An improved NFC device authentication protocol

Abstract

Aimed at the security authentication problem between Near Field Communication (NFC) devices, this paper uses the technology of asymmetric encryption algorithm, symmetric encryption algorithm, hash function, timestamp and survival period to improve the confidentiality, performance and security of the protocol. The symmetric encryption algorithm encrypts the transmission content, while the asymmetric encryption algorithm encrypts the shared key. The whole authentication process is secure, and the key distribution is secure. The improved NFC device authentication protocol can effectively resist the brute force attack, man-in-the-middle attack and replay attack in the authentication process, it can reduce the number of message transmission in the authentication process, improve the transmission efficiency, enhance the confidentiality, integrity, non-repudiation and improve the security of NFC device authentication.

Introduction

In recent years, with the wide application of smart phones, people’s life and consumption patterns have been fundamentally changed, especially in the aspect of mobile payment, which is expected to replace credit card payment and cash payments. The way of mobile payment consumption has gradually become popular and is well known and accepted by the public [1–3]. NFC technology [4] is a very common way in the process of mobile payment. This technology uses the frequency of 13.56 MHz to work within a range of 10 cm. By using the ISO/IEC 18092 standard, NFC devices can work like ordinary contactless smart cards, and is now widely used in various fields [5–8]. Because NFC contains ISO/IEC 14443 standard, relay attack is feasible [9]. At the same time, more attention is paid to its transmission efficiency in the process of NFC communication, but the security issues in the process of communication are ignored, and faced with the risk on the penetration [10], especially the defects in authentication. This paper proposes an improved, efficient and secure NFC device authentication protocol.

Symmetric encryption algorithm [11,12], asymmetric encryption algorithm [13,14], hash function [15,16] and other related technologies are used in the protocol. In the whole protocol design process, man-in-the-middle attack [17], replay attack [18], brute force attack [19], data integrity and confidentiality [20,21] and other factors are comprehensively considered. Based on Lee et al. ’s research on NFC man-in-the-middle attack [22], Ceipidor et al.’ s research on NFC payment security [23], Thammarat et al. ’s research on NFC security lightweight protocol [24], Tung et al.’ s research on efficient NFC authentication scheme [25] and other relevant studies [26–31], an improved efficient and secure NFC device authentication scheme is proposed.

Methodology

In this paper, the protocol uses symmetric algorithm to guarantee the security of NFC device Identity (ID) and random number in the transmission process, uses public key algorithm to realize shared key distribution and message authentication, and uses hash function to verify the integrity of messages, which is divided into two stages: registration stage and authentication stage. In the registration phase, a random number is generated by the NFC device, and a random number is generated by the Authentication Server (AS). By using the two random numbers, the two-factor authentication is realized and the brute force attack is prevented. At the same time, the survival period of the NFC device issued by the authentication server and the timestamp of the authentication stage are used to prevent the replay attack. The identifiers and explanations used in this protocol are as shown in Table 1.

Table 1. Identifiers and explanations used in the protocol.

Identifier	Interpretative Statement
N i	N is NFC device, i is NFC device number
AS	Authentication Server
E	Asymmetric Encryption Algorithm
S	Symmetric Encryption Algorithm (Shared key encryption algorithm)
puk	Public key of AS
prk	Private key of AS
K i	The Shared key between Ni and AS
H	Hash Encryption Algorithm
Rn i	The random number generated by Ni
Rn Ai	The random number generated by AS
SP i	The survival period of Ni
TS	Timestamps

Registration phase

Step1 N₁—> AS: RQE1, RQS1

N₁ Sends the requests of RQE1 and RQS1 to AS.

$$RQE1=E_{puk}\left\{K_1\right\}$$ (1)

$$RQS1=S{K}_1\left\{IDN1,R{n}_1\right\}$$ (2)

R represents the Registered stage. Q represents the Request message. E represents the use of asymmetric encryption algorithm. S represents the use of Shared Key encryption (symmetric encryption algorithm), and the number one represents the first message in the information of RQE1 and RQS1. N₁ encrypts the shared key K₁ through the public key of AS, and encrypts its own information IDN1 and random number Rn₁ through the shared key and sends it to AS to complete the shared key distribution and registration request.

Step2 AS—> N1: RPE1, RPS1

After AS receives the message from N₁, it decrypts RQE1 through its own private key to get K₁, and then RQS1 is decrypted by using K₁ to get Rn₁ and IDN1. After registering the IDN1 and Rn₁ of N₁ in its database, AS generates Rn_A1 and SP₁, and sends RPE1 and RPS1 to N₁.

$$RPE1=E_{prk}\left\{H\left(IDN1,R{n}_1\right)\right\}$$ (3)

$$RPS1=S{K}_1\left\{S{P}_1,H\left(R{n}_{A1}\right)\right\}$$ (4)

P represents the response request message in the information of RPE1 and RPS1. Rn_A1 is the random number generated by AS. SP₁ is the survival period of N₁ device. N₁ needs to be authenticated within the SP₁, and otherwise authentication fails.

