Architecture and security
Gauthier Van Damme, IBBT/COSIC, K.U.Leuven
Kris Vanhecke, IBBT/WICA, UGent
Table of content
System overview Fundamental idea The NFC Voucher system
Technical: user-side components MIDlet running on NFC phone OS (S40) Secure Element (SE) for secure voucher manipulation
Practical: user-side features Voucher management Voucher use cases
Conclusions
2
System overview: fundamentals
Offline system implies important security issues
Focus on maximal security
Therefore: PKI to create circle of trust: Issuer certifies users
Users can be trusted and if necessary revoked Efficient key management
Breaking one link does not scale to the system OS of mobile devices can’t be trusted
Use trusted platform on phones: SE
3
The NFC Voucher System Registration
4
TSM
Handset
Voucher Issuer 4
2
3
5
MIDlet/Applet
Public Key
Certificate
1Phone Number
Public Key/Certificate
The NFC Voucher System
5
Technical – User-side components
MIDLet, running in the S40 OS of the (Nokia) phone GUI/Keypad Receiving Vouchers through MMS (encrypted) Communication proxy for Voucher transfer with SE’s
Java Card (2.2.1) applet, running in SE
Security backbone of the system Receive & store Vouchers Voucher transfer and payment protocol Stores all sensitive data and cryptographic keys
6
7
OS Features (Java based)
The MIDlet Suite Java Archive (JAR) Java Application Descriptor (JAD)
JSR-257 Contactless Communication API Control the NFC interface ISO-14443 communication with SE
Push Registry Some Security
8
Push Registry
MIDlets can be launched automatically by the Application Management Software
Timer based Inbound network connections
Static registration in JAD descriptors Possible use cases
Timely warnings about expiring vouchers Intercept incoming MMS messages that carry vouchers
9
Security aspects
Access to some APIs is restricted Some require explicit user confirmation Some actions can only be performed by trusted
MIDlets X.509 PKI public key digital certificates.
Verisign Thawte …
Only trusted MIDlets may connect to the internal Secure Element
SE: security backbone of the system
Security in offline payment systems is critical NFC has limited range but security issues remain:
(Haselsteiner & Breitfuss [RFIDSec2006])
Eavesdropping up to 10m from active devices Data modification possible for some transfer rates Denial-of-Service always possible
Risks for NFC Voucher scheme: Re-routing of Vouchers in transit (stealing) Loss of Vouchers Counterfeiting or duplication
10
The Java Card applet on the SE
Strong cryptography is needed on top of the NFC Maximum use of SE functionalities:
Controlled by the Trusted Service Manager (TSM) Java Card applet will be deployed by TSM Application in SE gets a PKI key pair on initialization Limited applet access by OS/MIDlet
No Voucher leaves the SE unencrypted Issuer Signed Vouchers: Vouchers have a digital
signature
11
Limitations of the SE
Unfortunately the Java Card used is not perfect
(NXP SmartMX with G&D's Sm@rtCafe Expert 3.1 OS) Preferred cryptographic primitives are not available
RSA (1024 bit keys) used instead of ECC (160 bit keys) 3DES used instead of more efficient AES
Memory issues limit the speed of every operation:
12
13
Practical: user-side features
Check Balance
Review History
Make Payment
MMS Intercept
Phone 2 Phone
Configuration
14
Use Cases in more detail
1. Receiving new Vouchers via MMS
2. Making a payment at the cash desk
3. Tranferring Vouchers to other users
15
1. Receiving new vouchers via MMS
Multimedia Messaging Service MMS Encapsulation Specification Payload
Images, sound files SMIL file to describe message layout
NFC-Voucher MMS Payload is binary data: encrypted vouchers 20 vouchers: 3 kB of binary data MIDlet sends data to SE through APDU calls
16
2. Making a payment at the cash desk
MIDlet
1
2
3
NotificationExternalReaderDetected
ISO 14443 (APDUs)Check new balance
JSR-257
17
3. Transferring Vouchers to users
MIDlet
2
3
4
Notification
JSR-257
MIDlet
JSR-257
Initialize transaction
1
Start protocol
Execute protocol
4
Conclusions: Security issues solved/remaining
Solved: Vouchers can not be created (signature) Voucher can not be duplicated (they do not leave SE
unencrypted) Vouchers can not be stolen as users are identified
Remaining issues: Vouchers can sometimes appear ‘lost in transaction’
18
Conclusions: usability
Promising technology Improvement compared to other systems (e.g. Proton) High enough security for Voucher payments
But needs speed improvements: ~6sec for NFC Phone-to-Phone transfer ~4sec for payments
19