Professional Documents
Culture Documents
10 3844@jcssp 2019 1809 1819
10 3844@jcssp 2019 1809 1819
Article history Abstract: In this paper, we proposed a new Authentication Protocol for
Received: 01-09-2019 Mobile Applications using NFC technology (AP for MAN). The proposed
Revised: 03-12-2019 protocol minimizes the required time to complete the authentication
Accepted: 24-12-2019
process between the shared entities with a high level of privacy.
Corresponding Author:
According to the main security measures, the proposed protocol is
Reham Abdellatif Abouhogail evaluated. The current paper presents a new idea for preventing denial of
Department of Electrical service attack and preserves the limited mobile device capability. The
Quantities Metrology, National proposed protocol is checked using BAN logic and established that it has
Institute of Standards (NIS), no redundancy, the mutual authentication property between the shared
Egypt parties is verified. The implementation of the proposed protocol shows
Email: rehlatif@yahoo.com that it works as designed and it is practical.
© 2019 Reham Abdellatif Abouhogail and Ahmed H. Ali. This open access article is distributed under a Creative Commons
Attribution (CC-BY) 3.0 license.
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
(Levy et al., 2015). Thus, security is a prerequisite for NFC NFC wireless media
PS
applications. Moreover, NFC technology transmission M
capacity is limited as its operating frequency is 13.56 MHz
and its transmission speed starting from 106 Kbps up to 424 NFC PS NFC mobile
Kbps cm (Odelu et al., 2016). As a result, authentication
protocol should ensure high security in addition to low
AS
computation and communication time (Levy et al., 2015).
During the last years, there are many types of Database
research presented for authentication protocols that are
based on NFC. However, most of these proposed NFC
protocols have some weaknesses in information security Fig. 1: Mobile payment system based on NFC technology
and fairness. And as a result, these protocols face a
problem with many attacks (Ukalkar, 2017). In addition, Related Work
the missed of fairness prevents the trust among all NFC
system parties and without trust, no NFC applications Number of efficient and secured protocols are
are to be used that lead to a failure of the mobile NFC proposed for payment system using NFC application
proposed system (Ukalkar, 2017). (Thammarat and Kurutach, 2019; Badra and Badra,
In this paper, a new authentication protocol (AP for 2019; Ahamad et al., 2013; Tung and Juang, 2017; Al-
MAN) allowing to overcome weaknesses of existing Fayoumi and Nashwan, 2018; Nashwan, 2017;
corresponding protocols. The proposed protocol depends (Thammarat et al., 2015; Ceipidor et al., 2012;
on online communication with an authentication Kungpisdan and Metheekul, 2009; Ahamad et al., 2012;
Application Server (AS) that considered a representative Bojjagani and Sastry, 2019). As proposed by
of the confidence and security of issuing and acquiring (Thammarat et al., 2015), Thammarat et al. proposed
data from other systems. Moreover, it depends on two two protocols, NFCAuthv1 and NFCAuthv2.
devices support NFC application. So The proposed NFCAuthv1 is the authentication protocol between an M
protocol has three main entities as shown in Fig. 1, the mobile device and the AS server. NFCAuthv2 is the
main component of driver entity is the application server authentication protocol between M mobile device, PS
that handles all authentication and registration processes, device and the AS server. In the NFCAuthv1 protocol,
second and third entities are NFC mobile device and each mobile user needs to install an application. Then, M
Point-of-Sale (PS), finally, all the data processed will be makes registration through a secure channel. After the
stored in a database. The main security target for these registration process, the AS server and the M mobile can
types of protocols is to satisfy the mutual authentication create a set of session keys, SKN-ASj, where j = 1, …, m,
between these three mentioned shared parties. as mentioned in (Kungpisdan and Metheekul, 2009).
