Security in Near Field Communication

Strengths and Weaknesses

Ernst Haselsteiner, Klemens Breitfuss RFIDSec 06 July 13th, 2006

Contents

Contents
What is NFC?

NFC Intro

Eavesdropping

Data Modification

Threats & Countermeasures Eavesdropping Data Modification Man-in-the-Middle Secure Channel Key Agreement

Man-in-theMiddle

Secure Channel

Conclusion

July 13th, 2006

Contents

What is NFC?
Designed for short distance communication (up to 10 cm)

NFC Intro

Eavesdropping

Its a contactless card and a contactless reader in one chip

It operates at 13.56 MHz Its designed for low bandwidth (max speed is 424 kBaud)

Data Modification

Man-in-theMiddle

Applications aimed for are

Ticketing Payment Device Pairing
Short Range 13,56MHz RF Link

Secure Channel

Conclusion

July 13th, 2006

Contents

Some details we need to know

There are dedicated roles Initiator and Target Any data transfer is a message and reply pair. Message Initiator Reply Target

NFC Intro

Eavesdropping

Data Modification

Man-in-theMiddle

Secure Channel

Conclusion

There are dedicated modes of operation Active and Passive Active means the device generates an RF field Passive means the device uses the RF field generated by the other device
July 13th, 2006

Contents

Some details we need to know

Active Initiator Possible Possible Passive Not Possible Possible

NFC Intro

Eavesdropping

Data Modification

Target

Man-in-theMiddle

Active 106 kBaud Modified Miller, 100% ASK 212 kBaud Manchester, 10% ASK

Passive Manchester, 10% ASK Manchester, 10% ASK

Secure Channel

Conclusion

424 kBaud

Manchester, 10% ASK

Manchester, 10% ASK

July 13th, 2006

Contents

Eavesdropping

NFC Intro

Eavesdropping

I am sorry, but NFC is not secure against eavesdropping . From how far away is it possible to eavesdrop? Depends.
RF field of sender Equipment of attacker .

Data Modification

Man-in-theMiddle

Secure Channel

Does Active versus Passive mode matter? Yes

In active mode the modulation is stronger (in particular at 106 kBaud) In passive mode eavesdropping is harder

Conclusion

Countermeasure Secure Channel

July 13th, 2006

Contents

Data Modification

NFC Intro

Coded 0
1 Bit

2. Half-Bit 100 0 2. Half-Bit 100 0

Coded 1
1 Bit 1. Half-Bit 2. Half-Bit

Eavesdropping

Modified Miller Coding, 100% ASK

1. Half-Bit 100 0

Data Modification

Man-in-theMiddle

1 Bit

1 Bit 1. Half-Bit 2. Half-Bit

Secure Channel

Manchester Coding, 10% ASK

1. Half-Bit 100 0

Conclusion

Countermeasure Secure Channel

July 13th, 2006

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Data Modification

Alice

Man-in-theMiddle

Secure Channel

Eve

Conclusion

July 13th, 2006

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Message Alice

Data Modification

Man-in-theMiddle

Secure Channel

Eve

Conclusion

July 13th, 2006

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Message Alice

Data Modification

Man-in-theMiddle

Eavesdropping

Secure Channel

Eve

Conclusion

July 13th, 2006

10

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Message Alice

Data Modification

Man-in-theMiddle

Disturb

Eavesdropping

Secure Channel

Eve

Conclusion

July 13th, 2006

11

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Message
Alice

Data Modification

Man-in-theMiddle

Disturb

Eavesdropping

Secure Channel

Eve

Conclusion

Alice detects the disturbance and stops the protocol Check for active disturbances !
July 13th, 2006

12

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Alice
Data Modification

Man-in-theMiddle

Message
Eve

Secure Channel

Conclusion

July 13th, 2006

13

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Alice
Data Modification

Man-in-theMiddle

Message
Eve

Secure Channel

Conclusion

Eve cannot send to Bob, while RF field of Alice is on! Use Active Passive connection ! Use 106 kBaud !
July 13th, 2006

14

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Alice
Data Modification

Man-in-theMiddle

Message
Eve

Secure Channel

Conclusion

July 13th, 2006

15

Contents

Man in the Middle Attack

NFC Intro

Bob

Eavesdropping

Alice
Data Modification

Man-in-theMiddle

Message
Eve

Secure Channel

Conclusion

Alice would receive data sent by Eve Verify answer with respect to this possible attack!
July 13th, 2006

16

Contents

What we have so far

Eavesdropping No protection
Use a Secure Channel

NFC Intro

Eavesdropping

Data Modification

Data Modification No protection

Use Secure Channel

Man-in-theMiddle

Secure Channel

Man in the Middle Attack Very good protection if

Conclusion

Alice uses 106 kBaud Alice uses Active Passive mode Alice checks for disturbance Alice checks for suspicious answers from Bob

17

July 13th, 2006

Contents

Secure Channel is easy

Standard DH Key Agreement Suffers from Man-in-the-Middle issue Thats fine with NFC, because right here NFC really provides protection !

NFC Intro

Eavesdropping

Data Modification

Man-in-theMiddle

Secure Channel

Conclusion

July 13th, 2006

18

Contents

Secure Channel is easy

Standard DH Key Agreement Suffers from Man-in-the-Middle issue Thats fine with NFC, because there NFC really provides protection !

NFC Intro

Eavesdropping

Data Modification

Man-in-theMiddle

Eavesdropping
Secure Channel

Data Modification Man-in-the Middle

Conclusion

July 13th, 2006

19

Contents

Key Agreement An Alternative

1 Bit 1. Half-Bit 2. Half-Bit 100 0 100 0 200 100 0 1 Bit 1. Half-Bit 2. Half-Bit

NFC Intro

Eavesdropping

Alice

100 0 100

Data Modification

Man-in-theMiddle

Bob
0 200

Secure Channel

Eve

100 0

Conclusion

July 13th, 2006

20

Contents

Key Agreement An Alternative

Perfect in theory Obvious to see

NFC Intro

Eavesdropping

Needs perfect synchronization between Alice and Bob

Amplitude Phase Alice and Bob must actively perform this synchronization Security in practice depends on Synchronization Equipment of attacker Advantages Cheap (requires no cryptography) Extremely fast
July 13th, 2006

Data Modification

Man-in-theMiddle

Secure Channel

Conclusion

21

Contents

Conclusion
NFC does not provide any security by itself

NFC Intro

Eavesdropping

Secure Channel is required Physical properties of NFC protect against Man-in-the-Middle Establishing a Secure Channel becomes easy

Data Modification

Man-in-theMiddle

Secure Channel

Conclusion

July 13th, 2006

22