1、 Reference numberECMA-123:2009Ecma International 2009ECMA-409 2ndEdition / June 2015 NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM COPYRIGHT PROTECTED DOCUMENT Ecma International 2015 Ecma International 2015 iContents Page 1 Scope 1 2 Conformance . 1 3 Normative references 1 4
2、 Terms and definitions . 2 5 Conventions and notations 2 6 Acronyms . 2 7 General . 2 8 Protocol Identifier (PID) 2 9 Primitives . 2 9.1 Key agreement . 3 9.1.1 Curve P- 256 . 3 9.1.2 EC Key Pair Generation Primitive 3 9.1.3 EC Public key validation . 3 9.1.4 ECDH secret value derivation Primitive 3
3、 9.1.5 Random nonces . 3 9.2 Key Derivation Functions . 3 9.2.1 KDF for the SSE . 4 9.2.2 KDF for the SCH 4 9.3 Key Usage 4 9.4 Key Confirmation . 4 9.4.1 Key confirmation tag generation . 5 9.4.2 Key confirmation tag verification 5 9.5 Data Authenticated Encryption 5 9.5.1 Starting Variable (StartV
4、ar) 5 9.5.2 Additional Authenticated Data (AAD) 5 9.5.3 Generation-Encryption 5 9.5.4 Decryption-Verification . 5 9.6 Data Integrity 6 9.7 Message Sequence Integrity 6 10 Data Conversions 6 11 SSE and SCH service invocation . 6 12 SCH data exchange . 6 12.1 Preparation . 6 12.2 Data Exchange . 7 12.
5、2.1 Send 7 12.2.2 Receive . 7 Annex A (normative) Fields sizes . 9 ii Ecma International 2015Introduction The NFC Security series of standards comprise a common services and protocol Standard and NFC-SEC cryptography standards. This NFC-SEC cryptography Standard specifies cryptographic mechanisms th
6、at use the Elliptic Curves Diffie-Hellman (ECDH-256) protocol for key agreement and the AES algorithm in GCM mode to provide data authenticated encryption. This Standard addresses secure communication of two NFC devices that do not share any common secret data (“keys“) before they start communicatin
7、g which each other. It is based on ISO/IEC 13157-2 (ECMA-386) with some adaptations to address actual cryptography standards. This 2ndedition refers to the latest standards and updates the generation method for StartVar in compliance with ISO/IEC 19772:2009/Cor.1:2014 which also complies with NIST S
8、P 800-38B. This Ecma Standard has been adopted by the General Assembly of June 2015. Ecma International 2015 iii“COPYRIGHT NOTICE 2015 Ecma International This document may be copied, published and distributed to others, and certain derivative works of it may be prepared, copied, published, and distr
9、ibuted, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are included on all such copies and derivative works. The only derivative works that are permissible under this Copyright License and Disclaimer are: (i) works which incorporate all or por
10、tion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document), (ii) works which incorporate all or portion of this document for the purpose of incorporating features that provide accessibility, (iii) translations of this document into lan
11、guages other than English and into different formats and (iv) works by making use of this specification in standard conformant products by implementing (e.g. by copy and paste wholly or partly) the functionality therein. However, the content of this document itself may not be modified in any way, in
12、cluding by removing the copyright notice or references to Ecma International, except as required to translate it into languages other than English or into a different format. The official version of an Ecma International document is the English language version on the Ecma International website. In
13、the event of discrepancies between a translated version and the official version, the official version shall govern. The limited permissions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns. This document and the information contained herein is p
14、rovided on an “AS IS“ basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.“
15、iv Ecma International 2015NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM 1 Scope This Standard specifies the message contents and the cryptographic methods for PID 02. This Standard specifies cryptographic mechanisms that use the Elliptic Curves Diffie-Hellman (ECDH) protocol w
16、ith a key length of 256 bits for key agreement and the AES algorithm in GCM mode to provide data authenticated encryption. 2 Conformance Conformant implementations employ the security mechanisms specified in this NFC-SEC cryptography Standard (identified by PID 02) and conform to ISO/IEC 13157-1 (EC
17、MA-385). The NFC-SEC security services shall be established through the protocol specified in ISO/IEC 13157-1 (ECMA-385) and the mechanisms specified in this Standard. 3 Normative references The following referenced documents are indispensable for the application of this document. For dated referenc
18、es, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 9797-1:2011, Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher ISO/IEC 1177
19、0-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques ISO/IEC 13157-1, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 1: NFC-SEC NFCIP-1 security services and protocol (ECMA-385)
20、 ISO/IEC 13157-2, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 2: NFC-SEC cryptography standard using ECDH and AES (ECMA-386) ISO/IEC 18031:2011, Information technology - Security techniques - Random bit generation ISO/IEC 18031:2011/Cor.
21、1:2014, Information technology - Security techniques - Random bit generation - Technical Corrigendum 1 ISO/IEC 18033-3:2010, Information technology - Security techniques - Encryption algorithms - Part 3: Block ciphers ISO/IEC 19772:2009, Information technology - Security techniques - Authenticated e
22、ncryption ISO/IEC 19772:2009/Cor.1:2014, Information technology - Security techniques - Authenticated encryption - Technical Corrigendum 1 Ecma International 2015 1FIPS 186-4, Digital Signature Standard (DSS) 4 Terms and definitions Clause 4 of ISO/IEC 13157-2 (ECMA-386) applies. 5 Conventions and n
23、otations Clause 5 of ISO/IEC 13157-2 (ECMA-386) applies. 6 Acronyms Clause 6 of ISO/IEC 13157-2 (ECMA-386) applies. Additionally, the following acronyms apply. AAD Additional Authenticated Data GCM CMAC Galois Counter Mode Cipher-based MAC 7 General Clause 7 of ISO/IEC 13157-2 (ECMA-386) applies. 8
24、Protocol Identifier (PID) This Standard shall use the one octet protocol identifier PID with value 2. 9 Primitives This Clause specifies cryptographic primitives. Clauses 11 and 12 specify the actual use of these primitives. Table 1 summarizes the features. 2 Ecma International 2015Table 1 Summary o
25、f features Supported servicesSSE (see ISO/IEC 13157-1 (ECMA-385) SCH (see ISO/IEC 13157-1 (ECMA-385) Key agreement ECDH P-256 KDF AES-CMAC-PRF-128 Key confirmation AES-CMAC-96 Data authenticated encryption AES128-GCM Sequence integritySN (see ISO/IEC 13157-1 (ECMA-385) Encryption order Authenticated
26、 encryption (MAC then encrypt) 9.1 Key agreement Clause 9.1 of ISO/IEC 13157-2 (ECMA-386) applies. 9.1.1 Curve P- 256 Curve P-256 as specified in D.1.2.3 Curve P-256 of FIPS 186-4 shall be used. 9.1.2 EC Key Pair Generation Primitive Clause 9.1.2 of ISO/IEC 13157-2 (ECMA-386) applies. 9.1.3 EC Publi
27、c key validation Clause 9.1.3 of ISO/IEC 13157-2 (ECMA-386) applies. 9.1.4 ECDH secret value derivation Primitive Clause 9.1.4 of ISO/IEC 13157-2 (ECMA-386) applies. 9.1.5 Random nonces Each peer NFC-SEC entity shall send fresh random nonces with the EC public key of the entity. The entity shall gua
28、rantee that the nonces it generates have 128 bits of entropy valid for the duration of the protocol. The nonces used in an NFC-SEC transaction shall be cryptographically uncorrelated with the nonces from a previous transaction, see also ISO/IEC 18031. 9.2 Key Derivation Functions Two Key Derivation
29、Functions (KDF) are specified; one for the SSE and one for the SCH. The PRF shall be AES in CMAC mode as specified in MAC algorithm 5 of ISO/IEC 9797-1, used with 128 bits output length, denoted AES-CMAC-PRF-128. For the following sections PRF is: PRF (K, S) = AES-CMAC-PRF-128K (S) Ecma Internationa
30、l 2015 3The random source (nonces and the SharedSecret z obtained from 9.1.4) used for the SCH shall be different from the random source used for the SSE. 9.2.1 KDF for the SSE The KDF for the SSE is: MKSSE= KDF-SSE (NonceS, NonceR, IDS, IDR, SharedSecret) Detail of the KDF-SSE function: Seed = (Non
31、ceS164 | NonceR164) SKEYSEED = PRF (Seed, SharedSecret) MKSSE= PRF (SKEYSEED, Seed | IDS| IDR| (01) 9.2.2 KDF for the SCH The KDF for the SCH is: MKSCH, KSCH = KDF-SCH (NonceS, NonceR, IDS, IDR, SharedSecret) Detail of the KDF-SCH function: Seed = (NonceS164 |NonceR164) SKEYSEED = PRF (Seed, SharedS
32、ecret) MKSCH= PRF (SKEYSEED, Seed | IDS| IDR| (01) KSCH= PRF (SKEYSEED, MKSCH| Seed | IDS| IDR| (02) 9.3 Key Usage Each derived key MKSCH, KSCHand MKSSEshall be used only for the purpose specified in Table 2. The Keys MKSCH, KSCH, and MKSSEshall be different for each NFC-SEC transaction. Table 2 Key
33、 usage Key Key description Key usage MKSCHMaster Key for SCH Key Verification for the Secure Channel Keys KSCHAuthenticated Encryption Key for SCH Authenticated Encryption of data packets sent through SCH MKSSEMaster Key for SSE Master Key for SSE used as Shared secret to be passed to the upper laye
34、r and as Key Verification 9.4 Key Confirmation When a key is derived using one of the KDF processes specified in 9.2 both NFC-SEC entities check that they indeed have the same key. Each entity shall generate a key confirmation tag as specified in 9.4.1 and shall send it to the peer entity. Entities
35、shall verify the key confirmation tag upon reception as specified in 9.4.2. 4 Ecma International 2015This key confirmation mechanism is according to 9, Key Confirmation, of ISO/IEC 11770-3. 9.4.1 Key confirmation tag generation MacTag, the Key confirmation tag, equals MAC-KC (K, MsgID, IDS, IDR, PKS
36、, PKR) and shall be calculated using AES-CMAC-96K(MsgID | IDS| IDR| PKS| PKR), specified in MAC algorithm 5 of ISO/IEC 9797-1 with 96-bit truncated output in msb-first order, with key K. The MsgID field is specified at each invocation of MAC-KC. 9.4.2 Key confirmation tag verification Clause 9.4.2 o
37、f ISO/IEC 13157-2 (ECMA-386) applies. 9.5 Data Authenticated Encryption The underlying block cipher used is AES as specified in 5.1 AES of ISO/IEC 18033-3 with a block size of 128 bits. The data authenticated encryption mode shall be GCM mode as specified in 11 Authenticated encryption mechanism 6 (
38、GCM) of ISO/IEC 19772. 9.5.1 Starting Variable (StartVar) To ensure that Starting Variable StartVar is distinct for every message to be protected, it shall be generated by both entities from the nonces in the following way: StartVal shall be generated using bit 17112 of AES-CMAC-PRF-128MK(MK, KSCH |
39、 NA | NB | (03), with the key MK. 9.5.2 Additional Authenticated Data (AAD) This data is only authenticated, but not encrypted. AAD = SEP | PID | S3 | S2 | S1 The 3-octect value of SNV equals S3 | S2 | S1 where S1 is the LSB and S3 is the MSB. For the NFC-SEC-PDUs where PID is prohibited (see Table
40、2 NFC-SEC-PDU Fields of ISO/IEC 13157-1 (ECMA-385), PID is replaced by one byte (00). 9.5.3 Generation-Encryption The data shall be authenticated and encrypted using the Secure Channel Key KSCHas specified in 11.6 Encryption procedure of ISO/IEC 19772 with t = 96: AuthEncData = GEN-ENCKSCH (AAD, Sta
41、rtVar, Data) 9.5.4 Decryption-Verification The authenticated and encrypted data shall be decrypted and verified using the Secure Channel Key KSCHas specified in 11.7 Decryption procedure of ISO/IEC 19772 with t = 96: DEC-VERKSCH (AAD, StartVar, AuthEncData) shall return Data if valid INVALID otherwi
42、se Ecma International 2015 59.6 Data Integrity The requirements in 9.5.3 and 9.5.4 provide data integrity. 9.7 Message Sequence Integrity Clause 9.7 of ISO/IEC 13157-2 (ECMA-386) applies. 10 Data Conversions Clause 10 of ISO/IEC 13157-2 (ECMA-386) applies. 11 SSE and SCH service invocation Clause 11
43、 of ISO/IEC 13157-2 (ECMA-386) applies. 12 SCH data exchange After invocation of the SCH as specified in 11, the data exchange between two NFC-SEC entities uses the protocol specified in ISO/IEC 13157-1 (ECMA-385) as illustrated in Figure 1 and further specified in this Clause. Figure 1 SCH: protoco
44、l overview 12.1 Preparation NFC-SEC entities A and B shall initialise the Sequence Number variable (SNV) as specified in 9.7. NFC-SEC senders shall initialise the Starting Variable (StartVar) as specified in 9.5.1. 6 Ecma International 201512.2 Data Exchange 12.2.1 Send To send data, the sending NFC
45、-SEC peer entity AA (A or B) shall perform the following steps: 1. Receive UserData from the SendData SDU. 2. If SNV = 224-1, then set the PDU content valid to false in the Protocol Machine, otherwise proceed to the next step. 3. Increment the SNV as specified in 12.3 of ISO/IEC 13157-1 (ECMA-385).
46、4. Compute StartVar as specified in 9.5.1. 5. Compute AAD as specified in 9.5.3. 6. Compute AuthEncData = GEN-ENCKSCH(AAD, StartVar, Data) as specified in 9.5.3. 7. Send S3 | S2 | S1 | AuthEncData as the payload of the ENC PDU. 12.2.2 Receive To receive data, the receiving NFC-SEC peer entity BB (A
47、or B) shall perform the following steps: 1. Receive S3 | S2 | S1 | AuthEncData from the payload of the ENC PDU. 2. If SNV = 224-1, then set the PDU content valid to false in the Protocol Machine, otherwise proceed to the next step. 3. Check the sequence integrity as specified in 12.3 of ISO/IEC 1315
48、7-1 (ECMA-385). 4. Compute StartVar as specified in 9.5.1. 5. Compute AAD as specified in 9.5.3. 6. Compute DEC-VERKSCH(AAD, StartVar, AuthEncData) as specified in 9.5.4. If it is invalid, then set the PDU content valid to false in the Protocol Machine, otherwise proceed to the next step. 7. Set Use
49、rData into the DataAvailable SDU. Ecma International 2015 78 Ecma International 2015 Ecma International 2015 9Annex A (normative) Fields sizes Table A.1 Fields sizes Field SizeNA 128 bits NB 128 bits dA256 bits dB256 bits QA512 bits QB512 bits QA 264 bits QB 264 bits Z 256 bits MK 128 bits K 128 bits MacTagA96 bits MacTagB96 bits StartVar 96 bits SN 24 bits Ecma International 2015
