CN113891321A - NFC relay attack judgment and security authentication system and method based on space-time evolution - Google Patents

NFC relay attack judgment and security authentication system and method based on space-time evolution Download PDF

Info

Publication number
CN113891321A
CN113891321A CN202111241213.XA CN202111241213A CN113891321A CN 113891321 A CN113891321 A CN 113891321A CN 202111241213 A CN202111241213 A CN 202111241213A CN 113891321 A CN113891321 A CN 113891321A
Authority
CN
China
Prior art keywords
time
nfc
communication
card
card reader
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111241213.XA
Other languages
Chinese (zh)
Other versions
CN113891321B (en
Inventor
陈晶
何琨
杜瑞颖
罗夕安
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Original Assignee
Wuhan University WHU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University WHU filed Critical Wuhan University WHU
Priority to CN202311666026.5A priority Critical patent/CN117692903A/en
Priority to CN202111241213.XA priority patent/CN113891321B/en
Publication of CN113891321A publication Critical patent/CN113891321A/en
Application granted granted Critical
Publication of CN113891321B publication Critical patent/CN113891321B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/61Time-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/63Location-dependent; Proximity-dependent
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a system and a method for judging and authenticating NFC relay attack based on space-time evolution, which take an access position, communication time and access time as security verification factors comprehensively considered based on a multi-factor space-time perception algorithm and can also provide effective defense against attacks such as tampering verification information, replay attack and the like which may occur in a verification process. Based on the characteristics of diversified application scenes and various types of equipment of NFC, a convenient and easy-to-use software-level defense measure is designed, effective defense can be realized without changing the existing equipment hardware again, and the cost for realizing relay attack defense is reduced. Besides the installation of the APP, other extra work is not needed, the user friendliness and the implementability are greatly improved, and a feasible technical approach is provided for solving the hidden danger of NFC payment.

Description

NFC relay attack judgment and security authentication system and method based on space-time evolution
Technical Field
The invention belongs to the technical Field of wireless Communication information security, and relates to a Near Field Communication (NFC) relay attack judgment and security authentication system and method, in particular to a Near Field Communication relay attack judgment system and method based on space-time evolution, and a security authentication system and method based on space-time evolution and RSA signature encryption.
Background
Near Field Communication (NFC) is an emerging wireless technology that is mainly developed by famous manufacturers such as philips, nokia, sony, etc. The system is integrated and evolved by non-contact Radio Frequency Identification (RFID) and interconnection technology, combines the functions of an induction card reader, an induction card and point-to-point on a single chip, and can perform Identification and data exchange with compatible equipment in short distance, thereby realizing multiple applications such as mobile payment, electronic ticketing, door control, mobile identity Identification, anti-counterfeiting and the like by utilizing a mobile terminal. This technology has evolved from a simple combination of RFID and network technologies under continued research and push to a short-range wireless communication technology applied to many aspects of life, with a rather rapid development.
Two major areas of mobile payment, NFC and two-dimensional code, are occupying the vast majority of the market of mobile payment. Compared with two-dimensional codes, the main advantages of NFC payment are its convenience and security. In the using process, the matching operation can be completed by near-field touch, and the operation time required by payment is extremely short. Meanwhile, the close distance between the two devices required by the NFC payment process ensures stronger safety than the two-dimensional code. It can be said that security and convenience are the root of NFC payment development. With the great popularization of NFC payment technology, NFC security issues are also continuously highlighted. In recent years, a large number of papers have analyzed the feasibility of attacks in NFC payment by using relay attacks, and a hacker in 2017 shows a successful relay attack in a large conference. The security of NFC payments is being greatly compromised by relay attacks.
Common attack patterns for NFC include the following: tampering UID (User Identification), reading sensitive information in the card, relay attack and the like, wherein the destructiveness of the sensitive information in the UID and the reading card is lower under the current security protocol and encryption protection, and the threat to NFC payment is difficult to be caused. The relay attack is the most common problem in the NFC attack form, the attack is extremely harmful, and the existing NFC payment system is difficult to effectively defend the NFC relay attack.
Disclosure of Invention
Aiming at the problems of high harm and difficult defense of relay attack, the invention provides an NFC relay attack judgment and security authentication system and method based on space-time evolution.
The invention provides a Near Field Communication (NFC) relay attack judgment system based on space-time evolution, which comprises a plurality of wireless fidelity (WiFi) base stations and a plurality of mobile cellular network base stations;
obtaining the position information of a real card and a card reader through a positioning mode of combining WiFi positioning with mobile cellular network base station positioning, and judging whether relay attack occurs or not according to the distance between the real card and the card reader;
meanwhile, the communication time is used as an index for correcting the local time of the real card and the card reader, the access time and the communication time are comprehensively considered, and the relay attack discrimination with high feasibility time factors is realized.
The invention provides a method for judging NFC relay attack based on space-time evolution, which comprises the following steps:
step A1: obtaining the position information of a real card and a card reader through a positioning mode of combining WiFi positioning with mobile cellular network base station positioning, and substituting the position distance and the positioning precision into a sigmoid function calculation result P if the position distance is larger than the positioning precision1And storing, otherwise, storing a zero value;
step A2: using the communication time as an index for correcting the local time of the real card and the card reader;
if the difference between the time when the device receives the response and the time when the device sends the packet is larger than the communication time allowable threshold value, the difference between the time when the device receives the response and the time when the device sends the packet is obtainedSubstituting communication time allowable threshold value into sigmoid function calculation result P2And storing, otherwise, storing a zero value; the device comprises a real card and a card reader;
if the difference between the access time of the two pieces of equipment is greater than the access time allowable threshold, substituting the difference between the access time of the two pieces of equipment and the access time allowable threshold into a sigmoid function calculation result P3And storing, otherwise, storing a zero value;
step A3: by P1、P2、P3And calculating the comprehensive probability, if the comprehensive probability is greater than the probability allowable threshold, judging that the attack occurs, otherwise, judging that the attack does not occur.
The invention provides a space-time evolution-based NFC security authentication system, which comprises a server, a Card reader, an HCE (Host-based Card Emulation) simulation Card and a client; the client comprises a system layer, a perception layer, a communication layer, an interface layer and an application layer;
the server is used for issuing a digital certificate to the card reader and the HCE analog card;
the card reader is used for the communication initiator to actively send out a request;
the HCE simulation card is used for responding to the card reader;
the system layer is used for establishing connection between the card reader and the HCE simulation card, and the process is mainly completed by the NFC chip and the Android system;
the sensing layer is used for sensing authentication information and comprises a position information acquisition module and a time information acquisition module which are used for respectively acquiring the position and the moment when the NFC of the connection layer is accessed;
the communication layer comprises a secret key management module and an NFC communication module, the secret key management module generates a public key and a private key and requests a digital certificate from the server, and the communication module completes information interaction with the other end of NFC communication and submits the information to the interface layer;
