Security In Near Field communication
Introduction
NFC stands for Near Field Communication. The specification details of NFC can be found in ISO 18092 [1]. The main characteristic of NFC is that it is a wireless communication interface with a working distance limited to about 10 cm. The interface can operate in several modes. The modes are distinguished by whether a device creates its own RF field or whether a device retrieves the power from the RF field generated by another device. If the device generates its own field it is called an active device, otherwise it is called a passive device. Active devices usually have a power supply, passive devices usually don't (e.g. a contactless Smart Card).
In active mode the data is sent using amplitude shift keying (ASK) [1],[2]. This means the base RF signal (13.56 MHz) is modulated with the data according to a coding scheme. If the baud rate is 106 kBaud, the coding scheme is the so-called modified Miller coding. If the baud rate is greater than 106 kBaud the Manchester coding scheme is applied. In both coding schemes a single data bit is sent in a fixed time slot. This time slot is divided into two halves, called half bits. In Miller coding a zero is encoded with a pause in the first half bit and no pause in the second half bit. A one is encoded with no pause in the first half bit, but a pause in the second half bit. In the modified Miller coding some additional rules are applied to the coding of zeros. In the case of a one followed by a zero, two subsequent half bits would have a pause. Modified Miller coding avoids this by encoding a zero which directly follows a one with two half bits with no pause.
Furthermore it should be mentioned that NFC communication is not limited to a pair of two devices. In fact one initiator device can talk to multiple target devices. In this case all target devices are enabled at the same time, but before sending a message, the initiator device must select a receiving device. The message must then be ignored by all non-selected target devices. Only the selected target device is allowed to answer the received data. Therefore, it is not possible to send data to more than one device at the same time (i.e. broadcast messages are not possible).
Applications
It is impossible to give a complete picture of NFC applications as NFC is just an interface. The following sub sections introduce three example applications. These shall be viewed as typical use cases and were chosen to motivate the list of possible threats given in the next section.
Contactless Token
This covers all applications, which use NFC to retrieve some data from a passive token. The passive token could be a contactless Smart Card, an RFID label, or a key fob. Also, the token could be physically included in a device without any electric connections to that device.
What is important is that the only interface of the token is the contactless interface. This means it cannot act as a communication link to the main CPU of a device, because it has no contact interface through which it could connect to that CPU. Let us also assume that the token has rather limited computing power, so it cannot run any complex protocols. The primary use would be to store some data, which can then conveniently be read by an active NFC device. Examples of such data would be a URL stored in a tag of a consumer product or the user guide of such a product. The user could then read the tag and get automatically linked to the support web page of that product. A different example would be to store the configuration data needed to access a WiFi network. New users could then easily configure their laptops to be connected to the network.
Device Pairing
In this application the two devices communicating would belong to the same group of devices. An example could be a laptop and a digital camera. The user wants to establish a Bluetooth connection between the two devices to exchange image data. The Bluetooth link is established by bringing the two devices close together and running a given protocol over NFC between the two devices. This makes it obvious for the user which two devices actually get linked and takes away the burden of navigating through menus and selecting the right devices from lists of possible communication partners. It should be noted that the NFC connection itself in this example is only used to establish the Bluetooth link. Image data is not transferred over NFC because NFC's bandwidth is simply too small for transferring big amounts of data.
Threats
Eavesdropping
Because NFC is a wireless communication interface it is obvious that eavesdropping is an important issue. When two devices communicate via NFC they use RF waves to talk to each other. An attacker can of course use an antenna to also receive the transmitted signals. Either by experimenting or by literature research the attacker can have the required knowledge on how to extract the transmitted data out of the received RF signal.
Also the equipment required to receive the RF signal as well as the equipment to decode the RF signal must be assumed to be available to an attacker as there is no special equipment necessary.
The NFC communication is usually done between two devices in close proximity. This means they are not more than 10 cm (typically less) away from each other. The main question is how close an attacker needs to be to be able to retrieve a usable RF signal. Unfortunately, there is no correct answer to this question. The reason for that is the huge number of parameters which determine the answer. For example the distance depends on the following parameters, and there are many more.
• RF field characteristic of the given sender device (i.e. antenna geometry, shielding effect of the case, the PCB, the environment)
• Characteristic of the attacker's antenna (i.e. antenna geometry, possibility to change the position in all 3 dimensions)
• Quality of the attacker’s receiver
• Quality of the attacker’s RF signal decoder
• Setup of the location where the attack is performed (e.g. barriers like walls or metal, noise floor level)
• Power sent out by the NFC device
Therefore any exact number given would only be valid for a certain set of the above given parameters and cannot be used to derive general security guidelines.
Data Corruption
Instead of just listening an attacker can also try to modify the data which is transmitted via the NFC interface. In the simplest case the attacker just wants to disturb the communication such that the receiver is not able to understand the data sent by the other device.
Data corruption can be achieved by transmitting valid frequencies of the data spectrum at the correct time. The correct time can be calculated if the attacker has a good understanding of the used modulation scheme and coding. This attack is not too complicated, but it does not allow the attacker to manipulate the actual data. It is basically a Denial of Service attack.
Data Modification
In data modification the attacker wants the receiving device to actually receive some valid, but manipulated data. This is very different from just data corruption. The feasibility of this attack highly depends on the applied strength of the amplitude modulation. This is because the decoding of the signal is different for 100% and 10% modulation.
In 100% modulation the decoder basically checks the two half bits for RF signal on (no pause) or RF signal off (pause). In order to make the decoder understand a one as a zero or vice versa, the attacker must do two things. First, a pause in the modulation must be filled up with the carrier frequency. This is feasible. But, secondly, the attacker must generate a pause of the RF signal, which is received by the legitimate receiver. This means the attacker must send out some RF signal such that this signal perfectly overlaps with the original signal at the receiver's antenna to give a zero signal at the receiver. This is practically impossible. However, due to the modified Miller coding, in the case of two subsequent ones the attacker can change the second one into a zero by filling the pause which encodes the second one. The decoder would then see no pause in the second bit and would decode this as a correct zero, because it is preceded by a one. In 100% modulation an attacker can therefore never change a bit of value 0 to a bit of value 1, but an attacker can change a bit of value 1 to a bit of value 0, in case this bit is preceded by a bit of value 1 (i.e. with a probability of 0.5).
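The half-bit rules from the introduction (pause/no pause per half bit, and the modified-Miller exception for a zero following a one) and the 100% modulation analysis above can be checked with a small simulation. The following is an added example written for this page, not code from the paper: it encodes a bit string into half-bit pairs, decodes them with a receiver that rejects illegal patterns, models the one manipulation the text calls feasible (filling a pause with carrier; creating a pause is not modelled because the text calls it impractical), and reports which bit positions can be altered while the whole frame still decodes as valid. Checking the whole frame rather than a single bit shows one extra constraint the per-bit argument hides: a one that is followed by a zero cannot be flipped either, because that zero was encoded as two carrier half bits and becomes illegal once its predecessor reads as zero. The names `miller_encode`, `miller_decode`, `fill_pause` and `modifiable_positions` are assumptions of this example.

```python
# Added example: toy model of modified Miller coding in 100% ASK as described on this page.
# Each bit is a (first_half, second_half) pair; 'P' = pause (carrier off), 'C' = carrier on.

PAUSE, CARRIER = "P", "C"


def miller_encode(bits):
    """Encode a list of 0/1 bits into half-bit pairs following the modified Miller rules."""
    halves = []
    prev = 0  # assumption of this model: the frame behaves as if preceded by a zero
    for b in bits:
        if b == 1:
            halves.append((CARRIER, PAUSE))          # one: pause in the second half bit
        elif prev == 1:
            halves.append((CARRIER, CARRIER))        # zero after a one: no pause at all
        else:
            halves.append((PAUSE, CARRIER))          # zero: pause in the first half bit
        prev = b
    return halves


def miller_decode(halves):
    """Decode half-bit pairs; return the bit list, or None if an illegal pattern is seen."""
    bits = []
    prev = 0
    for h1, h2 in halves:
        if (h1, h2) == (CARRIER, PAUSE):
            b = 1
        elif (h1, h2) == (PAUSE, CARRIER):
            b = 0
        elif (h1, h2) == (CARRIER, CARRIER) and prev == 1:
            b = 0                                    # legal only directly after a one
        else:
            return None                              # (P,P) never legal; (C,C) after a zero not legal
        bits.append(b)
        prev = b
    return bits


def fill_pause(halves, index, half):
    """Replace one pause with carrier: the only change the page considers feasible."""
    modified = list(halves)
    pair = list(modified[index])
    pair[half] = CARRIER
    modified[index] = tuple(pair)
    return modified


def modifiable_positions(bits):
    """Bit indices where filling a single pause yields a different but still valid frame."""
    original = miller_encode(bits)
    hits = []
    for i, pair in enumerate(original):
        for half in (0, 1):
            if pair[half] != PAUSE:
                continue
            decoded = miller_decode(fill_pause(original, i, half))
            if decoded is not None and decoded != bits:
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    frame = [1, 1, 0, 1, 1, 1]                       # constructed sample frame
    print("encoded:", miller_encode(frame))
    print("exposed bit positions:", modifiable_positions(frame))
```

Running it on the constructed frame reports only positions 4 and 5: zeros are never exposed, and of the ones only those both preceded by a one and not followed by a zero can be altered without the receiver seeing an illegal half-bit pattern. That is exactly why the recommendations below treat RF-field monitoring and a secure channel, not the coding itself, as the integrity protection.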
Man-in-the-Middle-Attack
In the classical Man-in-the-Middle Attack, two parties which want to talk to each other, called Alice and Bob, are tricked into a three party conversation by an attacker Eve. Alice and Bob must not be aware of the fact that they are not talking to each other, but that they are both sending and receiving data from Eve. Such a setup is the classical threat in unauthenticated key agreement protocols like the Diffie-Hellman protocol. Alice and Bob want to agree on a secret key, which they then use for a secure channel. However, as Eve is in the middle, it is possible for Eve to establish a key with Alice and another key with Bob. When Alice and Bob later use their key to secure data, Eve is able to eavesdrop on the communication and also to manipulate data being transferred. How would that work when the link between Alice and Bob is an NFC link?
Assuming that Alice uses active mode and Bob would be in passive mode, we have the following situation. Alice generates the RF field and sends data to Bob. In case Eve is close enough, she can eavesdrop on the data sent by Alice. Additionally she must actively disturb the transmission of Alice to make sure that Bob doesn't receive the data. This is possible for Eve, but this can also be detected by Alice. In case Alice detects the disturbance, Alice can stop the key agreement protocol.
Solutions and Recommendations
Eavesdropping
As described in section 3.1, NFC by itself cannot protect against eavesdropping. It is important to note that data transmitted in passive mode is significantly harder to eavesdrop on, but just using the passive mode is probably not sufficient for most applications which transmit sensitive data. The only real solution to eavesdropping is to establish a secure channel as outlined in section 4.6.
Data Corruption
NFC devices can counter this attack because they can check the RF field while they are transmitting data. If an NFC device does this, it will be able to detect the attack. The power which is needed to corrupt the data is significantly bigger than the power which can be detected by the NFC device. Thus, every such attack should be detectable.
Data Modification
Protection against data modification can be achieved in various ways. By using 106 kBaud in active mode it becomes impossible for an attacker to modify all the data transmitted via the RF link, as described in section 3.3. This means that for both directions active mode would be needed to protect against data modification. While this is possible, it has the major drawback that this mode is most vulnerable to eavesdropping. Also, the protection against modification is not perfect, as even at 106 kBaud some bits can be modified. The two other options might therefore be preferred.
NFC devices can check the RF field while sending.
Data Insertion
There are three possible countermeasures. One is that the answering device answers with no delay. In this case the attacker cannot be faster than the correct device. The attacker can be as fast as the correct device, but if two devices answer at the same time no correct data is received. The second possible countermeasure is that the answering device listens to the channel during the time between the channel being open and the starting point of its transmission. The device could then detect an attacker who wants to insert data.
The third option again is a secure channel between the two devices.
Man-in-the-Middle-Attack
As already outlined in section 3.5 it is practically impossible to do a Man-in-the-Middle-Attack on an NFC link. The recommendation is to use active-passive communication mode such that the RF field is continuously generated by one of the valid parties. Additionally, the active party should listen to the RF field while sending data to be able to detect any disturbances caused by a potential attacker.
Secure Channel for NFC
Establishing a secure channel between two NFC devices is clearly the best approach to protect against eavesdropping and any kind of data modification attack. Due to the inherent protection of NFC against Man-in-the-Middle-Attacks it is rather easy and straightforward to set up a secure channel. A standard key agreement protocol like Diffie-Hellman based on RSA [4] or Elliptic Curves could be applied to establish a shared secret between two devices. Because Man-in-the-Middle is no threat, the standard, unauthenticated version of Diffie-Hellman works perfectly. The shared secret can then be used to derive a symmetric key like 3DES or AES, which is then used for the secure channel providing confidentiality, integrity, and authenticity of the transmitted data. Various modes of operation for 3DES and AES could be used for such a secure channel and can be found in the literature [3].
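The secure channel proposed above, as an added example written for this page (not code from the paper): an unauthenticated elliptic-curve Diffie-Hellman exchange (X25519, with the curve arithmetic transcribed from RFC 7748 section 5), a key derivation step that binds both public keys into the symmetric key, and HMAC-SHA256 protection of each frame for integrity and authenticity. Confidentiality is left out only because the Python standard library has no AES; in a real channel the derived key would feed an AES mode as the text says, and the hand-written ladder would be replaced by a vetted library. The names `x25519`, `public_key`, `derive_channel_key`, `protect`, `unprotect` and `pair_devices` are assumptions of this example.

```python
# Added example: unauthenticated X25519 key agreement plus HMAC-protected frames,
# modelling the "secure channel over NFC" recommended on this page.
import hashlib
import hmac
import secrets

P = 2**255 - 19          # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT_U = (9).to_bytes(32, "little")


def _decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u):
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(scalar, u):
    """Montgomery ladder scalar multiplication (RFC 7748 section 5); the swap is not
    constant-time here, which is acceptable for an illustration but not for production."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private):
    return x25519(private, BASE_POINT_U)


def derive_channel_key(shared, pub_a, pub_b):
    """HKDF-style extract/expand with SHA-256; both sides sort the public keys so the
    transcript, and therefore the key, is identical regardless of who initiated."""
    transcript = b"".join(sorted([pub_a, pub_b]))
    prk = hmac.new(b"nfc-secure-channel", shared, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def protect(key, seq, payload):
    """Append an HMAC tag over (sequence number, payload); the sequence number stops replay."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return payload + tag


def unprotect(key, seq, frame):
    """Return the payload if the tag verifies for this sequence number, else None."""
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def pair_devices():
    """Run the exchange for two devices and return the channel keys each side derived."""
    priv_a, priv_b = secrets.token_bytes(32), secrets.token_bytes(32)
    pub_a, pub_b = public_key(priv_a), public_key(priv_b)   # exchanged in the clear over NFC
    key_a = derive_channel_key(x25519(priv_a, pub_b), pub_a, pub_b)
    key_b = derive_channel_key(x25519(priv_b, pub_a), pub_a, pub_b)
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = pair_devices()
    frame = protect(key_a, 1, b"constructed sample payload")
    print("keys match:", key_a == key_b, "verified:", unprotect(key_b, 1, frame))
```

The only property the unauthenticated exchange relies on is the one argued in section 3.5: that nobody can sit between the two NFC devices during the public-key exchange. Anywhere that assumption does not hold, the public keys must additionally be authenticated.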
NFC Specific Key Agreement
Besides the standard key agreement mechanism, it is also possible to implement an NFC specific key agreement. This one does not require any asymmetric cryptography and therefore reduces the comp The scheme works with 100% ASK only and it is not part of the ISO standard on NFC. The idea is that both devices, say Device A and Device B, send random data at the same time. In a setup phase the two devices synchronize on the exact timing of the bits and also on the amplitudes and phases of the RF signal. This is possible as devices can send and receive at the same time. After that synchronisation, A and B are able to send at exactly the same time with exactly the same amplitudes and phases.
While sending random bits of 0 or 1, each device also listens to the RF field. When both devices send a zero, the sum signal is zero and an attacker, who is listening, would know that both devices sent a zero. This does not help. The same thing happens when both, A and B, send a one. The sum is the double RF signal and an attacker knows that both devices sent a one. It gets interesting once A sends a zero and B sends a one or vice versa.
In this case both devices know what the other device has sent, because the devices know what they themselves have sent. However, an attacker only sees the sum RF signal and he cannot figure out which device sent the zero and which device sent the one. This idea is illustrated in Figure 2. The top graph shows the signals produced by A in red and by B in blue. A sends the four bits: 0, 0, 1, and 1. B sends the four bits: 0, 1, 0, and 1. The lower graph shows the sum signal as seen by an attacker. It shows that for the bit combinations (A sends 0, B sends 1) and (A sends 1, B sends 0) the result for the attacker is absolutely the same and the attacker cannot distinguish these two cases.
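The NFC specific key agreement described in the last three paragraphs, as an added simulation written for this page (not code from the paper). It abstracts each bit slot to the amplitude an eavesdropper sees (0 when both send a zero, 2 when both send a one, 1 when they differ), lets each device keep only the slots where the sum is 1 and derive A's bit there, and shows what the attacker can and cannot infer. The figure's four-bit example is used as the constructed sample input; `sum_signal`, `device_a_key`, `device_b_key`, `attacker_view`, `agree_from_bits` and `agree` are names assumed by this example. Only the bit-selection idea is modelled; the timing, amplitude and phase synchronisation the text requires is outside the scope of a simulation like this.

```python
# Added example: simulation of the sum-signal key agreement described on this page.
import secrets


def sum_signal(a_bits, b_bits):
    """Amplitude the eavesdropper observes per slot: 0, 1 (exactly one carrier) or 2."""
    return [a + b for a, b in zip(a_bits, b_bits)]


def device_a_key(a_bits, observed):
    """A keeps its own bit wherever the devices sent different values."""
    return [a for a, s in zip(a_bits, observed) if s == 1]


def device_b_key(b_bits, observed):
    """B recovers A's bit as (sum - own bit) and keeps it wherever the values differed."""
    return [s - b for b, s in zip(b_bits, observed) if s == 1]


def attacker_view(observed):
    """What the eavesdropper learns: the common bit where both sent the same, '?' elsewhere."""
    return ["?" if s == 1 else s // 2 for s in observed]


def agree_from_bits(a_bits, b_bits):
    """Run the scheme on fixed inputs; returns (A's key, B's key, attacker's view)."""
    observed = sum_signal(a_bits, b_bits)
    return device_a_key(a_bits, observed), device_b_key(b_bits, observed), attacker_view(observed)


def agree(n_slots):
    """Run the scheme with fresh random bits on both sides; about half the slots survive."""
    a_bits = [secrets.randbelow(2) for _ in range(n_slots)]
    b_bits = [secrets.randbelow(2) for _ in range(n_slots)]
    return agree_from_bits(a_bits, b_bits)


if __name__ == "__main__":
    # Constructed sample: the four bits from Figure 2 (A: 0 0 1 1, B: 0 1 0 1).
    key_a, key_b, view = agree_from_bits([0, 0, 1, 1], [0, 1, 0, 1])
    print("A:", key_a, "B:", key_b, "attacker sees:", view)
```

Two practical consequences follow from the simulation. First, roughly half of the transmitted slots are discarded, so obtaining a 128-bit key needs about 256 slots. Second, the secrecy rests entirely on the attacker being unable to tell the two contributions apart in the summed field; any residual amplitude or phase mismatch between the devices would let an observer separate them, which is why the synchronisation step in the text matters.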
Conclusion
We presented typical use cases for NFC interfaces. A list of threats has been derived and addressed. NFC by itself cannot provide protection against eavesdropping or data modifications. The only solution to achieve this is the establishment of a secure channel over NFC. This can be done very easily, because the NFC link is not susceptible to the Man-in-the-Middle attack. Therefore, well known and easy to apply key agreement techniques without authentication can be used to provide a standard secure channel. This resistance against Man-in-the-Middle attacks makes NFC an ideal method for secure pairing of devices. Additionally, we introduced an NFC specific key agreement mechanism, which provides cheap and fast secure key agreement.