Abstract
Numerous contactless smartcards (and the corresponding RFID readers) are compatible with NFC, e.g., Mifare cards and the governmental ID card in Germany called nPA. NFC-enabled smartphones and other NFC objects such as door locks have become widespread. Existing and future applications of the up-and-coming technology require a secure way of assigning and transporting user rights, e.g., for opening and starting a car or access control to a building. In this paper, we propose a scheme that securely identifies a customer on a website and creates a (personalized) credential containing the booked access permissions. This credential is safely transported via the Internet to the user’s smartphone and finally grants access to an NFC-enabled object. In our proof-of-concept implementation, an application on a commercial smartphone is used for communicating with a web server of a car rental agency. During the booking process, the phone operates as an RFID reader to interrogate the nPA of the user and utilizes the security mechanisms of the nPA, including the PACE protocol, for identifying the customer. After having obtained the credential, the smartphone emulates a Mifare DESFire card that is read by the NFC door lock of a rental car to verify the validity of the access permission. We discuss security issues and limitations of our approach.
Keywords
This work was supported in part by the German Federal Ministry of Economics and Technology (Grant 01ME12025 SecMobil).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
In future scenarios in which an electronic driver’s license is available, this visit could probably be omitted
- 2.
We opted to emulate a real-world card, because this enables additional use cases in which a real contactless card executes a (pre-paid) right instead of the smartphone.
- 3.
The same applies to various other manufacturers of smartphones: No vendor was willing to give us access to a secure element.
- 4.
It is conceivable that a smartphone resides close to the nPA in a wallet of the owner.
References
Emulating a PKI smart card with CyanogenMod 9.1. http://nelenkov.blogspot.it/2012/10/emulating-pki-smart-card-with-cm91.html
Eastlake III, D., Hansen, T.: RFC 4634 - US Secure Hash Algorithms (SHA and HMAC-SHA). Motorola Labs and AT &T Labs, July 2006
ACG id. HF Multi ISO RFID Reader User Manual (2006)
BlackBerry. BlackBerry Bold 9900/9930 Smartphones - Safety and Product Information
BlackBerry Support Community. Java Development - NFC Primer for Developers. http://supportforums.blackberry.com/t5/Java-Development/NFC-Primer-for-Developers/ta-p/1334857
Bundesamt für Sicherheit in der Informationstechnik. Worked Example for Extended Access Control (EAC) (PACE, Chip Authentication and Terminal Authentication) (2010)
Carlisle Adams, S.L.: Understanding PKI: Concepts, Standards, and Deployment Considerations. Pearson Education Inc., Boston (2003)
Chaos Computer Club. Praktische Demonstration erheblicher Sicherheitsprobleme bei Schweizer SuisseID und deutschem elektronischen Personalausweis (2010)
Christina Brzuska, M.F., Dagdelen, Ö.: TLS, PACE, and EAC: A Cryptographic View at Modern Key Exchange Protocols
CyanogenMod. http://www.cyanogenmod.org/
Dierks, T., Rescorla, E.: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2. RTFM, IETF, August 2008
Dworkin, M.: NIST Special Publication 800–38B (Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication). NIST (2005)
Federal Information Processing Standards. Federal Information Processing Standards Publication 180–2 - Secure Hash Standard, February 2004
Federal Ministry of the Interior, German Federal Republic. White Paper - Neuer Personalausweis - eID-Server und eID-Service (2011)
Federal Office for Information Security, German Federal Republic. Technical Guideline TR-03119 (Requirements for Smart Card Readers Supporting eID and eSign Based on Extended Access Control) (2011)
Federal Office for Information Security, German Federal Republic. Technical Guideline TR-03127 (Architecture electronic Identity Card and electronic Resident Permitl) (2012)