The main contribution of this paper is: First the This method for session key generation is used to
proposed protocol is free from the most security drawbacks prevent sending the session keys over the internet.
that other similar protocols suffer from. Second, comparing However, it may cause a data desynchronization attack.
with other comparable authentication protocols, the These proposed protocols use six messages. Another
proposed one satisfies low processing time, because it’s protocol called SAP-NFC protocol proposed in
based on Keyed Hash Message Authentication Code (Nashwan, 2017) and its performance analysis is
(HMAC) function. The HMAC function verifies the presented in (Al-Fayoumi and Nashwan, 2018). The
integrity and authenticity. Therefore, the mobile device SAP-NFC protocol's structure consists of the AS server
doesn’t need to run heavy processing functions to be and two NFC devices. In SAP-NFC protocol, some
authenticated making the proposed protocol more practical. assumptions are required like: Both of the AS and the
Third, the proposed protocol uses pseudonyms instead of NFC devices can generate their session keys using Key
the real identity of the users to preserve their privacy. These Derivation Function (KDF). To solve the problem of the
pseudonyms are updated periodically for more privacy data desynchronization attack, the AS saves the new and
preservation. Moreover, the mobile device in the (AP for the old session keys of the NFC devices in its database.
MAN) has a great immunity against denial of service attack The AS updates the identity of the NFC user for each
which preserves its limited resources. authentication and saves only the new and the old one as
This paper is organized as follows the following mentioned. Hence, it may not satisfy the non-repudiation
section reviews the related work, the proposed protocol problem. The authentication phase needs five messages.
is described in Section3. The proposed protocol is Another protocol is presented by Tung and Juang (2017),
evaluated in Section4. Section 5 presents performance which is called "Secure and Efficient Mutual
analysis compared with other similar protocols. Authentication Scheme for NFC Mobile Devices". In
Implementation for (AP for MAN) is presented in this protocol, the system is divided into three entities,
Section 6. Finally, Section 7 concludes the paper. two NFC devices and one AS server. It's divided into two
1810
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
Table 1: Notations
AS The Authentication Server
Mi The NFC mobile device i
PSj The point of sale i
IDMi , IDPSj The identity of the NFC mobile and the identity of the point of sale, respectively.
I Mi and I PSj The pseudonym of the NFC mobile and the point of sale; where i, j = 0, 1,.....n, respectively.
C Random number used to prevent denial of service check.
K Mi and K PSj The NFC mobile key and the point of sale key generated by the authentication server;
where i, j = 0, 1,.....n, respectively.
R1, N1 Nonce random numbers generated by the NFC mobile.
R2, N2 Nonce random numbers generated by the point of sale.
Tmi ,TPSj The valid life time for the NFC mobile and the point of sale; where i, j = 0, 1, .....n, respectively.
H(x) Hash function of the message x.
HMAC(x, k) Keyed Hash Message Authentication Code function (MAC) for the message x using the key k.
Es/Ds(x)k Symmetric encryption/ Decryption function for the message x using the key k.
MSG#i Message number i.
VM, VPS Verification messages.
AM, APS Authorization messages.
1811
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
Mi /PSi
AS IDMi / IDPSj
IDMi / IDPSj , R1
Calculate I Mi / I PSj
Fig. 2: The Registration phase in the proposed protocol (AP for MAN)
PSi Mi
j
I ,K j I Mi , K Mi
AS PS PS
I PSj , N1
Calculate VM
I Mi , N1, N 2,VM
Calculate VPS
AM, APS
Verify APS
AM
Verify AM
Fig. 3: The authentication phase in the proposed protocol (AP for MAN)
1812
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
random number used for the denial of service the received I PSj and I Mi . Then, AS starts to compute
check VM and VPS and checks if the results are the same as
3. MSG#3: PS j AS : HMAC R2, K PSj the received values to verify the identification of the
NFC mobile Mi and the point of sale PSj. If the
After the PSj receives MSG#2, it stores I PSj , K PSj verification is passed, AS authenticates M and PS.
Then, AS prepares A PS and A M as authorization
and TPSj . Note that I PSj and K PSj are updated after the life
messages; Where, APS HMAC I PS I M || N1 N 2, K PSj and
time period TPSj .
AS stores I PSj , K PSj and TPSj in its database. After TPSj AM HMAC I PS | I M N1|| N 2, K MS
i
. Then AS sends AM
expired, the AS still keeps I PSj and K PSj to prevent and APS to PSj. Otherwise, AS terminates the session.
non_repudiation. Then, AS sends a message to the user MSG#4:ASPSj:AM,APS
(either the NFC mobile device or the Point of Sale) asking
him to take the new pseudonym and the new key. In the After PSj receives MSG#4, it computes APS and
following Subsection, the authentication phase is declared. checks if the computed value equals the received one. If
the check is passed, PSj authenticates AS and Mi. Then,
B. Authentication Phase sends AM to Mi.
After the registration phase, each one of the NFC MSG#5: PSjMi:AM
mobile Mi and the PSj has the required data to start the
authentication operation as follows. After receiving MSG#5, Mi computes AM and checks
The PSj sends MSG#1 to Mi contains a generated if the computed value equals the received one. If the
random number N1 and the NFC PS pseudonym I PSj . check is passed, Mi authenticates AS and PSj and the
authentication phase is finished.
