3onlinesecurity.pdf

An Online Security Protocol for NFC Payment Formally Analyzed by The Scyther Tool

Nour El Madhoun∗, Fouad Guenane†, Guy Pujolle∗

∗Sorbonne Universités, UPMC Univ Paris 06, CNRS, LIP6 UMR 7606, 4 place Jussieu 75005 Paris, France †Devoteam Group, 1 Rue Galvani 91300 Massy, France

Email: {nour.el-madhoun, guy.pujolle}@lip6.fr; [email protected]

Abstract—Nowadays, NFC technology is integrated into bank cards, smartphones and sales point terminals in order to immedi- ately execute payment transactions without any physical contact. EMV is the standard intended to secure both contact (traditional) and contactless-NFC payment operations. In fact, researchers in recent years have detected some security vulnerabilities in this protocol (EMV). Therefore, in this paper, we introduce the risks entailed by the vulnerabilities of EMV and particularly those at stake in the case of NFC payment. Hence, in order to overcome EMV weaknesses, we propose a new security protocol based on an online communication with a trusted entity. The proposal is destined to secure contactless-NFC payment transactions using NFC bank cards that are unconnected client payment devices (without Wi-Fi or 4G). A security verification tool called Scyther is used to analyze the correctness of the proposal.

Index Terms—NFC, EMV, mutual authentication, confidential- ity, NFC bank card, NFC payment terminal.

I. INTRODUCTION

Near Field Communication (NFC) is a wireless proximity

technology operating at 13.56 MHz. It enables interaction

between two electronic devices without contact and within

a short distance (maximum 10 centimeters) [1]. Today, it is

widely used in contactless payment systems: VISA payWave

[2] and MasterCard PayPass [3]. A contactless-NFC payment

operation is executed simply by approaching an NFC bank

card (or an NFC phone) near to an NFC point of sale ter-

minal. In addition, NFC payment applications can be divided

into micro and macro payments. Micro-payment is for small

amounts (maximum limit, 20 Euro in France) with no need to

compose a PIN code or a signature. If the amount is higher

than the authorized limit, the transaction is termed a macro-

payment. In this case, the client must confirm the transaction

by entering a PIN code or a signature [4].

Europay Mastercard Visa (EMV) is the security protocol

implemented for: (1) the classical payment system (inserting

the card into the terminal), (2) the contactless payment system

based on NFC technology. However, researchers have found

security vulnerabilities in this protocol by studying EMV

specifications [5]. Consequently, the work [6] and [7] show

that EMV vulnerabilities represent a big risk in the case of

NFC payment compared to the traditional payment: because

an attacker can, by remotely using NFC radio waves, retrieve

sensitive banking data stored on a victim’s NFC bank card.

In this paper, we propose a new security protocol allowing

to overcome weaknesses that have been emerged in EMV

standard. The proposal is based on an online communication

with an authentication server that is considered a representative

of the confidence and security of issuing and acquiring banks,

and it is connected to them in real time. We suggest that

the proposal is intended primarily to secure contactless-NFC

payment operations using unconnected (without Wi-Fi or 4G)

NFC client payment devices such as NFC bank cards.

Thanks to the asymmetric cryptography, the proposed proto-

col ensures: (1) mutual authentication and (2) non-repudiation

between an NFC bank and an NFC payment terminal, (3) the

integrity of banking data, (4) the validity of the bank card (not

revoked). (5) The encryption of banking data (confidentiality)

is well guaranteed using a symmetric session key calculated

during the authentication steps. We verify formally the cor-

rectness of the proposal by the Scyther tool which provides

formal evidence for security protocols.

This paper is organized as follows. Section II details EMV

protocol and EMV weaknesses whereas section III introduces

the related literature. In section IV, we describe the proposed

security protocol and in section V we discuss some possible

attacks. In section VI, we present Scyther verification results.

The last section provides a brief conclusion.

II. EMV PROTOCOL

EMV Consortium (EMVCo) has initiated EMV as the

international security protocol for contact and contactless-NFC

payment systems. It is a set of security rules for performing a

payment transaction between participants: client’s payment de-

vice, payment terminal, terminal’s acquiring bank and client’s

issuing bank [5].

A. EMV Procedure

To execute a purchase transaction (contact or contactless-

NFC), three EMV security steps are required [8] [9]:

• Card authentication: ensures the payment terminal of the

authenticity of the client’s payment device and integrity

of sensitive banking data. It allows protection against

counterfeit client payment devices.

• Cardholder verification: ensures customer authenticity to

the payment terminal with the verification of a PIN code

or a signature. It allows protection against lost and stolen

client payment devices. This phase is not guaranteed in

the case of NFC micro-payments.

• Transaction authorization: ensures the payment terminal

that the client’s issuing bank authorizes the transaction.

1

In fact, EMV phases can be executed either online or offline

[10] [11]. The mode of execution depends on the connec-

tion availability in payment terminals, for example payment

transactions in a supermarket require an online mode whereas

transactions on an airplane require an offline mode.

• Online mode: first of all requires a connection between

the payment terminal and its acquiring bank, and then

between the latter and the client’s issuing bank. In this

mode, security procedures will be performed by issuing

and acquiring banks.

• Offline mode: means that security procedures will be

made in the payment terminal.

B. EMV weaknesses

In the online mode, the revocation of a client’s payment

device is well checked by the payment terminal thanks to the

connection to banks. However, during an offline transaction,

the payment terminal cannot verify if the client’s payment

device has been revoked. So, a malicious person can use

for example a revoked bank card to perform unauthorized

transactions [12]. This vulnerability will not be processed in

this work. It will be the objective for a future contribution.

