P5CD016/021/041/051 and P5Cx081 family
Secure dual interface and contact PKI smart card controller
Rev. 3.2 — 14 March 2011
150332
Product short data sheet
PUBLIC
1. General description
1.1 CMOS14 SmartMX family features overview
The CMOS14 SmartMX family members are a modular set of devices featuring:
• 16 KB, 20 KB, 40 KB, 52 KB and 80 KB EEPROM
• ROM memory size extended to 264 KB
• RAM memory size extended to 7.5 KB (CXRAM 5 KB, FXRAM 2.5 KB)
• High-performance secure Public Key Infrastructure (PKI) coprocessor (RSA, ECC)
• Secure dual/triple-DES coprocessor
• Secure AES coprocessor
• Memory Management Unit (MMU)
• ISO/IEC 7816 contact interface
• Optional ISO/IEC 14443 A Contactless Interface Unit (CIU)
• EEPROM with typically 500000 cycles endurance and a minimum of 25 years retention time
• Broad spectrum of delivery types
• Optional certified crypto library modules for RSA, ECC, DES, AES, SHA and PRNG
The P5CD016/041/051 and P5Cx081 products provide improved SmartMX family
performance with the following additional features:
• CPU kernel accelerated by factor 2, at the same time maintaining full instruction compatibility
• FameXE coprocessor (clock up to 72 MHz) with reduced power consumption in all three voltage classes
• Memory Management Unit (MMU) with 8 instead of 5 cache segments
• Full binary ROM Code compatibility to P5Cx012/02x/040/073/080/144 family
1.2 CMOS14 SmartMX family properties
The long-established CMOS14 SmartMX family features a significantly enhanced secure
smart card IC architecture. Extended instructions for Java and C code, linear addressing,
high speed at low power and a universal memory management unit are among many
other improvements added to the classic 80C51 core architecture. In the
P5CD016/041/051 and P5Cx081 product family, NXP Semiconductors’ proven
Secure_MX51 processor core has been further optimized over the existing version in
0.14 μm CMOS technology. Therefore, these products now offer improved CPU speed,
leading to shorter overall transaction times. At the same time, the FameXE cryptography
coprocessor has been optimized for even lower power operation, while keeping its
performance at the same industry-leading level.
The availability of both contact interface and contactless or S²C interface enables the easy
implementation of native or open platform and multi-application operating systems in
market segments such as banking, E-passports, ID cards, Health cards, secure access,
Java cards as well as Trusted Platform Modules (TPM).
1.3 Naming conventions
Table 1. Naming conventions
P5xyzzz  SmartMX platform
x        Type of category:
         C = PKI controller + triple-DES coprocessor + AES coprocessor on selected products
y        Interface options:
         C = contact interface - ISO/IEC 7816
         D = dual interface - ISO/IEC 7816 + ISO/IEC 14443 contactless interface
         N = ISO/IEC 7816 + S²C interface for NFC
zzz      Amount of non-volatile memory in KB, increasing count for further product options
1.4 Cryptographic hardware coprocessors
1.4.1 FameXE coprocessor
The approved and modular FameXE architecture supports the trend of increasing RSA
keys with faster execution speeds as well as Elliptic Curve Cryptography (ECC) based on
GF(p) or GF(2^n) at best performance. FameXE supports RSA with an operand length of
up to 8-kbit (up to 4-kbit with intermediate storage in RAM only).
The now further reduced power-consumption FameXE PKI coprocessor supports 192-bit
ECC key length that offers the same level of security as 2048-bit RSA. An ECC GF(2^n)
based signature using a 163-bit key can be executed in less than 30 ms, providing a
security level comparable to 1024-bit RSA. The operand size for ECC, supported by
FameXE, is only limited by the 2.5 KB size of the FXRAM. FameXE operates at up to
72 MHz, is easy to use and the flexible interface provides programmers with the freedom
to implement their own cryptography solutions. A secure and CC EAL5+ certified crypto
library providing a large range of required functions will be available for all devices in order
to support customers in implementing public key-based solutions.
