Nfc Privacy

8/11/2019 Nfc Privacy

1/8

H. Eun et al: Conditional Privacy Preserving Security Protocol for NFC Applications 153

Contributed PaperManuscript received 01/01/13Current version published 03/25/13

Electronic version published 03/25/13. 0098 3063/13/$20.00 2013 IEEE

Conditional Privacy Preserving Security Protocol

for NFC ApplicationsHasoo Eun,Member, IEEE, Hoonjung Lee,Member, IEEE, and Heekuck Oh,Member, IEEE

Abstract In recent years, various mobile terminalsequipped with NFC (Near Field Communication) have been

released. The combination of NFC with smart devices has led

to widening the utilization range of NFC. It is expected toreplace credit cards in electronic payment, especially. In this

regard, security issues need to be addressed to vitalize NFC

electronic payment. The NFC security standards currentlybeing applied require the use of user's public key at a fixed

value in the process of key agreement. The relevance of the

message occurs in the fixed elements such as the public key of

NFC. An attacker can create a profile based on user's public

key by collecting the associated messages. Through the

created profile, users can be exposed and their privacy can becompromised. In this paper, we propose conditional privacy

protection methods based on pseudonyms to solve these

problems. In addition, PDU (Protocol Data Unit) forconditional privacy is defined. Users can inform the other

party that they will communicate according to the protocol

proposed in this paper by sending the conditional privacypreserved PDU through NFC terminals. The proposed method

succeeds in minimizing the update cost and computation

overhead by taking advantage of the physical characteristics

of NFC1.

Index Terms NFC security, Pseudonym,

Unlinkability, Conditional privacy protection.

I.

INTRODUCTION

NFC (Near field Communication) is a short-range wireless

communication technology whose technology distance is

around 4 inches, and it operates in the 13.56MHz frequency

band at a speed of 106Kbps to 424Kbps. The combination of

NFC with smart devices resulted in widening the range of

NFC, which includes data exchange, service discovery,

connection, e-payment, and ticketing. It is expected to replace

credit cards in electronic payment, especially. According to

Gartner, a market research company, the number of NFC-

1

This research was supported in part by the Ministry of KnowledgeEconomy, Korea, under the Information Technology Research Center support

program (NIPA-2012-H0301-12-4004) supervised by the National IT IndustryPromotion Agency

This work was also supported in part by the National Research Foundationof Korea grant funded by the Ministry of Education, Science and Technology(No. 2012-R1A2A2A01046986)

Hasoo Eun is with the Dept. of Computer Science & Engineering,Hanyang University, South Korea (e-mail: [email protected]).

Hoonjung Lee is with the Dept. of Computer Science & Engineering,Hanyang University, South Korea (e-mail: [email protected]).

Heekuck Oh is with the Dept. of Computer Science & Engineering,Hanyang University, South Korea (e-mail: [email protected]).

based payment services is expected to increase by 11.3 times

from $316 million in 2010 to $3.572 billion in 2015 [1], and

Juniper research predicted that the global NFC payment

market size would be increased to $180 billion in 2017 [2].

To use NFC in electronic payment, security is a prerequisite

to be addressed. Presently, NFC security standards define data

exchange format, tag types, and security protocols, centering

on NFC forum. It is expressly stipulated in the NFC security

standards that key agreement is required for secret

communications between users [3]-[5]. In the process of key

agreement, both users should exchange their public keys. The

public key is received from CA (Certificate Authority), and it

uses a fixed value until reissued.Malicious internal attackers can create profiles of users

through the acquisition of public keys of other users in the

process of key agreement. If NFC is used in e-payment in this

way, the privacy of users can be infringed through profiles

created by attackers. Suppose Alice purchases items such as

cloths, food, and medicine several times at a supermarket, the

supermarket can get information about her tastes, preferences,

and health conditions. The collected information can help her

to purchase products more efficiently, but it may contain

information that nobody wants to announce to others such as

his or her health conditions.

In this paper, we propose privacy protection methods based

on pseudonyms to protect privacy of users. The proposed

methods provide conditional privacy in which the identity of

users can be verified by the TTP (Trusted Third Party) to

resolve disputes when necessary. In addition, the PDU

(Protocol Data Unit) for the conditional privacy is proposed in

this paper. The data used to help a future purchase uses

protected PDU of NFC-SEC, and data not wanted to be

recorded uses conditional privacy PDU selectively, which

makes it possible to remove the connectivity with the existing

messages. This paper is the extended version of [6]. It covers

background, security requirements, and differences between

pseudonym-based method and the proposed method.

