NFC Forum specifications include several security-related features:
The Signature Record Type Definition (RTD) 2.0 technical specification enables the digital signing of NDEF messages stored on NFC tags. In Peer-to-Peer mode this specification allows the signing of transmitted messages between two NFC devices. This enables the receiving device to verify the integrity (and optionally, the author) of the message to bear digital signatures. By adding a signature to NFC tags, developers can build a tag authenticity checking process into their applications. Signatures can be used to protect any NDEF message in the NFC ecosystem and are not limited to tags.
In Peer-to-Peer mode, the Logical Link Control Protocol (LLCP) 1.3 technical specification uses industry-standard advanced cryptography for encryption and message authentication, to ensure the confidentiality of messages exchanged between peer devices. It includes a secure channel that is negotiated uniquely for each new peer-to-peer session to prevent passive eavesdropping without the need for the NFC applications to manage the necessary keys for the secure channel.
The NCI 2.0 Technical Specification offers a flexible concept to integrate different types of secure elements into a NFC device. In principle, a secure element can be either directly connected to the NFC Controller allowing secure and prompt-performing NFC applications, or it can be connected to the main processor of the device (Device Host) providing security services to NFC applications (e.g., Host Card Emulation applications).
NCI even supports secure elements directly connected to both the NFC Controller and the main processor to address the needs of different types of NFC applications (this solution is used, for example, by NFC SIM cards).
NCI supports different interfaces on the secure element. In addition to the SWP/HCI connection used by NFC SIM cards and many other secure elements, secure elements with other connections are supported (e.g., the ISO/IEC 7816 APDU Smartcard interface).
The powerful routing mechanism of NCI 2.0 allows it to forward received RF commands to the right entity hosting the NFC applications. This mechanism permits secure NFC applications hosted on different secure elements to coexist with HCE applications inside the same NFC device. This mechanism supports NFC applications installed on secure elements that announce their configurations and capabilities according to the GlobalPlatform Amendment C Specification.