Thus, in this paper, we deal with two security vulnerabilities

that have been detected by researchers in the first phase "Card

authentication" of EMV procedure (in both modes) [6] [7]:

• The authenticity of the payment terminal is not ensured

to the client’s payment device.

• The banking data exchanged between the client’s pay-

ment device and the point of sale terminal are not

encrypted and are transferred in clear. In fact, according

to EMV specifications [5], the Primary Account Number

(PAN) is the banking information which must be sent in

clear because it identifies the client’s payment device in

the issuing bank, but we note that the PAN is a sensitive

information and therefore must be protected.

C. Risks

In the case of NFC payment, the communication takes

place in an open environment using NFC radio waves which

represents a major risk, but EMVCo has assumed that within

a maximum reading distance of 10 centimeters, it is difficult

for an attacker to steal private banking data from an NFC bank

card with an unauthenticated NFC reader [5]. The studies [6]

and [7] confirm that the previous assumption is very weak and

show that EMV protocol is not suited to security needs of NFC

payment systems: an attacker who has radio-electronics skills,

is able to use an NFC reader (or an NFC smartphone) equipped

with a special antenna, to remotely steal (from a distance of a

few meters) sensitive banking data from a victim’s NFC bank

card even if the latter is in the bag.

The information that can be retrieved by an attacker are: the

PAN and expiration date. The visual cryptogram (CVV: Card

Verification Value) and the cardholder’s name are not recov-

erable. Hence, the attacker can harm the victim by making

for example fraudulent purchase transactions on the Internet.

Today, there are e-commerce websites that apply the CVV and

other websites do not apply it such as "www.amazon.com",

which leaves a breach for fraudulent transactions (exploitation

of data). As Fig-1 illustrates, we were able to buy sev-

eral items on "www.amazon.com" using banking information:

PAN, expiration date, the good cardholder’s name and without

providing a CVV. In addition, the cardholder’s name is not

verified in many websites where we can add a random name

and confirm transactions. We have also tried to add the same

banking data to "www.amazon.com" but with a random name

and we have succeeded again in buying several items.

Fig. 1. Adding banking data (amazon)

III. RELATED LITERATURE

NFC technology allows to store and manage personal and

monetary data, so it must be able to provide a safe and

secure environment for users. In fact, on the NFC wireless

communication, there are several possible attacks, such as:

data insertion, data modification, eavesdropping, replay at-

tacks, etc. An attacker can insert falsified data during the

NFC communication into the data transmitted, he can also

replace the original data with other information. Therefore,

many research studies have proposed solutions to these attacks:

an approach consists in using a secure communication channel

is introduced in [13] and [14].

For the eavesdropping, an attacker can use a good and

large antenna to intercept data transmitted between two NFC

devices. Hence, the NFC-SEC protocol (NFCIP-1 Security

Services and Protocol) is introduced to enable a symmetric

encryption between NFC devices by exchanging a symmetric

secret key [14]. Thus, Elbagoury et al. [15] have proposed a

solution allowing to prevent eavesdropping by operating the

noisy wireless channel to get a provable key and then distribute

it among participants of the NFC communication. In addition,

a replay attack can be prevented using random numbers

(nonce) [16] or using physical proximity based information

(temperature data) [17].

Recently, the security of contactless-NFC payment systems

has become an interesting topic in scientific research to

provide new security solutions. Urien and Piramuthu [18] have

proposed a framework and new authentication protocols based

on Elliptic Curve Cryptography (ECC) and intended to secure

NFC payment systems using NFC smartphones in a retail store

environment. Thanks to ECC, the proposed protocols allow a

low-complexity (minimal messages, lower storage, etc.) for

NFC smartphone’s resources (memory, space, etc.). However,

when the attacks on bank data can be made in a very simple

and fast way thanks to the NFC radio waves (as presented

2

in the section II-C), the risks are increasing and consequently

they are becoming more dangerous.

Ceipidor et al. [19] have proposed a mutual authentication

protocol between NFC phones and point of sale terminals

allowing to secure NFC payment operations. This protocol

is based on an online communication with an authentication

server that shares symmetric keys with phones and terminals.

It ensures mutual authentication and confidentiality of private

banking data. Therefore, it solves EMV weaknesses but it

lacks ensuring origin non-repudiation, banking data integrity

and the validity of the phone (banking data are not revoked).

In addition, the idea of using a single server that shares secret

symmetric keys with NFC phones and terminals, remains a

little difficult to implement in a real environment.

In our previous work [20], we have proposed a security

protocol that allows to overcome EMV vulnerabilities and is

based on a Cloud infrastructure using asymmetric cryptogra-

phy. It is designed especially for NFC payment transactions

between an NFC payment terminal and an NFC smartphone,

which is a connected object (Wi-Fi or 4G) communicating

through a secure channel with the Cloud. The latter offers

security services for NFC phones. Hence, this protocol enables

a very efficient use of the smartphone’s resources, because its

purpose is to offload the authenticity verification procedure of

the terminal from the NFC phone to the Cloud. It ensures:

mutual authentication and non-repudiation between the NFC

terminal and the NFC smartphone, confidentiality and integrity

of banking data. It lacks ensuring the validity of banking data

that they are not revoked because it is executed in the offline

mode (the payment terminal is not connected to banks).