According to survey conducted so far, this paper has itssignificance in the sense it is the first research on the

conditional privacy protection of users in NFC.

In this paper, section 2 describes standards and privacy

protection methods related to NFC, and the NFC environments

that are currently applied are introduced in section 3. In

section 4, an analysis on the security threats that can occur in

the current NFC environment is conducted, and the security

requirements necessary for NFC are deduced. In section 5, the

conditional privacy methods for NFC are proposed, and a


2/8

154 IEEE Transactions on Consumer Electronics, Vol. 59, No. 1, February 2013

comparative analysis with existing method is carried out in

section 6. Finally, section 7 concludes the paper.

II. BACKGROUND

In this section, the current NFC standards are introduced,

and the pseudonyms are also introduced as conditional privacy

protection methods. In the current NFC standards, a variety of

standards ranging from the basic interface protocols to testingand security methods are defined. This section also introduces

NFCIP-1, the basic interface and NFC-SEC, the security

method.

A. NFCIP-1: Near Field Communication Interface andProtocol

In NFC, the object of communication is divided into an

initiator and a target. An initiator generates RF field (Radio

Frequency field) and starts NFCIP-1. A target that receives

signals from initiator responds to the initiator through the RF

field. When target communicates using RF field of initiator, it

is called passive communication mode, and using self-

generated RF field is referred to as active communicationmode. Communication mode is determined according to

applications when transaction starts. Once the transaction is

started, the communication mode cannot be changed until the

target becomes disabled or removed.

The major mechanism provided by NFCIP-1 is SDD

(Single Device Detection) and RFCA (Radio Field Collision

Avoidance) [7]. The SDD is an algorithm for initiator to find

a specific target among multiple targets in the RF field. In

existing RFID system, collision problem may occur. The

collision is referred to as a state in which more than two

initiators or targets transmit data at the same time, and it is

impossible to distinguish which data is real. The collision

problem is solved by NFC standard using algorithm namedRFCA [8]. RFCA is an algorithm that detects other RF fields

and prevents collision using carrier frequency. RFCA begins

by confirming the presence of other RF fields. If other RF

fields exist, the NFC does not generate its own RF field.

Thanks to the SDD that finds specific target within the range

and RFCA that does not permit 2 RF fields, the NFC can be

safe from MITM (Man-In-The-Middle) attacks [9]. The

detailed information about this is discussed in section IV-A.

B. NFC-SEC: NFCIP-1 Security Services and Protocol

NFC-SEC defines SSE (Shared SEcret service) and SCH

(Secure CHannel service) for NFCIP-1 [4]. SSE generates a

secret key for secure communication between NFC devicesand in this process, key agreement and key confirmation is

performed. SCH service provides the communication between

NFC devices with confidentiality and integrity using a key

generated through SSE service.

Also NFC-SEC defines the procedures of key agreement

using ECSDVP-DH (Elliptic Curve Secret Value Derivation

Primitive, Diffie-Hellman version) for SCH between NFC

terminals in SSE [5], [10]. To achieve the above, NFC

terminal must have public key and private key based on

Elliptic curve. SCH makes three keys hierarchically by using

the key generated through SSE and provides confidentiality

and integrity to the messages using generated keys. The three

keys created in SCH are used to provide the confidentiality

and integrity of the message. The key agreement and

confirmation protocols are implemented as shown in Figure 1,

and the notation follows Table I.

TABLE I

NOTATION

Notation Description|| Concatenation symbol

NX Nonce of userXIDX Random ID of userXfor the activation of transport protocols

QX, QX, QX Compressed elliptic curve public key of userXQX, QX, QX Elliptic curve public key of userX

dX Elliptic curve private key of userXG Elliptic curve base point

KDF Key derivation functionMacTagX Key verification tag received fromX

MK Shared secret keyz Unsigned integerrX Random integer generated by userX

PN Pseudonym setEnc(k, m) Encrypt mwith k

Sig(k, m) Signature on mwith kIDX follows NFCID format. NFCID is generated dynamically and used in

SDD and RFCA.

Figure 1. Key agreement and confirmation protocol in NFC-SEC

User A generates a random number NA before

communication. When communication starts, user A sends

compressed public key QAto userB. UserBwho receives the

message creates a random number NB and sends it to user A

along with the compressed public key QB. The two users get

point P through multiplying the other party's public key by

their private key. The x coordinate of the point P becomes

secrete value z of two users. The two users who generate z

obtain the secret key MKby using their ID, random numbers,


3/8


and secrete valuez. To verify that sameMKis generated; they

send MacTag reciprocally. Each user can generate their

MacTagusingMK, IDs, and public keys.

