CN113891321A - NFC relay attack judgment and security authentication system and method based on space-time evolution - Google Patents
- Publication number
- CN113891321A (application no. CN202111241213.XA)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04W—WIRELESS COMMUNICATION NETWORKS (H04—ELECTRIC COMMUNICATION TECHNIQUE; H—ELECTRICITY)
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/12—Detection or prevention of fraud
      - H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    - H04W12/60—Context-dependent security
      - H04W12/61—Time-dependent
      - H04W12/63—Location-dependent; Proximity-dependent
  - H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
    - H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Abstract
The invention discloses a system and a method for judging and authenticating NFC relay attacks based on space-time evolution. A multi-factor space-time perception algorithm considers the access position, the communication time and the access time together as security verification factors, and it can also provide effective defense against attacks that may occur during verification, such as tampering with verification information and replay attacks. Because NFC is used in diverse application scenarios and on many types of devices, a convenient and easy-to-use software-level defense is designed: effective defense is achieved without changing existing device hardware, which reduces the cost of defending against relay attacks. Apart from installing the APP, no extra work is needed, so user friendliness and implementability are greatly improved, and a feasible technical approach is provided for resolving the hidden dangers of NFC payment.
Description
Technical Field
The invention belongs to the technical field of wireless communication information security and relates to a Near Field Communication (NFC) relay attack judgment and security authentication system and method, in particular to an NFC relay attack judgment system and method based on space-time evolution, and a security authentication system and method based on space-time evolution and RSA signature encryption.
Background
Near Field Communication (NFC) is an emerging wireless technology developed mainly by well-known manufacturers such as Philips, Nokia and Sony. It evolved from the integration of contactless Radio Frequency Identification (RFID) with interconnection technology, combines the functions of a contactless card reader, a contactless card and point-to-point communication on a single chip, and can identify and exchange data with compatible devices over a short distance, so that a mobile terminal can support applications such as mobile payment, electronic ticketing, access control, mobile identity identification and anti-counterfeiting. Under continued research and promotion, the technology has evolved from a simple combination of RFID and network technologies into a short-range wireless communication technology used in many aspects of daily life, and it is developing rapidly.
Two technologies, NFC and two-dimensional codes, account for the vast majority of the mobile payment market. Compared with two-dimensional codes, the main advantages of NFC payment are convenience and security: pairing is completed by a near-field touch, the operation time needed for a payment is extremely short, and the close distance required between the two devices gives NFC payment stronger security than two-dimensional codes. It can be said that security and convenience are the root of the development of NFC payment. With the wide adoption of NFC payment, NFC security issues have also been continuously exposed. In recent years many papers have analyzed the feasibility of relay attacks against NFC payment, and in 2017 a hacker demonstrated a successful relay attack at a large conference. The security of NFC payment is being seriously compromised by relay attacks.
Common attack patterns against NFC include tampering with the UID (User Identification), reading sensitive information from the card, and relay attacks. Under current security protocols and encryption protection, UID tampering and reading sensitive card data are less destructive and can hardly threaten NFC payment. The relay attack is the most common form of NFC attack, it is extremely harmful, and existing NFC payment systems have difficulty defending against it effectively.
Disclosure of Invention
Aiming at the high harm and difficult defense of relay attacks, the invention provides an NFC relay attack judgment and security authentication system and method based on space-time evolution.
The invention provides a Near Field Communication (NFC) relay attack judgment system based on space-time evolution, which comprises a plurality of wireless fidelity (WiFi) base stations and a plurality of mobile cellular network base stations;
the position information of the real card and the card reader is obtained through a positioning mode that combines WiFi positioning with mobile cellular network base station positioning, and whether a relay attack has occurred is judged from the distance between the real card and the card reader;
at the same time, the communication time is used as an index for correcting the local time of the real card and the card reader; the access time and the communication time are considered together, and a time-factor relay attack discrimination with high feasibility is realized.
The invention provides a method for judging NFC relay attacks based on space-time evolution, which comprises the following steps:
Step A1: obtain the position information of the real card and the card reader through a positioning mode that combines WiFi positioning with mobile cellular network base station positioning; if the position distance is larger than the positioning precision, substitute the position distance and the positioning precision into the sigmoid function and store the result P1; otherwise store a zero value;
Step A2: use the communication time as an index for correcting the local time of the real card and the card reader;
if the difference between the time when the device receives the response and the time when it sent the packet is larger than the communication time allowable threshold, substitute that difference and the communication time allowable threshold into the sigmoid function and store the result P2; otherwise store a zero value; the device here means the real card or the card reader;
if the difference between the access times of the two devices is greater than the access time allowable threshold, substitute that difference and the access time allowable threshold into the sigmoid function and store the result P3; otherwise store a zero value;
Step A3: calculate the comprehensive probability from P1, P2 and P3; if the comprehensive probability is greater than the probability allowable threshold, judge that an attack has occurred, otherwise judge that it has not.
The invention provides a space-time evolution based NFC security authentication system, which comprises a server, a card reader, an HCE (Host-based Card Emulation) emulation card and a client; the client comprises a system layer, a perception layer, a communication layer, an interface layer and an application layer;
the server issues digital certificates to the card reader and the HCE emulation card;
the card reader, as the initiator of the communication, actively sends requests;
the HCE emulation card responds to the card reader;
the system layer establishes the connection between the card reader and the HCE emulation card; this is mainly done by the NFC chip and the Android system;
the perception layer senses the authentication information and comprises a position information acquisition module and a time information acquisition module, which respectively acquire the position and the moment at which the NFC connection of the connection layer is accessed;
the communication layer comprises a key management module and an NFC communication module; the key management module generates a public key and a private key and requests a digital certificate from the server, and the communication module completes the information exchange with the other end of the NFC communication and submits the information to the interface layer;
the interface layer extracts information from the communication layer, completes the verification and passes the verification result to the application layer;
the application layer holds the various NFC-based APPs, mainly NFC payment.
The invention provides a space-time evolution based NFC security authentication method, which comprises the following steps:
Step B1: the client system layer detects the connection establishment information and obtains the current time t1; it then creates an Intent and sets the Intent's attribute to start; it sets the Intent start mode so that the application is started in a new task stack; it then adds the time information t1 to the Intent; finally it captures the Intent;
Step B2: when the client discovers the NFC device, the perception layer starts the position acquisition module and the time acquisition module to acquire the position and time of the NFC access;
Step B3: the NFC communication module communicates with the other end of the NFC communication; during the NFC communication, the key management module of the communication layer provides secrecy to the communication module based on the RSA algorithm, and the NFC security authentication is completed.
Previously proposed relay attack defenses, such as limiting NFC use or adding extra authentication, inconvenience users, while an NFC distance protocol that uses communication delay as its only criterion is insufficiently reliable because the delay is small and fluctuates between devices.
Based on the characteristics of NFC, namely its short communication distance and the short interval between communication time and access time, the invention collects space-time information on the smartphone and discloses a system and method for judging and authenticating NFC relay attacks based on space-time evolution.
The method can be easily deployed on a user's Android device by installing the client. Without modifying hardware and without requiring user interaction, it helps all kinds of NFC devices protect their NFC communication effectively, prevents relay attacks during NFC payment, safeguards secure NFC payment, greatly reduces the potential risk of NFC payment, and is safe, effective and highly feasible.
While providing effective defense, the invention also preserves the two most competitive advantages of NFC payment in the mobile payment field: convenience and security. An NFC payment application equipped with this system is more competitive in the market and can be conveniently deployed on NFC devices such as smartphones. The system therefore has wide application and great market demand and development potential.
Drawings
Fig. 1 is a framework diagram of the NFC security authentication system based on spatio-temporal evolution according to an embodiment of the present invention.
Fig. 2 is a block diagram of key management according to an embodiment of the present invention.
Fig. 3 is a flowchart of NFC communication according to an embodiment of the present invention.
Detailed Description
In order to facilitate the understanding and implementation of the present invention for those of ordinary skill in the art, the present invention is further described in detail with reference to the accompanying drawings and examples, it is to be understood that the embodiments described herein are merely illustrative and explanatory of the present invention and are not restrictive thereof.
The invention designs an NFC security authentication system and method based on space-time evolution: a protection mechanism with high accuracy and strong defensiveness that efficiently protects the user's NFC payment process. The technique is based on a multi-factor space-time perception algorithm that considers the access position, the communication time and the access time together as security verification factors, and it can also provide effective defense against attacks that may occur during verification, such as tampering with verification information and replay attacks. Because NFC is used in diverse scenarios and on many types of devices, a convenient and easy-to-use software-level defense is designed: effective defense is achieved without changing existing device hardware, which reduces the cost of defending against relay attacks. Since no extra work is needed beyond installing the APP, user friendliness and feasibility are greatly improved, and a feasible technical approach is provided for resolving the hidden dangers of NFC payment.
Referring to Fig. 1, the NFC security authentication system based on spatio-temporal evolution of this embodiment includes a server, a card reader, an HCE emulation card (a mobile phone with the HCE function) and a client. The server issues digital certificates to the card reader and the HCE emulation card; the card reader and the HCE emulation card are the two real participants in the NFC communication, and both have the APP installed to implement the NFC security authentication. The card reader, as the initiator of the communication, actively sends a request, to which the HCE emulation card responds.
The client of this embodiment comprises a system layer, a perception layer, a communication layer, an interface layer and an application layer.
The NFC security authentication method based on spatio-temporal evolution relies on a multi-factor spatio-temporal perception algorithm that considers the access position, the communication time and the access time together as security verification factors. The invention obtains the position information of the real card and the card reader by combining WiFi positioning with mobile cellular network base station positioning, and judges whether a relay attack has occurred from the distance between them. This has an obvious effect against relay attacks over longer distances, but it is limited by positioning accuracy and is not sufficient as the sole criterion for deciding whether a relay attack has occurred; therefore the communication time is also used as an index for correcting the local time of the devices, the access time and the communication time are considered together, and a time-factor relay attack discrimination with higher feasibility is realized.
A multi-factor space-time perception algorithm is designed from the acquired spatial and time information. It considers three factors: the access time difference between the devices, the packet round-trip time difference (namely the communication time) and the geographic distance. A threshold is set for each evaluation index; if the current value exceeds its threshold, the attack probability under that index is obtained by a formula. The three probabilities are calculated separately and combined by the probability addition formula into a comprehensive attack probability. If the comprehensive attack probability exceeds the set allowable probability, an attack is considered to have occurred. The specific steps are as follows:
Inputs: the position gap $\sigma d$; the access time $t_1$ of device A; the access time $t_2$ of device B; the time $t_3$ at which device A sends the packet; the time $t_4$ at which device B receives the packet; the time $t_5$ at which device A receives the response.
Step 1: if the position gap $\sigma d$ is larger than the positioning precision $d$, substitute the position gap and the positioning precision into the sigmoid function $f(x) = 1/(1 + e^{-x})$ with $x = (s - s_m)/s_m$, where $s$ is the value of an evaluation index and $s_m$ the threshold set for that index, and store the result $P_1 = f((\sigma d - d)/d)$; otherwise $P_1 = 0$.
Step 2: if the difference $t_5 - t_3$ between the time the device receives the response and the time it sent the packet is greater than the communication time allowable threshold $t$, substitute $t_5 - t_3$ and $t$ into the sigmoid function and store the result $P_2 = f((t_5 - t_3 - t)/t)$; otherwise $P_2 = 0$.
Step 3: if the access time difference $t_2 - t_1$ between the two devices is greater than the access time allowable threshold $t'$, substitute the access time difference and $t'$ into the sigmoid function and store the result $P_3 = f((t_2 - t_1 - t')/t')$; otherwise $P_3 = 0$.
Step 4: the three probabilities from steps 1, 2 and 3 are treated as independent events and combined by the probability addition formula into the relay attack probability $P = P_1 + P_2 + P_3 - P_1 P_2 - P_2 P_3 - P_1 P_3 + P_1 P_2 P_3$.
Step 5: if the probability $P$ from step 4 is greater than the allowable probability threshold $P_0$, an attack is judged to have occurred; otherwise it is judged not to have occurred.
In summary, when the two attackers are far apart, whether a relay attack has occurred can be judged from the distance between the two communicating parties; when the attackers are close together, the communication time factor and the access time factor are combined. The communication time is usually short and the time axis calibration precision is high, so the access time can give an effective judgment on relay attacks. When the communication time is prolonged because of bad network conditions on the attacker's side, the communication time plays the decisive role in judging whether a relay attack has occurred. The combined effect of distance and time realizes effective defense against relay attacks under any condition.
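The five steps above, implemented as an added worked example (not code from the patent): the per-index sigmoid score, the probability-addition combination and the final threshold decision, run over three constructed scenarios. The threshold values, the demo timings and the use of |t2 - t1| for the access-time difference are assumptions.

```python
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Per-index allowable thresholds s_m. Values are chosen by the operator;
    the numbers used in the demo below are constructed, not from the patent."""
    d: float        # positioning precision (metres): threshold for the position gap
    t: float        # communication time threshold (ms) for the round trip t5 - t3
    t_prime: float  # access time threshold (ms) for the access-time difference
    p0: float       # allowable overall attack probability


def sigmoid(x: float) -> float:
    """f(x) = 1 / (1 + e^-x)."""
    return 1.0 / (1.0 + math.exp(-x))


def index_probability(s: float, s_m: float) -> float:
    """Attack probability contributed by one evaluation index.

    Only an index whose value s exceeds its threshold s_m contributes; it is
    then scored as f((s - s_m) / s_m), so a value just over the threshold
    scores about 0.5 and a large excess approaches 1.
    """
    if s > s_m:
        return sigmoid((s - s_m) / s_m)
    return 0.0


def combined_probability(p1: float, p2: float, p3: float) -> float:
    """Probability addition of three independent indicators (step 4):
    P = P1 + P2 + P3 - P1P2 - P2P3 - P1P3 + P1P2P3, i.e. 1 - (1-P1)(1-P2)(1-P3)."""
    return p1 + p2 + p3 - p1 * p2 - p2 * p3 - p1 * p3 + p1 * p2 * p3


def judge_relay(sigma_d: float, t1: float, t2: float, t3: float, t5: float,
                th: Thresholds) -> tuple[float, bool]:
    """Run steps 1-5 and return (P, attack_detected).

    sigma_d : position gap between real card and reader (metres)
    t1, t2  : access times recorded by device A and device B (ms)
    t3, t5  : time A sent the packet and time A received the response (ms)
    t4 (time B received the packet) is listed as an input by the patent but
    does not enter steps 1-5, so it is not a parameter here.
    The access-time difference is taken as |t2 - t1| (assumption: the
    patent does not fix which device is A).
    """
    p1 = index_probability(sigma_d, th.d)             # step 1: distance
    p2 = index_probability(t5 - t3, th.t)             # step 2: communication time
    p3 = index_probability(abs(t2 - t1), th.t_prime)  # step 3: access time
    p = combined_probability(p1, p2, p3)              # step 4
    return p, p > th.p0                               # step 5


# Constructed demo thresholds; illustrative, not the patent's.
DEMO = Thresholds(d=50.0, t=100.0, t_prime=500.0, p0=0.5)


def demo_cases() -> dict[str, tuple[float, bool]]:
    """Three constructed scenarios run through the judgement."""
    return {
        # genuine tap: devices 10 m apart (within precision), 40 ms round trip
        "genuine": judge_relay(10.0, t1=1000.0, t2=1100.0, t3=1200.0, t5=1240.0, th=DEMO),
        # relay over a long distance: the position gap alone decides
        "far_relay": judge_relay(5000.0, t1=1000.0, t2=1100.0, t3=1200.0, t5=1240.0, th=DEMO),
        # relay between nearby devices: position within precision, but the relayed
        # round trip (250 ms) and the access-time gap (600 ms) both exceed thresholds
        "near_relay": judge_relay(20.0, t1=1000.0, t2=1600.0, t3=1200.0, t5=1450.0, th=DEMO),
    }


if __name__ == "__main__":
    for name, (p, attack) in demo_cases().items():
        print(f"{name:11s} P={p:.4f} attack={attack}")
```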
In the space-time evolution NFC security authentication method with the multi-factor space-time perception algorithm, the system layer mainly comprises an NFC connection module responsible for establishing the connection between the card reader and the HCE emulation card. Because the Android NFC function provides no interface that informs the application when an HCE-mode NFC connection is established, the application implements this interface itself. When the HCE function is started, the Android system calls the onHostEmulantionactive() method in an Android. The implementation comprises the following steps:
Step 1: detect the connection establishment information and obtain the current time t1;
Step 2: create an Intent and set its attribute to start;
Step 3: set the Intent start mode so that the application starts in a new task stack;
Step 4: add the time information t1 to the Intent;
Step 5: capture the Intent and start the application.
The perception layer acquires the position information and the time information. First, when the client discovers an NFC device it must notify the application, which starts the position acquisition module and the time acquisition module to acquire the position and time at which the NFC device is accessed. The specific method is as follows:
Because the application in the card reader is in the foreground, the foreground dispatch system is started directly in the main thread, with these steps:
Input: the Tag carrying the information
Step 1: start the foreground dispatch system in the main thread to monitor all types of NFC tags;
Step 2: detect the current Tag object;
Step 3: parse the Tag through the security authentication module;
Step 4: acquire and return the information in the Tag.
The emulation card informs the application of the discovered device through an interface implemented by the connection layer: an intent filter is set for the application's receiveActivity, and the Action attribute of the filter is set to 'NFC.
The perception layer also needs a position acquisition module to acquire the current position information, implemented as follows:
Step 1: add the WiFi permission and the operator (cellular) permission;
Step 2: create an AMapLocationClient object to start the location service;
Step 3: set the listener interface and call the startLocation() method;
Step 4: when the listener method is called back, obtain the current position information;
Step 5: return the current position information.
The perception layer also implements a time acquisition module, which obtains the time at which the other party's NFC device was discovered. In the emulation card APP, after the receiveActivity is started, the Intent that started the APP is parsed and getLongExtra() is called to read the time value put into the Intent, which is the access time; in the card reader APP, when onNewIntent() runs, System.currentTimeMillis() is called directly to obtain the current system time, which is the access time.
The communication layer is the core of the NFC security authentication mechanism and is divided into a key management module and an NFC communication module.
Referring to Fig. 2, the key management module provides security for the communication module based on the RSA algorithm; it specifically includes generating the local public/private key pair and requesting a digital certificate, whose flow is shown in the figure. First, the user generates a public key and a private key locally; then the (public key, user ID, random number) tuple is encrypted with the server public key and sent from the local device to the server; the server computes a hash of the public key and the user ID (Identity Document) and encrypts the hash with the server private key; finally, the encrypted hash, the public key and the ID form an identity certificate, which together with random number + 1 is encrypted with the local public key and returned to the local device. The implementation steps are:
Input: a user id;
Step 1: set the type of the key pair generator to RSA;
Step 2: set the RSA key length;
Step 3: generate an RSA key pair;
Step 4: combine the user id and the public key into a byte array info;
Step 5: set the hash algorithm to SHA-256;
Step 6: compute the hash of info;
Step 7: convert the generated hash into a 64-character hexadecimal string hash;
Step 8: encrypt the string with the server private key;
Step 9: the encrypted information and info form the digital certificate;
Step 10: the user saves the digital certificate.
Referring to Fig. 3, which shows the complete flow of the communication module, the NFC communication module communicates with the other end of the NFC communication to complete the NFC security authentication. The communication exchanges digital certificates and applies digital signatures to secure the communication.
First, the card reader sends a SELECT command to the emulation card to select the client; the emulation card returns its identity certificate to the card reader; the card reader receives the identity certificate, decrypts it with the emulation card public key and verifies its integrity, and if the certificate is not intact an attack has occurred and the communication is interrupted; the card reader then sends its own identity certificate to the emulation card; the emulation card receives it, decrypts it with the server public key and verifies its integrity, and if the certificate is not intact an attack has occurred and the communication is interrupted; the emulation card then returns to the card reader the security authentication information acquired by the perception layer, consisting of position information and time information, digitally signed with the emulation card private key; the card reader receives the security authentication information, decrypts it with the emulation card public key, and if the information is not intact an attack has occurred and the communication is interrupted; the card reader submits the identity authentication information to the security authentication module of the interface layer; the card reader's security authentication module returns the authentication result to the communication layer; the card reader encrypts the authentication result with the card reader key and sends it to the emulation card; the emulation card receives the authentication result, decrypts it with the card reader public key, and if the information is not intact an attack has occurred and the communication is interrupted; finally, the authentication result is submitted to the security authentication module and the communication ends.
The concrete implementation is as follows:
Digital signature: because the authentication information is short, this technique does not use a digest when implementing the digital signature; the authentication information is encrypted directly with the private key to form the signature.
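The certificate issuance steps and the direct-private-key signature above, as an added example that is not the patent's code: the server issues (SHA-256(id||pubkey) encrypted with its private key, info), a peer verifies it and detects a tampered copy, and the emulation card signs its position/time record without a digest as the text describes. Textbook RSA over fixed Mersenne primes and the sample record are constructed assumptions; a production deployment would use a padded signature scheme such as RSA-PSS rather than raw RSA, which the patent text does not address.

```python
import hashlib
import json

# Constructed toy RSA parameters (Mersenne primes), NOT keys from the patent.
# The moduli (648 and 714 bits) are large enough to hold a SHA-256 digest or a
# short authentication record as a single RSA block, which is all the patent's
# unpadded "encrypt directly with the private key" signature needs.
SERVER_PRIMES = ((1 << 521) - 1, (1 << 127) - 1)
CARD_PRIMES = ((1 << 607) - 1, (1 << 107) - 1)
E = 65537


def keygen(primes):
    """Steps 1-3: RSA key pair as public (n, e) and private (n, d)."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def pubkey_bytes(pub) -> bytes:
    """Serialise a public key so it can be concatenated with the user id."""
    n, e = pub
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(3, "big")


def issue_certificate(user_id: str, user_pub, server_priv) -> dict:
    """Steps 4-9 on the server: info = id || public key, SHA-256 of info as a
    64-character hex string, that value encrypted with the server private key;
    the certificate is (encrypted hash, info)."""
    info = user_id.encode() + pubkey_bytes(user_pub)
    hex_hash = hashlib.sha256(info).hexdigest()      # 64 hex characters
    n, d = server_priv
    return {"info": info, "sig": pow(int(hex_hash, 16), d, n)}


def verify_certificate(cert: dict, server_pub) -> bool:
    """Peer-side integrity check: decrypt with the server public key and compare
    with a freshly computed hash of info. Any change to id or key fails."""
    n, e = server_pub
    expected = int(hashlib.sha256(cert["info"]).hexdigest(), 16)
    return pow(cert["sig"], e, n) == expected


def _encode(auth_info: dict) -> int:
    """Canonical JSON of the position/time record as one big integer."""
    return int.from_bytes(json.dumps(auth_info, sort_keys=True).encode(), "big")


def sign_auth_info(auth_info: dict, priv) -> int:
    """The patent's signature for the short authentication record: no digest,
    the record itself is encrypted with the signer's private key."""
    n, d = priv
    m = _encode(auth_info)
    if m >= n:
        raise ValueError("record too long for a single RSA block")
    return pow(m, d, n)


def verify_auth_info(sig: int, auth_info: dict, pub) -> bool:
    """Reader side: decrypt with the card's public key and compare with the
    position/time record that was received alongside the signature."""
    n, e = pub
    return pow(sig, e, n) == _encode(auth_info)


def demo() -> dict:
    """Constructed run of the flow: the server issues the card's certificate, the
    reader verifies it, the card signs its sensed position/time record."""
    server_pub, server_priv = keygen(SERVER_PRIMES)
    card_pub, card_priv = keygen(CARD_PRIMES)
    cert = issue_certificate("card-0001", card_pub, server_priv)
    # a tampered copy: a different user id spliced in front of the same key
    forged = {"info": b"card-9999" + cert["info"][9:], "sig": cert["sig"]}
    auth_info = {"lat": 30.5283, "lon": 114.3544, "t1": 1698300000123}
    sig = sign_auth_info(auth_info, card_priv)
    replayed = dict(auth_info, t1=1698300005000)   # same record, altered time
    return {
        "cert_ok": verify_certificate(cert, server_pub),
        "forged_cert_ok": verify_certificate(forged, server_pub),
        "auth_ok": verify_auth_info(sig, auth_info, card_pub),
        "altered_auth_ok": verify_auth_info(sig, replayed, card_pub),
    }


if __name__ == "__main__":
    print(demo())
```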
Data transmission and reception on the card reader: the card reader parses the Tag in onNewIntent(), calls IsoDep.get(tag) to obtain an IsoDep object, calls connect() to establish the connection, and then sends commands with transceive() and obtains the responses. The first command sent is the SELECT command, followed by data commands.
Data processing on the emulation card: the emulation card's HCEService registers the same AID that the card reader sends; when the emulation card receives the SELECT command, the application's HCEService is invoked automatically to handle it, and all subsequent data is delivered to the processCommandApdu() method of the HCEService, which completes the processing of the data.
Command format: to distinguish the authentication messages of the different phases, an extra header is added to the data part. The APDU command is divided into three parts: command header, data header and data. The SELECT command header is '00A40400' and the data command header is '00CA0000'. The data carried by the SELECT command is the AID and needs no data header; a data command uses '0' or '1' as its data header, indicating respectively that the data part is a card reader identity certificate or a security authentication result.
Apart from installing the APP (Application), the invention needs no extra work; it greatly improves user friendliness and implementability and provides a feasible technical approach for resolving the hidden dangers of NFC payment. The invention realizes a secure and easy-to-use NFC security authentication technique that greatly enhances NFC security and ensures a high-quality user experience while protecting the core competitiveness of NFC, its convenience and speed. The defense can be easily deployed on existing NFC devices, addresses the security problem that limits the wide application of NFC payment, contributes to a secure e-commerce environment in China, and provides key technical support for new secure payment methods in the country.
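The command layout just described, as an added builder and parser (not the patent's code) for the SELECT and data commands with their '00A40400'/'00CA0000' headers and '0'/'1' data headers. The AID value is constructed, and the standard APDU Lc length byte is left out to match the layout exactly as the text gives it.

```python
SELECT_HEADER = bytes.fromhex("00A40400")
DATA_HEADER = bytes.fromhex("00CA0000")
# one-byte data header placed in front of the data part of a data command
DATA_KINDS = {b"0": "reader_certificate", b"1": "auth_result"}
KIND_BYTES = {v: k for k, v in DATA_KINDS.items()}

# Constructed example AID; the patent does not give its AID value.
DEMO_AID = bytes.fromhex("F0010203040506")


def build_select(aid: bytes) -> bytes:
    """SELECT command: header '00A40400' followed directly by the AID (no data header)."""
    return SELECT_HEADER + aid


def build_data(kind: str, payload: bytes) -> bytes:
    """Data command: header '00CA0000', then '0' or '1' as data header, then the data."""
    return DATA_HEADER + KIND_BYTES[kind] + payload


def parse_command(apdu: bytes) -> dict:
    """Split a received command the way the HCEService's processCommandApdu would:
    4-byte command header first, then the data header for data commands."""
    header, body = apdu[:4], apdu[4:]
    if header == SELECT_HEADER:
        return {"type": "SELECT", "aid": body}
    if header == DATA_HEADER:
        kind = DATA_KINDS.get(body[:1])
        if kind is None:
            raise ValueError(f"unknown data header {body[:1]!r}")
        return {"type": "DATA", "kind": kind, "payload": body[1:]}
    raise ValueError(f"unknown command header {header.hex()}")


def handle_select(apdu: bytes, registered_aid: bytes) -> bool:
    """True if the SELECT names the AID this emulation card registered."""
    cmd = parse_command(apdu)
    return cmd["type"] == "SELECT" and cmd["aid"] == registered_aid
```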
It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. An NFC relay attack decision system based on space-time evolution is characterized in that: the system comprises a plurality of WiFi base stations and a plurality of mobile cellular network base stations;
obtaining the position information of a real card and a card reader through a positioning mode of combining WiFi positioning with mobile cellular network base station positioning, and judging whether relay attack occurs or not according to the distance between the real card and the card reader;
meanwhile, the communication time is used as an index for correcting the local time of the real card and the card reader, the access time and the communication time are comprehensively considered, and time factor relay attack discrimination is realized.
2. An NFC relay attack judgment method based on space-time evolution is characterized by comprising the following steps:
step A1: obtaining the position information of the real card and the card reader through a positioning mode combining WiFi positioning with mobile cellular network base station positioning; if the position distance is larger than the positioning precision, substituting the position distance and the positioning precision into the sigmoid function, calculating the result P1 and storing it, otherwise storing a zero value;
step A2: using the communication time as an index for correcting the local time of the real card and the card reader;
if the difference between the time when the device receives the response and the time when it sent the packet is larger than the communication time allowable threshold, substituting that difference and the communication time allowable threshold into the sigmoid function, calculating the result P2 and storing it, otherwise storing a zero value; the device comprises the real card and the card reader;
if the difference between the access times of the two devices is greater than the access time allowable threshold, substituting that difference and the access time allowable threshold into the sigmoid function, calculating the result P3 and storing it, otherwise storing a zero value;
step A3: calculating the comprehensive probability from P1, P2 and P3; if the comprehensive probability is greater than the probability allowable threshold, judging that an attack has occurred, otherwise judging that no attack has occurred.
3. The NFC relay attack judgment method based on space-time evolution according to claim 2, characterized in that: let the position distance between device A and device B be σd, the access time of device A be t1, the access time of device B be t2, the time at which device A sends the packet be t3, the time at which device B receives the packet be t4, and the time at which device A receives the response be t5;
if the position distance σd is greater than the positioning accuracy d, the position distance and the positioning accuracy are substituted into the sigmoid function f(x) = 1/(1 + e^(−x)), where x = (s − s_m)/s_m, s denotes the value of a certain evaluation index and s_m denotes the threshold set for that index; the result P1 is calculated and stored, otherwise P1 = 0;
if the difference t5 − t3 between the time when the device receives the response and the time when it sent the packet is greater than the communication time allowable threshold t, then t5 − t3 and t are substituted into the sigmoid function, and the result P2 is calculated and stored, otherwise P2 = 0;
if the access time difference between the two devices is greater than the access time allowable threshold t', the access time difference and t' are substituted into the sigmoid function, and the result P3 is calculated and stored, otherwise P3 = 0;
the probability that a relay attack has occurred is P = P1 + P2 + P3 − P1·P2 − P2·P3 − P1·P3 + P1·P2·P3, which equals 1 − (1 − P1)(1 − P2)(1 − P3).
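The decision of claims 2 and 3 as executable logic, added here as an example and not code from the patent. The mapping of each index onto (s, s_m) (σd against d, t5 − t3 against t, the access-time difference against t'), the absolute value on the access-time difference, and the sample measurements are assumptions made here; t4 is defined in claim 3 but does not enter the formulas, so it is omitted.

```python
# Added example (not from the patent): relay-attack decision of claims 2 and 3.
import math
from dataclasses import dataclass


def sigmoid(x: float) -> float:
    """f(x) = 1 / (1 + e^(-x)) as defined in claim 3."""
    return 1.0 / (1.0 + math.exp(-x))


def index_probability(s: float, s_m: float) -> float:
    """P_i for one evaluation index: 0 while s stays within its threshold s_m,
    otherwise f((s - s_m) / s_m), i.e. x = (s - s_m) / s_m from claim 3."""
    if s_m <= 0:
        raise ValueError("threshold must be positive")
    return sigmoid((s - s_m) / s_m) if s > s_m else 0.0


def combined_probability(p1: float, p2: float, p3: float) -> float:
    """P = P1 + P2 + P3 - P1*P2 - P2*P3 - P1*P3 + P1*P2*P3 (claim 3)."""
    return p1 + p2 + p3 - p1 * p2 - p2 * p3 - p1 * p3 + p1 * p2 * p3


@dataclass
class Observation:
    """Measurements gathered by the sensing layer; names follow claim 3."""
    sigma_d: float  # position distance between device A and device B (metres)
    d: float        # positioning accuracy of the combined WiFi/cellular fix
    t1: float       # access time of device A (ms)
    t2: float       # access time of device B (ms)
    t3: float       # time at which device A sent the packet (ms)
    t5: float       # time at which device A received the response (ms)


def relay_attack_decision(obs: Observation, t: float, t_prime: float,
                          p_threshold: float) -> tuple[float, bool]:
    """t: communication-time threshold, t_prime: access-time threshold,
    p_threshold: probability threshold of step A3. Returns (P, attack?)."""
    p1 = index_probability(obs.sigma_d, obs.d)        # spatial index
    p2 = index_probability(obs.t5 - obs.t3, t)        # round-trip index
    # Assumption: the access-time difference is taken as an absolute value,
    # since the claim does not fix the order of t1 and t2.
    p3 = index_probability(abs(obs.t1 - obs.t2), t_prime)
    p = combined_probability(p1, p2, p3)
    return p, p > p_threshold


if __name__ == "__main__":
    # Constructed sample: card and reader 300 m apart with 20 m accuracy,
    # a 400 ms round trip against a 100 ms threshold, 1.5 s access-time skew.
    relayed = Observation(sigma_d=300.0, d=20.0, t1=1000.0, t2=2500.0,
                          t3=1100.0, t5=1500.0)
    print(relay_attack_decision(relayed, t=100.0, t_prime=500.0, p_threshold=0.5))
```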
4. An NFC security authentication system based on space-time evolution is characterized in that: the system comprises a server, a card reader, an HCE simulation card and a client; the client comprises a system layer, a perception layer, a communication layer, an interface layer and an application layer;
the server is used for issuing a digital certificate to the card reader and the HCE analog card;
the card reader is used for the communication initiator to actively send out a request;
the HCE simulation card is used for responding to the card reader;
the system layer is used for establishing the connection between the card reader and the HCE simulation card;
the sensing layer is used for sensing authentication information and comprises a position information acquisition module and a time information acquisition module which are used for respectively acquiring the position and the moment when the NFC of the connection layer is accessed;
the communication layer comprises a secret key management module and an NFC communication module, the secret key management module generates a public key and a private key and requests a digital certificate from the server, and the communication module completes information interaction with the other end of NFC communication and submits the information to the interface layer;
the interface layer is used for extracting information from the communication layer, completing verification and transmitting a verification result to the application layer;
the application layer is used for various NFC-based APPs mainly based on NFC payment.
5. An NFC security authentication method based on space-time evolution is characterized by comprising the following steps:
step B1: the client system layer detects the connection-establishment information and obtains the current time t1; then an Intent is created and its attribute is set to start; the Intent launch mode is set so that the application is started in a new task stack; then the time information t1 is added to the Intent; finally the Intent is captured;
step B2: when the client finds the NFC equipment, the sensing layer starts a position acquisition module and a time acquisition module to acquire the position and time of NFC access;
step B3: the NFC communication module communicates with the other end of the NFC communication; during the NFC communication, the secret key management module of the communication layer provides confidentiality for the communication module based on the RSA algorithm, and the NFC security authentication is completed.
6. The spatiotemporal evolution-based NFC security authentication method according to claim 5, characterized in that: in step B2, the card reader monitors all types of NFC tags according to the Tag carrying information; after the current Tag object is detected, the current Tag is analyzed through a security authentication module; obtaining and returning the information in the Tag;
the emulation card notifies the application to discover the device using an interface implemented by the connectivity layer.
7. The spatiotemporal evolution-based NFC security authentication method according to claim 5, characterized in that: in step B2, when the location acquisition module discovers the opposite device, it first requests the WiFi and mobile-operator (cellular network) permissions; then an AMapLocationClient object is created to start the location service, a listener interface is set, and the startLocation() method is called; when the listener callback is invoked, the current position information is obtained and returned;
the time acquisition module acquires the time at which the opposite NFC device was discovered: in the simulation card, the getLongExtra() method is called to read the time key value placed in the Intent by the time acquisition module, namely the access time; in the card reader, when the onNewIntent method starts, System.currentTimeMillis() is called directly to obtain the current system time, namely the access time.
8. The spatiotemporal evolution-based NFC security authentication method according to claim 5, characterized in that: in step B3, in NFC communication, a key management module of a communication layer provides confidentiality for communication based on an RSA algorithm, including generating a local public key and private key pair and requesting a digital certificate;
the specific implementation process is as follows: firstly, a public key and a private key are locally generated by a user; then (public key, user ID, random number) is encrypted by using a server public key and then is sent to the server locally; then the server calculates the Hash code of the public key and the user ID, and encrypts the Hash code by using a server private key; and finally, encrypting the Hash code by using a server private key, forming an identity certificate by the encrypted Hash code, the public key and the ID, encrypting the identity certificate and the random number +1 by using the local public key, and returning the identity certificate to the local.
9. The NFC security authentication method based on spatio-temporal evolution according to any one of claims 5 to 8, characterized in that the specific implementation of step B3 comprises the following sub-steps:
step B3.1: the card reader sends a SELECT command to the analog card to SELECT the client;
step B3.2: the simulation card returns a simulation card identity certificate to the card reader;
step B3.3: the card reader receives the identity certificate, decrypts it with the simulation card public key and verifies its integrity; if the identity certificate is not intact, an attack is judged to have occurred and the communication is interrupted;
step B3.4: the card reader sends a card reader identity certificate to the simulation card;
step B3.5: the simulation card receives the identity certificate, decrypts it with the server public key and verifies its integrity; if the identity certificate is not intact, an attack is judged to have occurred and the communication is interrupted;
step B3.6: the analog card returns the security authentication information acquired by the sensing layer to the card reader, and a digital signature is carried out by using an analog card private key; the safety authentication information comprises position information and time information;
step B3.7: the card reader receives the security authentication information returned by the simulation card and decrypts it with the simulation card public key; if the information is not intact, an attack is judged to have occurred and the communication is interrupted;
step B3.8: the card reader submits the identity authentication information to an interface layer security authentication module;
step B3.9: the card reader security authentication module returns an authentication result to the communication layer;
step B3.10: the card reader encrypts the authentication result by using a card reader secret key and sends the authentication result to the analog card;
step B3.11: the simulation card receives the authentication result sent by the card reader and decrypts it with the card reader public key; if the information is not intact, an attack is judged to have occurred and the communication is interrupted;
step B3.12: and submitting the authentication result to a security authentication module, and finishing communication.
10. The NFC security authentication method based on spatio-temporal evolution according to any one of claims 5 to 8, characterized in that the interface layer extracts both-side time and space information from the communication layer and the sensing layer, completes the judgment on whether the relay attack occurs or not, and sends an alarm to the system or the application layer.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111241213.XA CN113891321B (en) | 2021-10-25 | 2021-10-25 | NFC relay attack judgment and safety authentication system and method based on space-time evolution |
CN202311666026.5A CN117692903A (en) | 2021-10-25 | 2021-10-25 | NFC relay attack judgment and safety authentication system and method based on space-time evolution |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113891321A true CN113891321A (en) | 2022-01-04 |
CN113891321B CN113891321B (en) | 2024-01-05 |
Family
ID=79013899
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |