Journal of Electronic Science and Technology  2017, Vol.15 Issue (3): 240-245   DOI: 10.11989/JEST.1674-862X.60804031   PDF    
http://dx.doi.org/10.11989/JEST.1674-862X.60804031
51K

Article

You-Han Tung, Wen-Shenq Juang
Secure and Efficient Mutual Authentication Scheme for NFC Mobile Devices
Journal of Electronic Science and Technology, 2017, 15(3): 240-245
http://dx.doi.org/10.11989/JEST.1674-862X.60804031

Article History

Manuscript received August. 04, 2016
revised November. 06, 2016
Secure and Efficient Mutual Authentication Scheme for NFC Mobile Devices
You-Han Tung, Wen-Shenq Juang    
Y.-H. Tung and W.-S. Juang (corresponding author) are with the Department of Information Management, National Kaohsiung First University of Science and Technology, Kaohsiung 824 (e-mail: u0324808@nkfust.edu.tw; wsjuang@ccms.nkfust.edu.tw)
Manuscript received August. 04, 2016; revised November. 06, 2016
This work was partially supported by the MOST under Grant No. 105-2221-E-327-036
Wen-Shenq Juang received his M.S. degree in computer science from National Chiao Tung University, Hsinchu in 1993, and his Ph.D. degree in electrical engineering from National Taiwan University, Taipei in 1998. He joined the Department of Information Management, Shih Hsin University, Taipei from 2000 to 2005 as an assistant professor. Now, he is a professor at the Department of Information Management, National Kaohsiung First University of Science and Technology. Dr. Juang’s current research interests include ubiquitous applications, applied cryptography, information security, and electronic commerce
Abstract: As the technology of mobile devices spreads fast, the price of mobile devices is getting cheaper. Most of the people have mobile devices, and these devices have the technology of near field communication (NFC). With the long time development and research, the mobile devices use NFC technology on the payment and authentication applications, and replace the smartcard, the access control card, and the credit card by using the card emulation mode. It helps the development of NFC applications. In recent years, more and more users begin using NFC technology on mobile payment and authentication. Many researches have proposed the related NFC authentication protocols, but their schemes are still lack of some security properties and functions, which are necessary for NFC authentication protocols. In this paper, we propose a secure and efficient NFC authentication scheme between two NFC devices by the help of the authentication server that provides mutual authentication.
Key words: Authentication protocol    information security    mutual authentication    near field communication (NFC)   
1. Introduction

Due to the fast spreading of mobile and near field communication (NFC) technology, more and more telecom carriers have begun the NFC application development. NFC technology[1] consists of two communication modes[2]: Active mode and passive mode, and three operating modes[3]: Card emulation mode, peer-to-peer (P2P) mode, and reader/writer mode. In the card emulation mode, NFC devices can be simulated as all traditional contactless smart cards like access control ID cards. In the P2P mode, NFC devices exchange data like infrared transmission with a shorter transmission distance but a faster data transfer rate. In the reader/writer mode, the NFC device is used as a non-touch card-reader to read an NFC tag.

In Mobile World Congress 2015, Google proposed a mobile payment platform named Android Pay[4], and said that everyone can develop his or her own mobile payment protocol. In response to the Android Pay, many vendors of mobile phones released various kinds of mobile phones and tablets with NFC technology. Many people said that it must raise the trends of “your mobile payment protocol developed by yourself”. Mobile payment involves many participants: Vendors of mobile phones, telecom carriers, financial industries, and shops. It will take a long time to achieve the trend of “your mobile payment protocol developed by yourself”. Many researchers still try to develop a secure mobile payment protocol in recent years.

In this situation, the security of NFC technology becomes the first priority to the development of mobile payment protocols. It causes many threats just in a few seconds in the connection between two NFC devices, such as the replay attack and the man-in-the-middle attack. Therefore, its advance security issue should be solved for all the NFC authentication protocols[5]-[11].

In this paper, we propose a secure and efficient NFC authentication scheme to solve the above security problems. The structure of our scheme consists of two NFC devices, and we use an authentication server to provide the registration and verify the identification of NFC devices during the connection. Each NFC device has its own key to encrypt and decrypt the message, and the authentication server can verify the identification of an NFC device by the authentication message.

The structure of this paper is as follows. In Section 2, we introduce the related technology. In Section 3, we review the related work. In Section 4, we introduce and describe our proposed scheme. In Section 5, we analyze the security and performance, and compare our scheme with related work. We conclude and give future work in Section 6.

