Preventing Man-in-the-Middle Attacks in Near Field Communication by Out-of-Band Key Exchange

Abstract

Near Field Communication (NFC) is an RFID based proximity communication technology. The extensive use of NFC technology for popular and sensitive applications such as financial transactions and content sharing necessitates the implementation of secure transmission standards for data exchange. NFC-SEC is one such set of cryptographic standards that extends NFC to provide better security. However, NFC is still susceptible to Man-in-the-Middle (MITM) attacks due to the lack of device authentication, which in turn allows for masquerading and other attacks. Inclusion of a certification authority has commonly been proposed to resolve this issue at the cost of significant additional communication overhead. In this thesis, we first demonstrate a practical MITM attack on an NFC-SEC communication session. We then present NonceCrypt, a light-weight countermeasure against this class of attacks. NonceCrypt addresses the vulnerability of NFC-SEC by an added step of authentication over a secure out-of-band communication channel. We implement NonceCrypt on an Arduino platform and evaluate its implementation cost and runtime overhead in a set of experiments. Results indicate that the increase memory and time overhead for this scheme are negligible. It avoids involving any additional entities in the communication and is based on a flexible implementation scheme that can be used for both smartphones and contactless cards.