Federal Office for Information Security, German Federal Republic. TR-03110-2 (Advanced Security Mechanisms for Machine Readable Travel Documents – Part 2 – Extended Access Control Version 2 (EACv2), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI)) (2012)
Federal Office for Information Security, German Federal Republic. TR-03110-3 (Advanced Security Mechanisms for Machine Readable Travel Documents – Part 3 – Common Specifications) (2012)
Finke, T., Kelter, H.: Radio Frequency Identification - Abhörmöglichkeiten der Kommunikation zwischen Lesegerät und Transponder am Beispiel eines ISO14443-Systems. BSI - Bundesamt für Sicherheit in der Informationstechnik
Finkenzeller, K.: RFID-Handbuch, 3rd edn. Hanser Fachbuchverlag, München (2002)
Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones, IACR Cryptology ePrint Archive (2012)
Gartner: Gartner Says Asia/Pacific Led Worldwide Mobile Phone Sales to Growth in First Quarter of 2013. http://www.gartner.com/newsroom/id/2482816 (2013)
Hancke, G.: A practical relay attack on ISO 14443 proximity cards. http://www.cl.cam.ac.uk/~gh275/relay.pdf (2005)
Hancke, G.: Eavesdropping attacks on high-frequency RFID tokens. In: RFIDSec (2008)
Haselsteiner, E., Breitfuss, K.: Security in Near Field Communication (NFC) - Strengths and Weaknesses. In: RFIDSec, Graz, Austria (2006)
INSIDE Secure. SecureRead. http://www.insidesecure.com/eng/Products/NFC-Products/SecuRead
International Civil Aviation Organization. JTC1 SC17 WG3/TF5 (Supplemental Access Control for Machine Readable Travel Documents) (2010)
International Organization for Standardization (ISO). ISO/IEC 14443 Parts 1–4 (2001). http://www.iso.ch
International Organization for Standardization/International Electrotechnical Commission. ISO/IEC 18092 (Near Field, Communication (NFCIP-1)) (2004)
Jens Bender, D.K., Fischlin, M.: Security Analysis of the PACE Key-Agreement Protocol (2009)
Kasper, T., Carluccio, D., Paar, C.: An Embedded System for Practical Security Analysis of Contactless Smartcards. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 150–160. Springer, Heidelberg (2007)
Kasper, T., von Maurich, I., Oswald, D., Paar, C.: Chameleon: A Versatile Emulator for Contactless Smartcards. In: Rhee, K.-H., Nyang, D. (eds.) ICISC 2010. LNCS, vol. 6829, pp. 189–206. Springer, Heidelberg (2011). http://sourceforge.net/projects/chameleon14443
Lochter, M., Merkle, J.: RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard - Curves and Curve Generation. Federal Office for Information Security of the German Federal Republic, secunet Security Networks, IETF, March 2010
Miller, C.: Exploring the NFC Attack Surface. Black Hat (2012)
NXP. Mifare DESFire Short Form Specification MF3 IC D40. http://www.nxp.com/acrobat_download/other/identification/SFS075530.pdf (2004)
NXP. AN200701: ISO/IEC 14443 Eavesdropping and Activation Distance. Technical report (2007)
Research In Motion (RIM). BlackBerry JDE 7.0.0 API Reference. http://www.blackberry.com/developers/docs/7.0.0api
Research In Motion (RIM) - BlackBerry Support Community. Java Development - NFC - Virtual Target Emulation. http://supportforums.blackberry.com/t5/Java-Development/NFC-Virtual-Target-Emulation/ta-p/1509687
Rivain, M.: Fast and regular algorithms for scalar multiplication over elliptic curves. IACR Cryptology ePrint Archive, 338 (2011)
Trusted Computing Group. TPM MOBILE with Trusted Execution Environment for Comprehensive Mobile Device, Security (2012)
Winter, J., Wiegele, P., Pirker, M., Toegl, R.: A flexible software development and emulation framework for ARM TrustZone
Özgür Dagdelen, M.F.: Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents (2010)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kasper, T., Kühn, A., Oswald, D., Zenger, C., Paar, C. (2013). Rights Management with NFC Smartphones and Electronic ID Cards: A Proof of Concept for Modern Car Sharing. In: Hutter, M., Schmidt, JM. (eds) Radio Frequency Identification. RFIDSec 2013. Lecture Notes in Computer Science(), vol 8262. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41332-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-41332-2_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41331-5
Online ISBN: 978-3-642-41332-2
eBook Packages: Computer ScienceComputer Science (R0)