2. Related Technology

In order to enable the reader be easier to read our proposed scheme and more understanding of NFC technology, in this section, we will introduce the NFC technology.

NFC[1] is a high frequency wireless and short-range (for up to four centimeters) communication technology. The technology enables a simple and small-amount data transfer between two electronic devices. NFC has the active mode and the passive mode[2].

• Active mode:

In the active mode, both of the NFC devices have full bidirectional data exchange and their own power supply. In this mode, NFC devices communicate through their radio frequency (RF) field.

• Passive mode:

In the passive mode, the initiator device communicates and exchanges the data from the NFC target. The NFC target does not need any power supply, like a Taipei Mass Rapid Transportation (MRT) card or an NFC tag.

In addition to two NFC communication modes, NFC also has three operating modes including the card emulation mode, the P2P mode, and the reader/writer mode[3].

• Card emulation mode:

In the card emulation mode, the NFC device can be simulated as all traditional contactless smart cards like ticket, Access Control ID Card, etc. In this mode, the power is supplied by the non-touch card-reader. It means that the simulated smart card acts without the user device power and is still workable when the user device has no power.

• P2P mode:

In the P2P mode, the NFC devices exchange data like infrared transmission by a shorter transmission distance but a faster data transfer rate. For example, two NFC devices exchange pictures or music between friends. This mode is on the ISO 18092 standard.

• Reader/writer mode:

In the reader/writer mode, the NFC device can be used as a non-touch card-reader to read an NFC tag. For example, read the tag from the exhibition poster for more information. This mode is compliant with the ISO/IEC 14443, 15693, and Felica technology.

3. Review of Related Work

To solve the security problem and the privacy issues of NFC, in recent years, many researchers have proposed many secure protocols for NFC communications. These secure protocols base on the hash functions and nonces. This section will review the related work.

3.1 Lee et al.’s Scheme

Lee et al.[12] proposed a secure protocol for NFC communications based on the hash function and nonces. In their protocol, all the NFC devices are verified by the third-party authentication server. There are two sub-protocols in this protocol: Registration protocol and authentication protocol. The detail is shown as the following.

• The used notations

Ux: User x, where $x = {\rm{ }}1,\,2,\,\cdot\cdot\cdot,m$ .

UIDx: An identity of user x.

AuC: The authentication center.

EpukAuC: The public key of the authentication center.

Ni: A nonce used to prevent the reply attack.

h(m): The hash value of the message m.

{}EpukAuC: The encryption using the public key of the authentication center.

• Registration protocol

Step 1. Ux→AuC: UIDx, Password, User Information

Ux registers itself by sending UIDx, Password, and User Information to AuC.

Step 2. AuC→Ux: URx1

After receiving the message on Step 1, AuC confirms the registration of Ux and returns the user authentication number URx1 to Ux, where ${\rm{URx}}1 = h\left( {{\rm{UI}}{{\rm{D}}_x},h\left( x \right)} \right)$ .

• Authentication protocol

Step 1. ${U_1} \to {U_2}:{Q_1}$

U1 authenticates itself by sending Q1 to U2, where ${Q_1} = {\{ {\rm{UI}}{{\rm{D}}_1},{\rm{URx}}1,{N_1}\} _{{\rm{EpukAuC}}}}$ .

Step 2. ${U_2} \to {\rm{AuC}}:{Q_2}$

After receiving the message on Step 1, U2 sends Q2 to AuC, where ${Q_2} = {\{ {Q_1},{\rm{UI}}{{\rm{D}}_1},{N_2},{\rm{UI}}{{\rm{D}}_2},{\rm{URx}}2\} _{{\rm{EpukAuC}}}}$ .

Step 3. ${\rm{AuC}} \to {U_2}:{R_1},{R_2},{R_3}$

After receiving the message on Step 2, AuC checks and verifies Q2 with its private key. Then AuC returns R1, R2, and R3 to U2, where ${R_1} = h\left( {{\rm{UI}}{{\rm{D}}_1},{N_2}} \right)$ xor ${N_2},{R_2} = h({\rm{UI}}{{\rm{D}}_2},{N_1},{N_2})$ xor N1, and R3=N1 xor N2.

Step 4. ${U_2} \to {U_1}:{R_1},{R_3}$

After receiving the message on Step 3, U2 verifies R2. Then U2 forwards R1 and R3 to U1 when the verification is successful.