TheIDXused in NFC-SEC follows NFCID format. NFCID

is dynamically generated in accordance with the application

and used for SDD and RFCA. Accordingly, NFC can identify

each other through the NFCID but they cannot figure out the

definite identity. Since the NFCID is updated each time, the

connectivity between messages is not provided. However, the

public key QXused withIDXis a fixed value. Accordingly, if

an attacker collects communication history based on the public

key, an invasion of user's privacy breaks out due to the

occurrence of the connectivity between messages.

C. Pseudonyms

Pseudonym represents ID that changes randomly, and it has

widely been studied in VANET (Vehicle Adhoc NETwork) to

remove the linkage between messages [11]-[16]. The general

pseudonym-based privacy protection method uses pseudonym

set received from TTP [11]-[14]. The pseudonyms are

composed of public key, private key, and a certificate. Users

can be assured of their anonymity through pseudonym and

authenticated as normal users through a certificate. The TTP

stores pseudonyms and actual ID of users to reveal the

anonymity in case of a problem. However, the method using

the pseudonym requires additional costs for storage and

communication [17]. Users should maintain data in devices for

pseudonyms. In addition, when the pseudonym set owned by

users is all used, additional communication needs to be done

for reissuance. To improve this, recent studies have been

conducted to generate pseudonyms without the help of TTP

[15], [16].

III.

NFCENVIRONMENTIn this section, NFC environment and features currently

being applied are introduced. In particular, the suitability of

applying pseudonym to NFC is demonstrated through

comparison between NFC environment and VANET

environment in which pseudonym has widely been studied.

A. TSM: Trusted Service Manager

TSM (Trusted Service Manager) is an institution that

transfers mobile financial data of customers to financial

institutions safely. The GSMA (Global System for Mobile

Communications Association) proposed TSM to facilitate the

provision of NFC services in 2007 [18], [19]. TSM serves as

CA (Certification Authority) and RA (Registration Authority)

at the market of certification services. In this paper, the TSM

is considered as TTP for mobile payment services, and the

public key used in NFC devices is assumed to be issued from

TSM.

B. SE: Secure Element

SE is a security area that can safely store important data such

as financial information, authentication information, and service

applications as a secure smart chip. In SE, the range of functions

varies depending on the type of implementation, but the storage

features and secure domain is certainly included. The secure

domain is a unique area separated to safety store important

information such as service applications and access key, etc.

Since each secure domain exists independently, it cannot have

access to the secure domain in which other services are

installed. Users can be provided with payment services from

various financial companies through a NFC device.

C.

NFC FeaturesNFC provides TRH (Tamper Resistamt Hardware) called

SE, along with TSM, the trusted third party, which is similar

to the VANET environment. However, NFC is somehow

different from VANET in communication environment. In the

NFC, attacker's actions are further limited compared to

VANET. Accordingly, the pseudonyms used in VANET are

improved to meet the NFC features and the protection of user's

privacy can be achieved at low cost. The NFC features noted

in this paper are as follows.

One-to-One communication: In VANET, all vehicles within

the range of RSU (Road-Side Unit) perform communication

with one RSU. However, in case all vehicles are anonymized,RSU cannot communicate with specific vehicles. Accordingly,

if a certificate is not provided, an attacker can make an attack

more easily by mingling. On the other hand, since only one-

to-one communication is possible in case of NFC, it is easy to

identify with whom you communicate.

Near field Communication: VANET features

communication between vehicles and RSU, and it is

implemented during driving, which makes it difficult for users

to check the contents of the communication. On the other

hand, NFC is a near field communication, and communication

is conducted with the target in front of our eyes. Two users

can identify whether the communication is properlyprogressed through each other's device.

Sporadic Communication: VANET performs

communication consistently until users arrive at their

destination, while updating pseudonym periodically. On the

other hand, since NFC performs sporadic communication for

payment, it is advantageous to use one-time ID such as

pseudonym. In addition, it is not necessary to store a large

amount of pseudonyms in advance due to plenty of time

before next-payment.

IV. SECURITY THREATS IN THE NFC

NFC is a short-range wireless communication technology.Due to its distance limitations, the short-range wireless

communication technology seems to be safer than wired

communication technology, which really is not. In case

communication is performed through RF field, along with

NFC, data can be obtained even when users stay near the

transmitter. In this section, the security requirements met by

methods that analyze security threats of NFC are deduced.

