You are on page 1of 15

Near

(In Cell Phones)

Field

Communication

Contents
Introduction Standards and Compatibility Technology Overview Communication Coding and odes! "ctive and Passive odulation iller Code

anchester Code odi#ied Initiator and Target Collision "voidance $eneral Protocol #low Comparison with other Technologies NFC and %FI& Comparison with 'luetooth and In#rared Security "spects (avesdropping &ata &estruction &ata odi#ication &ata Insertion an)in)the) iddle)"ttac* Conclusion

Introduction
Near Field Communication (NFC) is a technology #or contactless short)range communication+ 'ased on the %adio Fre,uency Identi#ication (%FI&)- it uses magnetic #ield induction to enable communication between electronic devices+ The number o# short)range applications #or NFC technology is growing continuously- appearing in all areas o# li#e+ (specially the use in con.unction with mobile phones o##ers great opportunities+ The main applications are! Payment & ticketing NFC enables users to ma*e #ast and secure purchases- go shopping with electronic money- and also to buy- store and use electronic tic*ets- such as concert/event tic*ets- plane tic*ets- travel cards- etc+ Electronic keys For e0ample- these can be car *eys- house/o##ice *eys- etc+ Identification In addition- NFC ma*es it possible to use mobile phones instead o# identity documents+ In 1apan- #or e0ample- student I&s can be stored on cell phonewhich allows the students to electronically register #or classes- to open loc*ed campus doors- buy #ood at the school ca#eteria- borrow boo*s- and even get discounts at local movie theaters- restaurants- and shops+ 2 %eceive and share in#ormation The data stored on any tagged ob.ect (e+g+ a &3& bo0 or a poster) can be accessed by mobile phones in order to download movie trailers- street)mapstravel timetables etc+ 2 Set)up service To avoid the complicated con#iguration process- NFC can be used #or the set)up o# other longer)range wireless technologies- such as 'luetooth or 4ireless 5"N+ 6p to now the convenience o# NFC is mostly used in "sia- #or instance in 1apan or South 7orea- where paying with a mobile phone or a NFC)smartcard already

belongs to everyday li#e+ In September 899:- "'I research predicted that by 89;;- about <9= o# the mobile phones in the world (about >?9 million phones) would be NFC)enabled+ In this paper we will discuss the characteristics o# NFC+ 4e start with the underlying Standards and Compatibility in Chapter 8- be#ore we will consider the basic technology capabilities in Chapter <+ Chapter > deals with the correlation between NFC and %FI& and con#ronts NFC with 'luetooth and in#rared+ Chapter ? observes the Near Field Communication #rom the security point o# viewconsidering di##erent types o# attac*+ In Chapter : the ma.or results o# this wor* are summari@ed+

Standards and Compatibility


Near Field Communication is an open plat#orm technology- developed by Philips and Sony+ NFC- described by NFCIP); (Near Field Communication Inter#ace and Protocol ;)- is standardi@ed in ISO ;A9B8 C;D- (C " <>9C8D as well as in (TSI TS ;98 ;B9C<D+ These standards speci#y the basic capabilities- such as the trans#er speeds- the bit encoding schemes- modulation- the #rame architecture- and the transport protocol+ Furthermore- the active and passive NFC modes are described and the conditions that are re,uired to prevent collisions during initiali@ation+ TodayEs NFC devices do not only implement NFCIP);- but also NFCIP)8- which is de#ined in ISO 8;>A; C>D- (C " <?8 C?D and (TSI TS ;98 <;8C:D+ NFCIP)8 allows #or selecting one o# three operating modes! 2 NFC data trans#er (NFCIP);)2 Pro0imity coupling device (PC&)- de#ined in ISO ;>>>< CFD- and 2 3icinity coupling device (3C&)- de#ined in ISO ;?:B< CAD+ NFC devices have to provide these three #unctions in order to be compatible with the main international standards #or smartcard interoperability- ISO ;>>>< (pro0imity cards- e+g+ PhilipEs i#are)- ISO ;?:B< (vicinity cards) and to Sonys FeliCa contactless smart card system+ Gence- as a combination o# smartcard and

contactless interconnection technologies- NFC is compatible with todayEs #ield proven %FI&)technology+ That means- it is providing compatibility with the millions o# contactless smartcards and scanners that already e0ist worldwide+

Technology Overvie
NFC operates in the standard- globally available ;<+?: G@ #re,uency band+ Possible supported data trans#er rates are ;9:- 8;8 and >8> *bps and there is potential #or higher data rates+ The technology has been designed #or communications up to a distance o# 89 cm- but typically it is used within less than ;9 cm+ This short range is not a disadvantage- since it aggravates eavesdropping+

Communication !odes" #ctive and Passive


The NFC inter#ace can operate in two di##erent modes! active and passive+ "n active device generates its own radio #re,uency (%F) #ield- whereas a device in passive mode has to use inductive coupling to transmit data+ For battery) powered devices- li*e mobile phones- it is better to act in passive mode+ In contrast to the active mode- no internal power source is re,uired+ In passive mode- a device can be powered by the %F #ield o# an active NFC device and trans#ers data using load modulation+ Gence- the protocol allows #or card emulation- e+g+- used #or tic*eting applications- even when the mobile phone is turned o##+ This yields to two possible cases- which are described in Table <+;+ The communication between two active devices case is called active communication mode- whereas the communication between an active and a passive device is called passive communication mode+ Communication &escription each other+ (ach device has to generate its own %F #ield- i# it wants to send data+ The %F #ield is alternately generated by one o# the two devices+ ode "ctive Two active devices communicate with

Passive In this mode the communication ta*es place between an active and a passive device+ The passive device has no battery and uses the %F #ield generated by the active device+ In general- at most two devices communicate with each other at the same time+ Gowever- as de#ined in C8D- H;;+8+8+<- in passive mode the initiator (see Section This is reali@ed by a time slot method- which is used to per#orm a Single &evice &etection (S&&)+ The ma0imal number o# time slots is limited to ;:+ " target responds in a random chosen time slot that may lead to collision with the response o# another target+ In order to reduce the collisions- a target may ignore a polling re,uest set out by the initiator+ I# the initiator receives no response- it has to send the polling re,uest again+

Coding and !odulation


The distinction between active and passive devices speci#ies the way data is transmitted+ Passive devices encode data always with anchester coding and a ;9="S7;+ Instead- #or active devices one distinguishes between the modi#ied iller coding with ;99= modulation i# the data rate is ;9: *bps- and the anchester coding using a modulation ratio o# ;9= i# the data rate is greater than ;9: *bps+ "s we will discuss later the modulation ratio- de#ined in C;D is o# high importance #or the security o# the NFC data trans#er+ "ctive &evice Passive &evice ;9: *'aud 8;8 *'aud >8> *'aud odi#ied iller- ;99= "S7 anchester- ;9= "S7 anchester- ;9= "S7 anchester- ;9= "S7 anchester- ;9= "S7 anchester- ;9= "S7

!anchester Code
The anchester coding depends on two possible transitions at the midpoint o# a period+ " low)to)high transition e0presses a 9 bit- whereas a high)to)low transition stands #or a ; bit+ Conse,uently- in the middle o# each bit period there is always a transition+ Transitions at the start o# a period are not considered+ "mplitude)shi#t *eying is a #orm o# modulation that represents digital data as variations in the amplitude o# a carrier wave+

!odified !iller Code


This line code is characteri@ed by pauses occurring in the carrier at di##erent positions o# a period+ &epending on the in#ormation to be transmitted- bits are coded as shown in Figure <+8+ 4hile a ; is always encoded in the same waycoding a 9 is determined on the basis o# the preceded bit+