1.4.2 Triple-DES coprocessor
DES, widely used for symmetric encryption, is supported by a dedicated, high-performance,
highly attack-resistant hardware coprocessor. Single DES and triple-DES,
based on two or three DES keys, can be executed within less than 40 μs. Relevant
standards (ISO/IEC, ANSI, FIPS) and Message Authentication Code (MAC) are fully
supported. A secure crypto library element for DES is available.
P5CD016_021_041_51_Cx081_FAM_SDS
All information provided in this document is subject to legal disclaimers.
© NXP B.V. 2011. All rights reserved.
1.4.3 AES coprocessor
SmartMX is the first smart card microcontroller platform to provide a dedicated high
performance 128-bit parallel processing coprocessor to support secure AES. The
implementation is based on FIPS 197 as standardized by the National Institute of
Standards and Technology (NIST), and supports key lengths of 128-bit, 192-bit, and
256-bit with performance levels comparable to DES. AES is the next generation of
symmetric data encryption and the recommended successor to DES, providing a significantly
improved security level. A secure crypto library element for AES is available.
1.5 SmartMX interfaces
1.5.1 SmartMX contact interface
Operating in accordance with ISO/IEC 7816, the SmartMX contact interface is supported
by a built-in Universal Asynchronous Receiver/Transmitter (UART), which enables data
rates of up to 1 Mbit/s allowing for the automatic generation of all typical baud rates and
supports transmission protocols T=0 and T=1. Up to two additional I/Os are available.
1.5.2 SmartMX contactless interface
The optional contactless interface is fully compatible with ISO/IEC 14443 A as well as
NXP Semiconductors’ field proven MIFARE technology. A dedicated Contactless Interface
Unit (CIU) manages and supports communication using data rates up to 848 kbit/s. A true
anti-collision method (in accordance with ISO/IEC 14443-3) enables multiple cards to be
handled simultaneously.
The optional MIFARE functionality provided in configurations B1 (MIFARE 1K
implementation), B4 (MIFARE 4K implementation), D1 (MIFARE 1K implementation with
MIFARE simultaneous operation enabled) and D4 (MIFARE 4K implementation with
MIFARE simultaneous operation enabled) safeguards the interface compatibility with any
installed MIFARE infrastructure. The ability to run the MIFARE protocol concurrently with
other contactless transmission protocols implemented by the customer code (T=CL or self
defined) enables the combination of new services and existing applications based on
MIFARE (e.g. ticketing) on a single dual interface controller based smart card.
The MIFARE implementation on the SmartMX makes use of the approved true random
number generator and thus is not susceptible to attacks based on the predictability of
random numbers. This emulation is separated from the rest of the SmartMX by a firewall
that is part of the Common Criteria evaluation.
A tutorial software library for ISO/IEC 14443-3 and ISO/IEC 14443-4 is available to
support NXP Semiconductors’ customers for easy integration of the contactless
technology into current system solutions.
The input capacitance can be factory configured for either standard loop antennas or for
smaller antennas (such as “ID1/2” antennas). This is accomplished by setting the device
input capacitance to either the standard value or to a higher value.
1.5.3 SmartMX S²C interface
The S²C interface is intended for use with NXP Semiconductors NFC circuits (e.g. PN544)
in order to configure secure NFC systems, for example in mobile hand sets.
Operated both in Contact mode (ISO/IEC 7816) and in S²C mode, the user defines the
final function of the controller chip with its operating system. This allows the same level of
security, functionality and flexibility for the contact interface and the S²C interface.