IV. PROPOSED PROTOCOL

A. Principal

We propose in this study a security protocol that treats EMV

weaknesses founded in the EMV card authentication phase

(see section II-B). Tab-I shows the abbreviations allowing to

simplify future descriptions. The proposal includes three actors

illustrated in Fig-2: Authentication Server (AS), NFC Point

of Sale (POS), NFC Bank Card (C). Each actor represents a

specific role detailed in the next section IV-B. Tab-II details

the security elements we assume each actor has in this work.

We specify several assumptions:

• The proposal is based on an online communication with

an authentication server AS using the asymmetric cryp-

tography (not sharing symmetric keys as [19]) which is

more rapid for authentication purposes compared to the

symmetric cryptography.

• AS is able to execute security functions. The acquiring

banks and the issuing banks trust and rely on this server

for NFC transactions.

• The proposal is mainly destined to secure NFC payment

transactions in the case of using unconnected NFC bank

cards (without Wi-Fi or 4G), that are able to communicate

with other devices only via NFC radio waves.

• The NFC payment terminals and NFC bank cards trust

the server AS.

• We suggest to use an identifier IdC which is different

from PAN (keep PAN secret) to identify an NFC bank

card C in AS and its issuing bank. IdC cannot be used

for purchases on the Internet

• POS can communicate directly with AS, but C can

communicate with AS only through POS.

• AS must register identifiers of all NFC bank cards assum-

ing that the issuing banks have already agreed to this.

TABLE I ABBREVIATIONS

Abbreviation Description

POS NFC Point Of Sale

C NFC Bank Card

AS Authentication Server

CAi Certification Authority (i=1,2,3)

IssBank Card’s Issuing Bank

AcqBank Terminal’s Acquiring Bank

Hash(M) One way hashing function of M = m1,m2..

BankData Banking data stored on the Card

TD Transaction Data generated by POS (Unique)

Certificate(X) Certificate of X

pubKey(X) Public Key of X

secKey(X) Secret Key of X

K(POS,C) Symmetric session Key generated by AS to exchange information between POS and Card

K(AS,POS) Session Key allows to protect information exchange between AS and POS

B. Actors

1) Authentication Server (AS): it is a trusted entity not

only able to authenticate NFC bank cards to NFC payment

terminals, but also to authenticate the latter to NFC bank cards.

It is considered as a representative of confidence and security

of issuing and acquiring banks where it is connected to them

in real time. We assume that this server:

• Is available at any time and from any location.

• Stores a list of trusted certification authorities.

• Contains a security application that allows the verification

of certificates and digital signatures.

2) NFC Payment Terminal (POS): it is used to perform

NFC payment operations in shops for example. It is a con-

nected device and can communicate directly with AS for

security purposes, instead of communicating with its acquiring

bank and then the latter contacts the issuing bank. It connects

to AS through a secure channel TLS (Transport Layer Security)

[21]. At each connection, they (POS and AS) authenticate each

other and exchange a new session key K(AS,POS).

3) NFC Bank Card (C): to make purchases with an NFC

bank card C, the user needs only to approach it to POS. In fact,

C stores the server’s certificate and to communicate (through

the terminal POS) for security purposes with the server (AS),

it uses the server’s public key.

C. Details of the Protocol

This section describes all the steps of exchanged messages

of the proposed protocol illustrated in Fig-2.

3

Fig. 2. The proposed NFC security protocol

1) C Authentication request (POS->C):

• In the first step, POS sends to C in cleartext: transaction

data TD (date, hour, random values, etc.) that is unique for

each transaction and serves to prevent replay attacks, an

authentication request for C RequestC, Certificate(POS),

Certificate(AcqBank) and SignaturePOS.

– SignaturePOS is a signature generated by

secKey(POS) of ’POS, C, TD, RequestC’ message

after its hash.

• Certificate(POS), Certificate(AcqBank) and Signature-

POS allow to authenticate POS, guarantee the integrity

of ’POS, C, TD, RequestC’ message and ensure that

POS cannot deny having sent SignaturePOS in the future

(non-repudiation of origin).

• C does not have an application allowing the verification of

the authenticity of POS, but in the next step, it will send

the received message (1) to AS through POS to execute

an authentication verification procedure for POS.

2) POS Authentication and session requests (C->POS):

• (1) is the received message from POS requesting C au-

thentication and providing evidence authenticating POS:

Certificate(POS), Certificate(AcqBank), SignaturePOS.

• To prevent replay attacks, C generates a random num-

ber RandomC by hashing its identifier IdC and TD:

Hash(IdC,TD). Thus, C sends to AS through POS:

TABLE II WHAT HAS EACH ACTOR

Actor Owns

AS - pubKey(AS)/secKey(AS)

- Certificate(AS) signed by secKey(CA1) of CA1

POS - Certificate(AS)

- pubKey(POS)/secKey(POS)

- Certificate(POS) signed by secKey(AcqBank)

- Certificate(AcqBank) signed by secKey(CA2) of CA2

C - BankData: IdC, PAN, name, expiration date, etc.

- Certificate(AS)

- pubKey(C)/secKey(C)

- Certificate(C) signed by secKey(IssBank)

- Certificate(IssBank) signed by secKey(CA3) of CA3

- An electronic signature of BankData generated by secKey(IssBank): {Hash(BankData)}secKey(IssBank)

– Its identifier IdC in AS in cleartext.

– Information encrypted with pubKey(AS): the received

message (1), RandomC, an authentication request

for POS RequestPOS and a payment session request

4

RequestS. The latter asks AS to generate a session

key to begin a payment transaction. It also sends

Certificate(C), Certificate(IssBank) and SignatureC

encrypted with pubKey(AS).