A. MITM attack: Man-In-The-Middle attack

MITM attack means an attacker's obtaining data between

two users by spoofing. Suppose that Alice and Bob try to


4/8


exchange their keys, and Carol is an attacker. Carol obtains

key KACby performing key agreement after disguising her as

Bob, and key KBC after disguising her as Alice. When user

Alice sends data encrypted withKACto Carol disguised as Bob,

Carol can obtain data m. Carol transfer mencrypted with KBC

to Bob. Attacker can modify data of the two users through

MITM attack.

However, it is known that the MITM attack is generally

impossible in NFC [9] due to physical characteristics that

protocols performs in close proximity as well as SDD and

RFCA described in section II-A. To identify the impossibility

of MITM attacks in NFC, let us suppose an environment in

which NFC-SEC is not applied (attackers can perform

eavesdropping).

In case Alice is in active communication mode, and Bob is

in passive communication mode: Alice generates RF field and

transfers data to Bob. Carol, an attacker, can prevent Bob from

receiving data, while watching the data of Alice. In this case,

Alice can detect an attack and stop key agreement. Though

Alice cannot detect the attack, Carol needs to generate her

own RF field to transfer data to Bob. However, since Aliceand Bob are in communication with active-passive mode,

Alice does not reap the RF field until NFC of Bob becomes

disabled or removed. Since two RF fields cannot exist

simultaneously according to RFCA, it is impossible for Carol

to transfer data to Bob. Accordingly, a MITM attack is

impossible.

In case both Alice and Bob are in active communication

modes: If Alice's data is blocked, Alice can detect attacks as in

case of active-passive mode. If not, Alice comes to reap her

own RF field to receive data from Bob, when Carol can

generate her own RF field successfully and transfer data to

Bob. However, Alice waiting for Bob's data can detect attacksafter receiving Carol's data. Alice discontinues protocols after

detecting attacks, and Carol's MITM attack fails.

B. Eavesdropping and Data modulation

Eavesdropping on wireless communication is a major threat,

which is true in the NFC. It is generally considered that

eavesdropping is difficult in the NFC since the recognition

distance of NFC is within 4 inches. However, there are many

factors that can affect recognition distance in the NFC unlike

RFID with mere relationship of a tag and a reader. In

particular, eavesdropping is possible up to 10m in active

communication mode and up to 1m in passive communication

mode depending on the performance of attacker's receiver,antenna, and RF signal decoder. An attacker can modulate

data arbitrarily using a jammer in the same situation as in

eavesdropping. The modulated data can be arbitrary data or

regular data depending on the purpose of attackers.

Fortunately, the data that is being transmitted can be easily

protected from eavesdropping by using secure channel. In

NFC-SEC, key agreement is performed through SSE and SCH

is generated by using the key obtained from results. The user's

data is encrypted when it is transmitted through secure channel,

when an attacker only obtains the encrypted data, and he fails

to get meaningful data. The SCH service of NFC-SEC

performs an integrity check by calculating MacTag through

hierarchy keys. Therefore, a user can be aware of data

modulation. The user can respond to data modulation attacks

by asking for retransmission or discontinuing protocols.

C. Privacy

In order to preserve privacy, one would like to do things

when nobody else could see or disturb him or her. In case ofNFC which can be used in overall life, an attacker can infringe

the privacy of users easily by tracking usage history. Suppose

that Alice purchases items such as cloths, food, and medicine

several times at a supermarket. The supermarket can get

information about her tastes, preferences, and health

conditions. The collected information may help her to

efficiently purchase products; however, it may contain

information which she does not want others to know such as

her health conditions.

However, it is impossible to authenticate users in case all

information is hidden to protect the privacy of users, which

leads to vulnerability to spoofing attacks such as MITM. In

case complete anonymity is provided, even honest users may

distinguish to be someone else, and it is impossible to predict

their actions behind the anonymity. Therefore, it is required to

formulate conditional privacy protection methods that can

protect the privacy of users and reveal the real identity of users

by trusted third party when problems occur.

D. Security Requirement

In response to the security threats covered in this section,

NFC security protocols should satisfy the following

properties. In general, the key agreement protocol should be

robust to the MITM attack. However, as mentioned in section

IV-A, the NFC is robust to the MITM attack itself; it is not

included in the security requirements in this paper.

Data Confidentiality: It is required to protect data from

unauthorized users.

Data Integrity: The transmitted data should be identical to

the source data.

Unobservability: The data of specific users should not be

distinguished from multiple data.

Unlinkability: When two data generated by the same user is

presented, the connectivity between the two data should not be

identified.

Tracability: It is required to enable to find out whogenerated the data if a problem occurs.