The S²C interface is connected to the internal ISO/IEC 14443 CIU. The CIU handles the
demodulation and the modulation of the S²C signals, which enables a full contactless
communication via this interface, and the NFC front-end can be enabled. As the S²C
interface is connected to the CIU, the power to the P5CN081 must be supplied via the
VDD and VSS pads in order to use the S²C interface. The S²C interface does not need
any software adaptation compared to normal contactless operation.
When connected to the S²C interface of an NFC front-end, the device is compatible with
existing MIFARE reader infrastructure, and the optional emulation modes of MIFARE 1K
or MIFARE 4K enable fast system integration and backward compatibility to MIFARE
based cards. The communication on the S²C interface supports both the
ISO/IEC 14443 A part 3 and the ISO/IEC 14443 part 4.
1.6 Security features
SmartMX incorporates a wide range of both inherent and OS-controlled security features
as a countermeasure against all types of attack. NXP Semiconductors apply their
extensive knowledge of chip security, combined with handshaking circuit technology, very
dense 5-metal layer 0.14 μm technology, glue logic and active shielding methodology for
optimum results in CC EAL5+, EMVCo and other third-party certifications and approvals.
SmartMX Memory Management Unit (MMU), designed to define various memory
segments and assign security attributes accordingly, supports a strong firewall concept
that keeps different applications separate from each other. Only the System mode has full
access privileges to all memory space and on-chip peripherals, while the User mode only
has privileges defined upon card personalization and executed under the control of the
System mode.
Secure Fetch technology significantly enhances the chip hardware security against
certain classes of light attack using light directed at chip hardware. More specifically,
Secure Fetch offers increased protection against attacks using higher spatial resolution
and those using shorter and longer light pulses with both single and multiple pulses. It
protects both the device memory and ROM, RAM and EEPROM code fetching operations,
greatly increasing the probability of detecting fault injection attacks.
This unique security technology offers increased protection against future attack
scenarios that use light and laser sources, facilitating the development of highly secure
software applications for customers.
The SmartMX security features are acknowledged as having outstanding properties by
most NXP Semiconductors’ customers. The countermeasures against light attacks are
regarded as “best-in-class”.
1.7 Security evaluation and certificates
Hardware security certification in accordance with CC EAL5+ is attained. Also, third-party
approvals such as EMVCo (VISA, CAST), ZKA and others, depending on the application
requirements, are available.
NXP Semiconductors continues to drive forward third-party security evaluations to provide
its customers with the relevant information and documentation needed to execute
subsequent composite evaluations of implemented applications.
1.8 Security licensing
In addition to the various intellectual properties regarding attack resistance of the NXP
Semiconductors’ owned SmartMX family, NXP Semiconductors has obtained a patent
license for SPA and DPA countermeasures from Cryptography Research Incorporated
(CRI). This license covers both hardware and software countermeasures. It is important to
customers that countermeasures within the operating system are covered under this
license agreement with CRI. Further details are available on request.
1.9 Optional crypto library
NXP Semiconductors offer an optional crypto library for all family types:
• Various algorithms
  – AES encryption and decryption using the AES coprocessor
  – DES and triple-DES encryption and decryption using the DES coprocessor
  – RSA encryption and decryption, signature generation and verification for straightforward and CRT keys up to 5024 bits
  – RSA key generation
  – ECC over GF(p) signature generation and verification (ECDSA) and Diffie-Hellman key exchange for keys up to 544 bits
  – ECC over GF(p) key generation
  – ECC over GF(2^n) signature generation and verification (ECDSA) and Diffie-Hellman key exchange for keys up to 571 bits
  – ECC over GF(2^n) key generation
  – SHA-1, SHA-224 and SHA-256 hash algorithm
  – Pseudo-Random Number Generator (PRNG)
• Easy to use API for all algorithms
• Secure operation in contact as well as in the contactless mode
• Latest built-in security features to avoid power (SPA/DPA), timing and fault attacks (DFA)
• Common criteria CC EAL5+ certification available [except ECC over GF(2^n)] in accordance with BSI-PP-0002 protection profile