When N₁ receives RPE1 and RPS1, it decrypts RPE1 by using the public key of AS to obtain H(IDN1, Rn₁), and then compares it with the H(IDN1, Rn₁) generated by itself. If it is consistent, the message is indeed sent by AS and has not been changed in the transmission process. The verification is successful, then the registration stage is completed, otherwise the registration fails. The working process of the registration phase is shown in Fig 1.

Fig 1. The working process of the registration phase.

Authentication phase

Step1 N1—> N2: AQS1, AQH1

N₁ sends AQS1 and AQH1 requests to N₂, where "A" represents the authentication phase in the message of AQS1 and AQH1.

$$AQS1=S{K}_1\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}$$ (5)

$$AQH1=H\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}$$ (6)

N₁ encrypts IDN1, Rn₁ and H(Rn_A1) using the shared key K₁ to generate AQS1, and at the same time carries out the hash calculation to generate the hash value AQH1 to ensure the confidentiality and integrity of the information.

Step2 N2—> AS: AQS2, AQH2

After receiving the messages send by N₁, N₂ encrypts IDN2, Rn₂, H(Rn_A2) and AQS1 with its shared key with AS to generate AQS2. At the same time, the information in AQS2 and the value of H{IDN1, Rn₁, H(Rn_A1)} is used to generate the hash value AQH2 to ensure the data integrity in the transmission process. After that, the generated AQS2 and AQH2 are sent to AS.

$$AQS2=S{K}_2\left\{IDN2,R{n}_2,H\left(R{n}_{A2}\right),S{K}_1\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}\right\}$$ (7)

$$AQH2=H\left\{IDN2,R{n}_2,H\left(R{n}_{A2}\right),H\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}\right\}$$ (8)

Step3 AS—> N2: APS1, APE1, APE2

After receiving the request from N₂, the AS decrypts AQS2 information through K₂ and K₁, and obtains the information of IDN2, Rn₂, H(Rn_A2), IDN1, Rn₁ and H(Rn_A1). If this information does not match the data in the database, the authentication process is terminated. If it is consistent, the information in AS database is used to generate H{IDN2, Rn₂, H(Rn_A2), H(IDN1, Rn₁, H(Rn_A1)}}. If it is consistent with the hash value sent by N₂, the authentication will continue, otherwise, the authentication will be terminated.

After AS verifies N₁ and N₂, it sends responses APS1, APE1, APE2 to N₂. Note that the information in APS1, APE1, and APE2 all use the information in the database of AS. TS₁ is the timestamp.

$$APS1=S{K}_2\left\{H\left\{IDN2,R{n}_2,H\left(R{n}_{A2}\right)\right\},T{S}_1,S{K}_1\left\{H\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}\right\}\right\}$$ (9)

$$APE1=E_{prk}\left\{H\left(IDN1\right)\right\}$$ (10)

$$APE2=E_{prk}\left\{H\left(IDN2\right)\right\}$$ (11)

Step4 N2—> N1: APS2, APE1

After receiving the response from AS, N₂ decrypts APE2 through the public key issued by AS to verify whether the H(IDN2) is the same as its own ID hash value to confirm whether the message comes from AS. If the verification fails, the authentication is terminated. If it succeeds, SK₂ is used to decrypt APS1 to obtain the messages of H{IDN2, Rn₂, H(Rn_A2)} and TS₁. N₂ uses TS₁ to verify the validity of the message. When the verification of TS₁ passed, the H{IDN₂, Rn₂, H(Rn_A2)} is calculated to be consistent with those received. If TS₁ verification fails, the authentication will be terminated. At the same time, if the verification of H{IDN2, Rn₂, H(Rn_A2)} fails, the authentication will also be terminated.

When N₂ confirms that the received message is correct, APS2 and APE1 are sent to N₁.

$$APS2=S{K}_1\left\{H\left\{IDN1,R{n}_1,H\left(R{n}_{A1}\right)\right\}\right\}$$ (12)

$$APE1=E_{prk}\left\{H\left(IDN1\right)\right\}$$ (13)

After N₁ receives the response from N₂, it first obtains H(IDN1) by calculating APE1 with public key, and then compares the obtained hash value with itself hash value to verify their consistency. If they are consistent, the source and integrity authentication are completed.

N₁ uses SK₁ to solve APS2 to obtain H{IDN1, Rn₁, H(Rn_A1)} and then compared with the H{IDN1, Rn₁, H(Rn_A1)} generated by itself using local data for matching verification. If they are consistent, the authentication is completed. Otherwise, the authentication fails and the authentication is terminated. The working process of certification phase is shown in Fig 2.

Fig 2. The working process in the authentication phase.

Results

Prevent man-in-the-middle attacks

In this paper, ciphertext transmission is adopted. In the whole process of the protocol, including two phases of registration and authentication, the middleman cannot obtain the effective plaintext information. Suppose the middleman is located in N₁And N₂, APE1 cannot be generated, because he does not know the key of AS and the value of IDN1, so it will not pass the fourth step in the authentication phase. If the middleman is located at N₂ and AS, because he doesn’t know the shared key K₂ and the private key of AS, the middleman will not generate APS1, APE1 and APE2, and TS will also be able to defend against man-in-the-middle attacks between N₂ and AS to some extent.