MSG#1: PSj Mi: I PSj ,N1,H(C||N)
Security Analysis
After Mi receives MSG#1, it calculates the hash
function for the stored C number concatenated with the In this section, the security analysis is presented, the
received random number. Then it compares the result analysis is based on the main security measures.
with the received value. If there isn’t any match. Mi Furthermore, the security features of the proposed
closes the session with this sender and doesn’t continue protocol have been compared with other similar NFC
the authentication process. This fast check protects the mobile payment authentication protocols.
mobile device from the possibility of occurrence of
Mutual Authentication
denial of service attack by sending, receiving and
preparing number of fake messages. So it gives the The (AP for MAN) uses about four MAC values to
mobile device the ability to differentiate between the accomplish the mutual authentication between the three
legitimate and illegitimate received messages. If Mi finds entities. To authenticate the point of sale PSj and the
the required match, it generates N2, computes VM as a NFC mobile Mi, the AS checks if the received I Mi / I PSj in
verification message. Then, Mi sends MSG#2 to PSj as a the pseudonym list or not. So, the AS can determine the
response. Note that: required keys KMi / K PSj for the following steps. After
VM HMAC I Mi N1 N 2, K Mi that, the AS calculates VPS or VM to verify the received
ones. If the received pseudonym is not in the list or the
calculated verification function doesn't equal the
MSG#2:Mi PSj: I Mi ,N1,N2,VM received values then the AS will consider the NFC
mobile or the point of sale is not legitimate and the AS
After PSj receives MSG#2, it computes VPS as a terminates the authentication session. The PSj verifies if
verification message; where: the received APS value equals the calculated value. If
they are not equal, the AS will be considered not
VPS HMAC I PSj N1 N 2, K PSj . legitimate and the PSj terminates the session. In the same
way, The Mi mobile checks whether the calculated AM
Then, PSj sends MSG#3 to AS. equals the received AM. If they are not equal, then the Mi
terminates the session and the AS will be considered not
MSG#3: PSjAS: I PSj I Mj ,N2,N1, VPS,VM legitimate. Note that the PSj device and the Mi device
authenticate each other indirectly by the AS. So we can
After receiving MSG#3, AS extracted from its say that the proposed protocol accomplishes the mutual
database the stored data, K PSj , KMi ,TMi and TPSi related to authentication between the three entities.
1813
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
Data Integrity (Nashwan, 2017) and therefore, he can know all the
mutual messages either old messages (to penetrate the
Data integrity property is satisfied by using MAC backward secrecy) or forward messages (to penetrate the
functions, which are generated by the users’ own keys. forward secrecy) between the legal partners. In the
Privacy proposed protocol, the user's session keys are sent
through a secure channel. Moreover, the user’s session
The privacy property or preserving the anonymity of the keys expire after a valid life time. After the expiration
users are very essential property. Especially, according to period, the users contact the server to take a new session
the payment application. The proposed protocol ensures key. Hence, the new keys are independent on the
that the adversary can't trace the users. The user's real previous keys. Therefore, penetration of the forward or
identity like: IDMi , IDPSj ,......etc. are involved inside their backward secrecy is improbable.
corresponding pseudonyms: I Mi and I PSj ,......etc. Moreover, Non-repudiation
These pseudonyms are changed after their corresponding
valid life times: Tmi , TPSj .......etc. have expired. So the The proposed protocol satisfies the non-
repudiation property, which means that the mobile
proposed protocol satisfies the required privacy property. user can't deny that he performed this operation.