Step 5. ${U_1} \to {U_2}:h\left( {{N_1},{N_2},{\rm{UI}}{{\rm{D}}_1}} \right)$

After receiving the message on Step 4, U1 verifies R1. Then U1 returns $h\left( {{N_1},{N_2},{\rm{UI}}{{\rm{D}}_1}} \right)$ to U2 to complete the authentication when the verification is successful.

3.2 Ceipidor et al.’s Scheme

Ceipidor et al.[13] proposed a secure protocol for NFC communications between NFC devices and a point of sale (POS) based on mutual authentication. There are three parties in this protocol: POS, NFC devices, and the authentication server. The detail is shown below.

• Authentication protocol

Step 1. ${\rm{POS}} \to N:{\{ {\rm{TS}},{R_1}\} _{{\rm{KP}}}}$

When the user N and the POS start the connecting, POS encrypts the timestamp TS and the nonce R1 with its shared key KP, which is a shared key between N and POS. Then POS sends it to N.

Step 2. $N \to {\rm{POS}}:{\rm{I}}{{\rm{D}}_N},{\{ {R_2},{\{ {\rm{TS}},{R_1}\} _{{\rm{KP}}}}\} _{{\rm{KN}}}}$

After receiving the message on Step 1, N encrypts the message and the nonce R2 with its shared key KN, and sends it with IDN, an identity of N, back to POS.

Step 3. ${\rm{POS}} \to {\rm{AS}}:{\rm{I}}{{\rm{D}}_P},{\rm{ I}}{{\rm{D}}_N},{\{ {R_2},{\{ {\rm{TS}},{R_1}\} _{{\rm{KP}}}}\} _{{\rm{KN}}}}$

After receiving the message on Step 2, POS sends the message received from N and IDP, an identity of POS, to the authentication server AS.

Step 4. ${\rm{AS}} \to {\rm{POS}}:{\{ K,{\rm{I}}{{\rm{D}}_N},{\rm{TS}}\} _{{\rm{KP}}}},{\{ K,{\rm{I}}{{\rm{D}}_P},{R_2}\} _{{\rm{KN}}}}$

After receiving the message on Step 3, AS generates a session key K and encrypts K, IDN, and TS with KP, encrypts K, IDP, and R2 with KN, and sends the both encrypted messages to POS.

Step 5. ${\rm{POS}} \to N:{\{ {R_3}\} _K},{\{ K,{\rm{I}}{{\rm{D}}_P},{R_2}\} _{{\rm{KN}}}}$

After receiving the message on Step 4, POS decrypts the received message from AS and checks TS using KP. If it is valid, POS encrypts K, IDP, and R2 with KN, encrypts the nonce R3 with K, and sends both encrypted messages to N.

Step 6. $N \to {\rm{POS}}:{\{ {R_3}-1,{R_4}\} _K}$

After receiving the message on Step 5, N decrypts both the received messages from POS using KN and K. Then, N encrypts R3–1 and R4 using K and sends it back to POS.

Step 7. ${\rm{POS}} \to N:{\{ {R_4} - 1\} _K}$

After receiving the message on Step 6, POS decrypts the received message from POS using K and verifies R4. If the verification is confirmed, POS encrypts R4–1 using K, and sends it back to N. The authentication is completed.

3.3 Thammarat et al.’s Scheme

Thammarat et al.[14] proposed a secure protocol for NFC communications. There are two sub-protocols in this protocol: NFCAuthv1 and NFCAuthv2. NFCAuthv1 is the authentication protocol between an NFC device and an authentication server. NFCAuthv2 is the authentication protocol of an NFC device, a POS, and an authentication server. The detail is shown as the below:

• NFCAuthv1

Step 1. N→AS: IDN, Request, n1

The NFC device N sends the Request, the nonce n1 and IDN, an identity of N, to the authentication server AS.

Step 2. ${\rm{AS}} \to N:{n_2},h({\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}})$

After receiving the message on Step 1, AS sends the nonce n2 and the message authentication code $h({\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}})$ back to N, where ${\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}$ is the session key shared between N and AS.

Step 3. $N \to {\rm{AS}}:{n_3},h({\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{n_3},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$

After receiving the message on Step 2, N verifies the authentication code and then sends the nonce n3 and the message authentication code $h({\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{n_3},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$ back to AS.

