Authentication Issues in Near Field Communication and RFID

Near Field Communication (NFC) is a short-range wireless technology based on the RFID standards ISO 18092, ISO 14443 and ISO 15693. This means it is compatible with the millions of contactless smartcards and RFID scanners that already exist worldwide. NFC is now available on phones, and this integration has resulted in a sharp rise in its utility. An NFC-enabled cell phone acts as an RFID reader to read compatible RFID tags (NFC tags), such as smart posters. The same cell phone can also be used as an NFC tag storing relevant data. In this case, the cell phone becomes a digital wallet storing bank cards (money), vouchers, loyalty cards, etc. in a secure place called the ‘Secure Element’. Abuse of NFC technology is also rising sharply because of the large number of users and inadequate security standards. This thesis looks at the security issues of NFC and RFID and provides mechanisms to improve their security features. The NFC Forum (an association for developing NFC standards) released the signature specification in 2010, describing rules for digitally signing an NFC tag’s contents. Part of the thesis covers the security issues of the signature specification. Later in the thesis, a new specification for authenticating an NFC tag is proposed, including a framework for its implementation in a supply chain in order to detect counterfeit products. The thesis also includes a framework for an NFC mobile wallet, in which the Secure Element in the cell phone is used only for customer authentication and the banking credentials are stored in a cloud. At the end of the thesis, a security analysis of an authentication protocol for low-cost RFID tags is described, with multiple attacks resulting in full disclosure of the secret keys.
