Ernst Haselsteiner, Klemens Breitfuss
RFIDSec 06, July 13th, 2006

Security in Near Field Communication: Strengths and Weaknesses


Contents

• What is NFC?

• Threats & Countermeasures
– Eavesdropping
– Data Modification
– Man-in-the-Middle

• Secure Channel
– Key Agreement


What is NFC?

• Designed for short distance communication (up to 10 cm)

• It’s a contactless card and a contactless reader in one chip

• It operates at 13.56 MHz

• It’s designed for low bandwidth (max speed is 424 kBaud)

• Applications aimed for are

– Ticketing

– Payment

– Device Pairing


[Figure: short-range 13.56 MHz RF link]


Some details we need to know…

• There are dedicated roles
– Initiator and Target
– Any data transfer is a message and reply pair.

[Figure: the Initiator sends a Message to the Target; the Target returns a Reply]

• There are dedicated modes of operation
– Active and Passive
– Active means the device generates an RF field
– Passive means the device uses the RF field generated by the other device


Some details we need to know…

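Coding and modulation by speed and mode:

| Speed     | Active                    | Passive             |
| 106 kBaud | Modified Miller, 100% ASK | Manchester, 10% ASK |
| 212 kBaud | Manchester, 10% ASK       | Manchester, 10% ASK |
| 424 kBaud | Manchester, 10% ASK       | Manchester, 10% ASK |

Possible combinations of role and mode:

| Role      | Active   | Passive      |
| Initiator | Possible | Not Possible |
| Target    | Possible | Possible     |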


Eavesdropping

• I am sorry, but NFC is not secure against eavesdropping.

• From how far away is it possible to eavesdrop?
– Depends…
    • RF field of sender
    • Equipment of attacker
    • …

• Does Active versus Passive mode matter?
– Yes
    • In active mode the modulation is stronger (in particular at 106 kBaud)
    • In passive mode eavesdropping is harder

• Countermeasure
– Secure Channel


Data Modification

[Figure: one bit split into a 1st and 2nd half-bit, amplitude axis 0 to 100, showing a coded “0” and a coded “1” for Modified Miller Coding (100% ASK) and for Manchester Coding (10% ASK)]

• Countermeasure
– Secure Channel


Man in the Middle Attack

[Figure: Alice, Bob and Eve; Alice sends a Message to Bob; Eve's actions are labelled Eavesdropping and Disturb]

Alice detects the disturbance and stops the protocol
• Check for active disturbances!


Man in the Middle Attack

[Figure: Alice, Bob and Eve, with a Message]

Eve cannot send to Bob while the RF field of Alice is on!
• Use Active – Passive connection!
• Use 106 kBaud!


Man in the Middle Attack

[Figure: Alice, Bob and Eve, with a Message]

Alice would receive data sent by Eve
• Verify answer with respect to this possible attack!


What we have so far

• Eavesdropping
– No protection
    • Use a Secure Channel

• Data Modification
– No protection
    • Use Secure Channel

• Man in the Middle Attack
– Very good protection if
    • Alice uses 106 kBaud
    • Alice uses Active – Passive mode
    • Alice checks for disturbance
    • Alice checks for suspicious answers from Bob


Secure Channel is easy…

• Standard DH Key Agreement
– Suffers from Man-in-the-Middle issue

• That’s fine with NFC, because right here NFC really provides protection!


• Eavesdropping

• Data Modification

• Man-in-the-Middle


Key Agreement – An Alternative

[Figure: two panels, each showing one bit split into a 1st and 2nd half-bit, with signal traces for Alice, Bob and Eve; amplitude axes marked 0, 100 and 200]


Key Agreement – An Alternative

• Perfect in theory – Obvious to see

• Needs perfect synchronization between Alice and Bob

– Amplitude

– Phase

• Alice and Bob must actively perform this synchronization

• Security in practice depends on

– Synchronization

– Equipment of attacker

• Advantages

– Cheap (requires no cryptography)

– Extremely fast
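
The slides give this alternative only as a figure; the simulation below is an added example, not the authors' code, and assumes the scheme the figure suggests: Alice and Bob send random bits at the same moment, any listener measures the sum of both fields (the 0/100/200 levels), equal bits are discarded and differing bits form the key. The names symbol, agree and eve_resolution, the amplitude-only signal model (phase is ignored) and all values are assumptions made for illustration.

```python
import secrets

def symbol(bit, amp):
    # Simplified Manchester symbol (assumption): carrier at `amp` in one
    # half-bit and 0 in the other; bit 0 -> first half, bit 1 -> second half.
    return (amp, 0.0) if bit == 0 else (0.0, amp)

def agree(n_bits, alice_amp=100.0, bob_amp=100.0, eve_resolution=1.0):
    """Simulate n_bits simultaneous transmissions.

    Returns (alice_key, bob_key, eve_view). eve_view holds None where Eve
    learns nothing, otherwise her reading of the stronger sender's bit.
    """
    alice_key, bob_key, eve_view = [], [], []
    for _ in range(n_bits):
        a_bit, b_bit = secrets.randbits(1), secrets.randbits(1)
        a, b = symbol(a_bit, alice_amp), symbol(b_bit, bob_amp)
        first, second = a[0] + b[0], a[1] + b[1]  # summed field on the air
        if a_bit == b_bit:
            continue  # levels 200/0 or 0/200: both bits are public, discard
        # Bits differ: each side knows its own bit and so infers the other's.
        alice_key.append(a_bit)
        bob_key.append(1 - b_bit)
        # Eve sees two half-bit levels that differ only by the sync error.
        if abs(first - second) <= eve_resolution:
            eve_view.append(None)  # balanced within her resolution
        else:
            eve_view.append(0 if first > second else 1)
    return alice_key, bob_key, eve_view
```

With matched amplitudes every kept bit is hidden from Eve; a 5% amplitude mismatch hands her the whole key (or its complement) unless her equipment cannot resolve the difference, which is the dependence on synchronization and attacker equipment listed above.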


Conclusion

• NFC does not provide any security by itself

• Secure Channel is required

• Physical properties of NFC protect against Man-in-the-Middle

• Establishing a Secure Channel becomes easy