Step 4. AS→N: Accept/Reject, n4, $h({\rm{Accept}}/{\rm{Reject}},$ $ {\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{n_3},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$

After receiving the message on Step 3, if the verification is successful, AS sends the result, the nonce n4, and the message authentication code $h({\rm{Accept}}/{\rm{Reject}},{\rm{I}}{{\rm{D}}_N},{n_1},{n_2},{n_3},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$ back to N. Otherwise, AS rejects N’s request. The authentication of NFCAuthv1 is completed.

• NFCAuthv2

Step 1. N→POS: IDN, n1, T1, ${\{ {\{ {\rm{Request, }}{T_1}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}}}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}}}}$ , $h{\rm{(}}{n_{\rm{1}}}{\rm{, S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}}{\rm{)}}$ , $h({\rm{Request}},{T_1},{\rm{ I}}{{\rm{D}}_N},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}})$

N encrypts Request and the timestamp T1 with the session key ${\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}$ and encrypts again with the session key ${\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}}$ . Then, N sends the encryption message, the nonce n1, the timestamp T1, the message authentication codes $h({n_1},{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}})$ and $h({\rm{Request}},{T_1},{\rm{I}}{{\rm{D}}_N},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}})$ , and IDN, an identity of N, to POS.

Step 2. POS→AS: IDN, IDPOS, ${\{ {\rm{Request, }}{T_1}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}}}$ , $h({\rm{Request}},$ ${T\!_1},{\rm{I}}{{\rm{D}}_N}\!,{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}\!)\!$ , $h({\rm{I}}{{\rm{D}}_P},{\{ {\{ {\rm{Request}},{T_1}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j\!\!}}}}}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}}}}\!,{\rm{S}}{{\rm{K}}_{{\rm{POS - A}}{{\rm{S}}_j}}}\!)$

After receiving the message on Step 1, POS verifies the identification of N. Then, POS sends ${\{ {\rm{Request, }}{T_1}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}}}$ , the message authentication codes $h({\rm{Request}},{T_1},{\rm{I}}{{\rm{D}}_N},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}})$ and $h({\rm{I}}{{\rm{D}}_P},{\{ {\{ {\rm{Request, }}{T_1}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_j}}}}}\} _{{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_j}}}}},{\rm{S}}{{\rm{K}}_{{\rm{POS - A}}{{\rm{S}}_j}}})$ , IDN, and IDPOS, an identity of POS, to AS.

Step 3. AS→POS: Accept/Reject, $h({\rm{Accept}}/{\rm{Reject}},$ ${\rm{S}}{{\rm{K}}_{{\rm{POS - A}}{{\rm{S}}_{j + 1}}}})$ , $h({\rm{Accept}}/{\rm{Reject}},{T_1},{T_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$

After receiving the message on Step 2, AS sends the result, the message authentication codes $h({\rm{Accept}}/{\rm{Reject}},$ ${\rm{S}}{{\rm{K}}_{{\rm{POS - A}}{{\rm{S}}_{j + 1}}}})$ and $h({\rm{Accept}}/{\rm{Reject}},{T_1},{T_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$ back to AS.

Step 4. POS→N: Accept/Reject, T2, n2, $h({n_1},{n_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_{j + 1}}}})$ , $h({\rm{Accept}}/{\rm{Reject}},{T_1},{T_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$

After receiving the message on Step 3, POS verifies the result. Then, POS sends the timestamp T2, the nonce n2, and the message authentication codes $h({n_1},{n_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - PO}}{{\rm{S}}_{j + 1}}}})$ and $h({\rm{Accept}}/{\rm{Reject}},{T_1},{T_2},{\rm{S}}{{\rm{K}}_{N{\rm{ - A}}{{\rm{S}}_{j + 1}}}})$ back to N. The authentication of NFCAuthv2 is finished.

4. Our Proposed Scheme

We propose a secure and efficient NFC security scheme. We improve the data integrity problem of Lee et al.’s scheme and solve the time-synchronization problem of Thammarat et al. and Ceipidor et al.’s schemes. Our proposed scheme bases on the hash function, the nonces, the message authentication code, and a limited lifetime key to prevent the brute force attack. Our scheme consists of two phase: Registration phase and authentication phase. Table 1 presents the used notations in our scheme.