Prevent replay attacks

In this paper, random numbers Rn_i and Rn_Ai, message lifetime, timestamp and other technologies are used. Compared with the scheme proposed by Lee et al., Ceipidor et al., Thammarat et al., it can effectively achieve the purpose of preventing replay attacks.

Prevent brute force attacks

In this paper, the random numbers Rn_i generated by the NFC device and the random numbers Rn_Ai generated by the AS are used. At the same time, symmetric encryption, asymmetric encryption and hash encryption technologies are adopted, making brute force cracking extremely difficult. Compared with the scheme proposed by Lee et al., Tung et al., the scheme is more secure and reliable on the whole process.

Ensure data integrity

In this paper, there are corresponding hash values in each step of the registration phase and authentication phase, which can fully guarantee the integrity of the data. In the second step of authentication stage, dual hashing integrity authentication is used, which can ensure the integrity of data better than other schemes.

Ensure data confidentiality

In this paper, asymmetric algorithm is used to encrypt the key of symmetric algorithm, and symmetric algorithm is used to encrypt the data, which not only ensures the confidentiality, but also ensures the efficiency of the whole protocol. The whole process is encrypted, so that all the data obtained by the attacker are ciphertext. Compared with the scheme proposed by Ceipidor et al. and Tung et al., the data confidentiality is stronger and more secure.

Mutual authentication

In the second step of the authentication phase, AS verifies the consistency of the ID and Rn₁, Rn_A1, Rn₂ and Rn_A2 by receiving requests from N₁ and N₂, and then uses the data in the local database to conduct hash calculation in response to N₁ and N₂. N₁ and N₂ use their own Rn₁, Rn_A1, Rn₂ and Rn_A2 to conduct hash calculation and verify whether they are consistent and achieve the purpose of mutual authentication.

Discussion

Confidentiality and performance analysis

Compared with other schemes, this paper comprehensively uses symmetric encryption algorithm, asymmetric encryption algorithm and hash algorithm to achieve high confidentiality. In terms of message transfer operation frequency, the protocol in this paper completes the entire authentication process with the minimum message transmission times, which is efficient and safe. Comparison of confidentiality and performance analysis are shown in Table 2.

Table 2. Comparison of confidentiality and performance analysis.

Operating	Our scheme	Lee et al.	Ceipidor et al.	Thammarat et al.	Tung et al.
Symmetric Encryption algorithm	8	4	-	3	-
Asymmetric Encryption algorithm	6	1	2	-	-
Hash algorithm	8	3	3	9	9
Message transmissions	6	8	7	8	7

Safety analysis

This paper compares with other schemes in security aspects such as confidentiality, prevention of man-in-the-middle attack, prevention of replay attack, prevention of brute force attack, integrity, mutual authentication, etc., as shown in Table 3. It can be seen that the protocol in this paper can complete the mutual authentication of NFC devices and ensure the security at the same time. The message transmitted in the registration and authentication stages is encrypted throughout, which is more secure than the protocol with others.

Table 3. Comparison of safety analysis.

Security	Our study	Lee et al.	Ceipidor et al.	Thammarat et al.	Tung et al.
Confidentiality	Yes	No	No	No	No
Preventing man-in-the-middle attacks	Yes	-	-	Yes	Yes
Prevent replay attacks	Yes	No	No	Yes	Yes
Prevent brute force attacks	Yes	-	-	Yes	Yes
Integrity	Yes	No	-	Yes	Yes
Mutual authentication	Yes	-	Yes	Yes	Yes

Note that the "-" in the table indicates that this study claims that the solution can provide this security attribute, but other studies believe that the solution still lacks this security attribute.

Conclusion

A secure and efficient authentication scheme between NFC devices is proposed in this paper. The whole ciphertext transmission can not only be used for communication between mobile NFC devices, but also for secure communication between NFC devices and smart cards. At the same time, the scheme uses the timestamp, survival period and other technologies to solved the man-in-the-middle attack, replay attack and other problems. The hash algorithm is used to ensure the data integrity in the transmission process. The asymmetric encryption algorithm is used to solve the problem of message source authentication and shared key distribution. The symmetric encryption is used to make the protocol more efficient. In this protocol, the number of interactive information transmission between devices is reduced as much as possible, and the messages transmitted in both the registration stage and the authentication stage are all encrypted, which makes the whole system more secure.

Data Availability

Our article belongs to Study Protocol articles. Our article does not data and the data availability policy is not applicable to our article.

Funding Statement

This work was supported by the Project of the Quality Engineering of Education Section of Anhui Province of China (2020xfxm27, 2015ckjh117, 2016mooc190, 2017ghjc228).and the Project of the Quality Engineering of Anhui Xinhua University of China (2019sysxx03) and the Project of the Cooperation between Production and Education of Ministry of Education of the People’s Republic of China (201702139041).