002 - Security in NFC

  • 8/2/2019 002 - Security in NFC

    Ernst Haselsteiner, Klemens Breitfuss

    RFIDSec 06

    July 13th, 2006

    Security in Near Field Communication: Strengths and Weaknesses

    Contents

    What is NFC?

    Threats & Countermeasures

    Eavesdropping

    Data Modification

    Man-in-the-Middle

    Secure Channel

    Key Agreement

    What is NFC?

    Designed for short distance communication (up to 10 cm)

    It's a contactless card and a contactless reader in one chip

    It operates at 13.56 MHz

    It's designed for low bandwidth (max speed is 424 kBaud)

    Target applications are

    Ticketing

    Payment

    Device Pairing

    [Figure: short-range 13.56 MHz RF link]

    Some details we need to know

    There are dedicated roles: Initiator and Target

    Any data transfer is a message and reply pair.

    [Figure: Initiator and Target exchanging a Message and a Reply]

    There are dedicated modes of operation: Active and Passive

    Active means the device generates an RF field

    Passive means the device uses the RF field generated by the other device

    Some details we need to know

    Speed       Active                      Passive
    106 kBaud   Modified Miller, 100% ASK   Manchester, 10% ASK
    212 kBaud   Manchester, 10% ASK         Manchester, 10% ASK
    424 kBaud   Manchester, 10% ASK         Manchester, 10% ASK

    Role        Active      Passive
    Initiator   Possible    Not Possible
    Target      Possible    Possible

    Eavesdropping

    I am sorry, but NFC is not secure against eavesdropping.

    From how far away is it possible to eavesdrop?

    Depends.

    RF field of sender

    Equipment of attacker

    Does Active versus Passive mode matter?

    Yes

    In active mode the modulation is stronger (in particular at 106 kBaud)

    In passive mode eavesdropping is harder

    Countermeasure: Secure Channel

    Data Modification

    [Figure: signal level (0 to 100) over one bit period (1st half-bit, 2nd half-bit) for a coded 0 and a coded 1, shown for Modified Miller coding with 100% ASK and for Manchester coding with 10% ASK]

    Countermeasure: Secure Channel

    Man in the Middle Attack

    [Figure: Alice sends a Message to Bob; Eve is shown with the labels Eavesdropping and Disturb]

    Alice detects the disturbance and stops the protocol

    Check for active disturbances!

    Man in the Middle Attack

    [Figure: Alice, Bob and Eve, with a Message]

    Eve cannot send to Bob while the RF field of Alice is on!

    Use Active-Passive connection!

    Use 106 kBaud!

    Man in the Middle Attack

    [Figure: Alice, Bob and Eve, with a Message]

    Alice would receive data sent by Eve

    Verify answer with respect to this possible attack!

    What we have so far

    Eavesdropping

    No protection; use a Secure Channel

    Data Modification

    No protection; use a Secure Channel

    Man in the Middle Attack

    Very good protection if

    Alice uses 106 kBaud

    Alice uses Active-Passive mode

    Alice checks for disturbance

    Alice checks for suspicious answers from Bob

    Secure Channel is easy

    Standard DH Key Agreement

    Suffers from Man-in-the-Middle issue

    That's fine with NFC, because right here NFC really provides protection!

    Eavesdropping

    Data Modification

    Man-in-the-Middle

    Key Agreement: An Alternative

    [Figure: signal level (0 / 100 / 200) over one bit period (1st half-bit, 2nd half-bit), with traces labelled Alice, Eve and Bob]

    Key Agreement: An Alternative

    Perfect in theory - Obvious to see

    Needs perfect synchronization between Alice and Bob

    Amplitude

    Phase

    Alice and Bob must actively perform this synchronization

    Security in practice depends on

    Synchronization

    Equipment of attacker

    Advantages

    Cheap (requires no cryptography)

    Extremely fast
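
Added example (not part of the original slides, and not the authors' code): a Python simulation of the alternative key agreement outlined above, taking the figure's levels 0, 100 and 200 to mean that Alice and Bob transmit random bits at the same time and any listener measures the sum. It assumes the parties keep only the slots where their bits differ and both store Alice's bit; the function names and the mismatched amplitude of 90 are constructed for illustration.

```python
import secrets

def channel(a_bits, b_bits, amp_a=100, amp_b=100):
    """Level every listener measures per bit slot: both devices transmit at once."""
    return [amp_a * a + amp_b * b for a, b in zip(a_bits, b_bits)]

def party_key(own_bits, levels, own_amp, peer_amp, invert):
    """Assumed rule: keep only slots where the bits differ; store Alice's bit."""
    key = []
    for own, level in zip(own_bits, levels):
        peer = round((level - own_amp * own) / peer_amp)  # peer bit from the sum
        if peer != own:
            key.append(own ^ invert)  # Bob inverts his own bit to get Alice's
    return key

def eve_view(levels, amp_a=100, amp_b=100):
    """Eve's reading of each kept slot: Alice's bit, or None if she cannot tell."""
    seen = []
    for level in levels:
        if level in (0, amp_a + amp_b):
            continue  # both sent the same bit; the slot is discarded anyway
        if amp_a == amp_b:
            seen.append(None)  # (1,0) and (0,1) produce the same level
        else:
            seen.append(1 if level == amp_a else 0)  # mismatch reveals the sender
    return seen

def run(a_bits, b_bits, amp_b=100):
    """One exchange; Alice's amplitude is fixed at 100, Bob's is amp_b."""
    levels = channel(a_bits, b_bits, 100, amp_b)
    alice = party_key(a_bits, levels, 100, amp_b, invert=0)
    bob = party_key(b_bits, levels, amp_b, 100, invert=1)
    return alice, bob, eve_view(levels, 100, amp_b)

if __name__ == "__main__":
    a = [secrets.randbits(1) for _ in range(32)]
    b = [secrets.randbits(1) for _ in range(32)]
    for amp_b in (100, 90):  # 90 is a constructed amplitude mismatch
        alice, bob, eve = run(a, b, amp_b)
        leaked = sum(e is not None for e in eve)
        print(f"amp_b={amp_b}: key bits={len(alice)} "
              f"match={alice == bob} leaked_to_eve={leaked}")
```

With matched amplitudes Eve learns none of the kept bits; with the mismatched amplitude every kept bit is readable from the level alone, which is why the scheme depends on amplitude synchronization.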

    Conclusion

    NFC does not provide any security by itself

    Secure Channel is required

    Physical properties of NFC protect against Man-in-the-Middle

    Establishing a Secure Channel becomes easy