Table 1 Used notations in our scheme
Notations Explanation
NFCi The NFC devices, where $i = 1,\,2,{\rm{ }}\cdot\cdot\cdot,\,m$ .
AS The authentication sever.
${\rm{I}}{{\rm{D}}_{{N_i}}}$ The identity of an NFC user, where $i = 1,\,2,{\rm{ }}\cdot\cdot\cdot,\,m$ .
NR A nonce random number.
ASK The master key generated by the authentication server.
${K_{{N_i}}}$ The NFC device key generated by the authentication server, where $i = 1,\,2,{\rm{ }}\cdot\cdot\cdot,\,m$ .
MAC(x, k) The message authentication code (MAC) generated by the message x with the key k.
LTi The valid lifetime of the user i’s security token.
|| The string concatenation operator.
4.1 Registration Phase

In the registration phase, each NFC device has to sign itself on the authentication sever. We assume that the registration phase is on a secure environment. The detail of the registration phase is as follows:

Step 1. ${\rm{NF}}{{\rm{C}}_i} \to {\rm AS}:{\rm{I}}{{\rm{D}}_{{N_i}}},{N_1}$

The NFC device NFCi generates N1, and sends it and ${\rm{I}}{{\rm{D}}_{{N_i}}}$ to the authentication sever AS. Note that ${\rm{I}}{{\rm{D}}_{{N_i}}}$ is the identity of NFC device i.

Step 2. ${\rm{AS}} \to {\rm{NF}}{{\rm{C}}_i}:{K_{{N_i}}},{N_2},{\rm{L}}{{\rm{T}}_i}$

After Step 1, AS generates N2, computes and stores ${K_{{N_i}}}$ . Then, AS sends ${K_{{N_i}}}$ , N2, and LTi back to NFCi. Note that ${K_{{N_i}}} = h\left( {{\rm{I}}{{\rm{D}}_{{N_i}}}||A{S_K}||L{T_i}} \right)$ .

After receiving the message, NFCi stores ${K_{{N_i}}}$ and LTi, and the registration phase is completed.

4.2 Authentication Phase

After the registration phase, each NFC device has its own key, which is between itself and the authentication sever. In this phase, we assume that the authentication is between two NFC devices: NFC1 and NFC2. The detail of the authentication phase is as follows.

Step 1. ${\rm{NF}}{{\rm{C}}_2} \to {\rm{NF}}{{\rm{C}}_1}:{N_2},{\rm{I}}{{\rm{D}}_{{N_2}}}$

When both NFC devices start the connecting, NFC2 generates N2 and sends it with ${\rm{I}}{{\rm{D}}_{{N_2}}}$ to NFC1 as a challenge. Note that N2 is a nonce random number and ${\rm{I}}{{\rm{D}}_{{N_2}}}$ is an identity of the NFC device NFC2.

Step 2. ${\rm{NF}}{{\rm{C}}_1} \to {\rm{NF}}{{\rm{C}}_2}:{\rm{I}}{{\rm{D}}_{{N_1}}},{N_1},R$

NFC1 generates N1 and computes R as a message authentication code to insure the data integrity. Then, NFC1 sends R, N1, and ${\rm{I}}{{\rm{D}}_{{N_1}}}$ to NFC2 as a response. Note that $R = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{N_1}||{N_2},{K_{{N_1}}})$ , where N1 is a nonce random number and ${\rm{I}}{{\rm{D}}_{{N_1}}}$ is an identity of the NFC device NFC1.

Step 3. ${\rm{NF}}{{\rm{C}}_2} \to {\rm{AS}}:{\rm{I}}{{\rm{D}}_{{N_1}}},{\rm{I}}{{\rm{D}}_{{N_2}}},{N_1},{N_2},R,{\rm{RR}}$

After Step 2, NFC2 generates RR as a message authentication code to insure the data integrity, where ${\rm{RR}} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2}||R,{K_{{N_2}}})$ . Then, NFC2 sends RR, NFC2, the received message N1, and R received from NFC1 to AS.

Step 4. ${\rm{AS}} \to {\rm{NF}}{{\rm{C}}_2}:{\rm{R}}{{\rm{S}}_{{N_1}}},{\rm{R}}{{\rm{S}}_{{N_2}}}$

After receiving the message, AS computes R1 and RR1 and checks whether the values are the same as R and RR to verify the identification of two NFC devices NFC1 and NFC2. Note that ${R_1} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{N_1}||{N_2},{K_{{N_1}}})$ and ${\rm{R}}{{\rm{R}}_1} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2}||R,{K_{{N_2}}})$ .

