ECMA 386-2015 NFC-SEC-01 NFC-SEC Cryptography Standard using ECDH and AES (3rd Edition).pdf

1、 Reference numberECMA-123:2009Ecma International 2009ECMA-386 3rdEdition / June 2015 NFC-SEC-01: NFC-SEC Cryptography Standard using ECDH and AES COPYRIGHT PROTECTED DOCUMENT Ecma International 2015 Ecma International 2015 iContents Page 1 Scope 1 2 Conformance . 1 3 Normative references 1 4 Terms a

2、nd definitions . 1 5 Conventions and notations 2 5.1 Concatenation 2 5.2 Hexadecimal numbers 2 6 Acronyms . 2 7 General . 3 8 Protocol Identifier (PID) 3 9 Primitives . 3 9.1 Key agreement . 4 9.1.1 Curve P-192 4 9.1.2 EC Key Pair Generation Primitive 4 9.1.3 EC Public key validation . 4 9.1.4 ECDH

3、secret value derivation Primitive 4 9.1.5 Random nonces . 4 9.2 Key Derivation Functions . 5 9.2.1 KDF for the SSE . 5 9.2.2 KDF for the SCH 5 9.3 Key Usage 5 9.4 Key Confirmation . 6 9.4.1 Key confirmation tag generation . 6 9.4.2 Key confirmation tag verification 6 9.5 Data Encryption . 6 9.5.1 In

4、itial value of counter (IV) . 6 9.5.2 Encryption 6 9.5.3 Decryption 7 9.6 Data Integrity 7 9.6.1 Protect data integrity . 7 9.6.2 Check data integrity 7 9.7 Message Sequence Integrity 7 10 Data Conversions 7 10.1 Integer-to-Octet-String Conversion . 7 10.2 Octet-String-to-Integer Conversion . 7 10.3

5、 Point-to-Octet-String Conversion 8 10.4 Octet-String-to-Point Conversion 8 11 SSE and SCH service invocation . 8 11.1 Pre-requisites . 9 11.2 Key Agreement 10 11.2.1 Sender (A) Transformation . 10 11.2.2 Recipient (B) Transformation . 10 11.3 Key Derivation . 11 11.3.1 Sender (A) Transformation . 1

6、1 11.3.2 Recipient (B) Transformation . 11 11.4 Key Confirmation . 11 11.4.1 Sender (A) Transformation . 11 ii Ecma International 201511.4.2 Recipient (B) Transformation .12 12 SCH data exchange .12 12.1 Preparation .13 12.2 Data Exchange .13 12.2.1 Send 13 12.2.2 Receive .13 Annex A (normative) AES

7、-XCBC-PRF-128 and AES-XCBC-MAC-96 algorithms 15 A.1 AES-XCBC-PRF-128 15 A.2 AES-XCBC-MAC-9615 Annex B (normative) Fields sizes 17 Annex C (informative) Informative references .19 Ecma International 2015 iiiIntroduction The NFC Security series of standards comprise a common services and protocol Stan

8、dard and NFC-SEC cryptography standards. This NFC-SEC cryptography Standard specifies cryptographic mechanisms that use the Elliptic Curves Diffie-Hellman (ECDH) protocol for key agreement and the AES algorithm for data encryption and integrity. This Standard addresses secure communication of two NF

9、C devices that do not share any common secret data (“keys“) before they start communicating which each other. The 3rdedition ensures to use the latest references to cryptographic standards. This Ecma Standard has been adopted by the General Assembly of June 2015. iv Ecma International 2015“COPYRIGHT

10、 NOTICE 2015 Ecma International This document may be copied, published and distributed to others, and certain derivative works of it may be prepared, copied, published, and distributed, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are includ

11、ed on all such copies and derivative works. The only derivative works that are permissible under this Copyright License and Disclaimer are: (i) works which incorporate all or portion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document

12、), (ii) works which incorporate all or portion of this document for the purpose of incorporating features that provide accessibility, (iii) translations of this document into languages other than English and into different formats and (iv) works by making use of this specification in standard confor

13、mant products by implementing (e.g. by copy and paste wholly or partly) the functionality therein. However, the content of this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as required to translate it into lang

14、uages other than English or into a different format. The official version of an Ecma International document is the English language version on the Ecma International website. In the event of discrepancies between a translated version and the official version, the official version shall govern. The l

15、imited permissions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns. This document and the information contained herein is provided on an “AS IS“ basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED

16、 TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.“ NFC-SEC-01: NFC-SEC Cryptography Standard using ECDH and AES 1 Scope This Standard specifies the message contents and the

17、cryptographic methods for PID 01. This Standard specifies cryptographic mechanisms that use the Elliptic Curves Diffie-Hellman (ECDH) protocol for key agreement and the AES algorithm for data encryption and integrity. 2 Conformance Conformant implementations employ the security mechanisms specified

18、in this NFC-SEC cryptography Standard (identified by PID 01) and conform to ECMA-385. The NFC-SEC security services shall be established through the protocol specified in ECMA-385 and the mechanisms specified in this Standard. 3 Normative references The following referenced documents are indispensab

19、le for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ECMA-340, Near Field Communication Interface and Protocol (NFCIP-1) ECMA-385, NFC-SEC: NFCIP-1 Secu

20、rity Services and Protocol ISO/IEC 10116, Information technology - Security techniques - Modes of operation for an n-bit block cipher ISO/IEC 11770-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques ISO/IEC 15946-1, Information technolog

21、y - Security techniques - Cryptographic techniques based on elliptic curves - Part 1: General ISO/IEC 18031, Information technology - Security techniques - Random bit generation ISO/IEC 18033-3, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers IEEE 1363, I

22、EEE Standard Specifications for Public-Key Cryptography FIPS 186-4, Digital Signature Standard (DSS) 4 Terms and definitions For the purposes of this Standard, all terms and definitions from ECMA-385 apply. Ecma International 2015 15 Conventions and notations The conventions and notations of ECMA-38

23、5 as well as the following apply in this document unless otherwise stated. 5.1 Concatenation A | B represents the concatenation of the fields A and B: content of A followed by content of B. 5.2 Hexadecimal numbers (XY) denotes a hexadecimal number XY (i.e. with the Radix of 16) and each pair of char

24、acters is encoded in one octet. 6 Acronyms For the purposes of this Standard, all acronyms from ECMA-385 apply. Additionally, the following acronyms apply. A Sender, as specified in ECMA-385 AES Advanced Encryption Standard B Receiver, as specified in ECMA-385 dASenders private EC key dBRecipients p

25、rivate EC key DataLen Length of the UserData EC Elliptic Curve ECDH Elliptic Curve Diffie-Hellman EncData Encrypted data G The base point on EC IDA Sender nfcid3 IDB Recipient nfcid3 IDR Any Recipient identification number (e.g. IDB) IDS Any Sender identification number (e.g. IDA) IV Initial Value K

26、 Key KDF Key Derivation Function KE Encryption Key KI Integrity Key MAC Message Authentication Code MacA/MacB Integrity protection value of Sender/ Recipient MacTagAKey confirmation tag from Sender MacTagBKey confirmation tag from Recipient MK Master Key NA / NB Nonce generated by Sender/Recipient 2

27、 Ecma International 2015NAA / NBB Nonce generated by the pair of NFC-SEC entities NonceSSenders nonce NonceRRecipients noncePK Public KeyPKRRecipients Public KeyPKSSenders Public Key PRNG Pseudo Random Number Generator QA / QBCompressed EC public key of Sender / Recipient QA/ QB Decompressed EC publ

28、ic key of Sender / Recipient RNG Random Number Generator SharedSecret Shared secret UserData NFC-SEC User data z Unsigned integer representation of the Shared Secret Z Octet string representation of z The acronyms used in Clauses 9 and 10 not listed above are formal parameters. 7 General This Standa

29、rd specifies mechanisms for the Shared Secret Service (SSE) and the Secure Channel Service (SCH) in ECMA-385. To enable secure communication between NFC devices that do not share any common secret data (“keys“) before they start communicating with each other, public key cryptography is used to estab

30、lish a shared secret between these devices, and more specifically the Elliptic Curve Diffie-Hellman key exchange scheme. This shared secret is used to establish the SSE and the SCH. 8 Protocol Identifier (PID) This Standard shall use the one octet protocol identifier PID with value 1. 9 Primitives T

31、his Clause specifies cryptographic primitives. Clauses 11 and 12 specify the actual use of these primitives. Table 1 summarizes the features. Ecma International 2015 3Table 1 Summary of features Supported services SSE (see ECMA-385) SCH (see ECMA-385) Key agreement ECDH P-192 KDF AES-XCBC-PRF-128 Ke

32、y confirmation AES-XCBC-MAC-96 Data encryption AES128-CTR IV Init: AES-XCBC-PRF-128 Data integrity AES-XCBC-MAC-96 Sequence integrity SN (see ECMA-385) Encryption order Encryption (9.5) before MAC calculation (9.6) 9.1 Key agreement Peer NFC-SEC entities shall agree on a shared secret using Key agre

33、ement mechanism 4 from ISO/IEC 11770-3 and the Elliptic Curves Diffie-Hellman primitives from IEEE 1363 as further specified below. 9.1.1 Curve P-192 Curve P-192 as specified in FIPS 186-4 shall be used. 9.1.2 EC Key Pair Generation Primitive The private key d shall be obtained from a random or pseu

34、do-random process conforming to ISO/IEC 18031. a) Obtain the private key, d, from a random or pseudo-random process conforming to ISO/IEC 18031. b) Compute the public key, PK, as a point on EC, PK = dG. 9.1.3 EC Public key validation The EC public key shall be validated as specified in Public Key Va

35、lidation of ISO/IEC 15946-1. 9.1.4 ECDH secret value derivation Primitive The ECDH primitive as specified in 7.2.1 ECSVDP-DH of IEEE 1363 shall output the valid shared secret z and invalid otherwise. 9.1.5 Random nonces Each peer NFC-SEC entity should send fresh random nonces with the EC public key