For example Alice purchased items at a supermarket. Here,

the confidentiality means that if Alice's purchase information

is assumed asPA, the contents ofPAshould not be revealed to

an unauthorized user. Integrity means it is guaranteed that data

is not modulated in the process of transferring Alice's

purchase information PA. Unobservability means that Alice's

purchase information PA should not be distinguished from

purchase information collected at the market. Unlinkability


5/8


means that should not be identified as Alice's purchase

information through Alice's last purchase information PA1.

Lastly, TSM should be able to be identified as Alice's

purchase information by withdrawal of anonymity when

problem occurs.

V. PROPOSED METHOD

The conditional privacy method has widely been studied inthe light of pseudonyms when the privacy protection is

required. In this paper, conditional privacy protection methods

tailored to the NFC environment are proposed. Since the

proposed method can reuse NFCIP-1 and NFC-SEC, the NFC

standards in most cases, more efficient production is possible

in the implementation and chip design sector. Let us suppose

that a user stores the long-term public key issued by TSM in

the SE.

A. MuPM: Multiple pseudonym based method

If user Arequests TSM for pseudonyms, TSM generates

pseudonyms and transmit it to user A. Then, the TSM stores

the transmitted pseudonyms and ID of user A. A pseudonym

composed of public key, private key (that is encrypted with

long-term public key of userA), ID of the TSM, and signature

of the TSM. Pseudonym is generated as follows:

( , ( , ) )i i iTSM TSM A A A TSM

S Sig d Q Enc Q d id

( ( , ) )i i i iA A A A TSM TSMPN Q Enc Q d id S

Here, represents userA's private key of order i,

is the

public key of order iand represents TSM's signature on

the message of order i. When pseudonyms are requested, TSM

generates nnumber of random values and then generates n

number of public keys through multiplying them by base point

G respectively. Then, TSM creates pseudonym set based on

the generated data and delivers it to userA, who conducts SSE

protocols by selecting one of pseudonyms to be delivered. The

used pseudonym is managed through revocation list. This

method has its advantage of simple protocol and easy

authentication of the users. However, it has disadvantages for

instance; it requires a storage space to maintain the

pseudonyms, overhead of managing revocation list, and

communication costs for issuance of pseudonyms.

B. uPM: Self-updateable pseudonym based method

If we consider the NFC features in the protocol design

process, the protocol can be configured so that it can update

pseudonym without the need to communicate with TSM. The

communication with the TSM can be used only to keep track

of the message constructor. The proposed protocol is shown in

Figure 2, and the notation follows Table I in section II-B.

QA||NA of Figure 1 is changed as in (1) so that TSM can

identify the identity.

AQA QA N (1)

Sender A Recipient B

GenerateNAGenerate rACompute Q'A=rAQACompute Q''A=rAdAQS+QA

P=rAdAQ'BComputez fromP

ComputeMK

=KDF(NA,NB,IDA,IDB, z)

ComputeMacTagA=f(MK,IDA,IDB, QA'', QB'')

CheckMacTagBFor SSE,

Set SharedSecret=MK

QA'|| QA''||NA

GenerateNBGenerate rBCompute Q'B=rBQBCompute Q''B=rBdBQS+QB

QB'||QB''||NB

P=rBdBQ'AComputezfromP

ComputeMK

=KDF(NA,NB,IDA,IDB, z)

MacTagA

CheckMacTagAComputeMacTagB=f(MK,IDB,IDA, QB'', QA'')

MacTagB

For SSE,

Set SharedSecret=MK

Figure 2. Proposed key agreement and confirmation protocol using self-

updatable pseudonym based method

User Bcan obtain Q'Aand QAby decompressing QA'and

QA. Q'Aand QAare the points on the elliptic curve, and theyare developed as in (2) and (3).

A A A A AQ r Q r d G (2)

A A A S A A A S AQ r d Q Q r d d G d G (3)

According to ECDLP (Elliptic Curve Discrete Logarithm

Problem), user B cannot find that Q'A is QA which is the

message made by same person, even if user B knows QA.

Likewise, in QA, user B cannot find rAdAQS because user B

does not know rAdA. Thus, userBcannot remove rAdAQSfrom

QA, and cannot recognize that the message was constructing

by user A. In contrast, the TSM can recognize who made ofthis message by (4).

( ( )) ( ( ))A S A A A S A S A A AQ d Q r d d G Q d r d G Q (4)

Two users can obtain the common values by using the

exchanged messages of Q'Aand Q'B. To obtain the same value,

multiply private key and the random value to Q'Aand Q'B. The

random value is the same number used when making QAand

QB. Equation (5) expresses the process in which the two users

get the same value.


