DESFire SIM is One Piece of Gemalto’s NFC Strategy
Although there are no phones yet on the market to support NFC applications on the SIM, France-based smart card maker Gemalto believes the time is right to introduce the first SIM card with a high-end transit-ticketing application onboard, Mifare DESFire.
Gemalto, the only card vendor with a license for high-end Mifare, plans to have samples available of its DESFire SIM in April and said it would have it ready for production later this year. It announced the card in mid-February at the Mobile World Congress in Barcelona.
Mifare holds a commanding 75% share of the market for transit cards worldwide, according to Mifare owner NXP Semiconductors. The vast majority of these, however, are Mifare Classic cards. Only a small fraction support more secure–and more expensive–DESFire.
Key DESFire Cities
But among the list of 16 cities (see below) where transit or fare-collection operators are in various stages of rolling out DESFire are places where mobile operators also appear keen to eventually launch NFC commercially–such as London, Madrid, Dubai and Oslo.
Gemalto predicts high demand for mobile transit ticketing, once NFC phones become available, and Mifare is key for Gemalto to try to capture that market.
Most observers believe transit could be the first big application for NFC because many transit authorities or fare-collection schemes operators already have an infrastructure of terminals in place to accept contactless cards. They could also put those contactless applications on NFC phones, which their customers could tap just as they do cards. In addition, the phone applications could enable the customers to buy tickets and receive schedule and other updates over the air to their phones.
Gemalto estimates a total of 40 cities, including the 16 cities listed below, have decided to move to DESFire–some, no doubt, because of well-publicized hacks of Mifare Classic cards in 2008. Though cheap Classic cards remain popular, and adoption of DESFire has been weak since NXP launched it in 2002, other transit agencies or fare-collection schemes are expected to move from Classic to DESFire or a less costly cousin, Mifare Plus.
“There are many cities starting transit, and now they elect DESFire; and some are migrating to DESFire,” Thierry Koeberie, director for marketing and product for Gemalto’s trusted services management unit, told NFC Times. The unit is set up to download and manage payment, ticketing and other applications on SIM cards or other secure chips in NFC phones or related devices. It’s part of Gemalto’s drive to bring in more revenue from services.
Gemalto Positions Itself with Mifare
Mifare is key to Gemalto’s NFC strategy. The card vendor early last year bought NXP’s Mifare4Mobile business, which will enable it to handle Mifare applications more smoothly with its trusted services platform, including putting Mifare Classic on SIM cards.
Gemalto also bought the Mifare license from NXP, likely last year, following NXP’s decision to grant some licenses to Mifare, starting in 2008. The license gives Gemalto a leg up on competing card vendors by allowing it to produce DESFire SIMs with any SIM chip vendor.
Such rivals as Oberthur Technologies and Giesecke & Devrient could still offer DESFire SIM cards, but they would likely have to use chip suppliers that have locked up their own Mifare licenses. NXP has limited those licenses so far to Renesas Technology and STMicroelectronics for higher-end Mifare. Gemalto wouldn't have an advantage over competitors in producing SIMs with the more popular Mifare Classic onboard.
Oberthur and Giesecke & Devrient joined a vendor group anchored by chip maker Infineon Technologies and including chip supplier Inside Contactless, which announced plans in January to introduce a competing offer to Mifare for transit applications. They pledge the technology will be just as secure as DESFire but will come with a more liberal licensing policy than NXP offers for Mifare. To date, Gemalto has not joined the group.
The first cards and SIMs supporting the offer will not be available until early next year, or perhaps later.
Oyster Likely to Require DESFire SIM
That is much too late to have snagged one of the highest-profile fare-collection schemes, Oyster, owned by Transport for London. The transit authority began moving the popular scheme to DESFire this year, NFC Times has learned, after having suffered an embarrassing hack by researchers demonstrating how easily they could clone Oyster using Mifare Classic, in 2008.
And Transport for London has said it would like to launch Oyster on NFC phones sometime this year. If that happens, it could be a Mifare Classic application at first, but the agency would eventually use a DESFire application. That application would likely go onto a SIM card because mobile operators in the UK that will be leading NFC rollouts would likely insist all secure applications be stored on the cards they issue to subscribers. Transport for London participated in a well-publicized NFC trial, that launched in late 2007.
The transit agency has expected fast transactions for cards, which are needed to handle customers flowing through gates of the bustling London Underground. But some in the industry have questioned whether transaction speeds will be a problem for DESFire on a SIM.
To begin with, DESFire, with its higher-level Triple DES or AES encryption schemes, requires much more number crunching than Mifare Classic cards, though the DESFire chips have a microprocessor to do the computations. In addition, there have been some scattered reports of slower speeds for applications residing on the SIM in phones supporting the single-wire protocol connection to the NFC chip, compared with cards.
Brian Dobson, who has served as technology and systems manager for Transport for London’s Future Ticketing Project, said the agency needs the Oyster application on NFC phones to do a transaction in less than 400 milliseconds. Oyster cards are faster than that, but once a transaction exceeds 400 milliseconds, there is a risk customers would pull their phones from the contactless field around the reader before the transaction is complete. They would then have to tap the phone again.
"We need these response times to maintain the high throughput rates we have obtained with Oyster cards," Dobson told NFC Times, adding that a transaction from a DESFire application on a SIM would take longer than a less-secure Mifare Classic application on the same SIM, "unless the chip architecture has technology to do the new cryptography in a special component on the chip." He said he did not yet know what extra features smart card vendors planned to offer to make sure the DESFire transactions were fast enough.
Gemalto said in a statement to NFC Times that "the first results we collected so far gave us a good level of confidence that we can deliver product that matches transport operators’ needs."
Probably the only NFC trial to test DESFire to date is one held in 2008 by the research and development unit of Norway-based mobile operator Telenor in the far northern city of Tromsø. That trial put DESFire on a special embedded chip in an NFC phone. NT