Initiator and Target


Furthermore- it is important to observe the role allocation o# initiator and target+ The initiator is the one who wishes to communicate and starts the communication+ The target receives the initiatorEs communication re,uest and sends bac* a reply+ This concept prevents the target #rom sending any data without #irst receiving a message+ %egarding the passive communication modethe passive device acts always as NFC target+ Gere the active device is the initiator- responsible #or generating the radio #ield+ In the case o# an active con#iguration in which the %F #ield is alternately generated- the roles o# initiator and target are strictly assigned by the one who starts the communication+ 'y de#ault all devices are NFC targets- and only act as NFC initiator device i# it is re,uired by the application+ In the case o# two passive devices communication is not possible+

Collision #voidance

6sually misunderstandings are rather rare- since the devices have to be placed in direct pro0imity+ The protocol proceeds #rom the principle! listen be#ore tal*+ I# the initiator wants to communicate- #irst- it has to ma*e sure that there is no e0ternal %F #ield- in order not to disturb any other NFC communication+ It has to wait silently as long as another %F #ield is detected- be#ore it can start the communication- a#ter an accurately de#ined guard)time (C8D- H;;+;)+ I# the case occurs that two or more targets answer at e0actly the same time- a collision will be detected by the initiator+

$eneral Protocol flo


The general protocol #low can be divided into the initiali@ation and transport protocol+ The initiali@ation comprises the collision avoidance and selection o# targets- where the initiator determines the communication mode (active or passive) and chooses the trans#er speed+ 2 "ctivation o# the protocol- which includes the %e,uest #or "ttributes and the Parameter Selection+ 2 The data e0change protocol- and 2 The deactivation o# the protocol including the &eselection and the %elease+ &uring one transaction- the mode (active and passive) and the role (initiator and target) does not change until the communication is #inished+ Though- the data trans#er speed may be changed by a parameter change procedure+

Comparison
%&C and '&I(

ith other Technologies

'asically- the technologies %adio Fre,uency Identi#ication and Near Field Communication use the same wor*ing standards+ Gowever- the essential e0tension o# %FI& is the communication mode between two active devices+ In addition to contactless smart cards (ISO ;>>>< CFD)- which only support communication between powered devices and passive tags- NFC also provides peer)to)peer communication+

Thus- NFC combines the #eature to read out and emulate %FI& tags- and #urthermore- to share data between electronic devices that both have active power+

Comparison

ith )luetooth and Infrared

Compared to other short)range communication technologies- which have been integrated into mobile phones- NFC simpli#ies the way consumer devices interact with one another and obtains #aster connections+ The problem with in#rared- the oldest wireless technology introduced in ;BB<- is the #act that a direct line o# sight is re,uired- which reacts sensitively to e0ternal in#luences such as light and re#lecting ob.ects+ The signi#icant advantage over 'luetooth is the shorter set)up time+ Instead o# per#orming manual con#igurations to identi#y the otherEs phonethe connection between two NFC devices is established at once (I9-;s)+ "ll these protocols are point)to)point protocols+ 'luetooth also supports point)to multipoint communications+ 4ith less than ;9 cm- NFC has the shortest range+ This provides a degree o# security and ma*es NFC suitable #or crowded areas+ The data trans#er rate o# NFC (>8> *bps) is slower than 'luetooth (F8; *bps)- but #aster than in#rared (;;? *bps)+ In contrast to 'luetooth and in#rared NFC is compatible to %FI&+

Security #spects
In this chapter- we want to analy@e the security o# NFC+ In this conte0t two very interesting papers have been published+ In CBD (rnst Gaselsteiner and 7lemens 'reit#uJ discuss some threats and solution #or the security o# NFC- and also the paper KSecurity "spects and Prospective "pplications o# %FI& SystemsK C;<D gives some use#ul in#ormation+ First o# all it should be mentioned that the short communication range o# a #ew centimeters- though it re,uires conscious user interaction- does not really ensure secure communication+ There are di##erent possibilities to attac* the Near Field Communication technology+ On the one hand the di##erent used devices can be manipulated physically+