Immunity against Attacks Because the AS server stores the previous identity of
each user for a certain time period. This time period is
In this section, we assume that the adversary can obtain determined according to the database storage and
and retransmit the mutual authentication messages. Then, what suits the provisions and legislation.
we will make an analysis for the important types of attacks
to test the possibility of occurrence of them. Formal Analysis
Man in the Middle Attack In this subsection, a formal analysis using BAN logic
(Burrows et al., 1990) is presented. BAN logic is a logical
The proposed protocol satisfies the mutual analysis method for authentication protocols. Using BAN
authentication between the involved entities. Therefore, logic gives the ability to determine the unnecessary
the adversary can't impersonate the legal users. functions in the protocol. Moreover, it gives the required
Replay Attack trust between the shared parties by proving the mutual
authentication property. Before making our analysis
The adversary can't impersonate the legal users and using BAN logic, the important notations and logical
open a session with them by replaying the messages rules which are used in BAN logic will be presented.
because he doesn't know the legal keys with the
corresponding pseudonyms. So the proposed protocol is Notations (Burrows et al., 1990)
secure against the replay attack. P X P believes X.
Denial of Service Attack P ⊳ X P sees X.
P|X P once said X.
The proposed protocol presents a fast method to P X P has jurisdiction over X.
check the authorization. The mobile user starts the #(X) The formula X is fresh.
authentication phase by calculating a simple hash {X}K The formula X is encrypted under the key K.
function and comparison as declared in the previous
section. The result of this comparison determines Logical Rules (Burrows et al., 1990)
whether the mobile will continue in the authentication
P | p
k
Q, P X K
process or not. Therefore, the required time to neglect 1. R1: , P Q . This rule is
the fault messages is minimized. So the proposed P | Q | X
protocol has a great immunity against denial of service called the interpretation rule.
attack which preserves its limited resources. P | Q | X ,Y
2. R2: . This rule is called the
Desynchronization Attack P | Q | X , P | Q | Y
message meaning rule.
The proposed protocol doesn't use time
P | X , P | Q ~ X
synchronization. Therefore, it's free from the data 3. R3 : . This rule is called the
desynchronization attack. P | Q | X
nonce verification rule.
Forward and Backward Secrecy of the Key P | Q X , P | Q | X
4. R4: . This rule is called the
Forward and backward secrecy of the user's key P | X
means that the attacker can detect the session keys jurisdiction rule.
1814
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
called the synthetic rule. Using Equation (7) and R5, we obtain:
P| X , Y
7. R7:
P| X P| Y AS # N1, I PS (8)
This is called the belief rule. Using Equation (7 and 8) and R3, we obtain:
The proposed protocol will be transformed into the
following formulas. MSG #1 will be neglected, because AS PS N1, I PS (9)
it’s consisted of plaintext.
To prove that the mutual authentication between the
From Equation (9) and R7:
shared parties is satisfied we have to prove:
AS PS I PS (10)
First: For certain data X, ASPSX and ASX;
where; AS is the Authentication Server and PS is the
Point of Sale. From Equation (9 and 10) and R4, we obtain:
Second: For certain data Y, ASMY and ASY;
where M is the mobile user: AS I PS (11)
M PS : I M ,# N1,# N 2, I M ,# N1,# N 2K (1) From Equations (10 and 11), we prove that AS
m
authenticates PS.
PS AS : I M , I PS , # N1, # N 2, Using Equation (6) and R4, we obtain:
I M , # N1, # N 2 K , I ps , # N1, # N 2 K
(2)
m ps AS M | N 2, I
M (12)
PS M : I M , I PS ,# N1,# N 2K
m
(4) AS # N 2, I M (13)
We have some Initial assumptions: Using Equations (13 and 12) and R3, we obtain:
AS AS M AS M N 2, I M
Km
A1: (14)
A2: M AS
Km
M
A3: PS AS
ps
PS
K
From Equation (14) and R7, we obtain:
AS AS PS
K ps
A4: AS M I M (15)
A5: AS# N1
A6: AS# N2 Using Equation (15), A8 and R4, we obtain:
A7: ASPS IPS
A8: ASM IM AS I M (16)
A9: MAS IM
A10: PSAS IPS From Equations (15 and 16), So AS authenticates M.
