ECMA 411-2015 NFC-SEC-04 NFC-SEC Entity Authentication and Key Agreement using Symmetric Cryptography (2nd Edition).pdf

1、 Reference numberECMA-123:2009Ecma International 2009ECMA-411 2ndEdition / June 2015 NFC-SEC-04: NFC-SEC Entity Authentication and Key Agreement using Symmetric Cryptography COPYRIGHT PROTECTED DOCUMENT Ecma International 2015 Ecma International 2015 iContents Page 1 Scope 1 2 Conformance . 1 3 Norm

2、ative references 1 4 Terms and definitions . 2 5 Conventions and notations 2 6 Acronyms . 3 7 General . 3 8 Fields and PDUs for NEAU-S . 4 8.1 Protocol Identifier (PID) 4 8.2 NFC-SEC-PDUs 4 8.3 Entity identifiers 4 9 Primitives . 5 9.1 General requirements . 5 9.2 Entity authentication . 6 9.2.1 Mec

3、hanism . 6 9.2.2 AES . 6 9.2.3 Modes of operation . 6 9.2.4 Message Authentication Code (MAC) . 6 9.3 Key agreement . 6 9.4 Key confirmation . 6 9.4.1 Overview . 6 9.4.2 Key confirmation tag generation . 6 9.4.3 Key confirmation tag verification 6 9.5 Key Derivation Function (KDF) 7 9.5.1 Overview .

4、 7 9.5.2 KDF for MKA and KEIA . 7 9.5.3 KDF for the shared secret Z . 7 9.5.4 KDF for the SSE and SCH . 7 9.6 Data authenticated encryption during authentication . 8 9.6.1 Initial value (IV) 8 9.6.2 Additional Authenticated Data (AAD) 8 9.6.3 NEAU-S payload encryption and MAC generation 8 9.6.4 NEAU

5、-S payload decryption and MAC verification 8 10 NEAU-S mechanism 9 10.1 Protocol overview 9 10.2 Preparation . 9 10.3 Sender (A) transformation 9 10.4 Recipient (B) transformation 10 11 Data Authenticated Encryption in SCH . 11 ii Ecma International 2015Introduction The NFC Security series of standa

6、rds comprise a common services and protocol Standard and NFC-SEC cryptography standards. This NFC-SEC cryptography Standard specifies an NFC Entity Authentication (NEAU) mechanism that uses the symmetric cryptographic algorithm (NEAU-S) for mutual authentication of two NFC entities. This Standard ad

7、dresses entity authentication of two NFC entities possessing a Pre-Shared Authentication Key (PSAK) during the key agreement and confirmation for the Shared Secret Service (SSE) and Secure Channel Service (SCH). This Standard adds entity authentication to the services provided by ISO/IEC 13157-3 (EC

8、MA-409) NFC-SEC-02. This 2ndedition refers to the latest standards and the StarVar generation method for IV in NFC-SEC-02. This Ecma Standard has been adopted by the General Assembly of June 2015. Ecma International 2015 iii“COPYRIGHT NOTICE 2015 Ecma International This document may be copied, publi

9、shed and distributed to others, and certain derivative works of it may be prepared, copied, published, and distributed, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are included on all such copies and derivative works. The only derivative wo

10、rks that are permissible under this Copyright License and Disclaimer are: (i) works which incorporate all or portion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document), (ii) works which incorporate all or portion of this document fo

11、r the purpose of incorporating features that provide accessibility, (iii) translations of this document into languages other than English and into different formats and (iv) works by making use of this specification in standard conformant products by implementing (e.g. by copy and paste wholly or pa

12、rtly) the functionality therein. However, the content of this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as required to translate it into languages other than English or into a different format. The official

13、version of an Ecma International document is the English language version on the Ecma International website. In the event of discrepancies between a translated version and the official version, the official version shall govern. The limited permissions granted above are perpetual and will not be rev

14、oked by Ecma International or its successors or assigns. This document and the information contained herein is provided on an “AS IS“ basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT I

15、NFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.“ iv Ecma International 2015NFC-SEC-04: NFC-SEC Entity Authentication and Key Agreement using Symmetric Cryptography 1 Scope This Standard specifies the message contents and the cryptographi

16、c mechanisms for PID 04. This Standard specifies key agreement and confirmation mechanisms providing mutual authentication, using symmetric cryptography. NOTE This Standard adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA-409) NFC-SEC-02. 2 Conformance Conformant implemen

17、tations employ the security mechanisms specified in this NFC-SEC cryptography Standard (identified by PID 04) and conform to ISO/IEC 13157-1 (ECMA-385). The NFC-SEC security services shall be established through the protocol specified in ISO/IEC 13157-1 (ECMA-385) and the mechanisms specified in thi

18、s Standard. 3 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7498-1

19、:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model ISO/IEC 9798-1:2010, Information technology - Security techniques - Entity authentication - Part 1: General ISO/IEC 9798-2:2008, Information technology - Security techniques - Entity authentication