– SignatureC is a signature generated by secKey(C)

of ’C, POS, AS, RandomC, RequestPOS, Request-

Session’ message after its hash.

• Certificate(C), Certificate(IssBank) and SignatureC al-

low to authenticate C, guarantee the integrity of ’C, POS,

AS, RandomC, RequestPOS, RequestSession’ message

and ensure that C cannot deny having sent SignatureC

in the future (non-repudiation of origin).

3) POS and C Authentication requests (POS->AS):

• POS cannot decipher the received message (2) because it

does not have the secret key of AS. Then, it sends to AS

in an encrypted text with the session key K(AS,POS) of

the current connection TLS: TD and the message (2).

• AS deciphers (3) with K(AS,POS), obtains TD and (2). It

checks TD validity and if it is not valid, then it will not

respond to POS. Otherwise, it deciphers the message (2)

with its secret key secKey(AS) and obtains the content.

• In fact, AS and POS have already authenticated each other

during the TLS session and they communicate securely

using K(AS,POS) session key, so AS will proceed to

authenticate the NFC bank card C to POS, and if it leads

to successful results, then it executes another verification

procedure (different from TLS procedure) authenticating

POS to C because:

– It has received an POS authentication request Re-

questPOS from C (message (2)).

– C has received evidence authenticating POS (mes-

sage (1)) but it could not verify POS authenticity

and it trusts in fact AS to execute security functions.

• Therefore, AS proceeds classically in order to authenticate

the card C to POS. It checks that:

– Certificate(C) and Certificate(IssBank) are valid to-

day (validity period) and not revoked.

– The issuing CA3 of Certificate(IssBank) is a trusted

certification authority.

– pubKey(CA3) validates the signature contained in

Certificate(IssBank).

– pubKey(IssBank) validates the signature contained in

Certificate(C).

– pubKey(C) validates SignatureC.

• If AS can successfully authenticate C, then it proceeds to

authenticate POS to C. It checks that:

– Certificate(POS) and Certificate(AcqBank) are valid

today (validity period) and not revoked.

– The issuing CA2 of Certificate(AcqBank) is a trusted

certification authority.

– pubKey(CA2) validates the signature contained in

Certificate(AcqBank).

– pubKey(AcqBank) validates the signature contained

in Certificate(POS).

– pubKey(POS) validates SignaturePOS.

4) C Authenticity and session confirmations (AS->POS):

• If AS leads to successful results of POS authenticity, then

it generates a session key K(POS,C) that serves to start

a new secure payment transaction between POS and C.

• Thus, it sends to POS in an encrypted text with

K(AS,POS) Conf1 and Conf2 respectively confirming the

authenticity of C and POS, and mainly containing the

session key K(POS,C) (see Fig-2).

• POS deciphers the received message, checks TD and

RandomC, authenticates C with AuthC message, obtains

K(POS,C), Conf2 and Certificate(IssBank). The latter is

verified and confirmed by AS, and serves for POS to

verify the signature of banking data in step (6) (see

section IV-C6). Conf2 cannot be deciphered by POS

because it is encrypted with pubKey(C) and it is destined

in reality from AS to C passing by POS. It mainly

contains a confirmation message of the POS authenticity

AuthPOS, K(POS,C) session key and SignatureAS.

– SignatureAS is a signature generated by secKey(AS)

of ’POS, C, AS, K(POS,C), TD, RandomC, AuthPOS’

message after its hash.

5) POS Authenticity and session confirmations(POS->C):

• In this step, POS sends to C Conf2 received from AS, and

confirms to C that it starts a payment transaction session

by sending a new random value RandomPOS (serves to

prevent replay attacks) in a ciphertext with the session

key K(POS,C).

• C also receives (5), deciphers Conf2 with its secret

key secKey(C), checks TD and RandomC and obtains

K(POS,C), AuthPOS, SignatureAS.

• In fact, C trusts AS and stores Certificate(AS) containing

pubKey(AS), it verifies SignatureAS using pubKey(AS)

in order to authenticate AS, guarantee the integrity of

’POS, C, AS, K(POS,C), TD, RandomC, AuthPOS’ and

ensure that AS cannot deny having sent SignatureAS in

the future (non-repudiation of origin).

• C also confirms the authenticity of POS with AuthPOS,

deciphers {RandomC, TD, RandomPOS}K(POS,C) using

K(POS,C) session key and obtains RandomPOS.

6) Exchange of the banking data and Confirmation to POS

(C->POS):

• C starts with POS a secured payment session using the

session key K(POS,C) by sending: RandomPOS-1 (calcu-

lated from RandomPOS), the banking data BankData and

their electronic signature. The latter is the electronic sig-

nature of BankData by secKey(IssBank) ensuring banking

data integrity for POS.

• Therefore, POS decrypts (6), checks RandomPOS-1 and

obtains BankData and their signature. POS also checks

the signature using pubKey(IssBank) obtained in step (4).

D. Results

During an NFC payment transaction, if C and POS execute

all steps of the proposed protocol, then we ensure that:

5

• They are mutually authenticated. In step (4), POS con-

firms the authenticity of C. In step (5), C confirms the

authenticity of POS.

• They cannot deny (non-repudiation of origin) having sent

the electronic signatures (SignaturePOS and SignatureC)

in the future.

• The integrity of private banking data BankData stored on

C is ensured (step (6)) using the electronic signature.

• The confidentiality of private banking data BankData is

ensured using a symmetric session key (step (6)).

