13.56 MHz Contact-less Smart Card Communications

Contactless Smart Card - ISO 14443b

Author: Chris Vanderbles

Date: 04/14/2008

White Paper – 13.56 MHz Contact-less Smart Card Communications

Objective: This white paper will cover communication methods for 13.56 MHz contact-less smart cards, more specifically it will cover the communication standard set forth by ISO 14443b. Other ISO specifications for contact-less smart card communications will be briefly reviewed, but not covered in detail.

Literature Review: The contact-less smart card is a relatively new technology belonging to the family of radio frequency identification (RFID) technology. This piece of technology differs in nature from previous RFID technologies by having a micro-processor on the card itself to provide intelligent communications to the end device, rather than just a static ID number. There are many different card technologies that operate in the 13.56 MHz spectrum, but this paper will focus on the implementation of the ISO 14443b specification for contact-less smart card communications. The other specifications that will be briefly covered in this paper are ISO 14443a, and ISO 15693.

Before delving into the technical specifications of contactless smart-cards, it is important to understand the history of the technology and how it has developed over time. The first known implementation of RFID was used by the British during World War II; it was used to identify planes returning from mainland Europe. This system was know as the “Identify: Friend or Foe” system, or IFF. By 1977, the US government released their developed RFID technology, developed at the Los Alamos National Laboratory, to the public. In the early to mid 1980’s, companies started utilizing RFID cards for controlling physical access to their facilities. By 1986, a “de-facto” standard for proximity based credentials had emerged; this was initially developed by the Atmel Corporation. This standard utilized a 125 KHz carrier wave for transmitting and receiving RF data and has a capacity of up to 256 bytes of data. The 125 KHz standard is still common-place technology today. The first smart cards were also developed in 1986, but operated at much lower frequencies than today’s technology, and required multiple processors for implementation. On July 1, 2001, the International Standards Organization (ISO) published the operational standards for the 14443 specification. As of 2002, there are more than 50 million ISO 14443 compliant, and 200 million pre-standards smart cards in use around the world. Table 1-1 below contains a summary of the different specifications for contactless communications:

Table 1-1
Characteristic 125 KHz ISO 14443a ISO 14443B ISO 15693
Carrier Frequency 125 KHz 13.56 MHz +/- 7KHz 13.56 MHz +/- 7KHz 13.56 MHz +/- 7KHz
Downlink Bit Rate 4 Kbps 106 Kbps 106 Kbps 1.65 Kbps-26.48 Kbps
Uplink Bit Rate 4 Kbps 106 Kbps 106 Kbps 6.62 Kbps-26.69 Kbps
Downlink Modulation vendor specific 100% ASK 10% ASK 10% or 100% ASK
Downlink Encoding vendor specific Modified Miller Code NRZ Code PPM
Uplink Modulation vendor specific Load Mod., ASK Load Mod., BPSK Load Modulation
Uplink Encoding vendor specific Manchester NRZ Code Manchester
Uplink LMS vendor specific 847 KHz 847 KHz 432.75, 484.28 KHz
Storage Capacity 256 bytes 64 Kbytes 64 Kbytes 2 Kbytes
Read Distance 1 meter 10 cm 10 cm 1 meter

There are a wide array of communication applications for this technology, particularly since smart cards can store data in separate memory spaces and provide multiple memory stores for multiple applications. Some of the more common uses of smart card technology are:

Physical Access Control
Logical Access Control
Secure Authentication
Health Records
Transit Passes
Digital Cash
Time and Attendance

Power supplies for cards are bulky and require maintenance and replacement, so this technology is designed to utilize a passive card technology, and use inductive coupling as a means of deriving power from the RF field being produced by the reader. The ISO 14443a method of sending information to the card (downlink) is 100% amplitude shifting key (ASK) modulation. This method of downlink communications adds complexity to the cards, as they must be able to store enough power to continue to operate when the reader station is sending 0 (no RF signal). The ISO 14443b specification addresses this issue by using a 10% ASK modulated signal for downlink communications, providing continuous operating power for the card while in range of the reader. The encoding method for downlink communications in ISO 14443b is standard non return to zero (NRZ) code. The uplink communications portion of this specification operates on a 847 KHz sub-carrier frequency, which is one sixteenth of the primary carrier frequency. The uplink modulation scheme is binary phase shifting key (BPSK) and also uses NRZ code for its encoding scheme. Figure 1-1 below depicts the modulation and encoding method for downlink and uplink communications respectively. Since the card does not produce its own RF field, it uses load modulation to modify the carrier signal of the reader to transmit its uplink data. Figure 1-2 below depicts the process of load modulation. The load on coil Lc is varied by switching R2 in and out of parallel in the circuit. This causes the load on Lt to vary, and modifies the current U0 flowing through Ri. U0 is monitored by the reader and is used to decode the uplink data transmission.

modulation-encoding 10% ASK Down-link Signal
BPSK Up-link Signal

Figure 1-1: Modulation and encoding graphical representation


Figure 1-2: Load modulation diagram (source RFID Handbook, second ed.)