This may be the removal o# a tag #rom the tagged item or wrapping them in metal #oil in order to shield the %F signal+ "nother aspect is the violation o# privacy+ I# proprietary in#ormation is stored on a tag it is important to prevent #rom unauthori@ed read and write access+ "s outlined in C;<D read)only tags are secure against an unauthori@ed write access+ In the case o# rewritable tags we have to assume that attac*ers may have mobile readers and the appropriate so#tware which enable unauthori@ed read and write access i# the reader distance is normal+ In this wor* we want to #ocus on attac*s with regard to the communication between two devices+ For detecting errors- NFC uses the cyclic redundancy chec* (C%C)+ This method allows devices to chec* whether the received data has been corrupted+ In the #ollowing- we will consider di##erent possible types o# attac*s on the NFC communication+ For most o# these attac*s there are countermeasures in order to avoid or at least reduce the threats+

Eavesdropping
NFC o##ers no protection against eavesdropping+ %F waves #or the wireless data trans#er with an antenna enables attac*ers to pic* up the transmitted onitoring data+ In practice a malicious person would have to *eep a longer distance in order not to get noticed+ The short range between initiator and target #or a success#ul communication is no signi#icant problem- since attac*ers are not bound by the same transmission limits+ Conse,uently the ma0imum distance #or a normal read se,uence can be e0ceeded+ The ,uestion how close an attac*er has to be located to retrieve an usable %F signal is di##icult to answer+ Furthermore- eavesdropping is e0tremely a##ected by the communication mode+ ThatEs because- based on the active or passive mode- the trans#erred data is coded and modulated di##erently (see Section <+8)+ I# data is trans#ered with stronger modulation it can be attac*ed easier+ Thus- a passive device- which does not generate itEs own %F #ield is much harder to attac*- than an active device+ In

order to let the reader presume the ris* resulting #rom eavesdropping- there are given rough distances in CBD! K4hen a device is sending data in active modeeavesdropping can be done up to a distance o# about ;9 m- whereas when the sending device is in passive mode- this distance is signi#icantly reduced to about ; m+K Gowever- we assume that such attac*s will occur since the re,uired e,uipment is available #or everyone+ (,uipped with such an antenna a malicious person that is able to passively monitor the %F signal may also e0tract the plain te0t+ (0perimenting and literature research can be used to get the necessary *nowledge+ Gence- the con#identiality o# NFC is not guaranteed+ For applications which transmit sensitive data a secure channel is the only solution+ In C;>D some more detailed in#ormation o# this attac* are given+ ?+8 &ata &estruction "n attac*er who aspires data destruction intends a corruption o# the communication+ The e##ect is that a service is no longer available+ Still- the attac*er is not able to generate a valid message+ Instead o# eavesdropping this is not a passive attac*+ This attac* is relatively easy to reali@e+ One possibility to disturb the signal is the usage o# a so called %FI& 1ammer+ There is no way to prevent such an attac*- but it is possible to detect it+ NFC devices are able to receive and transmit data at the same time+ That means- they can chec* the radio #re,uency #ield and will notice the collision+ ?+< &ata ?+< &ata odi#ication ;? odi#ication

6nauthori@ed changing o# data- which results in valid messages- is much more complicated and demands a thorough understanding+ "s we will point out in the #ollowing- data modi#ication is possible only under certain conditions+ In order to modi#y the transmitted data an intruder has to concern single bits o# the %F signal+ "s already mentioned in Section <+8 data is send in di##erent ways+ The #easibility o# this attac*- that means i# it is possible to change a bit o# value 9 to