• The validity of C that the banking data are not revoked

is well ensured to POS by verifying the revocation of

certificates in step (3).

V. DISCUSSIONS

In this section, we discuss some possible attacks:

1) Malicious reader MalPOS: which wants to pose as POS

to communicate with C. Possible attacks:

• In step (1), MalPOS sends to C: its TDmalpos, Certifi-

cate(POS), Certificate(AcqBank), RequestC and its sig-

nature SignatureMalPOS generated by its secret key

secKey(MalPOS). In step (3), AS rejects POS authentic-

ity because it could not verify SignatureMalPOS with

pubKey(POS) (obtained from Certificate(POS)).

• If MalPOS replays the message (1), then this is can be

detected by TD validity in step (3).

2) Malicious card MalC: which wants to pose as C to

communicate with POS. Possible attacks:

• In step (2), MalC sends to AS mainly through POS:

Certificate(C), Certificate(IssBank) and its signature Sig-

natureMalC generated by its secret key secKey(MalC).

POS receives MalC message believing that it is from C,

sends it to AS but the latter rejects C authenticity be-

cause it could not verify SignatureMalC with pubKey(C)

(obtained from Certificate(C)).

• If MalC replays the message (2), then this is can be

detected by TD validity in step (3).

3) Bank data integrity: is satisfied using the electronic

signature of banking data generated by the issuing bank’s

secret key secKey(IssBank) and stored on the NFC bank card C

during its construction. It is verified by POS using the issuing

bank’s public key pubKey(IssBank) in step (6).

4) Bank data confidentiality: is satisfied using the symmet-

ric session key K(POS,C) after authentication steps.

VI. SCYTHER VERIFICATION

A. Overview

We have chosen the Scyther tool in order to verify the

correctness of the security protocol proposed in this paper.

Scyther is an effective tool for verification, falsification, and

analysis of security protocols to identify potential attacks and

vulnerabilities. It can be freely downloaded at [22]. Studies in

[23] have extensively investigated the performance of Scyther

compared to other verification tools. Scyther is based on a

development model algorithm providing infinite representa-

tions of traces. It can verify protocols using specific Scyther

claims with an unbounded number of sessions and guaranteed

termination. Also, it is able to detect several possible attacks

and generates a graph for each attack found corresponding to

the mentioned claim [24].

TABLE III VARIABLE SYMBOLS SPDL

Symbol Signification Symbol Signification

P POS C Card

AS Authentication Server

IB IssBank

AB AcqBank H(M) Hash(M)

TD Transaction Data X BankData

pk(X) pubKey(X) sk(X) secKey(X)

kpc K(POS,C) k(AS,P) K(AS,POS)

Fig. 3. The proposed protocol written in SPDL (step (1) to (3))

B. Implementation

The language used to write protocols in Scyther is Security

Protocol Description Language (SPDL) which is based on

the operational semantics found in [25]. Hence, we wrote

the proposed protocol in SPDL language to verify authentica-

tion (with non-repudiation) and confidentiality Scyther claims

whether hold or not. Tab-III presents the correspondence

between the variables declared in the program SPDL and

abbreviations presented in Tab-I. Fig-3 illustrates the proto-

col implementation in SPDL language, it shows a part of

exchanged messages (step (1) to (3)).

6

C. Scyther claims

As illustrated in Fig-4, the protocol successfully guaran-

tees all Scyther claims for P, C, AS and no attacks are

found. Authentication claims: Alive, Weakagree, Niagree and

Nisynch are used to detect replay, reflection and man in the

middle attacks. Secret and SKR (Session Key Reveal) are

confidentiality claims. Formal definitions for all Scyther claims

can be found in [25] and [26].

Fig. 4. Verification results

VII. CONCLUSION

In this paper, we introduced a new security protocol for

NFC payment transactions allowing to solve EMV security

weaknesses. We have based this solution on an online com-

munication with an authentication server that is considered as

a trusted security center for terminals, cards and banks. The

protocol ensures: mutual authentication and non-repudiation

(compared to [19]) between an NFC bank card and an NFC

point of sale, integrity (compared to [19]) and confidentiality

of private banking informaion, the validity of banking data that

they are not revoked (compared to [20]). We have successfully

analyzed the protocol correctness using the Scyther tool.

In fact, the proposal of this paper and the protocol that we

have proposed in [20] use the authentication with certificates

and signatures whereas they are different in: objective, pay-

ment environment (online/offline), payment actors, the content

of the messages exchanged and results. Thus, we note that our

proposal can be implemented with a connected object such as

an NFC smartphone instead of an NFC bank card, but in this

case, the advantage of the connection interface (Wi-Fi or 4G)

available in the mobile will not be considered. It can also be

implemented to secure contact payment communications.

REFERENCES

[1] NFC Forum, http://nfc-forum.org/, last connection (07/05/2015). [2] VISA payWave, http://www.visa.ca/fr/personal/visa-paywave/index.jsp,

last connection (07/05/2015). [3] MasterCard PayPass, http://www.mastercard.com/contactless/index.html,

last connection (07/05/2015). [4] M. Pasquet, J. Reynaud, and C. Rosenberger, “Secure payment with nfc

mobile phone in the smarttouch project,” IEEE International Symposium on Collaborative Technologies and Systems (CTS), pp. 121–126, 2008.

[5] EMV Books - Integrated Circuit Card Specifications for Payment Systems, Book 1: Application Independent ICC to Terminal Interface Requirements, Book 2: Security and Key Management, Book 3: Ap- plication Specification, Book 4: Cardholder Attendant and Acquirer Interface Requirements, Version 4.3, EMVCo, http://www.emvco.com/, November 2011.

