ECMA 385-2015 NFC-SEC NFCIP-1 Security Services and Protocol (4th Edition).pdf

1、 Reference numberECMA-123:2009Ecma International 2009ECMA-385 4thEdition / June 2015 NFC-SEC: NFCIP-1 Security Services and Protocol COPYRIGHT PROTECTED DOCUMENT Ecma International 2015 Ecma International 2015 iContents Page 1 Scope 1 2 Conformance . 1 3 Normative references 1 4 Terms and definition

2、s . 1 5 Conventions and notations 2 5.1 Representation of numbers 2 5.2 Names . 3 6 Acronyms . 3 7 General . 4 8 Services 4 8.1 Shared Secret Service (SSE) 5 8.2 Secure Channel Service (SCH) 5 9 Protocol Mechanisms . 5 9.1 Key agreement . 5 9.2 Key confirmation . 5 9.3 PDU security 5 9.4 Termination

3、 5 10 States and Sub-states . 6 11 NFC-SEC-PDUs 7 11.1 Secure Exchange Protocol (SEP) 7 11.2 Protocol Identifier (PID) 8 11.3 NFC-SEC Payload 8 11.4 Terminate (TMN) 8 11.5 Error (ERROR) . 8 12 Protocol Rules . 8 12.1 Protocol and Service Errors . 9 12.2 Interworking Rules 9 12.3 Sequence Integrity 9

4、 12.4 Cryptographic Processing . 10 Annex A (normative) Protocol Machine Specification 11 A.1 SDL Symbols . 11 A.2 Request SDUs 11 A.3 Confirm SDUs 12 A.4 SDL Diagrams 13 A.4.1 Idle State . 13 A.4.2 Select State 14 A.4.3 Established State . 15 A.4.4 Confirmed State . 16 ii Ecma International 2015Int

5、roduction This Standard specifies common NFC Security services and a protocol. This Standard is a part of the NFC Security series of standards. The NFC-SEC cryptography standards of the series complement and use the services and protocol specified in this Standard. The third edition has removed anne

6、x B because it has been included in ISO/IEC 18092:2013 and it allows implementation on generic NFC connections. This fourth edition is fully aligned with ISO/IEC 13157-1:2014. This Ecma Standard has been adopted by the General Assembly of June 2015. Ecma International 2015 iii“COPYRIGHT NOTICE 2015

7、Ecma International This document may be copied, published and distributed to others, and certain derivative works of it may be prepared, copied, published, and distributed, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are included on all suc

8、h copies and derivative works. The only derivative works that are permissible under this Copyright License and Disclaimer are: (i) works which incorporate all or portion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document), (ii) works

9、 which incorporate all or portion of this document for the purpose of incorporating features that provide accessibility, (iii) translations of this document into languages other than English and into different formats and (iv) works by making use of this specification in standard conformant products

10、 by implementing (e.g. by copy and paste wholly or partly) the functionality therein. However, the content of this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as required to translate it into languages other t

11、han English or into a different format. The official version of an Ecma International document is the English language version on the Ecma International website. In the event of discrepancies between a translated version and the official version, the official version shall govern. The limited permis

12、sions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns. This document and the information contained herein is provided on an “AS IS“ basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRA

13、NTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.“ iv Ecma International 2015NFC-SEC: NFCIP-1 Security Services and Protocol 1 Scope This Standard specifies the NFC-SEC secure channel an

14、d shared secret services for NFCIP-1 and the PDUs and protocol for those services. NOTE This Standard does not address application specific security mechanisms (as typically needed for smart card related use cases and standardized in the ISO/IEC 7816 series). NFC-SEC may complement application speci

15、fic security mechanisms of ISO/IEC 7816. 2 Conformance Conformant implementations implement one or more of the services specified in this Standard, using the security mechanisms from the NFC-SEC cryptography part identified by the selected Protocol Identifier. 3 Normative references The following re

16、ferenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ECMA-340, Near Field Communication Interface and Protocol (NFCIP-

17、1) ECMA-386, NFC-SEC-01: NFC-SEC Cryptography Standard using ECDH and AES ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part

18、2: Security Architecture ISO/IEC 10731:1994, Information technology - Open Systems Interconnection - Basic Reference Model - Conventions for the definition of OSI services ISO/IEC 11770-1:1996, Information technology - Security techniques - Key management - Part 1: Framework 4 Terms and definitions

19、For the purpose of this Standard, the terms and definitions specified in ECMA-340, ISO/IEC 7498-1, ISO 7498-2, ISO/IEC 10731 and ISO/IEC 11770-1 apply. In addition, the following terms and definitions apply. 4.1 connection (N)-connection as specified in ISO/IEC 7498-1 Ecma International 2015 14.2 en

