartMX contact interface

Operating in accordance with ISO/IEC 7816, the SmartMX contact interface is supported by a built-in Universal Asynchronous Receiver/Transmitter (UART), which enables data rates of up to 1 Mbit/s allowing for the automatic generation of all typical baud rates and supports transmission protocols T=0 and T=1. Up to two additional I/Os are available.

SmartMX contactless interface

The optional contactless interface is fully compatible with ISO/IEC 14443 A as well as NXP Semiconductors’ field proven MIFARE technology. A dedicated Contactless Interface Unit (CIU) manages and supports communication using data rates up to 848 kbit/s. A true anti-collision method (in accordance with ISO/IEC 14443-3) enables multiple cards to be handled simultaneously.

The optional MIFARE functionality provided in configurations B1 (MIFARE 1K implementation) and B4 (MIFARE 1K implementation) safeguard the interface compatibility with any installed MIFARE infrastructure. The ability to run the MIFARE protocol concurrently with other contactless transmission protocols implemented by the customer code (T=CL or self defined) enables the combination of new services and existing applications based on MIFARE (e.g. ticketing) on a single dual interface controller based smart card.

The MIFARE implementation on the SmartMX makes use of the approved true random number generator and thus is not susceptible to attacks based on the predictability of random numbers. This emulation is separated from the rest of the SmartMX by a firewall that is part of the Common Criteria evaluation.

A tutorial software library for ISO/IEC 14443-3 and ISO/IEC 14443-4 is available to support NXP Semiconductors’ customers for easy integration of the contactless technology into current system solutions.

The input capacitance can be factory configured for either standard loop antennas or for smaller antennas (such as “ID1/2” antennas). This is accomplished by setting the device input capacitance to either the standard value or to a higher value.

SmartMX S²C interface

The S²C interface is intended for use with NXP Semiconductors NFC circuits (e.g. PN544) in order to configure secure NFC systems, for example in mobile hand sets.

Operated both in Contact mode (ISO/IEC 7816) and in S²C mode, the user defines the final function of the controller chip with its operating system. This allows the same level of security, functionality and flexibility for the contact interface and the S²C interface.

The S²C interface is connected to the internal ISO/IEC 14443 CIU. The CIU handles the demodulation and the modulation of the S²C signals which enables a full contactless communication via this interface, and the NFC front-end can be enabled. As the S²C interface is connected to the CIU, the power to the P5CN081 must be supplied via the VDD and VSS pads in order to use the S²C interface. The S²C interface does not need any software adaptation compared to normal contactless operation.

When connected to the S²C interface of a NFC front-end, the device is compatible with existing MIFARE reader infrastructure, and the optional emulation modes of MIFARE 1K or MIFARE 4K enable fast system integration and backward compatibility to MIFARE based cards. The communication on the S²C interface supports both the ISO/IEC 14443 A part 3 and the ISO/IEC 14443 part 4.

Security features

SmartMX incorporates a wide range of both inherent and OS-controlled security features as a countermeasure against all types of attack. NXP Semiconductors apply their extensive knowledge of chip security, combined with handshaking circuit technology, very dense 5-metal layer 0.14 µm technology, glue logic and active shielding methodology for optimum results in CC EAL5+, EMVCo and other third-party certifications and approvals.

SmartMX Memory Management Unit (MMU), designed to define various memory segments and assign security attributes accordingly, supports a strong firewall concept that keeps different applications separate from each other. Only the System mode has full access privileges to all memory space and on-chip peripherals, while the User mode only has privileges defined upon card personalization and executed under the control of the System mode.

Secure Fetch technology significantly enhances the chip hardware security against certain classes of light attack using light directed at chip hardware. More specifically, Secure Fetch offers increased protection against attacks using higher spatial resolution and those using shorter and longer light pulses with both single and multiple pulses. It protects both the device memory and ROM, RAM and EEPROM code fetching operations, greatly increasing the probability of detecting fault injection attacks.

This unique security technology offers increased protection against future attack scenarios that use light and laser sources, facilitating the development of highly secure software applications for customers.

The SmartMX security features are acknowledged as having outstanding properties by most NXP Semiconductors’ customers. The countermeasures against light attacks are regarded as “best-in-class”.

Security evaluation and certificates

Hardware security certification in accordance with CC EAL5+ is attained. Also, third-party approval such as EMVCo (VISA, CAST), ZKA and others, depending on the application requirements, are available.

NXP Semiconductors continues to drive forward third-party security evaluations to provide its customers with the relevant information and documentation needed to execute subsequent composite evaluations of implemented applications.

Security licensing

In addition to the various intellectual properties regarding attack resistance of the NXP Semiconductors’ owned SmartMX family, NXP Semiconductors has obtained a patent license for SPA and DPA countermeasures from Cryptography Research Incorporated. (CRI). This license covers both hardware and software countermeasures. It is important to customers that countermeasures within the operating system are covered under this license agreement with CRI. Further details are available on request.

Optional crypto library

NXP Semiconductors offer an optional crypto library for all family types:

产品特点 Features

Standard family features

Product specific family features
Security features
Design-in support
应用
P5CC081 技术支持
档案名称 标题 类型 格式
P5CC081 Secure dual interface and contact PKI smart card controller Data sheet pdf
130830 AN10834 MIFARE ISO/IEC 14443 PICC Selection Application note pdf
AN10927 MIFARE and handling of UIDs Application note pdf
AN10787 AN10787 MIFARE Application Directory (MAD) Application note pdf
AN1305 MIFARE Classic as NFC Type MIFARE Classic Tag Application note pdf
AN1304 NFC Type MIFARE Classic Tag Operation Application note pdf
AN10833 MIFARE Type Identification Procedure Application note pdf