[6] M. Emms and A. van Moorsel, “Practical attack on contactless payment cards,” HCI2011 Workshop Heath, Wealth and Identity Theft, 2011.

[7] R. Lifchitz, “Hacking the nfc credit cards for fun and debit,” Hackito Ergo Sum conference, April 2012.

[8] O. Ogundele, P. Zavarsky, R. Ruhl, and D. Lindskog, “Fraud reduction on emv payment cards by the implementation of stringent security fea- tures,” International Journal of Intelligent Computing Research (IJICR), 2012.

[9] S. J. Murdoch, S. Drimer, R. Anderson, and M. Bond, “Chip and pin is broken,” IEEE Symposium on Security and Privacy (SP), pp. 433–446, 2010.

[10] M. Ward, “Emv card payments–an update,” Elsevier Information Secu- rity Technical Report, pp. 89–92, 2006.

[11] J. De Ruiter and E. Poll, “Formal analysis of the emv protocol suite,” Springer Theory of Security and Applications, pp. 113–129, 2012.

[12] M. Levi, P. Bissell, T. Richardson, and C. P. Unit, “The prevention of cheque and credit card fraud,” Citeseer, 1991.

[13] N. A. Chattha, “Nfc-vulnerabilities and defense,” IEEE Conference on Information Assurance and Cyber Security (CIACS), pp. 35–38, 2014.

[14] H. Eun, H. Lee, and H. Oh, “Conditional privacy preserving security protocol for nfc applications,” IEEE Transactions on Consumer Elec- tronics, pp. 153–160, 2013.

[15] A. Elbagoury, A. Mohsen, M. Ramadan, and M. Youssef, “Practical provably secure key sharing for near field communication devices,” IEEE International Conference on Computing, Networking and Communica-

tions (ICNC), pp. 750–755, 2013. [16] M. S. Jung, “A study on electronic-money technology using near field

communication,” Multidisciplinary Digital Publishing Institute Symme- try, pp. 1–14, 2014.

[17] P. Urien and S. Piramuthu, “Elliptic curve-based rfid/nfc authentication with temperature sensor input for relay attacks,” Elsevier Decision Support Systems, pp. 28–36, 2014.

[18] ——, “Framework and authentication protocols for smartphone, nfc, and rfid in retail transactions,” IEEE Eighth International Conference on Intelligent Sensors, Sensor Networks and Information Processing, pp. 77–82, 2013.

[19] U. B. Ceipidor, C. M. Medaglia, A. Marino, S. Sposato, and A. Moroni, “Kernees: A protocol for mutual authentication between nfc phones and pos terminals for secure payment transactions,” IEEE 9th International ISC Conference on Information Security and Cryptology (ISCISC), pp. 115–120, 2012.

[20] N. El Madhoun, F. Guenane, and G. Pujolle, “A cloud-based secure authentication protocol for contactless-nfc payment,” IEEE 4th Interna- tional Conference on Cloud Networking (CloudNet), pp. 328–330, 2015.

[21] T. Dierks, “The transport layer security (tls) protocol version 1.2,” 2008. [22] Scyther Website, http://www.cs.ox.ac.uk/people/cas.cremers/scyther/,

last connection (07/05/2015). [23] C. Cremers and P. Lafourcade, “Comparing state spaces in automatic

protocol verification,” International Workshop on Automated Verification of Critical Systems (AVoCS), 2007.

[24] C. J. Cremers, “The scyther tool: Verification, falsification, and analysis of security protocols,” Springer Computer Aided Verification, 2008.

[25] C. Cremers and S. Mauw, “Operational semantics and verification of security protocols,” Springer Science & Business Media, 2012.

[26] G. Lowe, “A hierarchy of authentication specifications,” IEEE 10th Computer Security Foundations Workshop, pp. 31–43, 1997.