20、tity (N)-entity as specified in ISO/IEC 7498-1 4.3 link key secret key securing communications across a secure channel 4.4 NFC-SEC User entity using the NFC-SEC service 4.5 protocol (N)-protocol as specified in ISO/IEC 7498-1 4.6 recipient NFC-SEC entity that receives ACT_REQ 4.7 secure channel secu

21、re NFC-SEC connection 4.8 sender NFC-SEC entity that sends ACT_REQ 4.9 service (N)-service as specified in ISO/IEC 7498-1 4.10 shared secret secret shared by two peer NFC-SEC Users 5 Conventions and notations The following conventions and notations apply in this document unless otherwise stated. 5.1

22、 Representation of numbers The following conventions and notations apply in this document unless otherwise stated. Letters and digits in parentheses represent numbers in hexadecimal notation. The setting of bits is denoted by ZERO or ONE. Numbers in binary notation and bit patterns are represented b

23、y sequences of 0 and 1 bits shown with the most significant bit to the left. Within such strings, X may be used to indicate that the setting of a bit is not specified within the string. In octets the lsb is bit number 1, the msb bit number 8; in n-length bit strings the lsb is bit number 1 and the m

24、sb is bit number n. 2 Ecma International 20155.2 Names The names of basic elements, e.g. specific fields, are written with a capital initial letter. 6 Acronyms For the purposes of this Standard, the acronyms specified in ECMA-340 apply. Additionally, the following acronyms apply. ACT_REQ Activation

25、Request PDU ACT_RES Activation Response PDU ENC Encrypted Packet PDU ERROR Error PDU lsb least significant bit LSB Least Significant Byte msb most significant bit MSB Most Significant Byte MSG MesSaGe code PCI Protocol Control Information (see ISO/IEC 7498-1) PDU Protocol Data Unit (see ISO/IEC 7498

26、-1) PID Protocol Identifier RFU Reserved for Future Use SAP Service Access Point SCH Secure Channel service SDL Specification and Description Language (as specified in ITU-T Z.100) SDU Service Data Unit (see ISO/IEC 7498-1) SEP Security Exchange protocol Parameter SN Sequence Number SNV SN variable

27、SSE Shared Secret Service SVC SerVicE code TMN Terminate PDU VFY_REQ Verification Request PDU Ecma International 2015 3VFY_RES Verification Response PDU 7 General NFC-SEC as illustrated in Figure 1 uses the OSI reference model specified in ISO/IEC 7498-1. NFC-SEC UserNFC-SEC UserNFC-SEC-SAPNFC-SAPNF

28、C-SEC connectionNFC connectionNFC-SEC-SDUNFC-SEC-PDUNFC-SEC-PCINFC-SEC entityPeer NFC-SEC entityNFC-SEC protocolNFCNFC-SEC UserNFC-SECFigure 1 NFC-SEC architecture NFC-SEC Users invoke and access the NFC-SEC services through NFC-SEC Service Access Points (NFC-SEC-SAP). NFC-SEC entities obtain NFC-SE

29、C-SDUs (requests) from NFC-SEC Users and return NFC-SEC-SDUs (confirmations) to them. This Standard specifies the Secure Channel Service (SCH) and the Shared Secret Service (SSE). To provide the NFC-SEC services, Peer NFC-SEC entities exchange NFC-SEC-PDUs by conforming to the NFC-SEC protocol over

30、NFC-SEC connections. Peer NFC-SEC entities send and receive NFC-SEC-PDUs through NFC Service Access Points (NFC-SAP). A NFC-SEC-PDU consists of NFC-SEC Protocol Control Information (NFC-SEC-PCI) and a single NFC-SEC-SDU. 8 Services This Clause specifies two services, SSE and SCH, that NFC-SEC provid

31、es to the NFC-SEC User. When invoked, these services enable the cryptographic protected transmission of NFC-SEC User messages between the peer entities by means of a protocol described in Clause 9. Shared secrets established with the services specified below shall be cryptographically uncorrelated f

32、rom any shared secrets established beforehand or afterwards. 4 Ecma International 20158.1 Shared Secret Service (SSE) The SSE establishes a shared secret between two peer NFC-SEC Users, which they can use at their discretion. Invocation of the SSE shall establish a shared secret by the key agreement

33、 and key confirmation mechanisms, according to the NFC-SEC cryptography part that defines the PID. 8.2 Secure Channel Service (SCH) The SCH provides a secure channel. Invocation of the SCH shall establish a link key, by derivation from a shared secret established by the key agreement and key confirm

34、ation mechanisms, and shall subsequently protect all communications in either direction across the channel, according to the NFC-SEC cryptography part that defines the PID. 9 Protocol Mechanisms The NFC-SEC protocol comprises the following mechanisms. Figure 2 specifies the sequence of the protocol

35、mechanisms. 9.1 Key agreement The peer NFC-SEC entities shall establish a shared secret using ACT_REQ and ACT_RES, according to the NFC-SEC cryptography part that defines the PID. 9.2 Key confirmation The peer NFC-SEC entities shall verify their agreed shared secret using VFY_REQ and VFY_RES, accord

36、ing to the NFC-SEC cryptography part that defines the PID. 9.3 PDU security PDU security is a mechanism of SCH service only. The peer NFC-SEC entities shall protect data exchange using ENC, according to the NFC-SEC cryptography part that defines the PID. This mechanism shall comprise one or more of

37、the following, as specified in the respective NFC-SEC cryptography standard: Sequence Integrity, conforming to the requirements of 12.3; Confidentiality; Data integrity; Origin authentication. 9.4 Termination The peer NFC-SEC entities shall terminate SSE and SCH using TMN. Ecma International 2015 5K

38、ey confirmation9.2PDU security9.3ServiceTermination9.4SCHSSEKey agreement9.1Figure 2 General flow of the NFC-SEC services 10 States and Sub-states The NFC-SEC protocol machine in Annex A specifies the state transitions for the states and sub-states in Table 1. 6 Ecma International 2015Table 1 State

39、State DescriptionIdle NFC-SEC is ready to start a new service upon request from the NFC-SEC User or the peer NFC-SEC Entity. Select NFC-SEC is awaiting an ACT_RES. Established An NFC-SEC Service is requested. The established state contains two sub-states In the Established_Sender sub-state it is awa

40、iting a VFY_RES. In the Established_Recipient Sub-state it is awaiting a VFY_REQ. Confirmed An NFC-SEC service is established. The Confirmed State contains two sub-states, In the Confirmed _SSE sub-state, the shared secret is ready to be retrieved. In the Confirmed _SCH sub-state, secure data exchan

41、ge is ready. Upon transition to the Idle state any shared secret and link key shall be destroyed. 11 NFC-SEC-PDUs Secure data shall be conveyed in the NFC-SEC Payload field of the NFC-SEC-PDU as specified in Figure 3. SEP PID NFC-SEC Payload Figure 3 Structure of NFC-SEC PDU Table 2 specifies the NF

42、C-SEC-PDUs fields for the NFC-SEC commands as mandatory (m), prohibited (p), conditional (c). The conditionality (c) is further specified in 11.3. Table 2 NFC-SEC-PDU Fields NFC-SEC commands SEP PID NFC-SEC Payload ACT_REQ m m c ACT_RES m p c VFY_REQ m p c VFY_RES m p c ENC m p c TMN m p p ERROR m p

43、 c 11.1 Secure Exchange Protocol (SEP) The 1-byte Secure Exchange Protocol (SEP) field is specified as follows: The value of 00b in the SVC indicates that the PDU is part of an SSE exchange. The value of 01b in the SVC indicates that the PDU is part of an SCH exchange. The MSG code identifies the PD

44、U type as specified in Table 3. All other codes are RFU. Ecma International 2015 7 The RFU bits shall be set ZERO. Receivers shall reject PDUs with RFU bits set to ONE. Figure 4 specifies the bit assignment. msb lsb Bit 8 Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 RFU SVC MSG Figure 4 Bit assignment

45、of SEP Table 3 PDU types and their MSG codes Code NFC-SEC command Description 0000 ACT_REQ Activation request to request a new service. 0001 ACT_RES Activation response, to accept a service request. 0010 VFY_REQ Verification request to submit check values for verification of the Senders shared secre

46、t. 0011 VFY_RES Verification response to submit check values for verification of the Recipients shared secret. 0100 ENC Encrypted packet for secure data exchange. 0110 TMN Terminate request to terminate a service. 1111 ERROR Error an Indication of an error. Other RFU 11.2 Protocol Identifier (PID) E

47、ach NFC-SEC cryptography part of this Standard defines a distinct 8-bit PID that is only included in ACT_REQ. 11.3 NFC-SEC Payload The TMN PDU shall contain no NFC-SEC Payload field. The NFC-SEC Payload field shall consist of an integer number of octets. Its use in the ERROR PDU is specified in the

48、Error sub-clause below. Its use, structure and encoding in all other PDUs is specified in NFC-SEC cryptography part that defines the PID. 11.4 Terminate (TMN) The TMN PDU consists of the SEP field only as specified in Table 2. 11.5 Error (ERROR) The ERROR PDU starts with the SEP field and, if it con

49、tains a payload, this payload shall contain a zero-terminated octet string in the NFC-SEC Payload field. 12 Protocol Rules This Clause specifies rules for the NFC-SEC protocol. 8 Ecma International 201512.1 Protocol and Service Errors When a NFC-SEC entity receives a PDU in a state where it is not allowed, it shall respond with an ERROR PDU. When a NFC-SEC entity receives a PDU that it does not support or with invalid contents as specified in NFC-SEC cryptography standard, it shall respond with an ERROR PDU. W