6/8


( )

( )

A A B A A B B A A B B

B B A A B B A

P r d Q r d r d G r d r d G

r d r d G r d Q

(5)

Two users can get a shared secret value z by taking x

coordinate value at pointP. When compared with the existing

protocols based on the above process, Q'Aand Q'Bcan replace

QA and QB, the existing public keys. In other words, the

anonymity of users can be guaranteed by replacing the publickey alone, while retaining the existing protocols.

This method cannot be used to specify the owner of the

public key, but it can identify whether the public key is

regularly generated or not [4]. Therefore, it can be identified

that the message is generated by using the public key received

from TSM. In case the user's public key doesn't pass the

verification, the NFC communication is discontinued. When the

protocol is discontinued in the process of one-to-one short range

communication, users suspect the involvement of attackers, and

they can discontinue or restart the communication.

C. Conditional privacy PDU

The methods proposed in this paper allow users to hide theirinformation. However, in case information is hidden in all

situations, there arises a problem where the personalized

service is not provided. Therefore, additional instruction is

needed so that the methods proposed in this paper can be used

selectively. For this, purpose this paper defines Conditional

privacy PDU, which performs the role of instruction in the

NFC protocol.

Table II

CODING OF THE CONDITIONAL PRIVACY PDU

Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0

RFU ONE ONE MI NAD DID PNI PNI

- Bit 7: Reserved for future use. The initiator will set it to Zero.

-

Bit 6 to Bit 5: Will be set ONE.

-

Bit 4: If bit is set to ONE then it indicates multiple information

chaining activated.

- Bit 3: If bit is set to ONE then it indicates node address is available.

- Bit 2: If bit is set to ONE then it indicates Device ID is available.

-

Bit 1 and Bit 0: Packet number information.

Coding of the PFB (Control information for transaction) bit 7 to 5

Bit 7 Bit 6 Bit5 PFB

0 0 0 Information PDU

0 0 1 Protected PDU

0 1 0 Acknowledge PDU

0 1 1 Conditional privacy PDU

1 0 0 Supervisory PDU

Other setting are reserved for future use

In this paper, the conditional privacy PDU is defined as

shown in Table II. Users can request services through

protected PDU if they want to receive the personalized

service, while protecting their data from third-party attackers

and through conditional privacy PDU if they want to be

guaranteed to receive the conditional privacy additionally. For

instance, if users want to receive the personalized services

such as product recommendations, they need to use the

protected PDU. When the users want to hide purchase

information they need to use the conditional privacy PDU.

VI. ANALYSIS

MuPMneeds additional storage to maintain the pseudonym

set and communication cost for issuance of pseudonym. SuPM

does not need any communication cost for the issuance of

pseudonyms, but it needs additional computation time and

transfer time. In this section, the proposed methods are

analyzed in terms of additional cost for maintaining and using

the pseudonyms.

A. Additional storage to maintain the pseudonyms

A pseudonym is composed of public key, private key

(encrypted with long-term key of user), ID of TSM, and

signature on the message. TSM should generate a number of

pseudonyms and send to user. The size of the fields generally

used in NFC protocol is shown in Table III [6].

Table III

SIZE OF THE FIELDS

Field Size

IDTSM 16bits

NX, rX 96bitsMacTagX 96bits

MK 128bits

dX,z 192bits

QX, QX', QX 200bits

Enc(QA, dA) 352bits

QX 384bits

STSM 448bits

Encrypted message size is based on ECIES, and signature size is based on

EDCSA

The size of single pseudonym is computed as follows:

Size ofPN= Public key + Encrypted Private Key+ ID of TSM + Signature = 1200 bits

Suppose the number of pseudonyms is 1000, the memory

needed to store these much pseudonyms is 146.484Kbytes.

However it is not a big deal, when considering the recent

trends of combining mobile device and NFC. But updated

environment is limited because of the billing charges of

mobile device.

B. Additional computation time

Table IV shows the computation time of affine coordinates

of GF(q) like elliptic curve P-192 used in NFC-SEC [4]. Themultiplication, square and inverse notation are represented as

M, S, and I respectively, the time taken to add two points is

(p3=p1+p2) and computation time required for doubling is

(p2=2p1).

Table IV

COMPUTATIONTIMEOF

AFFINECOORDINATESOFWITH

Operation Format Computation time

Doubling t(2p1) 2M+2S+I

Addition t(p1+p2) 2M+S+I


7/8


To create Q'X, QXshould be added rX times. And to create

QX, the point QSshould be added rXdX+1 times. In QX, dXQS

is a fixed value, it needs to be calculated in advance.