; or the other way around- is sub.ect to the strength o# the amplitude modulation+ I# ;99= modulation is used- it is possible to eliminate a pause o# the %F signalbut not to generate a pause where no pause has been+ This would demand an impracticable e0act overlapping o# the attac*ers signal with the original signal at the receiverEs antenna+ Gowever- Near Field Communication technology uses modulation o# ;99= in con.unction with the modi#ied changed by an attac*er is- where a ; is #ollowed by another ;+ 'y #illing the pause in two hal# bit o# the %F signal the decoder receives the signal o# the third case+ &ue to the agreement o# the preceding bit the decoder would veri#y a valid one+ The other three cases are not susceptible to such an attac*+ Figure ?+;! 'it modi#ication o# the odi#ied iller Code anchester For NFC- a modulation ratio o# ;9= is always used together with iller coding which leads to > possible cases (see Figure ?+;)+ The only case- where a bit might be

coding+ In contrast to the ;99= modulation- where really no signal is send in a pause- here within a pause the %F signal is e+g+ A8= o# the level o# the #ull signal+ 5etEs assume- an attac*er may increase the e0isting %F signal about ;A= during the whole session- without being noticed by the decoder+ Then- the attac*er is able to change a @ero to one by increasing the %F signal during the #irst hal# o# the signal period by another ;A=- and also may change a bit o# value one to @ero by simply stopping to send anything+ ;: Security "spects %egarding the threat in summary! (0cept #or one case- always anchester coding with ;9= "S7 is used #or NFC data trans#er+ This represents the best possible conditions #or the malicious intention o# modi#ying NFC data (compare Table <+8)+ This way o# transmitting the data o##ers a modi#ication attac* on all bits+ The only e0ception are active devices trans#ering data at ;9: *bps+ In this case the usage o# the modi#ied iller coding with a modulation ratio o# ;99= accomplishes that only certain bits can be modi#ied+ In CBD three countermeasures are described+ One possibility is the usage o# the active communication mode with ;9: *bps+ "s mentioned above this would not

prevent- but at least reduce the ris* o# this attac*+ Furthermore- it is possible to let the devices chec* the %F #ield as already described in Section ?+8+ &enoted as the Kprobably best solutionK is the use o# a secure channel+ This would provide data integrity+ ?+> &ata Insertion This attac* can only be implemented by an attac*er- i# there is enough time to send an inserted message be#ore the real device starts to send his answers+ I# a collision occurs the data e0change would be stopped at once+ In order to prevent such attac*s the device should try to answer with no delay+ "lternatively- again chec*ing the %F #ield and also the secure channel can be used to protect against attac*s+ ?+? an)in)the) iddle)"ttac* an)in)the) iddle)"ttac* we have In order to show that NFC is secure against a

to survey both- the active and the passive communication mode+ In the #ollowing we distinguish between device " and device ' that are e0changing data+ In passive mode the active device (") generates the %F #ield in order to send data to a passive device (')+ The aim o# an intruder is to intercept this message and prevent device ' #rom receiving it+ The ne0t step would be to replace it with a di##erent message+ The #irst step is possible- but can be detected i# device " chec*s the %F #ield while sending the message+ Gowever- the second one is practically impossible+ To send a message to device ' the attac*er would have to generate his own %F #ield+ Gence- the %F #ield o# device " has to be per#ectly aligned which is not practically #easible+ In contrast to the passive mode- in active mode device " switches o## the %F #ield a#ter sending a message+ Now the attac*er is con#ronted with another ?+? an)in)the) iddle)"ttac* ;F problem+ (ven though he may generate an %F #ield- he is not able to trans#er a message to device ' that would not be recogni@ed by device "- because device " is waiting #or a response #rom device '+ Thus- device " is assigned with the tas*

