I want to use Mifare Desfire Light or EV2 in a payments product. Given payments, security is paramount, including anti-counterfeiting, encryption, MACing, etc. In this regard, I needed confirmation as to whether the NXP Tagwriter app or any other publicly available app or tool from NXP can be used to encode/personalize a Desfire chip fulfilling the following security requirements.
Key security requirements:
Writing/encoding the chip:
- Securely writing data on the chip in such a manner that the chip is able to authenticate the writer and no other writer can write to the same chip.
- Ability to lock the chip so that once data is written and the chip is locked, no one else can write, rewrite or modify data on the same chip.
- Ability to write encrypted data on the chip that identifies the customer such as Customer ID, Customer PAN, Expiry date, etc.
- Ability to write keys on the chip, which the chip can use to dynamically encrypt data with a unique key for every read from the chip.
- Anti-counterfeiting.
- Key injection/writing on the chip so that a Desfire-capable terminal can read/access the chip.
Reading the chip:
- The ability of the Desfire-capable terminal to access data through access keys from the chip.
- Data so provided by the chip should be dynamically encrypted, with MACing done for authentication on the server.
- AES-256 or 128-bit encryption.
- Secure messaging from the chip/terminal to the server.
- The server will support verifying the MAC sent from the chip and decrypting the encrypted data before authorizing the transaction and sending it back to the terminal. There will be no offline transactions, only online ones.
- The ability of the chip to authenticate a return MAC (optional).
Kindly confirm how I can achieve the above with NXP Tagwriter or any other NXP tool with regard to the Desfire Light or Desfire EV2 chip.