Calculations and Standards for ISO 14443b:
Downlink: Maximum theoretical bandwidth (Nyquist) calculation, using number of states (n) = 2, and carrier frequency = 13.56 MHz. BW = log2 (n) * fb Max theoretical bandwidth = log2 (2) * 13.56MHz = 13.56 Mbps Standards defined bit rate = 106 Kbps Calculated downlink baud = bit rate = 106 Kbaud/sec Bit rate utilization ratio: defined/maximum = ~ 1/128

Uplink: Maximum theoretical bandwidth (Nyquist) calculation, using number of states (n) = 2, and sub-carrier frequency = 847 KHz. BW = log2 (n) * fb Max theoretical bandwidth = log2 (2) * 847 KHz = 847 Kbps Standards defined bit rate = 106 Kbps Calculated downlink baud = bit rate = 106 Kbaud/sec Bit rate utilization ratio: defined/maximum = ~ 1/8

Data Communications for Contact-less Smart Cards: The data communication process for the 14443b specification has been designed to allow for communications with multiple cards at concurrently using time division multiplexing. The process involves using an anti-collision technique called “slotted aloha”. The process of card to reader communications is as follows. While idle, the reader continuously generates REQB messages. This message is used to pass information to any card in its field range so that it knows how to respond to its signal. The REQB frame format is shown below in Figure 1-3. The data fields encoded within the frame are the anti-collision prefix (APf), the application family identification (AFI), the PARAM parameter, and a cyclic redundancy check. The anti-collision prefix is a one byte value that is fixed and is used to mark the beginning of each REQB frame. The value assigned to this field is 0000 0101 (binary) or 05 (hex). The application family identification is further used to prevent unnecessary transmissions by smart cards that do not contain the type of information the reader is looking for. Table 1-2 below covers the pre-determined values of this one byte frame and their assigned designations.

AFI Bit 7 - bit 4 AFI Bit 3 - bit 0
Application Group Subgroup Description
0000 0000 All application groups and subgroups
'X' 'Y' Only subgroup Y of application group X
0001 ---- Transport (local transport, airlines, …)
0010 ---- Payments (banks, tickets,…)
0011 ---- Identification (passport, drivers license)
0100 ---- Telecommunication (telephone card, GSM, …)
0101 ---- Medicine (health insurance card, …)
0110 ---- Multimedia (internet service, Pay-TV)
0111 ---- Games (casino card, lotto card)
1000 ---- Data storage (portable files)
1001 - 1111 ---- Reserved for future applications
Table 1-2: Application Family Identification Index (source RFID Handbook, 2nd ed.)

