Security Standard for NFCIP-1
Download
Report
Transcript Security Standard for NFCIP-1
Ecma/TC47/2009/024-Rev1
Security Standards for NFCIP-1
TC47
NFC-SEC provides Security
Specification for NFCIP-1
NFCIP-1 is standardised in ECMA-340. It specifies the signalling interface and
protocols for Near Field Communication (NFC) which is a wireless
communication technology for closely coupled Consumer Electronic devices.
NFC-SEC defines a protocol stack that enables application independent and
state of the art encryption functions on the data link layer, on top of NFCIP-1.
NFC security standards will be deployed for all those NFCIP-1 connections
which require protection against eavesdropping and data manipulation and
which do not necessarily require application specific encryption mechanisms.
A typical example is the initial association ("pairing") of devices for longer
range wireless communications. Bluetooth or WiFi pairing protocols may use
NFC security standards to exchange security-sensitive connection contexts on
a protected NFCIP-1 connection before switching to their respective longer
range wireless technologies.
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
2
NFCIP-1 Protocol Arrangement
ISO/IEC 21481 ECMA-352 (NFCIP-2)
ISO/IEC
14443
ISO/IEC
18092
ECMA-340
(NFCIP-1)
ISO/IEC
15693
NFC-WI
ECMA-373
ISO/IEC 28361
Protocol Test
Methods
RF I/F Test
Methods
ECMA-362
ECMA-356
ISO/IEC 23917
ISO/IEC 22536
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
3
Motivation for NFC-SEC
Protection of Short Range Wireless Interface
• Use cases: wired equivalent privacy for Short range
communication for
e.g. WiFi easy setup, Bluetooth easy setup
• Function: protection against eavesdropping, skimming
and data modification
• Application independent security layer
• For protecting NFC peer-to-peer communications
• New feature for NFCIP-1
• Good balance between state-of-the-art security and
performance
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
4
NFC-SEC status is Published &
Available
Ecma GA published NFC-SEC standards in Dec 2008
Available for free download
http://www.ecma-international.org/publications/standards/Ecma-385.htm
http://www.ecma-international.org/publications/standards/Ecma-386.htm
Submitted for ISO/IEC JTC1 Fast Track
Public White Paper
http://www.ecma-international.org/activities/Communications/tc47-2008-089.pdf
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
5
… NFC-SEC protects peer-2-peer ad-hoc
secure connection
Pairing phase
NFC-SEC
headset
Normal use phase
Wireless
headset
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
6
NFC-SEC Modular Concept
More cryptography standards may
come
If extended, the actual list will be
maintained on Ecma pages
……
NFC-SEC-0x
ECMA-xxx
Flexibility and extensibility
ECMA-386
ECMA-386 NFC-SEC-01 contains
cryptographic mechanisms, specific
methods, algorithm key parameters
NFC-SEC-01
ECMA-385 NFC-SEC-SP is the common
framework and protocol specification
NFC-SEC-SP
ECMA-385
ISO/IEC
18092
ECMA-340 (NFCIP-1)
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
7
ECMA-385 Architecture
Follows OSI reference model specified in ISO/IEC 7498-1
NFC-SEC User
NFC-SEC User
NFC-SEC
User
NFC-SEC-SAP
NFC-SEC entity
NFC-SEC connection
NFC-SEC-SDU
NFC-SEC-PCI
NFC-SEC
protocol
Peer NFC-SEC entity
NFC-SEC
NFC-SEC-PDU
NFCIP-1 connection
NFCIP-1-SAP
NFCIP-1
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
8
NFC-SEC Services
2 Services
SSE
SSE
NFC-SEC User
SCH
SCH
NFC-SEC User
Std. Encrypted
Communication
NFC-SEC User
Prop.Encrypted
Communication
Proprietary
Encryption
Proprietary
Encryption
NFC-SEC User
– Secure Channel
encrypts data
The shaded areas indicate the scope of
NFC-SEC
– Shared Secret
provides a key for
proprietary
encryption
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
9
NFC-SEC Protocol
Security protocol:
Key
– Key establishment phase
(for SSE and SCH)
agreement
Key
c onfirmation
– Secure data exchange phase
Encryption and MAC
(for SCH only)
Service
SCH
SSE
PDU security
Encapsulated in DEP packets of
NFCIP-1
Termination
-
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
10
ECMA-386 NFC-SEC-01
Cryptography Standard
NFC-SEC-01 provides
• Message contents with concatenation rules for keys and other
fields
• Key primitives
• Random number requirements
• Conversion and transformation rules
• Cryptographic algorithms and methods
to enable secure communication between NFCIP-1 devices
that do not share any common secret data ("keys") before
they start communicating with each other.