A11: PS# N1 By dividing Equation (3) into three parts and by using
A12: M# N2 Equation (4) we can get the following three Equations:
AS M | I M , N1, N 2 (5)
AS M : Im , I ps ,# N1, N 2 (18)
Km
Using Equation (2), A4 and R2, we obtain:
AS PS : I m , I ps ,# N1, N 2
AS PS | I PS , N1, N 2 (6) K ps
(19)
1815
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
From Equation (18), A3 and R2, we obtain: From Equation (29) and R7, we obtain:
Using Equation (27), A11 and R5, we obtain: Table 2: The computation time for different cryptographic
operations (Abouhogail, 2016)
Cryptographic function The used algorithm Time (ms)
PS # I PS , N1 (28) MAC HMAC 0.015
H SHA-2 0.009
Using Equations (28 and 29) and R3, we obtain: Epub RSA 1.420
Es AES 2.100
Dpub RSA 33.300
PS AS I PS , N1 (29) Ds AES 2.200
1816
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
Simulation and Protocol Evaluation API to develop the proposed hashing mechanism
(Kasgar et al., 2013). Table 4 shows the protocol
The proposed protocol was developed using the Java variables for the test scenario as per the abbreviations
Software Development Kit (SDK) and mobile virtual that presented in Table 1.
machine simulator in additional to the Java Application The proposed protocol was implemented and
Programming Interface (API) to verify and evaluate the evaluated using the most recent Java API taking into
proposed protocol (Coskun et al., 2013). The consideration the time consumption for each part of the
implementation was simulated on a local host. The code to enhance the authentication process time. The
language used to write the protocol is a Java tool which implementation and evaluation of the proposed protocol
is a platform-independent tool (Cheon, 2019). Figure 4 show the efficiency of the protocol.
shows the used component and the development
environment consists of two Integrated Development
Environment (IDE): One platform-specific IDE and one
for developing NFC mobile proposed protocol. Thus, a Prototype project
combination of many tools is used for multiplatform
application development.
A Custom application was configured in the
development environment by composing platform-
specific IDEs and tools as shown in Fig. 4. The
proposed prototype consists of two developed Java IDE tool Android
applications as shown in details in Fig. 4, the first studio tool
application is an android application that developed
using android studio tool and this application will be
installed into customer mobile application, the second
application was developed using Java technologies
that developed using java IDE tool , this program will Java project
Android
be installed at system servers to generate needed keys project
as per proposed protocol, the proposed system was
developed based on java pre-define library and used to
develop NFC based applications. Library project
We performed a small case study to evaluate the
proposed protocol, as the proposed protocol totally
depends on the hash function for all its variables, so Fig. 4: Project development environment
we used NFC Message-Digest Algorithm 5 (MD5)
1817
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
1818
Reham Abdellatif Abouhogail and Ahmed H. Ali / Journal of Computer Science 2019, 15 (12): 1809.1819
DOI: 10.3844/jcssp.2019.1809.1819
Nashwan, S., 2017. Secure authentication protocol for Timalsina, S.K., R. Bhusal and S. Moh, 2012. NFC and
NFC mobile payment systems. Int. J. Comput. Sci. its application to mobile payment: Overview and
Netw. Security, 17: 256-263. comparison. Proceedings of the 8th International
Odelu, V., A.K. Das and A. Goswami, 2016. SEAP: Conference on Information Science and Digital
Secure and efficient authentication protocol for NFC Content Technology, Jun. 26-28, IEEE Xplore
applications using pseudonyms. IEEE Trans. Press, Jeju, South Korea.
Consumer Electron., 62: 30-38. Tung, Y.H. and W.S. Juang, 2017. Secure and efficient
DOI: 10.1109/TCE.2016.7448560 mutual authentication scheme for NFC mobile
Thammarat, C. and W. Kurutach, 2019. A lightweight devices. J. Electronic Sci. Technol., 15: 240-245.
and secure NFC‐base mobile payment protocol DOI: 10.11989/JEST.1674-862X.60804031
Ukalkar, G.V., 2017. Survey on NFC in healthcare
ensuring fair exchange based on a hybrid encryption
sector. Int. J. Innovative Res. Comput. Commun.
algorithm with formal verification. Int. J. Commun.
Eng., 5: 1823-1826.
Syst., 32: e3991-e3991. DOI: 10.1002/dac.3991
Thammarat, C., R. Chokngamwong and C.
Techapanupreeda, 2015. A secure lightweight
protocol for NFC communications with mutual
authentication based on limited-use of session keys.
Proceedings of the International Conference on
Information Networking, Jan. 12-14, IEEE Xplore
Press, Cambodia, pp: 133-138.
DOI: 10.1109/ICOIN.2015.7057870
1819