DOT Android NFC library

Introduction

DOT Android NFC as a part of DOT Android libraries family provides the NFC Travel Document Reader component. Supported documents are those which implement Machine Readable Travel Document (MRTD) standards as specified by International Civil Aviation Organization (ICAO).

Components overview

DOT Android NFC provides a non-UI component for Travel Document reading. You may build your own UI using the DOT Android NFC functionality.

List of Non-UI Components

NFC TRAVEL DOCUMENT READER

The component for reading NFC enabled travel documents.

Distribution

The library is distributed as an *.aar package stored in Innovatrics public Maven repository. It can be easily integrated into Android Studio project. The first step is to include Innovatrics Maven public repository and Google repository to your top level build.gradle file.

build.gradle
allprojects {
    repositories {
        jcenter()
        google()
        maven {
            url 'http://maven.innovatrics.com/releases'
        }
    }
}

You must specify the dependency on the DOT Android NFC library in module build.gradle file. Dependencies of this library are downloaded alongside the library. The version x.y.z must be replaced with the current version.

build.gradle
dependencies {
    …
    implementation 'com.innovatrics.android:dot-nfc:x.y.z'
    …
}

Sample Project

The usage and configuration are demonstrated in DOT Android Kit Sample project. To run the Sample, import it into Android Studio.

Permissions

DOT Android NFC declares the following permission in AndroidManifest.xml:

AndroidManifest.xml
<uses-permission android:name="android.permission.NFC" />

Logging

Although logging is disabled by default, it can be enabled explicitly by using the following method from com.innovatrics.android.commons.Logger class.

Logger.setLoggingEnabled(true);

Appropriate place for this call is within the onCreate() method of your subclass of android.app.Application. Each TAG of a log message starts with the prefix dot-nfc:.

This setting enables logging for all DOT Android libraries.
Keep in mind that logging should be used just for debug purposes as it might produce a lot of log messages.

Reading Process

Travel document reading process consists of three steps: Access Establishment, Passive Authentication, Active Authentication.

Access Establishment

There are two Access Establishment protocols Basic Access Control - BAC and Password Authenticated Connection Establishment - PACE. DOT Android NFC supports both BAC and PACE. To establish access, first PACE is used, if PACE fails BAC is used.

BAC

In order to access document using BAC, MRZ Key is required. This MRZ Key is created from the document number, date of birth and date of expiry.

PACE

PACE is the newer and more secure version of Access Establishment protocols. It uses MRZ Key (weak password with low entropy) and generates cryptographically strong session keys.

Passive Authentication

The purpose of Passive Authentication is to validate the integrity of data stored on NFC chip. In other words, it verifies that data stored on NFC chip has not been altered. Passive Authentication has the following steps:

  • extract and validate Document Signing Certificate with CSCA Certificates from master list

  • verify that Security Data (EF.SOD) has been correctly signed by Document Signing Certificate

  • verify that hashes stored in EF.SOD are valid, i.e. hashes stored in EF.SOD are equal to hashes computed from data groups present on the document

Active Authentication

The purpose of Active Authentication is to verify that document is genuine, i.e. it is not a copy. Active Authentication has the following steps:

  • generate random challenge

  • request a signature for this challenge from the NFC chip

  • verify the signature using the public key stored in Data Group 15 (DG15)

The public key stored in DG15 can be RSA or ECDSA. DOT Android NFC supports both RSA and ECDSA.

Non-UI Components

NFC Travel Document Reader

In order to read NFC enabled travel document use the NfcTravelDocumentReader class.

You can adjust travelDocument reading timeout in constructor:

public NfcTravelDocumentReader(int timeout)

In order to successfully execute Passive authentication, you need to provide Country Signing Certificate Authority certificate to NfcTravelDocumentReader constructor:

public NfcTravelDocumentReader(Collection<X509Certificate> cscaCertificates)

To start reading the travelDocument call read() function, it has two parameters: Tag, NfcKey. Tag represents NFC Tag discovered by NfcAdapter. If travelDocument reading was successful, read() function returns TravelDocument object.

public TravelDocument read(Tag tag, NfcKey nfcKey) throws NfcTravelDocumentReaderException, TravelDocumentAccessFailedException, MissingDataGroupException;

Common classes

NfcKey

NfcKey is created from the travel document number, date of birth and date of expiry.

public NfcKey(String documentNumber, String dateOfExpiry, String dateOfBirth)

TravelDocument

This object contains data read successfully from the NFC enabled travel document and it contains the resulting status for Passive authentication and Active authentication.

Appendix

Changelog

Unreleased

Changed
  • Update target Android SDK version to 30 (Android 11).

  • Update documentation.

1.0.0 - 2020-05-27

Added
  • First major release.