If the verification is successful, AS computes ${\rm{R}}{{\rm{S}}_{{N_1}}}$ and ${\rm{R}}{{\rm{S}}_{{N_2}}}$ . Then, AS sends ${\rm{R}}{{\rm{S}}_{{N_1}}}$ and ${\rm{R}}{{\rm{S}}_{{N_2}}}$ back to NFC2. Note that ${\rm{R}}{{\rm{S}}_{{N_1}}} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2},{K_{{N_1}}})$ and ${\rm{R}}{{\rm{S}}_{{N_2}}} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2},{K_{{N_2}}})$ .

Step 5. ${\rm{NF}}{{\rm{C}}_2} \to {\rm{NF}}{{\rm{C}}_1}:{\rm{R}}{{\rm{S}}_{{N_1}}}$

After receiving the message, NFC2 computes ${\rm{R}}{{\rm{S}}_{{N_{21}}}}$ and checks whether the value is the same as the received message ${\rm{R}}{{\rm{S}}_{{N_2}}}$ to verify the data integrity. Note that ${\rm{R}}{{\rm{S}}_{{N_{21}}}} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2},{K_{{N_2}}})$ .

NFC2 then sends the message ${\rm{R}}{{\rm{S}}_{{N_1}}}$ to NFC1.

After receiving the message, NFC1 computes ${\rm{R}}{{\rm{S}}_{{N_{11}}}}$ and checks whether the value is the same as the received message ${\rm{R}}{{\rm{S}}_{{N_1}}}$ to verify the data integrity. Note that ${\rm{R}}{{\rm{S}}_{{N_{11}}}} = {\rm{MAC}}({\rm{I}}{{\rm{D}}_{{N_1}}}||{\rm{I}}{{\rm{D}}_{{N_2}}}||{N_1}||{N_2},{K_{{N_2}}})$ . The authentication phase is completed.

5. Discussion

In this section, we will discuss the security analysis and performance analysis of our proposed scheme.

5.1 Security Analysis

In this subsection, we discuss and compare the security of our scheme with other related schemes. The security analysis includes six security properties: Mutual authentication (S1), preventing the brute force attack (S2), preventing the replay attack (S3), preventing the man-in-the-middle attack (S4), no time-synchronization problem (S5), and ensuring the data integrity (S6). Table 2 presents the comparison between our scheme and other related schemes.

Table 2 Comparison of security analysis
Schemes S1 S2 S3 S4 S5 S6
Our scheme Yes Yes Yes Yes Yes Yes
Lee et al.’s[12] N/A No N/A N/A Yes No
Ceipidor et al.’s[13] Yes No N/A N/A No N/A
Thammarat et al.’s[14] Yes Yes Yes Yes No Yes
Note that N/A represents the original research claimed that the scheme can provide this security property, but other research claimed that the scheme is still lack of this security property.

• Mutual authentication

Each NFC device and the authentication server have the shared key to generate the message authentication code. The NFC device NFC2 chooses the challenge nonce N2, and the response RSN2 is generated by the authentication server after the authentication server verified the message authentication codes R and RR. Finally, the response RSN2 is verified by the NFC device NFC2. In addition, the NFC device NFC1 chooses the challenge nonce N1. The response RSN1 is generated by the authentication server after the authentication server verifies the message authentication codes R and RR. Finally, the response RSN1 is verified by the NFC device NFC1. Our proposed scheme uses the challenge-response process by the help of the authentication server to do the mutual authentication between two NFC devices NFC1 and NFC2.

• Preventing the brute force attack

The entropy of the used key of the NFC device in our scheme is very large. In addition, we assume that the used hash function is secure. According to this, our scheme has the ability to prevent the brute force attack.

• Preventing the replay attack

According to the nonce random numbers and the challenge-response process for providing the mutual authentication, our proposed scheme has the ability to prevent the replay attack.

• Preventing the man-in-the-middle attack

Our proposed scheme has the security property of the mutual authentication. According to this security property and the use of message authentication codes, the scheme we proposed has the ability to prevent the man-in-the-middle attack.

• No time-synchronization problem

Our scheme does not use the timestamp in the registration phase and the authentication phase. Therefore, our proposed scheme does not have the time- synchronization problem.