Therefore, to create QX, the addition operation is requested

rX+1 times. In the addition operation, computation time can be

reduced through doubling. As identified in Table IV, adding

and doubling have one difference in squaring. In this regard, it

is more efficient to replace addition with doubling in terms of

computation time. As Table III shows, rX is 96 bits.

Accordingly, the maximum size of rXis 296. If the addition of

296times is replaced with doubling, the number of operations

decrease to 96( log 2) times. Therefore, to calculate Q'X,

maximum 96 times of doubling is required, and to calculate

QX, 96 times of doubling and 1 addition is required. Later, to

obtain the common point P, user A has to calculate rAdAQ'B,

and user Bhas to calculate rBdBQ'A. The number of doubling

operations required for each user to perform the operation is

shown in (6).

96 192

2 2 2log log 2 log 2 288X Xr d (6)

Accordingly, a total of 288 times of doubling operations is

required, which is an increase of 96 times compared to NFC-

SEC.

C. Additional transference time

SuPM requires each user to transfer points on the elliptic

curve additionally in the key agreement process. Therefore,

200 bits are additionally transmitted by user. In comparison

with the transfer time based on the lowest 106 kbpsNFC, the

standard method requires 2.727 ns, and 4.569 nsis needed for

the proposed method. In the assumption that the transfer time

required by each user is the same, transfer of 3.628 ns isadditionally required.

Even when random value rX and updated public key are

created, additional time is required, but it does not have an

effect on the transfer time itself since pre-computation is

possible. On the other hand, user A and user B cannot be

allowed to calculate point P in advance. The doubling

operation takes 0.08 ms in Pentium III process of 548 MHz

[20]. The proposed method takes 7.680003628 ms, because it

performs 288 doubling operations to calculate point P. When

compared with NFC-SEC, 7.68 msturned out to be increased.

Accordingly, since conditional anonymity is provided, the

additional transfer time required is 7.680003628 ms.

VII. CONCLUSION

With recent release of various terminals equipped with NFC

(Near Field Communication), e-payment market using NFC is

expected to be activated. In such situation, the user's

transaction information leaks can lead to the invasion of

privacy. In this paper, the conditional privacy protection

methods are proposed to solve the aforementioned problems.

The proposed method uses random public key like

pseudonyms. Since the public key is updated, fewer burdens

are imposed on the administration. The update is made based

on the long-term public key issued from TSM (Trusted

Service Manager), and safe management is achieved by

storing the long-term public key in the SE (Secure Element).

Unlike VANET (Vehicle Adhoc NETwork) environment in

which pseudonym methods have been studied for long time,

NFC is a short range one-to-one communication technology,

and it has the robust characteristics to MITM (Man In The

Middle) attack. Due to its design based on NFC features, the

proposed method can provide conditional privacy with less

overhead.

The proposed methods follows standard systems,

additionally can hide user's identity, and if necessary, the

user's identity can be confirmed by the TSM. Also the user can

get personalized services by the selective use of our proposed

method. In conclusion, it is expected that the proposed method

will help users to protect their privacy and use personalized

services. It will contribute to the promotion of mobile payment

services through NFC.

REFERENCES

[1] Gartner, "Market Insight: The Outlook on Mobile Payment," MarketAnalysis and Statistics, May 2010.

[2]

Juniper Research, "NFC Mobile Payments & Retail Marketing Business Models & Forecasts 2012-2017," May 2012.

[3] ISO/IEC 15946-1:2008, "Information technology Security methods Cryptographic methods based on elliptic curves Part 1: General," Apr.2008.

[4] ISO/IEC 13157-1:2010, "Information technology Telecommunicationsand information exchange between systems NFC Security Part 1:

NFC-SEC NFCIP-1 security service and protocol," ISO/IEC, May 2010.[5]

ISO/IEC 13157-2:2010, "Information technology Telecommunications

and information exchange between systems NFC Security Part 2:NFC-SEC cryptography standard using ECDH and AES," ISO/IEC,May 2010.

[6] H. Eun, H. Lee, J. Son, S. Kim, and H. Oh, "Conditional privacypreserving security protocol for NFC applications," IEEE International

Conference on Consumer Electronics (ICCE), pp. 380-381, Jan. 2012.[7]

ISO/IEC 18092:2004, "Information technology Telecommunicationsand information exchange between systems Near field Communication

Interface and Protocol (NFCIP-1)," ISO/IEC, Apr. 2004.[8] J. Yu, W. Lee, and D.-Z. Du, "Reducing Reader Collision for Mobile

RFID," IEEE Transactions on Consumer Electronics, Vol. 57, No. 2, pp.574-582, May 2011.