20、- Part 2: Mechanisms using symmetric encipherment algorithms ISO/IEC 11770-1:2010, Information technology - Security techniques - Key management - Part 1: Framework ISO/IEC 11770-2:2008, Information technology - Security techniques - Key management - Part 2: Mechanisms using symmetric techniques ISO

21、/IEC 11770-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques ISO/IEC 13157-1, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 1: NFC-SEC NFCIP-1 security services and protocol (

22、ECMA-385) ISO/IEC 13157-2, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 2: NFC-SEC cryptography standard using ECDH and AES (ECMA-386) Ecma International 2015 1ISO/IEC 13157-3, Information technology - Telecommunications and information e

23、xchange between systems - NFC Security - Part 3: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM (ECMA-409) ISO/IEC 14443-3, Identification cards - Contactless integrated circuit cards - Proximity cards - Part 3: Initialization and anticollision ISO/IEC 18031:2011, Information technology -

24、Security techniques - Random bit generation ISO/IEC 18031:2011/Cor.1:2014, Information technology - Security techniques - Random bit generation - Technical Corrigendum 1 ISO/IEC 18033-3:2010, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers ISO/IEC 18092,

25、Information technology - Telecommunications and information exchange between systems - Near Field Communication - Interface and Protocol (NFCIP-1) (ECMA-340) ISO/IEC 19772:2009, Information technology - Security techniques - Authenticated encryption ISO/IEC 19772:2009/Cor.1:2014, Information technol

26、ogy - Security techniques - Authenticated encryption - Technical Corrigendum 1 4 Terms and definitions Clause 4 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following terms and definitions apply. 4.1 entity authentication corroboration that an entity is the one claimed ISO/IEC 9798-1: 20

27、10 4.2 n-entity-title a name that is used to identify unambiguously an n-entity ISO/IEC 7498-1: 1994 4.3 symmetric cryptography (symmetric cryptographic technique) cryptographic technique that uses the same secret key for both the originators and the recipients transformation ISO/IEC 9798-1: 2010 5

28、Conventions and notations Clause 5 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following conversions and notations following apply. exclusive OR For any message field “F”, F denotes the value placed in the field upon sending, F the value upon receipt. 2 Ecma International 20156 Acronyms

29、 Clause 6 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following acronyms apply. KEIA Encryption and Integrity Key in Authentication MKA Master Key in Authentication NEAU-S NEAU using Symmetric Cryptography PSAK Pre-Shared Authentication Key TLV Type-length-value UID Unique Identifier IS

30、O/IEC 14443-3 ZSEED The Seed of Z 7 General This Standard specifies the NFC Entity Authentication using Symmetric cryptography (NEAU-S), using the key agreement and confirmation protocol in ISO/IEC 13157-1 (ECMA-385). To enable a key agreement and confirmation mechanism providing mutual authenticati

31、on between NFC entities before they start the Shared Secret Service (SSE) and the Secure Channel Service (SCH), the Pre-Shared Authentication Key (PSAK), as a credential, between these entities is used in the entity authentication. After successful NEAU-S completion, a shared secret Z that is used t

32、o establish the SSE and the SCH will be generated. Three-pass authentication per ISO/IEC 9798-2, mechanism 4, and key establishment per ISO/IEC 11770-2, mechanism 6, are used in NEAU-S. The relationship between NEAU-S and ISO/IEC 13157-1 (ECMA-385) is shown in Figure 1. Ecma International 2015 3Key

33、ConfirmationISO/IEC 13157-1 (ECMA-385) Clause 9.2ServiceTerminationISO/IEC 13157-1 (ECMA-385) Clause 9.4SCHSSEKey AgreementISO/IEC 13157-1 (ECMA-385) Clause 9.1NEAU-SPDU securityISO/IEC 13157-1 (ECMA-385) Clause 9.3and Clause 12 of ISO/IEC 13157-3(ECMA-409)Figure 1 The use of the NFC-SEC protocol by

34、 NEAU-S 8 Fields and PDUs for NEAU-S 8.1 Protocol Identifier (PID) This Standard shall use the one octet protocol identifier PID with value 4. 8.2 NFC-SEC-PDUs The peer NFC-SEC entities shall establish a shared secret Z using ACT_REQ, ACT_RES, VFY_REQ and VFY_RES according to the NEAU-S mechanism. 8

35、.3 Entity identifiers The n-entity-title of the Senders and Recipients n-entity shall be used as IDSand IDR, respectively. Figure 2 specifies the encoding of IDSand IDR in the TLV format. 4 Ecma International 2015Figure 2 ID format 1. The Type subfield specifies the type of the ID and shall be 1 oct

36、et in length. The values are: a) 1: Value subfield contains Sender (A) identification number, IDS; b) 2: Value subfield contains Recipient (B) identification number, IDR; c) All other values are RFU. 2. The 2-octet Length subfield contains the length in number of octets of the Value subfield, in the

37、 range of 1 to 65535. 9 Primitives 9.1 General requirements Clause 9 specifies cryptographic primitives of NEAU-S. Clause 10 specifies the actual use of these primitives. Table 1 specifies the size and description of parameters. Table 1 NEAU-S parameters Parameter Field Size Description PSAK Variabl

38、e Pre-Shared authentication key available to the Sender (A) and the Recipient (B). MKA 128 bits Master key used in the entity authentication and derived from the PSAK. KEIA 128 bits Encryption and integrity key used in the entity authentication and derived from the MKA. MAC 96 bits Message authentic

39、ation code. IDSVariable The Sender (A) identification number. IDRVariable The Recipient (B) identification number. NA 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). NB 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). Z 256 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). ZSEEDS256 bits The

40、 Senders seed for the derivation of the shared secret Z. ZSEEDR256 bits The Recipients seed for the derivation of the shared secret Z. MK 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). K 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). IV 96 bits Initial value of counter. Ecma Internationa

41、l 2015 5ISO/IEC 18031 shall be used to generate the random nonces and keys, with the exception of Dual_EC_DRBG. 9.2 Entity authentication 9.2.1 Mechanism Peer NFC-SEC entities achieve mutual authentication per ISO/IEC 9798-2, mechanism 4 by use of the PSAK which shall be known to them prior to the c

42、ommencement of the NEAU-S mechanism. 9.2.2 AES AES per 5.1 of ISO/IEC 18033-3 shall be used for encryption, decryption and MACing during the entity authentication. 9.2.3 Modes of operation In the NEAU-S mechanism, the data authenticated encryption mode shall be GCM mode per 11 Authenticated encrypti

43、on mechanism 6 (GCM) of ISO/IEC 19772. 9.2.4 Message Authentication Code (MAC) MACing shall be used for integrity protection of the payload of ACT_RES, VFY_REQ and VFY_RES. 9.3 Key agreement The shared secret Z shall be established using key establishment from ISO/IEC 11770-2, mechanism 6, which req

44、uires both entities to contribute their seeds. 9.4 Key confirmation 9.4.1 Overview The MK shall be derived using the KDF per 9.2 of ISO/IEC 13157-3 (ECMA-409). This key confirmation mechanism is according to Clause 9 of ISO/IEC 11770-3. The MAC used for Key Confirmation (MacTag) shall be AES in CMAC

45、-96 mode per ISO/IEC 13157-3 (ECMA-409). 9.4.2 Key confirmation tag generation The MacTagAin VFY_REQ shall be: MacTagA= AES-CMAC-96MK (MK, (02) | IDS | IDR | NA | NB), using AES-CMAC-96MKper ISO/IEC 13157-3 (ECMA-409), with key MK. The MacTagBin VFY_RES shall be: MacTagB= AES-CMAC-96MK (MK, (03) | I

46、DR | IDS | NB | NA), using AES-CMAC-96MKper ISO/IEC 13157-3 (ECMA-409), with key MK. 9.4.3 Key confirmation tag verification The MacTagA shall be checked by evaluating the equation: MacTagA = AES-CMAC-96MK(MK, (02) | IDS | IDR | NA | NB) 6 Ecma International 2015The MacTagB shall be checked by evalu

47、ating the equation: MacTagB = AES-CMAC-96MK(MK, (03) | IDR | IDS | NB | NA) 9.5 Key Derivation Function (KDF) 9.5.1 Overview Four KDFs are specified in NEAU-S for generating: MKA and KEIA; the shared secret Z; key of SSE and key of SCH. 9.5.2 KDF for MKA and KEIA The PRF shall be CMAC per 9.2 of ISO

48、/IEC 13157-3 (ECMA-409), used with 128 bits output length. It will be denoted AES-CMAC-PRF-128. For the following sections PRF is: PRF (K, S) = AES-CMAC-PRF-128K(S) The KDF for the MKA and KEIA shall be: MKA, KEIA = KDF-MKA- KEIA (NA, NB, IDS, IDR, PSAK) Detail of the KDF-MKA- KEIA function: Seed =

49、(NA 164 | NB 164) SKEYSEED = PRF(Seed, PSAK) MKA = PRF (SKEYSEED, Seed | IDS| IDR| (01) KEIA = PRF (SKEYSEED, MKA | Seed | IDS| IDR| (02) The keys MKA and KEIA shall be different for each NEAU-S invocation. 9.5.3 KDF for the shared secret Z The value of the shared secret Z shall be generated per a) of Annex C of ISO/IEC 11770-2: Z = ZSEEDS ZSEEDR9.5.4 KDF for the SSE and SCH 9.2.1 and 9.2.2 of ISO/IEC 13157-3 (ECMA-409) apply. Ecma International 2015 79.6 D