ECMA-410
2nd Edition / June 2015

NFC-SEC-03: NFC-SEC Entity Authentication and Key Agreement using Asymmetric Cryptography

COPYRIGHT PROTECTED DOCUMENT
© Ecma International 2015

Contents

1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Conventions and notations
6 Acronyms
7 General
8 Fields and PDUs for NEAU-A
8.1 Protocol Identifier (PID)
8.2 NFC-SEC-PDUs
8.3 TTP involving
8.3.1 TTP policy and field
8.3.2 TTP policy negotiation
8.4 Entity identifiers
8.5 Cert field
8.6 Res field
9 Primitives
9.1 General requirements
9.2 Entity authentication
9.2.1 Mechanisms
9.2.2 EC curve
9.2.3 ECDSA
9.2.4 Certificate validation
9.3 Key agreement
9.4 Key confirmation
9.5 Key Derivation Function (KDF)
10 NEAU-A mechanism
10.1 Entity authentication involving a TTP
10.1.1 Protocol overview
10.1.2 Preparation
10.1.3 Sender (A) transformation
10.1.4 Recipient (B) transformation
10.1.5 TTP transformation
10.2 Entity authentication without involving a TTP
10.2.1 Protocol overview
10.2.2 Preparation
10.2.3 Sender (A) transformation
10.2.4 Recipient (B) transformation
10.3 Key derivation
10.3.1 Sender (A)
10.3.2 Recipient (B)
11 Data Authenticated Encryption in SCH
Annex A (normative) UDP Port 5111 and TAEP
A.1 UDP and port 5111
A.1.1 UDP
A.1.2 Port 5111
A.2 TAEP
A.2.1 TAEP packet format
A.2.2 TAEP_REQ and TAEP_RES format
Annex B (informative) ECDSA test vectors
Bibliography

Introduction

The NFC Security series of standards comprise a common services and protocol Standard and NFC-SEC cryptography standards.

This NFC-SEC cryptography Standard specifies an NFC Entity Authentication (NEAU) mechanism that uses the asymmetric cryptography algorithm (NEAU-A) for mutual authentication of two NFC entities.

This Standard addresses entity authentication of two NFC entities possessing certificates and private keys during key agreement and key confirmation for the Shared Secret Service (SSE) and Secure Channel Service (SCH).

This Standard adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA-409) NFC-SEC-02.

This 2nd edition refers to the latest standards.

This Ecma Standard has been adopted by the General Assembly of June 2015.

“COPYRIGHT NOTICE

© 2015 Ecma International

This document may be copied, published and distributed to others, and certain derivative works of it may be prepared, copied, published, and distributed, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are included on all such copies and derivative works. The only derivative works that are permissible under this Copyright License and Disclaimer are:

(i) works which incorporate all or portion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document),
(ii) works which incorporate all or portion of this document for the purpose of incorporating features that provide accessibility,
(iii) translations of this document into languages other than English and into different formats and
(iv) works by making use of this specification in standard conformant products by implementing (e.g. by copy and paste wholly or partly) the functionality therein.

However, the content of this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as required to translate it into languages other than English or into a different format.

The official version of an Ecma International document is the English language version on the Ecma International website. In the event of discrepancies between a translated version and the official version, the official version shall govern.

The limited permissions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.”

NFC-SEC-03: NFC-SEC Entity Authentication and Key Agreement using Asymmetric Cryptography

1 Scope

This Standard specifies the message contents and the cryptographic mechanisms for PID 03.

This Standard specifies key agreement and confirmation mechanisms providing mutual authentication, using asymmetric cryptography, and the transport protocol requirements for the exchange between Sender and TTP.

NOTE This Standard adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA-409) NFC-SEC-02.

2 Conformance

Conformant NFC-SEC entities employ the security mechanisms and the
transport protocol requirements specified in this NFC-SEC cryptography Standard (identified by PID 03) and conform to ISO/IEC 13157-1 (ECMA-385).

Conformant TTP implementations employ the security mechanisms and the transport protocol requirements specified in this NFC-SEC cryptography Standard (identified by PID 03).

The NFC-SEC security services shall be established through the protocol specified in ISO/IEC 13157-1 (ECMA-385) and the mechanisms specified in this Standard.

3 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model

ISO/IEC 9798-1:2010, Information technology - Security techniques - Entity authentication - Part 1: General

ISO/IEC 9798-3:1998, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques

ISO/IEC 9798-3:1998/Amd.1:2010, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques - AMENDMENT 1

ISO/IEC 10118-3:2004, Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions

ISO/IEC 11770-3, Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques

ISO/IEC 13157-1, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 1: NFC-SEC NFCIP-1 security services and protocol (ECMA-385)

ISO/IEC 13157-2, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 2: NFC-SEC cryptography standard using ECDH and AES (ECMA-386)

ISO/IEC 13157-3, Information technology - Telecommunications and information exchange between systems - NFC Security - Part 3: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM (ECMA-409)

ISO/IEC 14443-3, Identification cards - Contactless integrated circuit cards - Proximity cards - Part 3: Initialization and anticollision

ISO/IEC 14888-3:2006, Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms

ISO/IEC 18031:2011, Information technology - Security techniques - Random bit generation

ISO/IEC 18031:2011/Cor.1:2014, Information technology - Security techniques - Random bit generation - Technical Corrigendum 1

ISO/IEC 18092, Information technology - Telecommunications and information exchange between systems - Near Field Communication - Interface and Protocol (NFCIP-1) (ECMA-340)

ITU-T Recommendation X.509, ISO/IEC 9594-8, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks.

4 Terms and definitions

Clause 4 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following terms and definitions apply.

4.1
asymmetric cryptography (asymmetric cryptographic technique)
cryptographic technique that uses two related transformations: a public transformation (defined by the public key) and a private transformation (defined by the private key)
NOTE The two transformations have the property that, given the public transformation, it is computationally infeasible to derive the private transformation.
[ISO/IEC 9798-1:2010]

4.2
certificate
public key information of an entity signed by the certification authority and thereby rendered unforgeable
[ISO/IEC 9798-1:2010]

4.3
digital signature (signature)
data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient
[ISO/IEC 9798-1:2010]

4.4
entity authentication
corroboration that an entity is the one claimed
[ISO/IEC 9798-1:2010]

4.5
n-entity-title
a name that is used to identify unambiguously an n-entity
[ISO/IEC 7498-1:1994]

4.6
trusted third party
security authority or its agent, trusted by other entities with respect to security related activities
[ISO/IEC 9798-1:2010]
NOTE In this Standard, a trusted third party is trusted by a Sender and Recipient for the purposes of certificate validation.

5 Conventions and notations

Clause 5 of ISO/IEC 13157-3 (ECMA-409) applies. For
any message field “F”, F denotes the value placed in the field upon sending, F the value upon receipt.

6 Acronyms

Clause 6 of ISO/IEC 13157-3 (ECMA-409) applies. Additionally, the following acronyms apply.

CertA          Certificate of A
CertB          Certificate of B
CertTTP        Certificate of TTP
CPA            Public Key of Certificate of A
CPB            Public Key of Certificate of B
CPTTP          Public Key of Certificate of TTP
CSA            Private Key corresponding to Certificate of A
CSB            Private Key corresponding to Certificate of B
CSTTP          Private Key corresponding to Certificate of TTP
Dual_EC_DRBG   Dual Elliptic Curve Deterministic Random Bit Generator
ECDSA          Elliptic Curve Digital Signature Algorithm
IP             Internet Protocol
k              Fresh random value in ECDSA
NEAU           NFC Entity Authentication
NEAU-A         NEAU using Asymmetric Cryptography
OCSP           Online Certificate Status Protocol
q              224-bit prime number of a divisor of the curve order in ECDSA
r, s           Digital Signature value of ECDSA
ResA           Validation result of A
ResB           Validation result of B
SHA            Secure Hash Algorithm
SigA           Digital Signature generated by A
SigB           Digital Signature generated by B
SigTTP         Digital Signature generated by TTP
TTP PolicyX    TTP policy of entity X (see 8.3)
TLV            Type-length-value
UDP            User Datagram Protocol
UID            Unique Identifier [ISO/IEC 14443-3]
TAEP           Tri-element Authentication Extensible Protocol
TAEP_REQ       TAEP Request PDU
TAEP_RES       TAEP Response PDU
TTP            Trusted Third Party involved in the authentication

7 General

This Standard specifies the NFC Entity Authentication using Asymmetric cryptography (NEAU-A), using the key agreement and confirmation protocol of ISO/IEC 13157-1 (ECMA-385).

NEAU-A specifies negotiation of authentication either involving a TTP per 6.2 of ISO/IEC 9798-3 or without TTP per 5.2.2 of ISO/IEC 9798-3.

Authentication credentials shall be Public Key Certificates conforming to ISO/IEC 9594-8 / ITU X.509.

NOTE It is outside the scope of this Standard how the certificates and the related private keys are issued and established.

The relationship between NEAU-A and ISO/IEC 13157-1 (ECMA-385) is shown in Figure 1.

Figure 1 - The use of the NFC-SEC protocol by NEAU-A

8 Fields and PDUs for NEAU-A

8.1 Protocol Identifier (PID)

This Standard shall use the one octet protocol identifier PID with value 3.

8.2 NFC-SEC-PDUs

Peer NFC-SEC entities shall establish a shared secret Z using ACT_REQ, ACT_RES, VFY_REQ and VFY_RES according to the NEAU-A mechanism.

8.3 TTP involving

8.3.1 TTP policy and field

TTP PolicyX specifies the entity policy regarding the involvement of the TTP in NEAU-A.

The payload of ACT_REQ and ACT_RES shall contain the 1-octet TTP field encoding the TTP PolicyX as follows:

a) 0: TTP to be involved;
b) 1: TTP not to be involved;
c) 2: No preference;
d) All other values are RFU.

8.3.2 TTP policy negotiation

The NEAU-A mechanism provides a method for TTP policy negotiation. Peer NFC-SEC entities shall negotiate whether or not to involve the TTP, in accordance with their TTP PolicyX.

The Sender (A) shall include a TTP field in the ACT_REQ with the value (0, 1 or 2) according to its TTP PolicyA. If the TTP is unavailable (see 10.1.2) then the values 0 and 2 are prohibited. The value 2 shall be replaced by 1, and if the value is 0 then PDU content valid shall be
set to false.

Upon receiving the ACT_REQ, the Recipient (B) shall perform policy negotiation as specified in Table 1; if the Result is False then the Recipient shall set PDU content valid to false; for the Result of 0 or 1, the Recipient (B) shall set the TTP field in the ACT_RES to the Result and shall continue with step 3 of 10.1.4 or step 4 of 10.2.4 respectively.

The Sender (A) shall validate the TTP field in the ACT_RES:

- If it equals 2, then set PDU content valid to false;
- Otherwise, evaluate Table 1; if the Result is False then set PDU content valid to false; for the Result of 0 or 1 continue with step 6 of 10.1.3 or 10.2.3 respectively.

Table 1 - Results of the TTP policy negotiation

TTP Field   TTP Policy                Result
0           TTP to be involved        0
0           TTP not to be involved    False
0           No preference             0
1           TTP to be involved        False
1           TTP not to be involved    1
1           No preference             1
2           TTP to be involved        0
2           TTP not to be involved    1
2           No preference             0

8.4 Entity identifiers

The n-entity-title of the Sender's and Recipient's n-entity shall be used as IDS and IDR, respectively.

Figure 2 specifies the encoding of IDS and IDR in the TLV format.

Figure 2 - ID format

1. The Type subfield specifies the type of the ID and shall be 1 octet in length. The values are:
a) 1: Value subfield contains Sender (A) identification number, IDS;
b) 2: Value subfield contains Recipient (B) identification number, IDR;
c) All other values are RFU.

2. The 2-octet Length subfield contains the length in number of octets of the Value subfield, in the range of 1 to 65535.

8.5 Cert field

Figure 3 specifies the encoding of CertA, CertB and CertTTP in the TLV format.

Figure 3 - Cert format

1. The Cert Type subfield specifies the type of the certificate and shall be 1 octet in length. The values are:
a) 0: Value subfield contains certificate of Sender (A), CertA;
b) 1: Value subfield contains certificate of Recipient (B), CertB;
c) 2: Value subfield contains certificate of TTP, CertTTP;
d) All other values
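
Added example (not part of ECMA-410): the TTP policy negotiation of 8.3.2 and Table 1, run for both sides in Python. The names PduContentInvalid, evaluate_table_1 and negotiate are hypothetical; rejecting RFU field values, and having A evaluate Table 1 against the value it actually sent, are assumptions.

```python
# Added example: TTP policy negotiation per 8.3.2 and Table 1 (not text from ECMA-410).
INVOLVE, NO_TTP, NO_PREF = 0, 1, 2   # encodings of the TTP field / TTP PolicyX (8.3.1)

# Table 1 as (received TTP field, own TTP policy) -> Result; None stands for "False".
TABLE_1 = {
    (0, INVOLVE): 0,    (0, NO_TTP): None, (0, NO_PREF): 0,
    (1, INVOLVE): None, (1, NO_TTP): 1,    (1, NO_PREF): 1,
    (2, INVOLVE): 0,    (2, NO_TTP): 1,    (2, NO_PREF): 0,
}


class PduContentInvalid(Exception):
    """Hypothetical stand-in for 'set PDU content valid to false'."""


def evaluate_table_1(ttp_field, own_policy):
    # RFU values (anything but 0, 1, 2) are rejected here: an assumption, the
    # page only calls them RFU. Test with "is None": Result 0 is a valid outcome.
    result = TABLE_1.get((ttp_field, own_policy))
    if result is None:
        raise PduContentInvalid(f"field={ttp_field} policy={own_policy}")
    return result


def sender_act_req_field(policy_a, ttp_available):
    """Value A places in the TTP field of ACT_REQ."""
    if ttp_available:
        return policy_a
    if policy_a == INVOLVE:          # 0 is prohibited when the TTP is unavailable
        raise PduContentInvalid("TTP required but unavailable")
    return NO_TTP                    # 1 stays 1, 2 is replaced by 1


def sender_check_act_res(act_res_field, policy_a):
    """A's validation of the TTP field returned in ACT_RES."""
    if act_res_field == NO_PREF:     # B must answer with a decision, never 2
        raise PduContentInvalid("ACT_RES TTP field is 2")
    return evaluate_table_1(act_res_field, policy_a)


def negotiate(policy_a, policy_b, ttp_available=True):
    """Run both sides; returns 0 (TTP involved), 1 (no TTP) or None (invalid)."""
    try:
        sent = sender_act_req_field(policy_a, ttp_available)
        answer = evaluate_table_1(sent, policy_b)    # B's ACT_RES TTP field
        # Assumption: A checks the answer against the value it sent, so an
        # unavailable TTP cannot be negotiated back in by the peer's answer.
        return sender_check_act_res(answer, sent)
    except PduContentInvalid:
        return None
```
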
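
Added example (not part of ECMA-410): a strict encoder and parser for the ID field of 8.4, checking the Type and Length subfields before any Value octet is read. Big-endian order for the 2-octet Length, rejection of RFU Type values and the IdFieldError name are assumptions; the sample identifier is constructed.

```python
# Added example: strict handling of the ID field of 8.4 (Type, Length, Value).
import struct

ID_TYPES = {1: "IDS", 2: "IDR"}      # Type values from 8.4; all others are RFU
# ASSUMPTION: the 2-octet Length is big-endian. The page gives its size and
# range (1 to 65535) but not its octet order.
HEADER = struct.Struct(">BH")


class IdFieldError(ValueError):
    """Hypothetical error type for a malformed ID field."""


def encode_id_field(id_type, value):
    """Build Type | Length | Value for an IDS (1) or IDR (2) identifier."""
    if id_type not in ID_TYPES:
        raise IdFieldError(f"Type {id_type} is RFU")
    if not 1 <= len(value) <= 65535:
        raise IdFieldError("Value must be 1 to 65535 octets")
    return HEADER.pack(id_type, len(value)) + value


def parse_id_field(buf, offset=0):
    """Return (name, value, next_offset); never reads past the end of buf."""
    if len(buf) - offset < HEADER.size:
        raise IdFieldError("truncated header")
    id_type, length = HEADER.unpack_from(buf, offset)
    if id_type not in ID_TYPES:      # assumption: a receiver rejects RFU types
        raise IdFieldError(f"Type {id_type} is RFU")
    if length == 0:                  # the Length range starts at 1
        raise IdFieldError("zero-length Value")
    start = offset + HEADER.size
    end = start + length
    if end > len(buf):               # declared Length exceeds received octets
        raise IdFieldError("Length runs past the end of the payload")
    return ID_TYPES[id_type], bytes(buf[start:end]), end


# Constructed sample: a Sender identifier, encoded and parsed back.
SAMPLE = encode_id_field(1, b"reader-01")
```
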