1 / 16

A Secure and Practical Key Management Mechanism for NFC Read-Write Mode

A Secure and Practical Key Management Mechanism for NFC Read-Write Mode. Hsu-Chen Cheng, *Wen-Wei Liao, Tian-Yow Chi, Siao-Yun Wei Department of Information and Management, Chinese Culture University, Taipei, Taiwan

selene
Télécharger la présentation

A Secure and Practical Key Management Mechanism for NFC Read-Write Mode

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Secure and Practical Key Management Mechanismfor NFC Read-Write Mode Hsu-Chen Cheng, *Wen-Wei Liao, Tian-Yow Chi, Siao-Yun Wei Department of Information and Management, Chinese Culture University, Taipei, Taiwan * Department of Information and Management, Chinese Culture University & Graduate Institute of Information and Computer Education, National Taiwan Normal University, Taipei, Taiwan 2011

  2. Outline • Introduction • NFC technological architecture • Security Analysis • NFC key management mechanism(NKMM) • Conclusion

  3. Introduction • Near Field Communication (NFC) is a short-rangecommunication technology. • The most common service of NFC is namely micropayments service. • NFC technology processes three modes: Card emulation(ex.store value card), read/write (ex.cell phone as POS device), and peer to peer. • To investigate the security issue of key management as NFC devices read and write external cards,analyze the possible risks in various solutions and propose a NFC key management mechanism(NKMM).

  4. NFC technological architecture • Most mobile devices have the setting of Java Virtual Machine; we can install and execute MIDlet of Java ME. • MIDlet can communicate with service providing servers by OTA (Over the Air) via wireless communication of cell phones. • The differences between NFC and non-NFC devices: NFC chipsetsand secure element(SE). • The SE is a smart card chipset.

  5. NFC Mobile Device Architecture Wireless JSR257 JSR177 protocol (Store content of chip cards) (Store applet app.)

  6. Mifare Smart Card IC S50 Architecture(read-write)

  7. SecurityAnalysis NFC security threat

  8. T-A. DOS attack、 communication failure T-B. Cause secret data leakage ﹝Threats analysis﹞ T-C. MIDlet be replaced illegally and phishing menu will deceive users to transact T-D. When :cell phone lost security strength of MIDlet not strong enough T-E. (1)MIDlet be cloned (2)MIDlet be reused illegally T-F. IDs might be modified via illegal behavious T-G. Storage data might be (1)delete or corruption (2)be modified into fake transaction information

  9. . Secure tool,identity and storage

  10. ordinary key management mechanism • Analyzing the possible risks of the methods below. • 1) Store keys inMIDletdirectly. • 2) Store the key in SE, and then obtain the key from secure elements via MIDlet at run time. • 3) Store the key in the server side, and then obtain the key from the server side by MIDlet at run time. • 4) Store the key in theserverand then store the authorized access token in SE. MIDlet can obtain the token from SE and then obtain the key from the server at run time.

  11. NFC key management mechanism(NKMM) • Personalizing time and runtime time. Server NFC handset RSA pair key (SnPubKey,SnPriKey) 3. server MIDlet 4. SnPubKey 1. applet Security Element Key Store 5. 2. SnPriKey SE chipset identity ID(SEID) 5. SEID clean room Personalizing time

  12. NKMM runtime • Enter password、initial applet • Applet generate achallenge session ID(CID) and PKI pair key(CPubKey,CPriKey). • Applet send R1 and SEID to MIDlet. • Send R1 and SEID to server. MK R2 5.Check whether SEID legal issued applet. if YES→find out matching SnPriKey according to SEID for decription and computing DEC SnPriKey(R1) to obtain CID and CPubKey computing result ENCCPubKey(CID,MK) from MK encryption will be marked as R2. 7.Send server response’s information R2 into SE applet. 8.SE applet decrypts and computes DEC CPriKey(R2) to obtain CID & MK,and send MK back if CID matches. 9. MIDlet applies MK on external Mifare authentication. 10. MIDlet obtains Mifare access authorization and removes MK at the end.

  13. Sequence Diagram

  14. Implementation • Performed a half-year trail run of NKMM system on the delivery service to one university. • Implemented Nokia 6212 as the mobile contactless POS to conduct debit transaction on the campus cards. • After the user enables the token of MIDlet, the key obtaining would be finished in about 2 seconds. • No users complained about the 2 second initial process. It proves the efficacy of our implementing system.

  15. Conclusion • As to hardware, if the Applet can send the key directly into the NFC controller without through MIDlet to authenticate the external tag, the risk of sniffing the runtime memory can be reduce. • As to software, the http request from MIDlet to the server cannot be identified by the server and checked whether the request is sent by MIDlet, it cause the inability of interlocking between the server side and the MIDlet side. In the standard of J2ME, there will be a bottom layer mechanism to take the MIDlet identity out from the http head and enhance the security.

  16. THE END

More Related