The PARAM parameter is used to encode within the REQB transmission, the number of slots are being used by the reader for the slotted aloha anti-collision method. This method allows the reader to dynamically change the TDM of its communications by increasing the number of slots in the REQB message. The number of slots allowed in this method are from one to sixteen spaces. When a card receives a valid REQB message, it will decode the transmission and use the data to formulate a response, or determine that it does not need to respond to the transmission. The first item the card searches for is an application area on the card’s memory store that matches the requested AFI, if no match is found, the card does nothing further. If one or more application areas are found that match the requested AFI, the card then determines which slot to transmit its response by using the received number of slots from the reader transmission and a pseudo-random generated number. When the card receives the matching slot marker transmission, it transmits back an ATQB (Answer To Request B) response. The slot marker transmission is a three byte frame that consists of an APn (anti-collision prefix N) parameter, and a two byte CRC. The APn parameter transmitted indicates the slot number for the header. The transmitted data is n5 (hex) where n is the number of the slot and can be any value from 0 to F. Figures of all the mentioned data frames can be referenced below in Figure 1-3. The ATQB transmission the frame consists of the anti-collision prefix a (APa), pseudo unique PICC identification number (PUPI), application data, protocol information, and a two byte CRC. The APa header is for anti-collision purposes. The PUPI is transmitted so that the reader device knows which card is responding, and how to address that card directly for data transmission down-link. This 64 bit number is used to uniquely identify the card. Each card can generate a unique PUPI upon power-up, or it can transmit the card’s internal serial number. This means that there are 264 possible combinations, or 18.4 billion billion possible values. Using the dynamically generated PUPI increases the inherent security of the transaction, because the PUPI is only used during communication between the card are reader, once the card is presented to another reader, it will generate a different PUPI. This prevents one from watching for a particular card to “sniff” because the ID is different each time. This also has the ability to limit “playback” attacks of the card, because the card and reader utilize mutual authentication schemes based on the PUPI, and a randomly generated number. According to the documentation of one vendor (HID), this means that the chances of being able to directly play-back a transmission between card and reader is one in 280, which is statistically insignificant. The application data section of the frame contains information regarding the appropriate application areas on the card that match the AFI. The protocol information frame indicates supported communication methods for the card, and the CRC at the end of the frame provides for error checking. Once the reader has received a valid ATQB frame from a card, communication with the card can commence. The first data communication frame sent to the card is prefixed with an ATTRIB field, which contains anti-collision addresses, PUPI of the card, and supported communication parameters of the reader. The data communications frame is structured the same for both up-link and down-link communications. The frame consists of three data fields, the node address (NAD), the data payload of N bytes, and a two byte CRC. The NAD value sent is in the format of x5 (hex) where x can be 0 – F for a total of 16 addresses. A full block diagram of card to reader communications is shown in Figure 1-4. Once the communication between card and reader are complete, the HALT command is sent to the card and the communication slot in the spectrum becomes available for the next card read transaction.


Figure 1-3: ISO 14443b Command and Frame Structures


Figure 1-4: ISO 14443b card read process block diagram. Courtesy ISO/IEC.

Security for contact-less smart cards, while a concern, is not addressed in the ISO 14443 specification. Data encryption and authentication has been left to the end user developers to implement on the application layer. The available encryption methods available for application layer implementation include DES, 3DES, and any software method that can be implemented within the processing constraints of the smart card processor and reader. Another point of concern for this technology is that a card may be read through clothing and other materials without the knowledge or consent of the person carrying the card. This proves particularly worrisome as one may have their “card” stolen without ever knowing it, and without the card ever leaving their person. This method of stealing information without the knowledge of the victim is called “skimming”. Users have a couple of options when it comes to protecting themselves from skimming. The first method, already mentioned above is the use of on-card encryption. This keeps the information on the card secure, even if it is read by an un-trusted party. The biggest problem with this method of protection is that it is completely dependent on the developers to implement, and does not afford the individual any additional protection should the encryption scheme be broken. The easiest way of preventing unauthorized reading of the data on your smart card is to carry the card is a container that utilizes a wire mesh to block RF signals from the card until removed from the container. While it sounds like this may prove to be difficult for the end user to implement on their own, there are already companies such as Stewart/Stand (http://www.stewartstand.com) and DIRFwear (http://www.difrwear.com/products.shtml) that make products that have this security feature embedded in wallets, etc. A new method for selectively blocking RFID reads has been developed by a student at Vrije University in Amsterdam by the name of Melanie Rieback. She developed a product called the RFID Guardian (www.rfidguardian.org), and was the first person to be able to selectively block certain RFID signals from getting through while allowing others to pass-through without interference. The utilizes the anti-collision methods deployed in all contact-less smart card systems, by maintaining an access control list of permitted and denied tags for reading. The RFID Guardian has both functions as both a card and reader, so it monitors requests going to cards and will purposely generate collisions for blocked cards, thereby preventing the exchange of data between reader and card. Since collisions are only generated for cards that should not be read, the remaining card transmissions and data get through without interference. This type of implementation is akin to a firewall, only pre-defined items can pass through the firewall, all others are blocked. The contact-less smart card is a device that will continue to grow in use and popularity in the information age. With the myriad of information it has become necessary to retain about one’s own person, it has become necessary to carry multiple credentials for licenses, travel, banking, medical information, etc. Utilizing smart card technology, this information can be aggregated onto a single credential that can serve multiple functions while still providing data privacy on non-associated application areas.


Finkenzeller, Klaus, RFID Handbook Second Edition: Fundamentals and Applications in Contactless Smart Cards and Identification, John Wiley & Sons.

International Standards Organization, ISO/IEC JTC1/SC17 N 1531

HID Corporation, ISO Standards, iCLASS Compatibility and Market Position, http://www.hidcorp.com

Smart Card Alliance, Contactless Technology for Secure Physical Access, http://www.smartcardalliance.org