[9] E. Haselsteiner and K. Breitfu, "Security in Near field Communication(NFC) Strengths and Weaknesses ," RFIDSec 2006, Jul. 2006.

[10]

IEEE Std. 1363-2000, IEEE Standard Specifications for Public-KeyCryptography, Jan. 2000.

[11]

G. Calandriello, P. Papadimitratos, J.P. Hubaux, and A. Lioy, Efficientand robust pseudonymous authentication in VANET," Proceedings ofthe fourth ACM international workshop on Vehicular ad hoc networks

(VANET 2007), pp. 19-28, 2007.[12]

J.C.M. Teo, L.H. Ngoh, and H. Guo, "An Anonymous DoS-Resistant

Password-Based Authentication, Key Exchange and PseudonymDelivery Protocol for Vehicular Networks," Proceedings of the 2009International Conference on Advanced Information Networking andApplications (AINA 2009), pp. 675-682, May 2009.

[13]

D. Eckhoff, C. Sommer, T. Gansen, R. German, and F. Dressler, "Strongand affordable location privacy in VANETs: Identity diffusion usingtime-slots and swapping," Proceedings of the 2010 IEEE Vehicular

Networking Conference (VNC 2010), pp. 174-181, Dec. 2010.[14]

J.-H. Lee, J. Chen, and T. Ernst, "Securing mobile network prefixprovisioning for NEMO based vehicular networks," Mathematical andComputer Modelling, vol. 55, No. 1, pp. 170-187, Jan. 2012.

[15] R. Lu, X. Lin, H. Zhu, P.H. Ho, and X. Shen, "ECPP: EfficientConditional Privacy Preservation Protocol for Secure Vehicular

Communications," Proceedings of The27th Conference on ComputerCommunications (INFOCOM 2008), pp. 1229-1237, Apr. 2008.


8/8


[16] D. Huang, S. Misra, M. Verma, and G.Xue, "PACP: An Efficient

Pseudonymous Authentication-Based Conditional Privacy Protocol for

VANETs," IEEE Transactions on Intelligent Transportation Systems,Vol. 12, No. 3, pp. 736-746, Sept. 2011.

[17] R.-J. Hwang, Y.-K. Hsiao, and Y.-F. Liu, "Secure Communication

Scheme of VANET with Privacy Preserving," Proceedings of the 2011

IEEE 17th International Conference on Parallel and Distributed Systems

(ICPADS 2011), pp. 654-659, Dec. 2011.

[18] GSMA, "Mobile NFC Technical Guidelines Version 1.0," Apr. 2007.[19] GSMA, "Pay-Buy-Mobile Business Opportunity Analysis Public

White Paper Version 1.0," Nov. 2007.[20] A. Chandrasekar, V.R. Rajasekar, and V. Vaasudevan, "Improved

authentication and key agreement protocol using elliptic curvecryptography," International Journal of Computer Science and Security

(IJCSS), Vol. 3, Issue 4, pp. 325-333, Oct. 2009.

BIOGRAPHIES

Hasoo Eun(M'11) received the B.S. and M.S. degree in

Computer Science and Engineering from Hanyang

University, Korea, in 2010 and 2012, respectively. He iscurrently working toward for the Ph.D. degree in

Computer Science and Engineering, Hanyang University,

Korea. His current research interests include mobile

security, NFC, and cryptography.

Hoonjung Lee (M'10) received the B.S. degree in

computer science from Dankook University, Korea, in

2003, and received M.S. degree in computer science andengineering from Hanyang University, Korea, in 2005.

He was a researcher at Handan BroadInfoCom, Korea,

from 2005 to 2009. He is currently working toward for

the Ph.D. degree in computer science and engineering,

Hanyang University. His research interests include Key

management, IPTV/DTV conditional access system, and cryptography.

Heekuck Oh (M'94) received his B.S. degree inElectronics Engineering from Hanyang University in

1983. He received his M.S. and Ph.D. degrees inComputer Science from Iowa State University in 1989

and 1992, respectively. In 1994, he joined the faculty of

the Department of Computer Science and Engineering,

Hanyang University, ERICA campus, where he iscurrently a professor. His current research interests

include network security and cryptography. Prof. Oh is the senior executive

vice president of Korea Institute of Information Security & Cryptology, and is

a member of Advisory Committee for Digital Investigation in Supreme

Prosecutors' Office of the Republic of Korea. He is also a member of

Advisory Committee for Internet Security under Korea CommunicationsCommission. He is the corresponding author of this paper.

Nfc Privacy

Documents

Transcript of Nfc Privacy