Kind of first (and at the moment the only) profile of NFC-SEC
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
11
NFC-SEC-01 Basic Mechanisms
Elliptic Curve Diffie-Hellman (ECDH) Key exchange
• 192 bit
Key derivation and confirmation
• AES 128 bit
Data encryption
• AES 128 bit
Data integrity
• AES 128 bit
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
12
State of the Art and
Standardised Cryptography
NFC-SEC is based on established international standards,
most were developed by ISO/IEC JTC1 SC27
NFC-SEC-SP references
• Framework: ISO/IEC 11770-1
• Basic model: ISO/IEC 7498-1
• Security architecture: ISO 7498-2
• Conventions for the definition of OSI services: ISO/IEC 10731
NFC-SEC-01 references
• General specifications: ISO/IEC 15946-1
• Key management using asymmetric technique: ISO/IEC 11770-3
• Block ciphers: ISO/IEC 18033-3 and ISO/IEC 10116
• Public key cryptography: IEEE 1363 and FIPS 186-2
• Random number bit generation: ISO/IEC 18031
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
13
Other Requirements …
NFC-SEC is tailored and linked to NFCIP-1
Contents of error messages unspecified
The way, when and how the ECDH key pair (public and
private key) are refreshed is not in the scope and depends on
implementation of applications
NFC-SEC notifies the NFC-SEC User about message sequence
violations
NFC-SEC-01 is the first registered cryptography standard
• More may come
• Publicly available register will be maintained by Ecma
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
14
Relevance of NFCIP-1
Specified in Annex B of ECMA-385 until ECMA-340 becomes revised
Method by which NFCIP-1 devices indicate their support of
NFC-SEC
• Initiator: SECi field of ATR_REQ (byte 13 PPi)
• Target: SECt field of ATR_RES (byte 14 PPt)
Additional Protected PDUs
•
Coding “001” of PFB
Extension of PDU numbering rules for protected PDUs
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
15
Nothing is Perfect
NFC-SEC-01 is vulnerable for MAN-IN-THE-MIDDLE (MITM)
attacks
• No entity authentication possible because no pre-installed shared
secret
Practical risk of MITM
• To be evaluated for individual implementation
• Short operating distance and RF characteristics of NFC (“load
modulation”) help keeping risk low
• Reference:
Security in NFC (Strength and Weaknesses)
http://events.iaik.tugraz.at/RFIDSec06/Program/papers/002%20%20Security%20in%20NFC.pdf
Sequence integrity tailored for NFCIP-1
• Allows replay of last delivered message
• Notifies lost packages
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
16
Application example: Pairing
Device A includes Bluetooth or WiFi
and NFC: Laptop
Device B includes Bluetooth or WiFi and
NFC: Cell phone
USER finds NFC-Forum Target Mark
on both devices
• USER ACTION: touch phone with Laptop
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
17
Application example: Pairing
Identification and initialization via NFCIP-1 (ECMA-340)
A and B both enumerate internal capabilities and applications
A and B detect that they share Bluetooth or WiFi without being paired
and both have NFC capabilities, including NFC-SEC
Triggered by OS or user any of the devices, A or B may start an
Bluetooth or WiFi pairing process which should exchange an
connection context based on a secured NFC channel
•
USER Notification:
If you want to pair A with B please touch devices
and subsequently confirm with OK
•
USER ACTION: touch phone with Laptop again and push confirmation
button on phone and laptop
Pairing succeeded!
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
18
Rue du Rhône 114
CH-1204 Geneva
T: +41 22 849 6000
F: +41 22 849 6001
Rue du Rhône 114 - CH-1204 Geneva - T: +41 22 849 6000 - F: +41 22 849 6001 - www.ecma-international.org
www.ecma-international.org
19