可預防雙重支付的離線小額匿名交易機制 / Anonymous off-line micro-payment protocol with double spending prevention

林承毅

Unknown Date

近年來手機的普及率日漸增加，手機逐漸成為生活中不可或缺的工具，因此許多生活方式逐漸的偏向由手機端完成，例如:找路不需要再透過地圖,上網查資料不需要再透過電腦，人們逐漸地把實體錢包轉向利用手機支付的電子錢包，像是中國支付寶等支付系統。利用手機當作錢包已經是現今手機發展的主要方向，然而對於手機的安全支付議題也日漸重視，近年來有安全晶片的保護下使用者的手機安全也有一定程度的提升，但是在離線交易的情況下惡意使用者的操作依然是可以欺騙安全晶片並製造出雙重支付的問題。 2016年陳等人提出了一個基於NFC系統的匿名行動付款協定，然而該協定中必須要有銀行端的介入才能執行交易。在本論文中，我們基於陳等人的線上交易協定為基礎下發展了本篇論文的新交易協定，此交易協定可以適用於離線以及線上的環境。 離線環境下的雙重支付行為一直交易的過程中難以預防的攻擊，在本篇論文中我們透過安全晶片、符號化和本論文研究的雜湊鍊來預防雙重支付行為，且能保障使用者在交易過程中的匿名性。 / As the coverage of mobile phone has been constantly increased in recent years, the mobile phones have become an indispensable tool in life. Many ways of lives are gradually done through the mobile terminals, for example: No longer need to find the way through the map or search information through the computer, people have also gradually turned to electronic payment via e-wallets instead of paying via physical wallets, such as AliPay in China. Adopting the mobile phone as a wallet is nowadays the main development direction of mobile phones. Meanwhile, people are paying more and more attention to the topics on the security of mobile payment than before. In recent years, under the protection of secure element, the security of users’ mobile phone has been enhanced to a certain extent. In the case of off-line transactions, malicious users are capable of fooling secure element and making double spending. In 2016, Chen et al. proposed a NFC-Based anonymous mobile payment protocol. In that protocol the transaction can only be executed with the involvement of issuer. In this research, we introduce a new protocol which can support both on-line and off-line transactions. Our protocol is modified from that of Chen et al.’s idea. In our protocol, to prevent a malicious user, we use a secure element which stores sensitive information that cannot be altered by the user. In this way, the cheating behavior of a malicious user can be prevented. On the other hand, by using the token techniques, the anonymity of a user can be achieved from the view of a merchant. In this study, we focus on double spending which can make merchant a lot of cost at off-line transaction. We used hash chain to verify the correctness of transactions and prevent the double spending.

雙重支付

NFC

離線交易

安全交易

Token

Double Spending

NFC

Off-line Payment

Secure Payment

Token

Sécurisation de la couche physique des communications sans contact de type RFID et NFC / Secure of the physical layer for contactless communications using RFID and NFC technology

Thevenon, Pierre-Henri

10 November 2011

L'avènement des communications en champ proche pour les transactions entre objets portables téléalimentés de type RFID pose un problème de sécurité. En effet, ces communications supportent non seulement la fonction de transfert d'information, mais aussi celle de transfert de puissance d'alimentation et d'horloge vers l'objet nomade. La sécurité des communications repose sur l'authentification des parties, l'intégrité des données et leur confidentialité. En général ces objets téléalimentés sont dits à ressources rares : c'est-à-dire que leur puissance de calcul et leurs possibilités pour se protéger sont limitées Ces caractéristiques font peser des menaces importantes sur la sécurité du lien sans contact et sur la protection des données personnelles parmi lesquelles quatre sont essentielles : 1) L'espionnage de la communication. 2) L'attaque en relais : L'intégrité de la communication peut être mise en danger par l'utilisation d'un système pouvant relayer à grande distance les commandes d'un lecteur RFID à une carte RFID. Les messages peuvent alors être écoutés, voire modifiés. La détection de la présence de tels dispositifs devient primordiale. 3) L'activation à distance d'une carte RFID. 4) Le déni de service. L'objectif de cette thèse sera de trouver des contre-mesures impliquant la couche physique et évitant la modification des normes actuelles à la fois dans les dispositifs de type étiquettes électroniques RFID et dans les téléphones portables de type NFC. / The arrival of the near field communications for transactions between portable remotely powered devices using RFID technology presents a problem. In fact, these communications provide not only an informative function but also a power and clock transfer function to the contactless device. Communication security is based on authentication protocols, security data integrity and confidentiality. Most of these remotely powered devices have low resources and then low defense against attackers. These features create a threat for contactless communications security and privacy data protection. Four types of attack exist: 1) Eavesdropping 2) Relay attack : Communication integrity can be in danger with the use of systems that can relay RFID reader commands to a RFID card. Transactions can be spied or even worse can be modified in case of a man-in-the-middle attack. 3) Skimming : Activation and reading of a contactless card from a distance. 4) The denial of service. The objective of this thesis is to find countermeasures using the physical layer in RFID contactless devices and in NFC mobile phones while avoiding the modification of actual standards.