the interface layer is used for extracting information from the communication layer, completing verification and transmitting a verification result to the application layer;
the application layer is used for various NFC-based APPs mainly based on NFC payment.
The invention provides a space-time evolution based NFC security authentication method which is characterized by comprising the following steps:
step B1: the client system layer detects the connection establishment information and obtains the current time t1(ii) a Then, creating Intent and setting the attribute of the Intent as start; setting an Intent starting mode to ensure that the application is started in a new task stack; then adding time information t1 to Intent; finally capturing the Intent;
step B2: when the client finds the NFC equipment, the sensing layer starts a position acquisition module and a time acquisition module to acquire the position and time of NFC access;
step B3: and the NFC communication module is communicated with the other end of the NFC communication, and in the NFC communication, the secret key management module of the communication layer provides secrecy for the communication module based on an RSA algorithm, so that the NFC safety authentication is completed.
The proposed relay attack defense scheme including limiting NFC use and adding extra authentication causes inconvenience to users, while the NFC distance protocol alone using communication delay as a criterion has insufficient reliability due to small delay and device fluctuation.
Based on the characteristics of short communication distance and short interval between communication time and access time of NFC, the invention collects the time-space information on the smart phone, and discloses a system and a method for judging and authenticating the NFC relay attack based on the time-space evolution.
The method can be easily deployed in the Android equipment of the user by installing the client, can help various NFC equipment to provide effective protection for NFC communication on the basis of not modifying hardware on the premise of not needing user interaction, prevents relay attack in the NFC payment process, guarantees safe driving and protects navigation for NFC safety payment, greatly reduces potential risk of NFC payment, and is safe, effective and high in feasibility.
The invention also protects the two most competitive advantages of NFC payment in the mobile payment field while making effective defense: convenience and safety. The NFC payment application with the system is more competitive in the market and can be conveniently deployed to NFC equipment such as a smart phone. Therefore, the system has wide application and huge market demand and development potential.
Drawings
Fig. 1 is a frame diagram of an NFC security authentication system based on spatio-temporal evolution according to an embodiment of the present invention.
Fig. 2 is a block diagram of key management according to an embodiment of the present invention.
Fig. 3 is a flowchart of NFC communication according to an embodiment of the present invention.
Detailed Description
In order to facilitate the understanding and implementation of the present invention for those of ordinary skill in the art, the present invention is further described in detail with reference to the accompanying drawings and examples, it is to be understood that the embodiments described herein are merely illustrative and explanatory of the present invention and are not restrictive thereof.
The invention designs an NFC safety authentication system and method based on space-time evolution, a protection mechanism with high accuracy and strong defensiveness, and high-efficiency protection is carried out on the NFC payment process of a user. The technology is based on a multi-factor space-time perception algorithm, the access position, the communication time and the access time are comprehensively considered as safety verification factors, and meanwhile, effective defense can be provided for attacks such as tampering verification information, replay attack and the like which may occur in a verification process. Based on the characteristics of diversified application scenes and various types of equipment of NFC, a convenient and easy-to-use software-level defense measure is designed, effective defense can be realized without changing the existing equipment hardware again, and the cost for realizing relay attack defense is reduced. Due to the fact that other extra work is not needed except for installation of the APP, user friendliness and feasibility are greatly improved, and a feasible technical approach is provided for solving hidden danger of NFC payment.
Referring to fig. 1, the NFC security authentication system based on spatio-temporal evolution of the present embodiment includes a server, a card reader, an HCE analog card (a mobile phone with HCE function), and a client. The server issues digital certificates to the card reader and the HCE analog card, the card reader and the HCE analog card are two real participants of NFC communication, and the APP is installed to achieve NFC safety authentication. The card reader actively makes a request as an initiator of the communication, to which the HCE emulation card responds.
The client of the embodiment comprises a system layer, a perception layer, a communication layer, an interface layer and an application layer.
The NFC safety authentication method based on the spatio-temporal evolution is based on a multi-factor spatio-temporal perception algorithm, and the access position, the communication time and the access time are comprehensively considered as safety verification factors. The invention adopts a positioning mode of combining WiFi positioning with mobile cellular network base station positioning to obtain the position information of a real card and a card reader, and judges whether relay attack occurs according to the distance between the real card and the card reader. The method has an obvious effect on defending the relay attack at a longer distance, is limited by positioning accuracy and is not sufficient to be used as a unique standard for judging whether the relay attack occurs, so that the communication time is simultaneously used as an index for correcting the local time of the equipment, the access time and the communication time are comprehensively considered, and the time factor relay attack discrimination with higher feasibility is realized.
A multi-factor space-time perception algorithm is designed by acquiring spatial information and time information, the algorithm comprehensively considers three factors of equipment access time difference, data packet round-trip time difference (namely communication time) and geographic position distance, a threshold is given for each evaluation index, if the current value exceeds the set threshold, attack probability under the index is obtained according to a formula, three probabilities are respectively calculated, and a probability addition formula is used for obtaining the comprehensive attack probability. If the comprehensive attack probability exceeds the set allowable probability, the attack is considered to occur, and the method specifically comprises the following steps:
input values are as follows: distance between positions σ d, access time t of device A1Access time t of device B2Time t of packet transmission by device A3Time t of packet reception by device B4Time t at which device A receives a response5
Step 1: if the position spacing sigma d is larger than the positioning precision d, the position spacing and the positioning are carried outPrecision substitution sigmoid function f (x) 1/(1+ e-x), where x (s-s)m)/smS represents a certain evaluation index value, smA threshold value set for the index is indicated, and the result is calculated
Figure BDA0003319609770000051
Otherwise P1=0;
Step 2: if the difference t between the time when the device receives the response and the time when the device sends the packet5-t3If the time is greater than the communication time allowable threshold t, the difference between the time when the device receives the response and the time when the device sends the packet is t5-t3Substituting the communication time allowable threshold t into the sigmoid function calculation result
Figure BDA0003319609770000052
Otherwise P2=0;
And step 3: if the access time difference between the two devices
Figure BDA0003319609770000053
If the access time is greater than the access time allowed threshold t', the access time difference of the two devices is obtained
Figure BDA0003319609770000054
Substituting the access time allowable threshold t' into the sigmoid function calculation result
Figure BDA0003319609770000055
And save, otherwise P3=0;
And 4, step 4: for the three probabilities calculated in the steps 1, 2 and 3, pairwise the probabilities are mutually incompatible, and the probability addition is used for calculating the relay attack occurrence probability P (P) of the three probabilities1+P2+P3-P1*P2-P2*P3-P1*P3+P1*P2*P3
And 5: if the probability P calculated in the step 4 is larger than the probability allowable threshold value P0If not, judging that the attack occurs.
In summary, when the distance between two attackers is far, whether relay attack occurs can be judged through the distance difference between the two communication parties, and when the distance between the attackers is close, both the communication time factor and the access time factor are combined. The communication time is usually short, the time axis calibration precision is high, and the access time can realize effective judgment on relay attack. When the communication time is prolonged due to bad network conditions of the attacker, the communication time plays a decisive role in judging whether the relay attack occurs. The comprehensive effect of distance and time realizes the effective defense of relay attack under any condition.
In the NFC safety authentication method of the space-time evolution of the multi-factor space-time perception algorithm, a system layer mainly comprises an NFC connection module which is responsible for establishing the connection between a card reader and an HCE simulation card, and because the Android system NFC function does not provide a corresponding interface to inform an application when the HCE mode NFC connection is established, the application realizes the interface. The implementation method comprises the following steps: when starting the HCE function, the Android system calls an onHostEmulantionactive () method in an Android.
Step 1: detecting the connection establishment information and obtaining the current time t1
Step 2: creating Intent and setting the attribute of the Intent as start;
and step 3: setting an Intent starting mode to ensure that the application is started in a new task stack;
and 4, step 4: adding time information t to Intent1
And 5: the Intent is captured and the application starts.
In the sensing layer, the position information and the time information are acquired. Firstly, when a client discovers an NFC device, the client needs to inform the application program, so as to start a location acquisition module and a time acquisition module to acquire a location and time when the NFC device accesses, and the specific method is as follows:
because the application program in the card reader is positioned at the foreground, the foreground issuing system is directly started in the main thread, and the steps are as follows:
inputting: information carrying Tag
Step 1: starting a foreground issuing system in a main thread to monitor all types of NFC tags;
step 2: detecting a current Tag object;
and step 3: the Tag is analyzed through a security authentication module;
and 4, step 4: and acquiring and returning the information in the Tag.
The simulation card informs the application program discovery equipment of an interface realized by using a connection layer, and the specific method is that an intention filter is set for the receiveActivity activity of the application program, and the Action attribute of the filter is set to' NFC.
The sensing layer needs to realize a position acquisition module to acquire current position information at the same time, and the realization method comprises the following steps:
step 1: adding WiFi permission and operator permission;
step 2: creating an AMapLocationclient class object to start position service;
and step 3: setting a monitoring interface and monitoring a startLocation () method;
and 4, step 4: when the monitoring method is called, current position information is obtained;
and 5: and returning the current position information.
The sensing layer simultaneously realizes a time acquisition module, the time acquisition module acquires the time for finding the NFC equipment of the other party, after the receiveActivity is started in the simulation card APP, the intent for starting the APP is analyzed, and a getLongExtra () method is called to acquire a time key value put in the intent, namely the access time; in the card reader APP, when the OnNewIntent method is started, a System currentTimeMillis () method is directly called to obtain the current system time, namely the access time.
The communication layer is the core of the NFC safety authentication mechanism and is divided into a key management module and an NFC communication module.
Referring to fig. 2, the key management module provides security for the communication module based on the RSA algorithm, and specifically includes functions of generating a local public key and private key pair and requesting a digital certificate, which are shown as a flow thereof. Firstly, a user locally generates a public key and a private key; then, the (public key, user ID, random number) is encrypted by using the server public key and then is sent to the server locally; then, the server calculates a Hash code of the public key and the user ID (Identity document), and encrypts the Hash code by using a server private key; and finally, encrypting the Hash code by using a server private key, forming an identity certificate by the encrypted Hash code, the public key and the ID, encrypting the identity certificate and the random number +1 by using the local public key, and returning the identity certificate to the local. The method comprises the following implementation steps:
inputting: a user id;
step 1: setting the type of the key pair generator as RSA;
step 2: setting the RSA key length;
and step 3: generating an RSA key pair;
and 4, step 4: combining the user id and the public key into a byte array info;
and 5: setting a hash code calculation method SHA-256;
step 6: calculating a hash code of the info;
and 7: converting the generated hash code into a hexadecimal 64-bit string hash;
and 8: string uses a server private key to encrypt;
and step 9: the encrypted information and the info form a digital certificate;
step 10: the user saves the digital certificate.
Referring to fig. 3, a complete flow of the communication module is shown in a picture, and the NFC communication module communicates with the other end of the NFC communication module, so as to complete NFC security authentication. The communication process exchanges digital certificates and carries out digital signature to ensure the safety of communication.
Firstly, the card reader sends a SELECT command to the analog card to SELECT a client; the simulation card returns a simulation card identity certificate to the card reader; the card reader receives the identity certificate, decrypts the identity certificate by using the analog card public key, verifies the integrity of the identity certificate, and if the identity certificate is incomplete, attacks occur and communication is interrupted; then, the card reader sends a card reader identity certificate to the simulation card; the simulation card receives the identity certificate, decrypts the identity certificate by using a server public key, verifies the integrity of the identity certificate, and if the identity certificate is incomplete, attacks occur and communication is interrupted; then, the analog card returns security authentication information acquired by the sensing layer to the card reader, wherein the security authentication information comprises position information and time information, and digital signature is carried out by using an analog card private key; the card reader receives the security authentication information returned by the analog card, decrypts the information by using the analog card public key, and if the information is incomplete, attacks occur and communication is interrupted; the card reader submits the identity authentication information to an interface layer security authentication module; the card reader security authentication module returns an authentication result to the communication layer; the card reader encrypts the authentication result by using a card reader secret key and sends the authentication result to the analog card; the simulation card receives the authentication result sent by the card reader, decrypts the authentication result by using the public key of the card reader, attacks if the information is incomplete, and interrupts communication; and finally, submitting the authentication result to a security authentication module, and ending the communication.
The concrete implementation is as follows:
digital signature: because the authentication information is short, the technology does not use the abstract when realizing the digital signature, and directly encrypts the authentication information by using a private key to finish the digital signature.
Data transmission and reception of the card reader: the card reader analyzes Tag in the onNewIntent method, calls IsoDepisoDep to obtain an IsoDep type object, calls a connect method to obtain connection, and then sends a command by using a tranceive method and obtains a return result. The first command sent is a SELECT command, followed by a data command.
Data processing of the analog card: the simulation card HCEService service registers AID which is the same as AID sent by the card reader, when the simulation card receives a SELECT command, HCEService service of the application program is automatically called to process, subsequent data are all sent to a processCommandPud method in the HCEService service, and the method completes processing of the data.
Command format: to distinguish between authentication messages in different phases, an extra header is added to the data portion. The APDU command can be divided into three parts: command header, data. The SELECT command header is '00A 40400', the data command header is '00 CA 0000', the data carried by the SELECT command is AID, the data header is not needed, and the data command uses '0' and '1' as the data header, which respectively indicate that the data part is a card reader identity certificate and a security authentication result.
The invention does not need to carry out other extra work except the installation of the APP (Application), greatly improves the user friendliness and the implementability, and provides a feasible technical approach for solving the hidden danger of NFC payment. The invention realizes the safe and easy-to-use NFC safety authentication technology, greatly enhances the safety of NFC and ensures the high-quality experience of users while protecting the core competitiveness of NFC conveniently and quickly. The defense technology can be easily deployed in the existing NFC equipment, the security problem that NFC payment is limited to be widely applied is solved, the contribution force is created for the safe electronic commerce environment of China, and key technical support is provided for the domestic novel safe payment.
It should be understood that the above description of the preferred embodiments is given for clarity and not for any purpose of limitation, and that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1.一种基于时空演化的NFC中继攻击判定系统,其特征在于:包括若干WiFi基站和若干移动蜂窝网基站;1. An NFC relay attack determination system based on space-time evolution, characterized in that: comprising several WiFi base stations and several mobile cellular network base stations; 通过WiFi定位结合移动蜂窝网基站定位的定位方式获取真实卡和读卡器的位置信息,根据两者的距离远近来判别是否发生了中继攻击;Obtain the location information of the real card and the card reader through the positioning method of WiFi positioning combined with the positioning of the mobile cellular network base station, and determine whether a relay attack has occurred according to the distance between the two; 同时,使用通信时间作为校正真实卡和读卡器本地时间的指标,综合考虑接入时间与通信时间,实现时间因素中继攻击辨别。At the same time, the communication time is used as an index for correcting the local time of the real card and the card reader, and the access time and the communication time are comprehensively considered to realize the time factor relay attack identification. 2.