The NFC Forum released two specifications that offer cryptology security for NFC.
The new NFC specifications provide security for NFC-enabled mobile devices by using a cryptographic framework to enable development of secure NFC applications protecting the confidentiality and the privacy of NFC communications.
The specifications can be used to improve the security of applications involving smartphones, among many other uses.
The NFC Authentication Protocol 1.0 Specification (NAP 1.0) provides a framework for using cryptography to establish a secure channel and authentication as well as the bonding between two devices using a shared, secret key for communicating personal data and messages between devices.
The Logical Link Control Protocol Technical Specification 1.4 (LLCP 1.4) is the first NFC Forum technical specification to take advantage of NAP 1.0’s secured data transfer.
It describes how the processes defined in NAP 1.0 are mapped on LLCP 1.4 for communication between two devices. The devices do not have to be on-line at the time authentication takes place.
“These specifications are important because the standardized framework simplifies development of secure NFC applications,” said Mike McCamon, executive director, NFC Forum.
“This approach with these specifications avoids the need for proprietary implementations in the market which may lead to market fragmentation and confusion.”
The specifications help protect the privacy and confidentiality of personal data and messages shared electronically by establishing a secure communications channel.
In addition, the authentication and bonding mechanisms allow for the establishment of trust and the pairing of an NFC-device, like a smartphone or wearable, to create different applications.
NAP 1.0: Application authentication and secured data transfer
NAP 1.0 describes the basic mechanism for applications needing an authentication and/or a secured data transfer.
It provides mechanisms for cryptographically authenticated NFC connections in reader/writer mode and peer mode and describes the principals of the bonding and application process.
NAP 1.0 supports three mechanisms:
- Establishment of a secure channel between two NFC devices to prevent eavesdropping when these two NFC devices are communicating with each other.
- The authentication process allows NFC devices to build up trust with each other for NFC communication. It prevents an NFC device from exchanging information with another unauthorized NFC-enabled device.
- The bonding process allows two NFC devices to be paired together and establish a common secret key during a registration phase. This allows for a faster authentication process and a faster setup of a secure channel.
LLCP 1.4: Peer-to-peer secure data transfer
LLCP 1.4 is the first NFC Forum technical specification to take advantage of NAP 1.0 for secured data transfer. The LLCP 1.4 describes how the processes defined in NAP 1.0 are mapped on LLCP for peer-to-peer communication between two devices.
LLCP 1.4 can setup as either an ad-hoc secure data transfer or a secured data transfer after the two devices have been bonded. It uses NAP 1.0 for secure data transfer, replacing the secure data transfer defined by LLCP 1.3 specification.