Sans contact

RFID

NFC

Confidentialité

Intégrité

Sans contact

RFID

NFC

Confidentialité

Intégrité

Mobilbetalningstjänster i fysisk butik : En studie ur ett användarperspektiv / Mobile payment services in physical stores : A study from a user perspective

Lindberg, Emma, Molund, Emma

January 2013

I takt med att Internethandeln ökar och fler och fler använder smartphones, introduceras alternativa betallösningar på marknaden. En betalmetod som redan är etablerad är SMS-betalning. Med tanke på detta borde inte steget till att använda mobilbetalningstjänster i fysisk butik vara så stort. Syftet med denna uppsats är att undersöka de huvudfaktorer som påverkar användandet av mobilbetalningstjänster i fysiska butiker. Det huvudsakliga perspektivet ligger på användarna av tjänsterna, snarare än de butiker som erbjuder dem. Både kvalitativa och kvantitativa metoder har användt. Resultaten är baserade på data från en enkätundersökning, intervjuer och användartester. En intressant upptäckt från enkätundersökningen var att även fast människor har erfarenhet av SMS-betalning så verkar det som att få har vetskap om att mobilbetalningstjänster i fysisk butik existerar och därför inte börjat använda dem. I denna studie presenteras någa förslag på faktorer som kan tas i beaktande för att öka kunskapen och användarfrekvensen. De viktigaste faktorerna tycks vara uppfattad nytta, ekonomiska fördelar, uppfattade risker, standardisering och förenlighet med mäniskors existerande beteendemönser. / As Internet shopping increases and more and more people use smartphones, alternative payment solutions are introduced to the market. One payment method that is already established is SMS payment. Given these developments, mobile payment services in physical stores ought not be far from being adopted. The purpose of this essay is to examine the key factors that influence the use of mobile payment services in physical stores. The main focus is the perspective of the users of the services rather than the stores offering them. Both qualitative and quantitative methods have been applied. The results are based on data from a survey, interviews and usability tests. One interesting survey finding was that even though people have first-hand experience of SMS payment it seems that few people have knowledge of mobile payment services in physical stores, and therefore not adopted them. To increase the knowledge and adopting rate a suggestion of factors that can be taken into consideration is introduced in the study. The most important factors seem to be perceived usefulness, economic advantage, perceived risks, standardization and reconcilability with existing behavioural patterns.

Mobile payment services

SMS payment

potential adopters

innovation

smartphone

QR code

NFC

Mobilbetalningstjänster

SMS-betalning

potentiella användare

innovation

smartphone

QR-kod

NFC

Media and Communication Technology

Medieteknik

Application for Customisable Interaction with Physical Objects : A Tool for Speech and Language Therapists

Herault, Romain Christian

January 2015

Physical objects with digital properties are being used more and more by the public. One such term for these artefacts include "the Internet of Things''. Most of these objects are often impossible to further modify or customise, and thus serve just the single purpose intended by their creators. This thesis explores the possibility of customising physical objects in order to provide an affordable and flexible way of interacting with them. A prototype, involving a mobile phone application (Android) and wireless sensor technology (NFC tags), was developed for the medical domain of speech and language therapy. The system, developed in close association with two therapists, allows the customisation of current speech and language exercise and associated material. It is designed to also assist with logging the patient interactions during the conduction of such exercises. The proposed solution has been tested and validated by medical experts, and its user interface evaluated by non-patient users.

Computer Sciences

Datavetenskap (datalogi)

Self-Tuning NFC Circuits

Li, Yimeng

January 2017

Contactless automatic identification procedures which are called RFID systems (Radio-frequency Identification) have become very popular in recent years for transferring power and data. With the development of RFID technology, the demand of easy transmitting of short data packages has made NFC (Near-field Communication) technology wildly used especially in mobile applications. The communication between a mobile and a tag is achieved through a magnetic field generated by the mobile’s NFC interface. In order to get a maximal power transmission, the tag circuit is designed to operate at the resonance frequency of 13.56 MHz, which is equal to the operation frequency of the mobile’s NFC interface. As mutual inductances provided by different kinds of mobiles exist divergence, optimal power transfer cannot be reached every time. This thesis focuses on the optimization of power transfer during the communications between tags and mobiles with uncertain NFC coils. By incorporating a self-tuning parallel variable capacitance compensation circuitry the resonance frequency of an NFC tag circuit can be self-tuned to 13.56 MHz to ensure an optimal power transmission. This thesis presents both theoretical and experimental analysis of this improved self-tuning NFC circuitry in detail and demonstrates that by digitally tuning a parallel capacitor circuit, the energy transferred to an NFC tag can be optimized when facing different kinds of NFC-enabled mobile phones.

Parallel capacitance compensation

RFID system

NFC

Self-tuning NFC

Digitally tunable capacitor

Annan elektroteknik och elektronik

Towards more secure contact and NFC payment transactions : new security mechanisms and extension for small merchants / Vers des transactions de paiement avec contact et sans contact (NFC) plus sécurisées : de nouveaux mécanismes de sécurité et une extension pour les petits commerçants

El Madhoun, Nour

09 July 2018

EMV est la norme implémentée pour sécuriser une transaction d'achat avec contact ou sans contact (NFC) entre un appareil de paiement d'un client et un PoS. Elle représente un ensemble de messages de sécurité échangés entre les acteurs de la transaction, garantissant plusieurs propriétés de sécurité importantes. En effet, plusieurs chercheurs ont analysé le fonctionnement de la norme EMV afin de vérifier sa fiabilité: ils ont identifié plusieurs vulnérabilités de sécurité qui représentent aujourd'hui des risques majeurs pour notre sécurité au quotidien. Par conséquent, nous sommes intéressés à proposer de nouvelles solutions qui visent à améliorer la fiabilité d’EMV. Dans un premier temps, nous présentons un aperçu du système de sécurité EMV et nous étudions ses vulnérabilités identifiées dans la littérature. En particulier, il existe deux vulnérabilités de sécurité EMV, qui mènent à des risques dangereux menaçant à la fois les clients et les commerçants. Par conséquent, nous sommes intéressés dans la deuxième étape à répondre à ces deux faiblesses. Nous examinons d'abord une sélection des travaux qui ont été conçus pour résoudre ces vulnérabilités. Ensuite, afin d'obtenir de meilleurs résultats par rapport à ces travaux, nous proposons un nouveau système pour le paiement avec contact et NFC qui intègre 4 mécanismes de sécurité innovants. Enfin, dans la troisième étape, nous adaptons notre premier mécanisme de sécurité dans le contexte d'une nouvelle architecture de paiement NFC. Cette architecture est particulièrement destinée aux petits commerçants, leur permettant de profiter de leurs smartphones NFC pour une utilisation directe en tant que des lecteurs NFC. / EMV is the standard implemented to secure the communication, between a client’s payment device and a PoS, during a contact or NFC purchase transaction. It represents a set of security messages, exchanged between the transaction actors, guaranteeing several important security properties. Indeed, researchers in various studies, have analyzed the operation of this standard in order to verify its reliability: unfortunately, they have identified several security vulnerabilities that, today, represent major risks for our day to day safety. Consequently, in this thesis, we are interested in proposing new solutions that improve the reliability of this standard. In the first stage, we introduce an overview of the EMV security payment system and we survey its vulnerabilities identified in literature. In particular, there are two EMV security vulnerabilities that lead to dangerous risks threatening both clients and merchants: (1) the confidentiality of banking data is not guaranteed, (2) the authentication of the PoS is not ensured to the client’s device. Therefore, our interests move in the second stage to address these two weaknesses. We first review a selection of the related works that have been implemented to solve these vulnerabilities, and then, in order to obtain better results than the related works, we propose a new secure contact and NFC payment system that includes four innovative security mechanisms. Finally, in the third stage, we adapt our first security mechanism in the context of a new NFC payment architecture. This architecture is especially destined for small merchants, allowing them to take advantage of their NFC smartphones for use directly as NFC readers.

Acquéreur

Carte bancaire

Sans contact

EMV

Vulnérabilités EMV

NFC

Émetteur

Petit commerçant

Buyer

Bank card

Contactless

EMV

EMV Vulnérabilities

NFC

Issuer

Small merchants

Security of NFC applications

Pham, Thi Van Anh

January 2013

Near Field Communication (NFC) refers to a communication technology that enables an effortless connection and data transfers between two devices by putting them in a close proximity. Besides contactless payment and ticketing applications, which were the original key drivers of this technology, a large number of novel use cases can benefit from this rapidly developing technology, as has been illustrated in various NFC-enabled application proposals and pilot trials. Typical NFC-enabled systems combine NFC tags, NFC-enabled mobile phones, and online servers. This thesis explores the trust relationships, security requirements, and security protocol design in these complex systems. We study how to apply the security features of different types of NFC tags to secure NFC applications. We first examine potential weaknesses and problems in some novel use cases where NFC can be employed. Thereafter, we analyze the requirements and propose our system design to secure each use case. In addition, we developed proof-of-concept implementations for two of our proposed protocols: an NFCenabled security-guard monitoring system and an NFC-enabled restaurant menu. For the former use case, we also formally verified our proposed security protocol.  Our analysis shows that among the discussed tags, the NFC tags based on secure memory cards have the least capability and flexibility. Their built-in three-pass mutual authentication can be used to prove the freshness of the event when the tag is tapped. The programmable contactless smart cards are more flexible because they can be programmed to implement new security protocols. In addition, they are able to keep track of a sequence number and can be used in systems that do not require application-specific software on the mobile phone. The sequence number enforces the order of events, thus providing a certain level of replay prevention. The most powerful type of tag is the emulated card since it provides a clock, greater computational capacity, and possibly its own Internet connection, naturally at higher cost of deployment. / Near Field Communication (NFC) hänvisar till en kommunikationsteknik som möjliggör en enkel anslutning och dataöverföring mellan två enheter genom att sätta dem i en närhet. Förutom kontaktlös betalning och biljetthantering ansökningar, vilket var den ursprungliga viktiga drivkrafter för denna teknik, kan ett stort antal nya användningsfall dra nytta av denna snabbt växande teknik, som har visats i olika NFC-aktiverade program förslag och pilotförsök. Typiska NFC-applikationer kombinerar NFC-taggar, NFC-kompatibla mobiltelefoner och online-servrar. Denna avhandling utforskar förtroenderelationer, säkerhetskrav och säkerhetsprotokoll utformning i dessa komplexa system. Vi studerar hur man kan tillämpa de säkerhetsfunktioner för olika typer av NFC-taggar för att säkra NFC-applikationer. Vi undersöker först potentiella svagheter och problem i vissa nya användningsfall där NFC kan användas.  Därefter analyserar vi de krav och föreslå vårt system design för att säkra varje användningsfall. Dessutom utvecklade vi proof-of-concept implementationer för två av våra föreslagna protokoll: en NFC-aktiverad säkerhet-guard övervakningssystem och en NFC-aktiverad restaurang meny. Dessutom, för fd bruk fallet, kontrollerade vi formellt vår föreslagna säkerhetsprotokoll. Vår analys visar att bland de diskuterade taggar, NFC taggar som baseras på säkra minneskort har minst kapacitet och dlexibilitet. Deras inbyggda trepass ömsesidig autentisering kan användas för att bevisa färskhet av händelsen när taggen tappas. De programmerbara beröringsfria smarta kort är mer flexibla eftersom de kan programmeras för att genomföra nya säkerhetsprotokoll.  Dessutom kan de hålla reda på ett löpnummer och kan användas i system som inte kräver ansökan-specik mjukvara på mobiltelefonen. Sekvensnumret framtvingar ordning av händelser, vilket ger en viss nivå av replay förebyggande. Den mest kraftfulla typen av taggen är den emulerade kortet eftersom det ger en klocka, större beräkningskapacitet, och möjligen sin egen Internet-anslutning, naturligtvis till högre kostnad för utplacering.

NFC

security protocol

DESFire

Java card

card emulation

restaurant

vending machine

class attendance

security guard

NFC

säkerhetsprotokoll

DESFire

Java kort

kort emulering

restaurang

varuautomat

säkerhetsvakt

Communication Systems

Kommunikationssystem

Communication Protocol for a Cyber-Physical System : Using Bluetooth, NFC and cloud

Persson, Mathias

January 2015

The focus of this thesis is to utilize many of today’s current technologies to design a communication protocol that allows different devices to be incorporated into a system that can facilitate the flow of information between a user and a world of digital data. The protocol will take advantage of individual benefits from NFC, Bluetooth and cloud computing in its design to make the underlying complexity as transparent to the user as possible. Some of the main problems, such as security and reliability, are discussed and how they are incorporated into the core design of the protocol. The protocol is then applied to a case study to see how it can be utilized to create an integrity preserving system for managing medical records in a healthcare environment. The results from the case study gives merit to guidelines provided by the protocol specifications, making a system implementation based on the protocol theoretically possible. A real system implementation is required to verify the results extracted from the case study. / Denna uppsats fokuserar på att använda många av dagens teknologier för att konstruera ett kommunikationsprotokoll som möjliggör för olika enheter att inkorporeras i ett system som underlättar informationsflödet mellan en användare och en värld av digital data. Protokollet utnyttjar olika individuella fördelar hos NFC, Bluetooth and molntjänster i dess design för att göra den underliggande komplexiteten så transparant som möjligt för användaren. Några av de främsta problemen, så som säkerhet och tillförlitlighet, diskuteras och hur de inkorporeras i hjärtat av protokollet. Protokollet appliceras sedan i en fallstudie för att se hur det kan användas för att skapa ett system för sjukjournaler som bevarar integriteten hos patienter. Resultatet från fallstudien pekar mot att de riktlinjer som gavs av protokollspecifikationerna fungerar för att göra en systemimplementation på en teoretisk nivå. En verklig systemimplementation skulle behövas för att verifiera de resultat som framgår ur fallstudien.

Cyber-Physical Systems

Cloud Computing

Communication Protocol

Healthcare

Medical Records

Bluetooth

NFC

Cyberfysiska System

Molntjänster

Kommunikationsprotokoll

Sjukvård

Sjukjournaler

Bluetooth

NFC

Computer and Information Sciences

Data- och informationsvetenskap

Secure Authentication in Near Field Communication based Access Control Systems

Jakobsson, Anders

January 2015

Today there exist a myriad of different types of access control systems that use a smart card or mobile device as a key. The mobile device enabled smart locks, as they are often referred to, operate using either WiFi or Bluetooth. This thesis has explored the use of a third emerging wireless technology called Near Field Communication (NFC). NFC technology is a relatively new technology that is on the rise and is included in almost every new mobile device. Using a NFC enabled mobile device, a highly secure access control system was developed on a Raspberry Pi Linux platform. Several different authentication protocols, mobile operating systems and NFC modes of operation where analyzed and evaluated, to ensure that the system was as secure as possible. Eventually the system was implemented using the Secure Remote Password authentication protocol on top of a NFC card emulation scheme with the client application running on the Android operating system. The final system was a secure and responsive system that would be easy to deploy in many different situations. This project shows that NFC enables a mobile device to act as akey in a secure access control system and as the user base for NFC grows larger sowill the likelihood that we will come to see more of these types of systems. / Idag finns det flera olika typer av inpasserings system som använder någon form av ”smart card” eller mobil enhet som nyckel. De smarta låsen, som det oftast kallas, som använder sig av en mobile enhet, använder antingen Wi-­‐‑Fi eller Bluetooth för att kommunicera med inpasserings systemet. I den här uppsatsen kommer en relativt ny teknologi som kalls Near Field Communication (NFC) att utforskas. Användandet av NFC är på uppgång och det finns inkluderat i nästan varje ny mobil enhet som släpps på marknaden idag. Ett inpasserings system med hög säkerhet utvecklades genom att använda en mobile enhet med NFC kapabilitet tillsammans med en Raspberry Pi Linux plattform. Flera olika typer av autentiserings protokoll, mobila operativsystem och NFC användnings moder, analyserades och utvärderades för att säkerställa att systemet var så säkert som möjligt. Tillslut valdes ett autentiserings protokoll vid namn, Secure Remote Password (SRP), som integrerades ovanpå ett kort emulerings NFC ramverk som finns tillgängligt i Android operativsystemet. Det slutgiltiga systemet har hög säkerhet och är snabbt och responsivt och kan användas i flera olika situationer. NFC tillåter en mobile enhet att agera nyckel i ett inpasseringssystem och användandet kommer bara öka med den expanderande användare basen.

NFC

SRP

Authentication

Android

Raspberry Pi

NXP

NFC

SRP

Authentication

Android

Raspberry Pi

NXP

Elektroteknik och elektronik

Utvinning av data ur mobiltelefoner : En valideringsstudie av forensiska verktyg

Andersson, Roland

January 2016

Den vetenskapliga aspekten i de flesta forensiska discipliner är välgrundad och prövad under ett långt tidsperspektiv. Det ökande användandet av digital teknik har gjort att en ny forensisk disciplin har vuxit fram och den vetenskapliga grunden i detta nya forensiska område är i många avseenden fortfarande outforskat. Inom det svenskarättsväsendet krävs att de forensiska metoder som används inom en brottsutredning ska vara kvalitetssäkrade och i största mån vara ackrediterade av ettackrediteringsorgan. Det finns idag få relevanta studier kring validering av forensiska metoder som hanterar småskaliga enheter som smarta mobiler. I denna rapport analyseras de metoder som används för att utvinna data från mobiltelefon och hur dessa metoder kan anses vara forensiskt korrekta. Rapporten presenterar ett nytt ramverk för att validera de metoder som används av ett forensisk verktyg. Ramverket är kvalitetssäkrat genom att utgå ifrån tidigare vetenskaplig studier och är praktiskt testad i laboratoriemiljö. Ramverket ska kunna användas direkt inom en forensisk verksamhet som kräver validering. / The scientific aspect in most forensic disciplines is well founded and examined under a long-term perspective. The increasing use of digital technology has enabled a new forensic discipline and the scientific basis of the digital forensic field is in many respects still unexplored. The Swedish legal system requires that the forensic methods used in a criminal investigation should be quality assured and in the largest extent be accredited by an accreditation body. There are few relevant studies on the validation of forensic methods that handle small scale devices such as smartphones. This report analyzes the methods used to extract data from a mobile phone and how these methods can be considered forensically sound. The report presents a new framework for validating the methods used by a forensic tool. The framework is quality assured by referring to previous scientific studies and practically tested in a laboratory environment. The framework can be used directly in a forensic organization that requires validation.

forensik

forensiska verktyg

forensisk process

testramverk

validering

Nationellt Forensiskt Centrum

NFC

Swedac