• Ensuring the data integrity

In the authentication phase of our scheme, the NFC devices generate the message authentication code by using their own unique keys. The message authentication code not only provides the mutual authentication between the NFC devices and authentication server, but also ensures the data integrity.

5.2 Performance Analysis

In this subsection, we discuss and compare the performance of our scheme. The operations in performance analysis consist of symmetric encryption operation, symmetric decryption operation, asymmetric encryption operation, asymmetric decryption operation, hash function operation, and transmitted messages. Table 3 presents the comparison among our scheme and other schemes.

Table 3 Comparison of performance analysis
Schemes P1 P2 P3 P4 P5 P6
Our scheme 9 7
Lee et al.’s[12] 4 4 1 1 3 6
Ceipidor et al.’s[13] 2 2 3 5
Thammarat et al.’s[14] 3 3 9 8
Note that P1 in this table represents the number of symmetric encryption operations; P2 represents the number of symmetric decryption operations; P3 represents the number of asymmetric encryption operations; P4 represents the number of asymmetric decryption operations; P5 represents the number of hash function operations; P6 represents the number of transmitted messages.
6. Conclusions

In this paper, we have proposed a secure and efficient NFC authentication scheme which can provide the mutual authentication for mobile devices. We used the authentication server to provide the mutual authentication between two NFC devices and the authentication code to ensure the data integrity and improve the weaknesses of other schemes. In our scheme, we reduced the number of exchanged messages to make the NFC authentication more efficient. In addition, we also solved the time-synchronization problem in distributed environments, and provided a more secure and efficient NFC authentication scheme between any two NFC devices.

References
[1] Introduction to NFC, Forum. Nokia, 2011, pp. 1-30.
[2] E. Haselsteiner and K. Breitfu, " Security in near field communication (NFC),” in Proc. of the Workshop on RFID Security, 2006, pp. 1-11.
[3] G. Madlmayr, J. Langer, C. Kantner, and J. Scharinger, " NFC devices: Security and privacy,” in Proc. of the 3rd Intl. Conf. on Availability, Reliability and Security, 2008, pp. 642-647.
[4] Buzzorange. (March 2015). [Online]. Available: http://buzzorange.com/techorange/2015/03/03/android-pay-2/
[5] S. D. Kaul and A. K. Awasthi, " Security enhancement of an improved remote user authentication scheme with key agreement,” Wireless Personal Communications, vol. 89, no. 2, pp. 621-637, 2016.
[6] W. Huo, Q. Dong, and Y. Chen, " ECC-based RFID/NFC mutual authentication protocol,” in Proc. of the 2nd Intl. Workshop on Materials Engineering and Computer Sciences, 2015, pp. 169-177.
[7] Z.-Y. Lin, " The study of NFC identity authentication and digital content protection mechanisms in cloud environment,” M.S. thesis, Department of Information Management, National Kaohsiung First University of Science and Technology, Kaohsiung, 2014.
[8] Y. Lu, L. Li, H. Peng, and Y. Yang, " A secure and efficient mutual authentication scheme for session initiation protocol,” Peer-to-Peer Networking and Applications, vol. 9, no. 2, pp. 449-459, 2016.
[9] H. Arshad and M. Nikooghadam, " An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC,” Multimedia Tools and Applications, vol. 75, no. 1, pp. 181-197, 2016.
[10] P. Rogaway and T. Shrimpton, " Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance,” Intl. Workshop on Fast Software Encryption, vol. 27, no. 4, pp. 371-388, 2004.
[11] R. C. Merkle, " One way hash functions and DES,” in Proc. of Conf. on the Theory and Application of Cryptology, 1990, pp. 428-446.
[12] Y.-S. Lee, E. Kim and M.-S. Jung, " A NFC based authentication method for defense of the Man in the Middle attack,” in Proc. of the 3rd Intl. Conf. on Computer Science and Information Technology, 2013, pp. 10-14.
[13] U. B. Ceipidor, C. M. Medaglia, S. Sposato, and A. Moroni, " KerNeeS: A protocol for mutual authentication between NFC phones and POS terminals for secure payment transactions,” in Proc. of the 9th Intl. ISC Conf. on Information Security and Cryptology, 2012, pp. 115-120.
[14] C. Thammarat, R. Chokngamwong, and C. Techapanupreeda, " A secure lightweight protocol for NFC communications with mutual authentication based on limited-use of session keys,” in Proc. of Intl. Conf. on Information Networking, 2015, pp. 133-138.