一种基于时空演化的NFC中继攻击判定方法,其特征在于,包括以下步骤:2. a NFC relay attack determination method based on space-time evolution, is characterized in that, comprises the following steps: 步骤A1:通过WiFi定位结合移动蜂窝网基站定位的定位方式获取真实卡和读卡器的位置信息,若位置间距大于定位精度,则将位置间距和定位精度代入sigmoid函数计算结果P1并保存,否则保存零值;Step A1: Obtain the position information of the real card and the card reader through the positioning method of WiFi positioning combined with the positioning of the mobile cellular network base station. If the position spacing is greater than the positioning accuracy, then substitute the position spacing and positioning accuracy into the sigmoid function calculation result P 1 and save it, Otherwise save the zero value; 步骤A2:使用通信时间作为校正真实卡和读卡器本地时间的指标;Step A2: use the communication time as an index for correcting the local time of the real card and the card reader; 若设备接收到响应的时间与设备发包时间之差大于通信时间允许阈值,则将设备接收到响应的时间与设备发包时间之差与通信时间允许阈值代入sigmoid函数计算结果P2并保存,否则保存零值;所述设备包括真实卡和读卡器;If the difference between the time when the device receives the response and the time when the device sends the packet is greater than the allowable threshold of the communication time, the difference between the time when the device receives the response and the time when the device sends the packet and the allowable threshold of the communication time are substituted into the calculation result P 2 of the sigmoid function and saved, otherwise it is saved zero value; the device includes a real card and a card reader; 若双方设备接入时间差大于接入时间允许阈值,则将双方设备接入时间差与接入时间允许阈值代入sigmoid函数计算结果P3并保存,否则保存零值;If the access time difference between the two devices is greater than the access time allowable threshold, then substitute the access time difference between the two devices and the access time allowable threshold into the sigmoid function calculation result P3 and save it, otherwise save the zero value; 步骤A3:通过P1、P2、P3计算综合概率,若综合概率大于概率允许阈值,则判定发生攻击,否则判定未发生攻击。Step A3: Calculate the comprehensive probability through P 1 , P 2 , and P 3 , if the comprehensive probability is greater than the allowable threshold of the probability, it is determined that an attack has occurred, otherwise, it is determined that an attack has not occurred. 3.根据权利要求2所述的基于时空演化的NFC中继攻击判定方法,其特征在于:若设备A和设备B位置间距σd,设备A接入时间t1,设备B接入时间t2,设备A发包时间t3,设备B收包时间t4,设备A接收到响应的时间t53. The NFC relay attack determination method based on space-time evolution according to claim 2, characterized in that: if the position distance σd between device A and device B, device A access time t 1 , device B access time t 2 , The time t 3 when the device A sends the packet, the time t 4 when the device B receives the packet, and the time t 5 when the device A receives the response; 若位置间距σd大于定位精度d,则将位置间距和定位精度代入sigmoid函数f(x)=1/(1+e-x),其中x=(s-sm)/sm,s表示某一评价指标值,sm表示该指标所设的阈值,计算结果
Figure FDA0003319609760000011
否则P1=0;If the position spacing σd is greater than the positioning accuracy d, then substitute the position spacing and positioning accuracy into the sigmoid function f(x)=1/(1+ex), where x=(ss m )/s m , and s represents a certain evaluation index value , s m represents the threshold set by the indicator, the calculation result
Figure FDA0003319609760000011
otherwise P 1 =0; 若设备接收到响应的时间与设备发包时间之差t5-t3大于通信时间允许阈值t,则将设备接收到响应的时间与设备发包时间之差σt=t5-t3与通信时间允许阈值t代入sigmoid函数计算结果
Figure FDA0003319609760000012
否则P2=0;If the difference t 5 -t 3 between the time when the device receives the response and the time when the device sends the packet is greater than the communication time allowable threshold t, then the difference between the time when the device receives the response and the time when the device sends the packet σt=t 5 -t 3 and the communication time allow The threshold value t is substituted into the calculation result of the sigmoid function
Figure FDA0003319609760000012
otherwise P 2 =0; 若双方设备接入时间差
Figure FDA0003319609760000021
大于接入时间允许阈值t′,则将双方设备接入时间差
Figure FDA0003319609760000022
与接入时间允许阈值t′代入sigmoid函数计算结果
Figure FDA0003319609760000023
并保存,否则P3=0;If the access time of the two devices is different
Figure FDA0003319609760000021
is greater than the access time allowable threshold t', the access time difference between the two devices will be
Figure FDA0003319609760000022
Substitute the allowable threshold t' of the access time into the calculation result of the sigmoid function
Figure FDA0003319609760000023
and save, otherwise P 3 =0; 则中继攻击发生概率P=P1+P2+P3-P1*P2-P2*P3-P1*P3+P1*P2*P3Then the probability of occurrence of relay attack P=P 1 +P 2 +P 3 -P 1 *P 2 -P 2 *P 3 -P 1 *P 3 +P 1 *P 2 *P 3 . 4.一种基于时空演化的NFC安全认证系统,其特征在于:包括服务器、读卡器、HCE模拟卡和客户端;所述客户端包括系统层、感知层、通信层、接口层和应用层;4. A NFC security authentication system based on space-time evolution, is characterized in that: comprise server, card reader, HCE simulation card and client; Described client comprises system layer, perception layer, communication layer, interface layer and application layer ; 所述服务器,用于向读卡器与HCE模拟卡发布数字证书;The server is used to issue a digital certificate to the card reader and the HCE analog card; 所述读卡器,用于通信发起者主动发出请求;The card reader is used for the communication initiator to actively issue a request; 所述HCE模拟卡,用于对读卡器进行响应;The HCE simulation card is used to respond to the card reader; 所述系统层,用于建立读卡器与HCE模拟卡的连接;The system layer is used to establish the connection between the card reader and the HCE analog card; 所述感知层,用于感知认证信息,包括位置信息采集模块与时间信息采集模块,分别采集连接层NFC接入时的位置与时刻;The perception layer is used for perceiving authentication information, including a location information collection module and a time information collection module, which respectively collect the location and time of the connection layer NFC access; 所述通信层,包括秘钥管理模块与NFC通信模块,秘钥管理模块生成公钥私钥,向服务器请求数字证书,通信模块完成与NFC通信的另一端的信息交互,并将信息提交给接口层;The communication layer includes a key management module and an NFC communication module. The key management module generates a public key and a private key, requests a digital certificate from the server, and the communication module completes the information exchange with the other end of the NFC communication, and submits the information to the interface Floor; 所述接口层,用于从通信层提取信息,完成验证,将验证结果传递给应用层;The interface layer is used to extract information from the communication layer, complete the verification, and transmit the verification result to the application layer; 所述应用层,用于包括以NFC支付为主的各种基于NFC的APP。The application layer is used to include various NFC-based APPs mainly based on NFC payment. 5.一种基于时空演化的NFC安全认证方法,其特征在于,包括以下步骤:5. a NFC security authentication method based on space-time evolution, is characterized in that, comprises the following steps: 步骤B1:客户端系统层检测到连接建立信息,获取当前时间t1;然后创建Intent,设置其属性为start;设置Intent的启动模式,保证应用启动在新任务栈中;接着向Intent中添加时间信息t1;最后捕获该Intent;Step B1: the client system layer detects the connection establishment information and obtains the current time t 1 ; then creates an Intent, and sets its attribute to start; sets the startup mode of the Intent to ensure that the application starts in the new task stack; then adds the time to the Intent Information t1; finally capture the Intent; 步骤B2:当客户端发现NFC设备时,感知层启动位置采集模块与时间采集模块采集NFC接入时的位置与时间;Step B2: when the client discovers the NFC device, the perception layer starts the location collection module and the time collection module to collect the location and time of the NFC access; 步骤B3:NFC通信模块与NFC通信的另一端进行通信,在NFC通信中,通信层的秘钥管理模块基于RSA算法为通信模块提供保密,从而完成NFC安全认证。