36、of the entity. The nonces are used to provide more entropy to the keys derived from the shared secret (z), and to facilitate the EC key pair management. The correct generation of these nonces is under the responsibility of the entity. The entity should guarantee that the nonces it generates have 96

37、bits of entropy valid for the duration of the protocol. The nonces used in an NFC-SEC transaction shall be cryptographically uncorrelated with the nonces from a previous transaction. 4 Ecma International 2015See ISO/IEC 18031 for further recommendations on random number generation. 9.2 Key Derivatio

38、n Functions Two Key Derivation Functions (KDF) are specified; one for the SSE and one for the SCH. The KDFs shall use AES in XCBC-PRF-128 mode as specified in A.1. For the following sections KDF is: KDF (K, S) = AES-XCBC-PRF-128K(S) The random source (nonces + shared secret z obtained from 9.1.4) us

39、ed for the SCH shall be different from the random source used for the SSE. 9.2.1 KDF for the SSE The KDF for the SSE is: MKSSE= KDF-SSE (NonceS, NonceR, SharedSecret, IDS, IDR) Detail of the KDF-SSE function: S = (NonceS063 | NonceR063) SKEYSEED = KDF (S, SharedSecret) MKSSE= KDF (SKEYSEED, S | IDS|

40、 IDR| (01) 9.2.2 KDF for the SCH The KDF for the SCH is: MKSCH, KESCH, KISCH = KDF-SCH (NonceS, NonceR, SharedSecret, IDS, IDR) Detail of the KDF-SCH function: S = (NonceS063 |NonceR063) SKEYSEED = KDF(S, SharedSecret) MKSCH= KDF (SKEYSEED, S | IDS| IDR| (01) KESCH= KDF (SKEYSEED, MKSCH| S | IDS| ID

41、R| (02) KISCH= KDF (SKEYSEED, KESCH| S | IDS| IDR| (03) 9.3 Key Usage Each derived key MKSCH, KESCH, KISCHand MKSSEshould be used only for the purpose specified in Table 2. The Keys MKSCH, KESCH, KISCHand MKSSEshall be different for each NFC-SEC transaction. Ecma International 2015 5Table 2 Key usag

42、e Key Key description Key usage MKSCHMaster Key for SCH Key Verification for the Secure Channel Keys KESCHEncryption Key for SCH Encryption of data packets sent through SCH KISCHIntegrity protection Key for SCH Integrity protection of data packets sent through SCH MKSSEMaster Key for SSE Master Key

43、for SSE used as Shared secret to be passed to the upper layer and as Key Verification 9.4 Key Confirmation When a key is derived using one of the KDF processes described in 9.2 both NFC-SEC entities check that they indeed have the same key. Each entity shall generate a key confirmation tag as specif

44、ied in 9.4.1 and shall send it to the peer entity. Entities shall verify the key confirmation tag upon reception as specified in 9.4.2. This key confirmation mechanism is according to 9 Key Confirmation of ISO/IEC 11770-3. The MAC used for Key Confirmation (MacTag) shall be AES in XCBC-MAC-96 mode a

45、s specified in A.2. 9.4.1 Key confirmation tag generation MacTag, the Key confirmation tag, equals MAC-KC (K, MsgID, IDS, IDR, PKS, PKR) and shall be calculated using AES-XCBC-MAC-96K(MsgID | IDS| IDR| PKS| PKR), specified in Annex A.2, with key K. 9.4.2 Key confirmation tag verification status, the

46、 return value of MAC-KC-VER (K, MsgID, IDS, IDR, PKS, PKR, MacTag) is true if MacTag equals MAC-KC (K, MsgID, IDS, IDR, PKS, PKR) 9.5 Data Encryption The data encryption algorithm used is AES as specified in 5.1 AES of ISO/IEC 18033-3. The data encryption mode shall be CTR mode as specified in 10 Co

47、unter (CTR) Mode of ISO/IEC 10116. 9.5.1 Initial value of counter (IV) To avoid having to send the initial value of the counter, it shall be computed by both entities from the nonces. IV, the initial value of the counter, equals MAC-IV (MK, KI, NonceS, NonceR) and shall be calculated using AES-XCBC-

48、PRF-128MK (KI | NonceS | NonceR | (04), specified in Annex A.1, with key MK. 9.5.2 Encryption The data shall be encrypted using the Encryption Key KE as specified in 10.2 Encryption of ISO/IEC 10116: EncData = ENCKE (Data) 6 Ecma International 2015Since the mode is CTR, no padding of the data shall

49、be applied. 9.5.3 Decryption The encrypted data shall be decrypted using the Encryption Key KE as specified in 10.3 Decryption of ISO/IEC 10116: Data = DECKE (EncData) 9.6 Data Integrity Integrity of all data transferred on the SCH shall be preserved through a MAC. The MAC used for Data Integrity shall be AES in XCBC-MAC-96 mode as specified in A.2. 9.6.1 Protect data integrity Mac, the Message Authentication Code, equals MAC-DI (KI, SN, DataLen, EncData) and shall be calculated using AES-XCBC-MAC-96