to chec* i# the received messages really come #rom device '+ &isregarding relay attac*s- NFC provides good protection against a is used and the %F #ield is monitored by device "+ ;A Security "spects : Conclusion In summary- Near Field Communication is an e##icient technology #or communications with short ranges+ It o##ers an intuitive and simple way to trans#er data between electronic devices+ " signi#icant advantages o# this techni,ue is the compatibility with e0isting %FI& in#rastructures+ "dditionally- it would bring bene#its to the setup o# longer)range wireless technologies- such as 'luetooth+ 4ith regard to the security o# NFC- we discussed di##erent attac*s and possible countermeasures to mitigate their impact+ &espite the restriction o# the rangeeavesdropping or data modi#ication attac*s can be carried out+ 'ut- disregarding relay attac*s- NFC provides security against an)in)the) iddle)"ttac*s+ In order to provide protection against these threats- the establishment o# a secure channel is necessary+ For this purpose simply the well *nown &G *ey agreement can be used- because 89 Conclusion 'ibliography C;D ISO/I(C ;A9B8((C ")<>9)! In#ormation technology ) Telecommunications and in#ormation e0change between systems ) Near Field Communication ) Inter#ace and Protocol (NFCIP);)+ First (dition899>)9>)9;+ C8D (cma International! Standard (C ")<>9- Near Field Communication Inter#ace and Protocol (NFCIP);)- &ecember 899>- 6%5! http!//www+ecma)international+org/publications/standards/(cma) <>9+htm+ C<D (TSI TS ;98 ;B9 3;+;+;! Near Field Communication an)in)the) iddle)"ttac*s represent no threat+ 4ith a secure channel NFC provides con#identiality- integrity and authenticity+ an)inthe) iddle attac*+ This applies particularly i# the passive communication mode

(NFC) IP);L Inter#ace and Protocol (NFCIP);) 899<)9<- 6%5! http!//www+etsi+org+ C>D ISO/I(C 8;>A;! In#ormation technology Telecommunications and in#ormation e0change between systems Near Field Communication Inter#ace and Protocol )8 (NFCIP)8)+ 1anuary 899?+ C?D (cma International! Standard (C ")<?8- Near Field Communication Inter#ace and Protocol )8 (NFCIP)8)- &ecember 899<- 6%5! http!//www+ecmainternational+ org/publications/#iles/(C ")ST/(cma)<?8+pd#+ C:D (TSI TS ;98 <;8- 3;+;+;! (lectromagnetic compatibility and %adio spectrum atters ((% )LNormali@ed Site "ttenuation (NS") and validation o# a #ully lined anechoic chamber up to >9 $G@ 899>) 9?- 6%5! http!//www+etsi+org+ CFD ISO/I(C ;>>><! Identi#ication cards ) Contactless integrated circuit cards ) Pro0imity cards+ 899;- 6%5! www+iso+ch+ CAD ISO/I(C ;?:B<! Identi#ication cards ) Contactless integrated circuit cards ) 3icinity cards+ CBD (rnst Gaselsteiner and 7lemens 'reit#uss! Security in near #ield communication (NFC)Philips Semiconductors- Printed handout o# 4or*shop on %FI& Security %FI&Sec 9:- 1uly 899:- 6%5! 88 'ibliography http!//events+iai*+tugra@+at/%FI&Sec9:/Program/papers/998=89) =89Security=89in=89NFC+pd#+ C;9D (rnst Gaselsteiner and 7lemens 'reit#uss! Security in near #ield communication (NFC)- %FI&Sec 9:- 8+ 1uly ;<th- 899:- 6%5! http!//events+iai*+tugra@+at/%FI&Sec9:/Program/slides/998=89) =89Security=89in=89NFC+ppt+ C;;D 4i*ipedia! "mplitude)shi#t)*eying- 6%5! http!//en+wi*ipedia+org/wi*i/"mplitude shi#t *eying+

C;8D (lectronic (ngineering Times "sia! NFC delivers intuitive- connected consumer e0perience- 6%5! http!//www+eetasia+com/"%TIC5(S/899: "M/P&F/((O5 899: "M9; ST(CG %F& T"+pd#NSO6%C(SO&O4N5O"&+ C;<D Oertel- 4Pol*- Gilty- 7Pohler- 7elter- 6llmann4ittmann! Security "spects and Prospective "pplications o# %FI& Systems- 'undesamt #r Sicherheit in der In#ormationstechni*- 'onn- ;;+ 1anuary 899?- 6%5! http!//www+bsi+de/#achthem/r#id/%I7CG" englisch+pd#+ C;>D $erhard P+ Ganc*e! " practical relay attac* on ISO ;>>>< pro0imity cards+ 899?- 6%5! http!//www+cl+cam+ac+u*/Q gh8F?/relay+pd#+