Step B3: The NFC communication module communicates with the other end of the NFC communication. In the NFC communication, the key management module of the communication layer provides the communication module with confidentiality based on the RSA algorithm, thereby completing the NFC security authentication. 6.根据权利要求5所述的基于时空演化的NFC安全认证方法,其特征在于:步骤B2中,读卡器根据携带Tag的信息,监测所有类型的NFC Tag;检测到当前Tag对象后,让当前Tag通过安全认证模块进行解析;获取并返回Tag中的信息;6. The NFC security authentication method based on space-time evolution according to claim 5, characterized in that: in step B2, the card reader monitors all types of NFC Tag according to the information carrying the Tag; The current Tag is parsed by the security authentication module; the information in the Tag is obtained and returned; 模拟卡使用连接层实现的接口通知应用程序发现设备。The emulated card uses the interface implemented by the connection layer to notify the application to discover the device. 7.根据权利要求5所述的基于时空演化的NFC安全认证方法,其特征在于:步骤B2中,位置采集模块在发现对方设备时,首先添加WiFi权限与运营商权限;然后创建AMapLocationClient类对象启动位置服务,设置监听接口,监听startLocation()方法;当调用监听方法时,获取当前位置信息,并返回当前位置信息;7. The NFC security authentication method based on space-time evolution according to claim 5, is characterized in that: in step B2, when the location acquisition module discovers the counterpart device, firstly adds WiFi authority and operator authority; Then create AMapLocationClient class object to start Location service, set the monitoring interface, and monitor the startLocation() method; when the monitoring method is called, obtain the current location information and return the current location information; 时间采集模块采集发现对方NFC设备的时间,在模拟卡中,调用getLongExtra()方法获取放入其中的time键键值,即为接入时间;在读卡器中,OnNewIntent方法启动时直接调用System.currentTimeMillis()方法获取当前系统时间,即为接入时间。The time acquisition module collects the time when the other party's NFC device is discovered. In the analog card, the getLongExtra() method is called to obtain the time key value placed in it, which is the access time; in the card reader, the OnNewIntent method directly calls System. The currentTimeMillis() method obtains the current system time, which is the access time. 8.根据权利要求5所述的基于时空演化的NFC安全认证方法,其特征在于:步骤B3中,在NFC通信中,通信层的秘钥管理模块基于RSA算法为通信提供保密,包括本地公钥私钥对生成、请求数字证书;8. The NFC security authentication method based on space-time evolution according to claim 5, it is characterized in that: in step B3, in NFC communication, the key management module of communication layer provides security for communication based on RSA algorithm, including local public key Generate private key pair and request digital certificate; 具体实现过程为:首先用户本地生成公钥与私钥;然后本地将(公钥,用户ID,随机数)使用服务器公钥加密后发送到服务器;接着服务器计算公钥与用户ID的Hash码,使用服务器私钥对Hash码加密;最后Hash码使用服务器私钥加密,加密后的Hash码与公钥、ID组成身份证书,与随机数+1一起使用本地公钥加密并返回到本地。The specific implementation process is as follows: first, the user generates the public key and private key locally; then the local (public key, user ID, random number) is encrypted with the server public key and sent to the server; then the server calculates the hash code of the public key and the user ID, Use the server's private key to encrypt the Hash code; finally, the Hash code is encrypted with the server's private key. The encrypted Hash code, public key and ID form an identity certificate, which is encrypted with the local public key together with the random number + 1 and returned to the local. 9.根据权利要求5-8任意一项所述的基于时空演化的NFC安全认证方法,其特征在于,步骤B3的具体实现包括以下子步骤:9. The NFC security authentication method based on space-time evolution according to any one of claims 5-8, wherein the specific implementation of step B3 comprises the following sub-steps: 步骤B3.1:读卡器向模拟卡发送SELECT命令选中客户端;Step B3.1: The card reader sends the SELECT command to the analog card to select the client; 步骤B3.2:模拟卡向读卡器返回模拟卡身份证书;Step B3.2: The simulated card returns the simulated card identity certificate to the card reader; 步骤B3.3:读卡器接收到身份证书,使用模拟卡公钥解密身份证书,验证身份证书完整性,若不完整,则发生攻击,中断通信;Step B3.3: The card reader receives the identity certificate, decrypts the identity certificate with the public key of the simulated card, and verifies the integrity of the identity certificate. If it is not complete, an attack will occur and communication will be interrupted; 步骤B3.4:读卡器向模拟卡发送读卡器身份证书;Step B3.4: The card reader sends the card reader identity certificate to the analog card; 步骤B3.5:模拟卡收到身份证书,使用服务器公钥解密身份证书,验证身份证书完整性,若不完整,则发生攻击,中断通信;Step B3.5: The simulated card receives the identity certificate, decrypts the identity certificate with the server public key, and verifies the integrity of the identity certificate. If it is not complete, an attack will occur and communication will be interrupted; 步骤B3.6:模拟卡向读卡器返回感知层获取到的安全认证信息,使用模拟卡私钥进行数字签名;所述安全认证信息包含位置信息与时间信息;Step B3.6: the analog card returns the security authentication information obtained by the perception layer to the card reader, and uses the private key of the analog card to perform a digital signature; the security authentication information includes location information and time information; 步骤B3.7:读卡器收到模拟卡返回的安全认证信息,使用模拟卡公钥解密,若信息不完整,则发生攻击,中断通信;Step B3.7: The card reader receives the security authentication information returned by the analog card, and decrypts it with the public key of the analog card. If the information is incomplete, an attack will occur and the communication will be interrupted; 步骤B3.8:读卡器将身份认证信息递交给接口层安全认证模块;Step B3.8: The card reader submits the identity authentication information to the interface layer security authentication module; 步骤B3.9:读卡器安全认证模块将认证结果返回给通信层;Step B3.9: The card reader security authentication module returns the authentication result to the communication layer; 步骤B3.10:读卡器将认证结果使用读卡器秘钥加密,发送给模拟卡;Step B3.10: The card reader encrypts the authentication result with the card reader key and sends it to the analog card; 步骤B3.11:模拟卡收到读卡器发送来的认证结果,使用读卡器公钥解密,若信息不完整,则发生攻击,中断通信;Step B3.11: The simulated card receives the authentication result sent by the card reader, and decrypts it with the public key of the card reader. If the information is incomplete, an attack will occur and the communication will be interrupted; 步骤B3.12:将认证结果提交给安全认证模块,通信结束。Step B3.12: Submit the authentication result to the security authentication module, and the communication ends. 10.根据权利要求5-8任意一项所述的基于时空演化的NFC安全认证方法,其特征在于,接口层从通信层与感知层中提取双方时间与空间信息,完成对中继攻击发生与否的判断,并向系统或应用层发出警报。10. The NFC security authentication method based on space-time evolution according to any one of claims 5-8, wherein the interface layer extracts both time and space information from the communication layer and the perception layer, and completes the detection of the occurrence and No judgment, and alert the system or application layer.
CN202111241213.XA 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution Active CN113891321B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202311666026.5A CN117692903A (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution
CN202111241213.XA CN113891321B (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111241213.XA CN113891321B (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202311666026.5A Division CN117692903A (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution

Publications (2)

Publication Number Publication Date
CN113891321A true CN113891321A (en) 2022-01-04
CN113891321B CN113891321B (en) 2024-01-05

Family

ID=79013899

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202311666026.5A Pending CN117692903A (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution
CN202111241213.XA Active CN113891321B (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202311666026.5A Pending CN117692903A (en) 2021-10-25 2021-10-25 NFC relay attack judgment and safety authentication system and method based on space-time evolution

Country Status (1)

Country Link
CN (2) CN117692903A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150082427A1 (en) * 2013-09-17 2015-03-19 Ologn Technologies Ag Systems, Methods and Apparatuses for Prevention of Relay Attacks
CN104821945A (en) * 2015-04-30 2015-08-05 南京邮电大学 Defensive system of relay attack of near-field mobile payment and realization method thereof
CN107111814A (en) * 2014-12-17 2017-08-29 耐瑞唯信有限公司 Protection passes through the contactless payment performed by mobile device
KR20190076479A (en) * 2017-12-22 2019-07-02 한국과학기술원 Apparatus and method for analyzing feature of impersonation attack using deep running in wireless wi-fi network
US10521984B1 (en) * 2015-03-31 2019-12-31 Amazon Technologies, Inc. Challenge-response badge

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150082427A1 (en) * 2013-09-17 2015-03-19 Ologn Technologies Ag Systems, Methods and Apparatuses for Prevention of Relay Attacks
CN107111814A (en) * 2014-12-17 2017-08-29 耐瑞唯信有限公司 Protection passes through the contactless payment performed by mobile device
US10521984B1 (en) * 2015-03-31 2019-12-31 Amazon Technologies, Inc. Challenge-response badge
CN104821945A (en) * 2015-04-30 2015-08-05 南京邮电大学 Defensive system of relay attack of near-field mobile payment and realization method thereof
KR20190076479A (en) * 2017-12-22 2019-07-02 한국과학기술원 Apparatus and method for analyzing feature of impersonation attack using deep running in wireless wi-fi network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢俊等: "信息技术", pages: 13 - 20 *

Also Published As

Publication number Publication date
CN117692903A (en) 2024-03-12
CN113891321B (en) 2024-01-05

Similar Documents

Publication Publication Date Title
CN104065653B (en) A kind of interactive auth method, device, system and relevant device
US10567428B2 (en) Secure wireless ranging
JP4545197B2 (en) Wireless network system and communication method using the same
US20200067705A1 (en) Methods, apparatuses, and computer program products for frictionless electronic signature management
CN106330442B (en) Identity authentication method, device and system
CN107148019B (en) It is a kind of for connecting the method and apparatus of wireless access point
US9445269B2 (en) Terminal identity verification and service authentication method, system and terminal
JP2012530311A5 (en)
CN110278084B (en) eID establishing method, related device and system
CN103415008A (en) Encryption communication method and encryption communication system
JP2015537476A (en) Fingerprint authentication system and fingerprint authentication method based on NFC
WO2017185450A1 (en) Method and system for authenticating terminal
CN105164689A (en) User authentication
KR20070091266A (en) Bootstrap authentication using distinct random attempts
JP7135569B2 (en) Terminal registration system and terminal registration method
KR20160131572A (en) Method and apparatus for certificating information related payment in a mobile communication system
CN106888097B (en) Identity authentication method based on zero-knowledge proof in HCE mode
CN110278083A (en) ID authentication request treating method and apparatus, equipment replacement method and apparatus
CN112425116B (en) Intelligent door lock wireless communication method, intelligent door lock, gateway and communication equipment
EP2974418A1 (en) Method and apparatus for remote portable wireless device authentication
KR101348079B1 (en) System for digital signing using portable terminal
CN107786978B (en) NFC authentication system based on quantum encryption
CN107437997B (en) Radio frequency communication device and method
KR100901279B1 (en) Chapter 4 Method and system for authenticating network access using challenge messages.
EP2965488B1 (en) Method and system for preparing a communication between a user device and a server

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant