ISO IEC 13157-5-2016 Information technology - Telecommunications and information exchange between systems - NFC Security - Part 5 NFC-SEC entity authentication .pdf

1、Information technology Telecommunications and information exchange between systems NFC Security Part 5: NFC-SEC entity authentication and key agreement using symmetric cryptography Technologies de linformation Tlcommunications et change dinformation entre systmes Scurit NFC Partie 5: Authentificatio

2、n dentit NFC-SEC et accord de cls utilisant une cryptographie symtrique INTERNATIONAL STANDARD ISO/IEC 13157-5 Reference number ISO/IEC 13157-5:2016(E) First edition 11 ISO/IEC 2016 ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights res

3、erved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either I

4、SO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 13157-5:2016(E)ISO/IEC 13157-5:2016(E) ISO/IEC 2016 All ri

5、ghts reserved iii Contents Page Foreword iv Introduction . v 1 Scope 1 2 Conformance . 1 3 Normative references 1 4 Terms and definitions . 1 5 Conventions and notations 2 6 Acronyms . 3 7 General . 3 8 Fields and PDUs for NEAU-S . 4 8.1 Protocol Identifier (PID) 4 8.2 NFC-SEC-PDUs 4 8.3 Entity iden

6、tifiers 4 9 Primitives . 5 9.1 General requirements . 5 9.2 Entity authentication . 6 9.2.1 Mechanism . 6 9.2.2 AES . 6 9.2.3 Modes of operation . 6 9.2.4 Message Authentication Code (MAC) . 6 9.3 Key agreement . 6 9.4 Key confirmation . 6 9.4.1 Overview . 6 9.4.2 Key confirmation tag generation . 6

7、 9.4.3 Key confirmation tag verification 6 9.5 Key Derivation Function (KDF) 7 9.5.1 Overview . 7 9.5.2 KDF for MKA and KEIA . 7 9.5.3 KDF for the shared secret Z . 7 9.5.4 KDF for the SSE and SCH . 7 9.6 Data authenticated encryption during authentication . 8 9.6.1 Initial values (IV) 8 9.6.2 Addit

8、ional Authenticated Data (AAD) 8 9.6.3 NEAU-S payload encryption and MAC generation 8 9.6.4 NEAU-S payload decryption and MAC verification 8 10 NEAU-S mechanism 9 10.1 Protocol overview 9 10.2 Preparation . 9 10.3 Sender (A) transformation 9 10.4 Recipient (B) transformation 10 11 Data Authenticated

9、 Encryption in SCH . 11 iv ISO/IEC 2016 All rights reserved ISO/IEC 13157-5:2016(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of

10、 ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizat

11、ions, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenan

12、ce are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is

13、drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction

14、 and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conform

15、ity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. ISO/IEC 13157-5 was prepared by Ecma International (as ECMA-411) and was adopted, under a specia

16、l “fast-track procedure”, by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC. ISO/IEC 13157 consists of the following parts, under the general title Information technology Telecommunications and information exchange bet

17、ween systems NFC Security: Part 1: NFC-SEC NFCIP-1 security services and protocol Part 2: NFC-SEC cryptography standard using ECDH and AES Part 3: NFC-SEC cryptography standard using ECDH-256 and AES-GCM Part 4: NFC-SEC entity authentication and key agreement using asymmetric cryptography Part 5: NF

18、C-SEC entity authentication and key agreement using symmetric cryptography. ISO/IEC 13157-5:2016(E) ISO/IEC 2016 All rights reserved v Introduction The NFC Security series of standards comprise a common services and protocol Standard and NFC- SEC cryptography standards. This NFC-SEC cryptography Sta

19、ndard specifies an NFC Entity Authentication (NEAU) mechanism that uses the symmetric cryptographic algorithm (NEAU-S) for mutual authentication of two NFC entities. This International Standard addresses entity authentication of two NFC entities possessing a Pre- Shared Authentication Key (PSAK) dur

20、ing the key agreement and confirmation for the Shared Secret Service (SSE) and Secure Channel Service (SCH). This International Standard adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA-409) NFC-SEC-02. This International Standard refers to the latest standards and the St

21、arVar generation method for IV in NFC- SEC-02. The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statements of the holders

22、 of these patent rights are registered with ISO and IEC. Information on the declared patents may be obtained from: Patent Holder: China IWNCOMM Co., Ltd. Address: A201, QinFengGe, Xian Software Park, No. 68, Keji 2 ndRoad, Xian Hi-Tech Industrial, Development Zone, Xian, Shaanxi, P. R. China 710075

23、INTERNATIONAL STANDARD ISO/IEC 13157-5:2016(E) ISO/IEC 2016 All rights reserved 1 Information technology Telecommunications and information exchange between systems NFC Security Part 5: NFC-SEC entity authentication and key agreement using symmetric cryptography 1 Scope This International Standard s

24、pecifies the message contents and the cryptographic mechanisms for PID 04. This International Standard specifies key agreement and confirmation mechanisms providing mutual authentication, using symmetric cryptography. NOTE This International Standard adds entity authentication to the services provid

25、ed by ISO/IEC 13157-3 (ECMA- 409) NFC-SEC-02. 2 Conformance Conformant implementations employ the security mechanisms specified in this NFC-SEC cryptography Standard (identified by PID 04) and conform to ISO/IEC 13157-1 (ECMA-385). The NFC-SEC security services shall be established through the proto

26、col specified in ISO/IEC 13157-1 (ECMA-385) and the mechanisms specified in this International Standard. 3 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the

27、 latest edition of the referenced document (including any amendments) applies. ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model ISO/IEC 9798-1:2010, Information technology - Security techniques - Entity authentication - Part 1: Gener

28、al ISO/IEC 9798-2, Information technology - Security techniques - Entity authentication - Part 2: Mechanisms using symmetric encipherment algorithms ISO/IEC 11770-1:2010, Information technology - Security techniques - Key management - Part 1: Framework ISO/IEC 11770-2:2008, Information technology -

29、Security techniques - Key management - Part 2: Mechanisms using symmetric techniques ISO/IEC 11770-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques 2 ISO/IEC 2016 All rights reserved ISO/IEC 13157-5:2016(E) ISO/IEC 13157-1, Information

30、 technology - Telecommunications and information exchange between systems - NFC Security - Part 1: NFC-SEC NFCIP-1 security services and protocol (ECMA-385) ISO/IEC 13157-2, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 2: NFC-SEC cryptogr

31、aphy standard using ECDH and AES (ECMA-386) ISO/IEC 13157-3, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 3: NFC-SEC cryptography standard using ECDH-256 and AES-GCM (ECMA-409) ISO/IEC 14443-3, Identification cards - Contactless integrate

32、d circuit cards - Proximity cards - Part 3: Initialization and anticollision ISO/IEC 18031:2011, Information technology - Security techniques - Random bit generation ISO/IEC 18031:2011/Cor.1:2014, Information technology - Security techniques - Random bit generation - Technical Corrigendum 1 ISO/IEC

33、18033-3:2010, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers ISO/IEC 18092, Information technology - Telecommunications and information exchange between systems - Near Field Communication - Interface and Protocol (NFCIP-1) (ECMA-340) ISO/IEC 19772:2009,

34、Information technology - Security techniques - Authenticated encryption ISO/IEC 19772:2009/Cor.1:2014, Information technology - Security techniques - Authenticated encryption - Technical Corrigendum 1 4 Terms and definitions For the purposes of this document, the terms and definitions given in Claus

35、e 4 of ISO/IEC 13157-3 (ECMA-409) and the following apply. 4.1 entity authentication corroboration that an entity is the one claimed ISO/IEC 9798-1: 2010 4.2 n-entity-title a name that is used to identify unambiguously an n-entity ISO/IEC 7498-1: 1994 4.3 symmetric cryptography (symmetric cryptograp

36、hic technique) cryptographic technique that uses the same secret key for both the originators and the recipients transformation ISO/IEC 9798-1: 2010 5 Conventions and notations Clause 5 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following conversions and notations following apply. ISO/

37、IEC 13157-5:2016(E) ISO/IEC 2016 All rights reserved 3 exclusive OR For any message field “F”, F denotes the value placed in the field upon sending, F the value upon receipt. 6 Acronyms Clause 6 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following acronyms apply. KEIA Encryption and In

38、tegrity Key in Authentication MKA Master Key in Authentication NEAU-S NEAU using Symmetric Cryptography PSAK Pre-Shared Authentication Key TLV Type-length-value UID Unique Identifier ISO/IEC 14443-3 ZSEED The Seed of Z 7 General This International Standard specifies the NFC Entity Authentication usi

39、ng Symmetric cryptography (NEAU-S), using the key agreement and confirmation protocol in ISO/IEC 13157-1 (ECMA-385). To enable a key agreement and confirmation mechanism providing mutual authentication between NFC entities before they start the Shared Secret Service (SSE) and the Secure Channel Serv

40、ice (SCH), the Pre- Shared Authentication Key (PSAK), as a credential, between these entities is used in the entity authentication. After successful NEAU-S completion, a shared secret Z that is used to establish the SSE and the SCH will be generated. Three-pass authentication per ISO/IEC 9798-2, mec

41、hanism 4, and key establishment per ISO/IEC 11770-2, mechanism 6, are used in NEAU-S. The relationship between NEAU-S and ISO/IEC 13157-1 (ECMA-385) is shown in Figure 1. ISO/IEC 13157-5:2016(E) 4 ISO/IEC 2016 All rights reserved Key Confirmation ISO/IEC 13157-1 (ECMA-385) Clause 9.2 Service Termina

42、tion ISO/IEC 13157-1 (ECMA-385) Clause 9.4 SCH SSE Key Agreement ISO/IEC 13157-1 (ECMA-385) Clause 9.1 NEAU-S PDU security ISO/IEC 13157-1 (ECMA-385) Clause 9.3 and Clause 12 of ISO/IEC 13157-3 (ECMA-409) Figure 1 The use of the NFC-SEC protocol by NEAU-S 8 Fields and PDUs for NEAU-S 8.1 Protocol Id

43、entifier (PID) This International Standard shall use the one octet protocol identifier PID with value 4. 8.2 NFC-SEC-PDUs The peer NFC-SEC entities shall establish a shared secret Z using ACT_REQ, ACT_RES, VFY_REQ and VFY_RES according to the NEAU-S mechanism. 8.3 Entity identifiers The n-entity-tit

44、le of the Senders and Recipients n-entity shall be used as ID Sand ID R , respectively. Figure 2 specifies the encoding of ID Sand ID R in the TLV format. ISO/IEC 13157-5:2016(E) ISO/IEC 2016 All rights reserved 5 Figure 2 ID format 1. The Type subfield specifies the type of the ID and shall be 1 oc

45、tet in length. The values are: a) 1: Value subfield contains Sender (A) identification number, ID S ; b) 2: Value subfield contains Recipient (B) identification number, ID R ; c) All other values are RFU. 2. The 2-octet Length subfield contains the length in number of octets of the Value subfield, i

46、n the range of 1 to 65535. 9 Primitives 9.1 General requirements Clause 9 specifies cryptographic primitives of NEAU-S. Clause 10 specifies the actual use of these primitives. Table 1 specifies the size and description of parameters. Table 1 NEAU-S parameters Parameter Field Size Description PSAK Va

47、riable Pre-Shared authentication key available to the Sender (A) and the Recipient (B). MKA 128 bits Master key used in the entity authentication and derived from the PSAK. KEIA 128 bits Encryption and integrity key used in the entity authentication and derived from the MKA. MAC 96 bits Message auth

48、entication code. ID SVariable The Sender (A) identification number. ID RVariable The Recipient (B) identification number. NA 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). NB 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). Z 256 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). ZSEED S256

49、bits The Senders seed for the derivation of the shared secret Z. ZSEED R256 bits The Recipients seed for the derivation of the shared secret Z. MK 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). K 128 bits See Clause 6 of ISO/IEC 13157-2 (ECMA-386). IV 96 bits Initial value of counter. ISO/IEC 13157-5:2016(E) 6 ISO/IEC 2016 All rights reserved ISO/IEC 18031 shall be used to generate the r