Part Number: AT88SC0404CRF
Manufacturer: ATMEL Corporation
Features
• One of a Family of Devices with User Memory of 1 Kbit to 64 Kbits
• Contactless 13.56 MHz RF Communications Interface
  – ISO/IEC 14443-2:2001 Type B Compliant
  – ISO/IEC 14443-3:2001 Type B Compliant Anticollision Protocol
  – Command Set Optimized for Multicard RF Communications
  – Tolerant of Type A Signaling for Multiprotocol Applications
• Integrated 82 pF Tuning Capacitor
• User EEPROM Memory
  – 4 Kbits Configured as Four 128-byte (1-Kbit) User Zones
  – Byte, Page, and Partial Page Write Modes
  – Self-timed Write Cycle
• 256-byte (2-Kbit) Configuration Zone
  – User-programmable Application Family Identifier (AFI)
  – User-defined Anticollision Polling Response
  – User-defined Keys and Passwords
• High-Security Features
  – 64-bit Mutual Authentication Protocol (under license of ELVA)
  – Encrypted Checksum
  – Stream Encryption
  – Four Key Sets for Authentication and Encryption
  – Four Sets of Two 24-bit Passwords
  – Password and Authentication Attempts Counters
  – Selectable Access Rights by Zone
  – Antitearing Function
  – Tamper Sensors
• High Reliability
  – Endurance: 100,000 Write Cycles
  – Data Retention: 10 Years
  – Operating Temperature: −40°C to +85°C
13.56 MHz CryptoRF EEPROM Memory 4 Kbits
AT88SC0404CRF
Summary
Description
The CryptoRF® family integrates a 13.56 MHz RF interface into a CryptoMemory®, resulting in a contactless smart card with advanced security and cryptographic features. This device is optimized as a contactless secure memory, for RF smart cards, and secure data storage, without the requirement of an internal microprocessor.
For communications, the RF interface utilizes the ISO/IEC 14443-2 and -3 Type B bit timing and signal modulation schemes, and the ISO/IEC 14443-3 Slot-MARKER Anticollision Protocol. Data is exchanged half duplex at a 106-kbit/s rate, with a two-byte CRC_B providing error detection capability. The maximum communication range between the reader antenna and contactless card is approximately 10 cm when used with an RFID reader that transmits the maximum ISO/IEC 14443-2 RF power level. The RF interface powers the other circuits; no battery is required. Full compliance with the ISO/IEC 14443-2 and -3 standards results in anticollision interoperability with the AT88RF020 2-Kbit RFID EEPROM product and provides both a proven RF communication interface and a robust anticollision protocol.
The AT88SC0404CRF contains 4 Kbits of user memory and 2 Kbits of configuration memory. The 2 Kbits of configuration memory contain four sets of read/write passwords, four crypto key sets, security access registers for each user zone, and password/key registers for each zone.
The CryptoRF command set is optimized for a multicard RF communications environment. A programmable AFI register allows this IC to be used in numerous applications in the same geographic area with seamless discrimination of cards assigned to a particular application during the anticollision process.
Rev. 5023CS–CRRF–12/06
Note: This is a summary document. A complete document is available under NDA. For more information, please contact your local Atmel sales office.
Block Diagram
Figure 1. Block Diagram
[Figure: block diagram. Blocks shown: RF Interface (AC1, AC2, C, Rectifier, Over Voltage Clamp, Modulator, Regulator, Clock Extraction, Data Extraction, VDD, VSS); Frame Formatting and Error Detection Interface; Anticollision; Command and Response; Data Transfer; Password Verification; Authentication, Encryption and Certification Unit; Random Number Generator; EEPROM]
Communications
All personalization and communication with this device is performed through the RF interface. The IC includes an integrated tuning capacitor, enabling it to operate with only the addition of a single external coil antenna. The RF communications interface is fully compliant with the electrical signaling and RF power specifications in ISO/IEC 14443-2:2001 for Type B only. Anticollision operation and frame formatting are compliant with ISO/IEC 14443-3:2001 for Type B only. ISO/IEC 14443 nomenclature is used in this specification where applicable. The following abbreviations are utilized throughout this document. Additional terms are defined in the section in which they are used.
• PCD – Proximity Coupling Device: the reader/writer and antenna
• PICC – Proximity Integrated Circuit Card: the tag/card containing the IC and antenna
• RFU – Reserved for Future Use: any feature, memory location, or bit that is held as reserved for future use
• $xx – Hexadecimal Number: denotes a hex number “xx” (Most Significant Bit on left)
Anticollision Protocol
When the PICC enters the 13.56 MHz RF field of the host reader (PCD), it performs a power on reset (POR) function and waits silently for a valid Type B polling command. The CryptoRF PICC processes the antitearing registers as part of the POR process. The PCD initiates the anticollision process by issuing an REQB or WUPB command. The WUPB command activates any card (PICC) in the field with a matching AFI code. The REQB command performs the same function but does not affect a PICC in the Halt state. The CryptoRF command set is available only after the anticollision process has been completed.
CRC Error Detection
A two-byte CRC_B is required in each frame transmitted by the PICC or PCD to permit transmission error detection. The CRC_B is calculated on all of the command and data bytes in the frame. The SOF, EOF, start bits, stop bits, and EGT are not included in the CRC_B calculation. The two-byte CRC_B follows the data bytes in the frame.
Figure 2. Location of the Two CRC_B Bytes within a Frame
SOF | K data bytes | CRC1 | CRC2 | EOF
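An added example, not part of the datasheet, that builds and checks the two-byte trailer described above. The CRC_B parameters are those of ISO/IEC 14443-3 Type B (this page does not list them); the function names and the sample payload are constructed for illustration.

```python
# CRC_B as defined for ISO/IEC 14443-3 Type B (parameters are not on this page):
# polynomial x^16 + x^12 + x^5 + 1, register preset to 0xFFFF, bits processed
# LSB first, result inverted, low byte sent first (CRC1), then high byte (CRC2).

def crc_b(data: bytes) -> int:
    """CRC_B over the command and data bytes only (no SOF/EOF/start/stop bits)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def append_crc_b(payload: bytes) -> bytes:
    """Return payload followed by CRC1 (low byte) and CRC2 (high byte)."""
    crc = crc_b(payload)
    return payload + bytes([crc & 0xFF, crc >> 8])


def check_frame(frame: bytes):
    """Return the payload if the trailing CRC_B matches, otherwise None."""
    if len(frame) < 3:  # needs at least one command byte plus two CRC bytes
        return None
    payload, received = frame[:-2], frame[-2:]
    crc = crc_b(payload)
    if received != bytes([crc & 0xFF, crc >> 8]):
        return None
    return payload


# Constructed sample payload (three bytes), not taken from the datasheet.
SAMPLE = bytes.fromhex("050000")

if __name__ == "__main__":
    frame = append_crc_b(SAMPLE)
    print(frame.hex())                       # payload followed by CRC1 CRC2
    print(check_frame(frame) == SAMPLE)      # intact frame is accepted
    damaged = bytes([frame[0] ^ 0x01]) + frame[1:]
    print(check_frame(damaged))              # single bit error is rejected
```

CRC_B detects transmission errors only; it is unkeyed, so it gives no protection against deliberate modification of a frame.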
Type A Tolerance
The RF Interface is designed for use in multiprotocol applications. It will not latch or lock up if exposed to Type A signals and will not respond to them. The PICC may reset in the presence of Type A field modulation but is not damaged by exposure to Type A signals.
User Memory
The EEPROM user memory is divided into four user zones as shown in the memory map in Table 1. Multiple zones allow for different types of data or files to be stored in different zones. Access to the user zones is allowed only after security requirements have been met. These security requirements are defined by the user in the configuration memory during personalization of the device. The EEPROM memory page length is 16 bytes.
Table 1. Memory Map
Zone     Address      $0  $1  $2  $3  $4  $5  $6  $7
User 0   $00 – $78    128 Bytes
User 1   $00 – $78    128 Bytes
User 2   $00 – $78    128 Bytes
User 3   $00 – $78    128 Bytes
Configuration Memory
The configuration memory consists of 2048 bits of EEPROM memory used for storing system data, passwords, keys, codes, and security-level definitions for each user zone. Access rights to the configuration zone are defined in the control logic and may not be altered by the user. These access rights include the ability to program certain portions of the configuration memory and then lock the data written through use of the security fuses.
Security Fuses
There are three fuses on the device that must be blown during the device personalization process. Each fuse locks certain portions of the configuration memory as OTP memory. Fuses are designated for the module manufacturer, card manufacturer and card issuer and must be blown in sequence.
Communication Security
Communication between the PICC and reader operates in three basic modes. Standard mode is the default mode for the device after power-up and anticollision. Authentication mode is activated by a successful authentication sequence. Encryption mode is activated by a successful encryption activation, following a successful authentication.
Table 2. Configuration Security Modes
Mode             User Data    Passwords    Data Integrity Check
Standard         clear        clear        MDC(1)
Authentication   clear        encrypted    MAC(2)
Encryption       encrypted    encrypted    MAC(2)
Notes: 1. Modification Detection Code
       2. Message Authentication Code
Security Methodology
Figure 3. Security Methodology
[Figure: exchange between Device (card) and Host (reader). Device-side labels: Card Number; VERIFY A; Compute Challenge B; Challenge B; Check Password (RPW); DATA; Checksum (CS); Check Password (WPW); VERIFY CS; Write DATA. Host-side labels: COMPUTE Challenge A; Challenge A; VERIFY B; Read Password (RPW); VERIFY CS (optional); Write Password (WPW); DATA; CS.]
Memory Access
Depending on the device configuration, the host will carry out the authentication protocol and/or present different passwords for each operation: read or write. To ensure security between the different user zones (multiapplication card), each zone can use a different set of passwords. A specific attempts counter for each password and for the authentication provides protection against systematic attacks.
Security Operations
Antitearing
In the event of a power loss during a write cycle, the integrity of the device’s stored data may be recovered. This function is optional: the host may choose to activate the antitearing function depending on application requirements. When antitearing is active, write commands take longer to execute since more write cycles are required to complete them. Data writes are limited to 8-byte pages when antitearing is active. Data is written first to a buffer zone in EEPROM instead of to the intended destination address, but with the same access conditions. The data is then written to the required location. If this second write cycle is interrupted due to a power loss, the device will automatically recover the data from the buffer zone at the next power-up.
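A host-side model of the two-phase write described above, added here as an illustration and not Atmel's implementation. The `pending` record standing in for the buffer zone, the class and function names, and the half-written tear are assumptions; the 8-byte limit and the 128-byte zone size come from the page.

```python
# Model of a two-phase (buffer, then destination) EEPROM write.
# Assumption: the `pending` record and the half-written tear are invented for
# this sketch; the page does not describe the device's internal bookkeeping.
ANTITEAR_MAX = 8   # write size limit with antitearing active (from the page)
ZONE_SIZE = 128    # one user zone (from the page)


class PowerLoss(Exception):
    """Simulates the RF field dropping in the middle of a write."""


class Zone:
    def __init__(self, fill):
        self.mem = bytearray(fill * ZONE_SIZE)
        self.pending = None  # assumed buffer-zone record: (address, data)

    def write(self, addr, data, fail_at=None):
        """Antitearing write; fail_at is None, 'buffer' or 'destination'."""
        if len(data) > ANTITEAR_MAX:
            raise ValueError("antitearing writes are limited to 8 bytes")
        if addr < 0 or addr + len(data) > ZONE_SIZE:
            raise ValueError("write falls outside the user zone")
        if fail_at == "buffer":
            raise PowerLoss("power lost before the buffer copy completed")
        self.pending = (addr, bytes(data))            # first write: buffer zone
        if fail_at == "destination":
            half = len(data) // 2                     # only half the bytes land
            self.mem[addr:addr + half] = data[:half]
            raise PowerLoss("power lost during the destination write")
        self.mem[addr:addr + len(data)] = data        # second write: destination
        self.pending = None

    def power_on_reset(self):
        """Replay a completed buffer copy at the next power-up."""
        if self.pending is not None:
            addr, data = self.pending
            self.mem[addr:addr + len(data)] = data
            self.pending = None


def torn_write_outcome(fail_at, recover=True):
    """Write 8 bytes of 'B' over 'A', lose power at fail_at, return the result."""
    zone = Zone(b"A")
    try:
        zone.write(16, b"B" * 8, fail_at=fail_at)
    except PowerLoss:
        pass
    if recover:
        zone.power_on_reset()
    return bytes(zone.mem[16:24])
```

In this model the destination holds either the complete old value or the complete new value after power-up; the mixed state exists only between the power loss and the next reset.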
Password Verification
Passwords may be used to protect user zone read and/or write access. When a password is presented using the Check Password command, it is memorized and active until power is removed unless a new password is presented or a valid DESELECT or IDLE command is received.