7

<< /ASCII85EncodePages false /AllowTransparency false /AutoPositionEPSFiles false /AutoRotatePages /None /Binding /Left /CalGrayProfile (Gray Gamma 2.2) /CalRGBProfile (sRGB IEC61966-2.1) /CalCMYKProfile (U.S. Web Coated \050SWOP\051 v2) /sRGBProfile (sRGB IEC61966-2.1) /CannotEmbedFontPolicy /Warning /CompatibilityLevel 1.4 /CompressObjects /Off /CompressPages true /ConvertImagesToIndexed true /PassThroughJPEGImages true /CreateJobTicket false /DefaultRenderingIntent /Default /DetectBlends true /DetectCurves 0.0000 /ColorConversionStrategy /LeaveColorUnchanged /DoThumbnails false /EmbedAllFonts true /EmbedOpenType false /ParseICCProfilesInComments true /EmbedJobOptions true /DSCReportingLevel 0 /EmitDSCWarnings false /EndPage -1 /ImageMemory 1048576 /LockDistillerParams true /MaxSubsetPct 100 /Optimize false /OPM 0 /ParseDSCComments false /ParseDSCCommentsForDocInfo false /PreserveCopyPage true /PreserveDICMYKValues true /PreserveEPSInfo false /PreserveFlatness true /PreserveHalftoneInfo true /PreserveOPIComments false /PreserveOverprintSettings true /StartPage 1 /SubsetFonts false /TransferFunctionInfo /Remove /UCRandBGInfo /Preserve /UsePrologue false /ColorSettingsFile () /AlwaysEmbed [ true /Arial-Black /Arial-BoldItalicMT /Arial-BoldMT /Arial-ItalicMT /ArialMT /ArialNarrow /ArialNarrow-Bold /ArialNarrow-BoldItalic /ArialNarrow-Italic /ArialUnicodeMS /BookAntiqua /BookAntiqua-Bold /BookAntiqua-BoldItalic /BookAntiqua-Italic /BookmanOldStyle /BookmanOldStyle-Bold /BookmanOldStyle-BoldItalic /BookmanOldStyle-Italic /BookshelfSymbolSeven /Century /CenturyGothic /CenturyGothic-Bold /CenturyGothic-BoldItalic /CenturyGothic-Italic /CenturySchoolbook /CenturySchoolbook-Bold /CenturySchoolbook-BoldItalic /CenturySchoolbook-Italic /ComicSansMS /ComicSansMS-Bold /CourierNewPS-BoldItalicMT /CourierNewPS-BoldMT /CourierNewPS-ItalicMT /CourierNewPSMT /EstrangeloEdessa /FranklinGothic-Medium /FranklinGothic-MediumItalic /Garamond /Garamond-Bold /Garamond-Italic /Gautami /Georgia /Georgia-Bold /Georgia-BoldItalic /Georgia-Italic /Haettenschweiler /Impact /Kartika /Latha /LetterGothicMT /LetterGothicMT-Bold /LetterGothicMT-BoldOblique /LetterGothicMT-Oblique /LucidaConsole /LucidaSans /LucidaSans-Demi /LucidaSans-DemiItalic /LucidaSans-Italic /LucidaSansUnicode /Mangal-Regular /MicrosoftSansSerif /MonotypeCorsiva /MSReferenceSansSerif /MSReferenceSpecialty /MVBoli /PalatinoLinotype-Bold /PalatinoLinotype-BoldItalic /PalatinoLinotype-Italic /PalatinoLinotype-Roman /Raavi /Shruti /Sylfaen /SymbolMT /Tahoma /Tahoma-Bold /TimesNewRomanMT-ExtraBold /TimesNewRomanPS-BoldItalicMT /TimesNewRomanPS-BoldMT /TimesNewRomanPS-ItalicMT /TimesNewRomanPSMT /Trebuchet-BoldItalic /TrebuchetMS /TrebuchetMS-Bold /TrebuchetMS-Italic /Tunga-Regular /Verdana /Verdana-Bold /Verdana-BoldItalic /Verdana-Italic /Vrinda /Webdings /Wingdings2 /Wingdings3 /Wingdings-Regular /ZWAdobeF ] /NeverEmbed [ true ] /AntiAliasColorImages false /CropColorImages true /ColorImageMinResolution 200 /ColorImageMinResolutionPolicy /OK /DownsampleColorImages true /ColorImageDownsampleType /Bicubic /ColorImageResolution 300 /ColorImageDepth -1 /ColorImageMinDownsampleDepth 1 /ColorImageDownsampleThreshold 1.50000 /EncodeColorImages true /ColorImageFilter /DCTEncode /AutoFilterColorImages false /ColorImageAutoFilterStrategy /JPEG /ColorACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /ColorImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /JPEG2000ColorACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000ColorImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 200 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /GrayImageDict << /QFactor 0.76 /HSamples [2 1 1 2] /VSamples [2 1 1 2] >> /JPEG2000GrayACSImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /JPEG2000GrayImageDict << /TileWidth 256 /TileHeight 256 /Quality 15 >> /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 400 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict << /K -1 >> /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False /CreateJDFFile false /Description << /CHS <FEFF4f7f75288fd94e9b8bbe5b9a521b5efa7684002000410064006f006200650020005000440046002065876863900275284e8e55464e1a65876863768467e5770b548c62535370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c676562535f00521b5efa768400200050004400460020658768633002> /CHT <FEFF4f7f752890194e9b8a2d7f6e5efa7acb7684002000410064006f006200650020005000440046002065874ef69069752865bc666e901a554652d965874ef6768467e5770b548c52175370300260a853ef4ee54f7f75280020004100630072006f0062006100740020548c002000410064006f00620065002000520065006100640065007200200035002e003000204ee553ca66f49ad87248672c4f86958b555f5df25efa7acb76840020005000440046002065874ef63002> /DAN <FEFF004200720075006700200069006e0064007300740069006c006c0069006e006700650072006e0065002000740069006c0020006100740020006f007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400650072002c0020006400650072002000650067006e006500720020007300690067002000740069006c00200064006500740061006c006a006500720065007400200073006b00e60072006d007600690073006e0069006e00670020006f00670020007500640073006b007200690076006e0069006e006700200061006600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020004400650020006f007000720065007400740065006400650020005000440046002d0064006f006b0075006d0065006e0074006500720020006b0061006e002000e50062006e00650073002000690020004100630072006f00620061007400200065006c006c006500720020004100630072006f006200610074002000520065006100640065007200200035002e00300020006f00670020006e0079006500720065002e> /DEU <FEFF00560065007200770065006e00640065006e0020005300690065002000640069006500730065002000450069006e007300740065006c006c0075006e00670065006e0020007a0075006d002000450072007300740065006c006c0065006e00200076006f006e002000410064006f006200650020005000440046002d0044006f006b0075006d0065006e00740065006e002c00200075006d002000650069006e00650020007a0075007600650072006c00e40073007300690067006500200041006e007a006500690067006500200075006e00640020004100750073006700610062006500200076006f006e00200047006500730063006800e40066007400730064006f006b0075006d0065006e00740065006e0020007a0075002000650072007a00690065006c0065006e002e00200044006900650020005000440046002d0044006f006b0075006d0065006e007400650020006b00f6006e006e0065006e0020006d006900740020004100630072006f00620061007400200075006e0064002000520065006100640065007200200035002e003000200075006e00640020006800f600680065007200200067006500f600660066006e00650074002000770065007200640065006e002e> /ESP <FEFF005500740069006c0069006300650020006500730074006100200063006f006e0066006900670075007200610063006900f3006e0020007000610072006100200063007200650061007200200064006f00630075006d0065006e0074006f0073002000640065002000410064006f00620065002000500044004600200061006400650063007500610064006f007300200070006100720061002000760069007300750061006c0069007a00610063006900f3006e0020006500200069006d0070007200650073006900f3006e00200064006500200063006f006e006600690061006e007a006100200064006500200064006f00630075006d0065006e0074006f007300200063006f006d00650072006300690061006c00650073002e002000530065002000700075006500640065006e00200061006200720069007200200064006f00630075006d0065006e0074006f00730020005000440046002000630072006500610064006f007300200063006f006e0020004100630072006f006200610074002c002000410064006f00620065002000520065006100640065007200200035002e003000200079002000760065007200730069006f006e0065007300200070006f00730074006500720069006f007200650073002e> /FRA <FEFF005500740069006c006900730065007a00200063006500730020006f007000740069006f006e00730020006100660069006e00200064006500200063007200e900650072002000640065007300200064006f00630075006d0065006e00740073002000410064006f006200650020005000440046002000700072006f00660065007300730069006f006e006e0065006c007300200066006900610062006c0065007300200070006f007500720020006c0061002000760069007300750061006c00690073006100740069006f006e0020006500740020006c00270069006d007000720065007300730069006f006e002e0020004c0065007300200064006f00630075006d0065006e00740073002000500044004600200063007200e900e90073002000700065007500760065006e0074002000ea0074007200650020006f007500760065007200740073002000640061006e00730020004100630072006f006200610074002c002000610069006e00730069002000710075002700410064006f00620065002000520065006100640065007200200035002e0030002000650074002000760065007200730069006f006e007300200075006c007400e90072006900650075007200650073002e> /ITA (Utilizzare queste impostazioni per creare documenti Adobe PDF adatti per visualizzare e stampare documenti aziendali in modo affidabile. I documenti PDF creati possono essere aperti con Acrobat e Adobe Reader 5.0 e versioni successive.) /JPN <FEFF30d330b830cd30b9658766f8306e8868793a304a3088307353705237306b90693057305f002000410064006f0062006500200050004400460020658766f8306e4f5c6210306b4f7f75283057307e305930023053306e8a2d5b9a30674f5c62103055308c305f0020005000440046002030d530a130a430eb306f3001004100630072006f0062006100740020304a30883073002000410064006f00620065002000520065006100640065007200200035002e003000204ee5964d3067958b304f30533068304c3067304d307e305930023053306e8a2d5b9a3067306f30d530a930f330c8306e57cb30818fbc307f3092884c3044307e30593002> /KOR <FEFFc7740020c124c815c7440020c0acc6a9d558c5ec0020be44c988b2c8c2a40020bb38c11cb97c0020c548c815c801c73cb85c0020bcf4ace00020c778c1c4d558b2940020b3700020ac00c7a50020c801d569d55c002000410064006f0062006500200050004400460020bb38c11cb97c0020c791c131d569b2c8b2e4002e0020c774b807ac8c0020c791c131b41c00200050004400460020bb38c11cb2940020004100630072006f0062006100740020bc0f002000410064006f00620065002000520065006100640065007200200035002e00300020c774c0c1c5d0c11c0020c5f40020c2180020c788c2b5b2c8b2e4002e> /NLD (Gebruik deze instellingen om Adobe PDF-documenten te maken waarmee zakelijke documenten betrouwbaar kunnen worden weergegeven en afgedrukt. De gemaakte PDF-documenten kunnen worden geopend met Acrobat en Adobe Reader 5.0 en hoger.) /NOR <FEFF004200720075006b00200064006900730073006500200069006e006e007300740069006c006c0069006e00670065006e0065002000740069006c002000e50020006f0070007000720065007400740065002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e00740065007200200073006f006d002000650072002000650067006e0065007400200066006f00720020007000e5006c006900740065006c006900670020007600690073006e0069006e00670020006f00670020007500740073006b007200690066007400200061007600200066006f0072007200650074006e0069006e006700730064006f006b0075006d0065006e007400650072002e0020005000440046002d0064006f006b0075006d0065006e00740065006e00650020006b0061006e002000e50070006e00650073002000690020004100630072006f00620061007400200065006c006c00650072002000410064006f00620065002000520065006100640065007200200035002e003000200065006c006c00650072002e> /PTB <FEFF005500740069006c0069007a006500200065007300730061007300200063006f006e00660069006700750072006100e700f50065007300200064006500200066006f0072006d00610020006100200063007200690061007200200064006f00630075006d0065006e0074006f0073002000410064006f00620065002000500044004600200061006400650071007500610064006f00730020007000610072006100200061002000760069007300750061006c0069007a006100e700e3006f002000650020006100200069006d0070007200650073007300e3006f00200063006f006e0066006900e1007600650069007300200064006500200064006f00630075006d0065006e0074006f007300200063006f006d0065007200630069006100690073002e0020004f007300200064006f00630075006d0065006e0074006f00730020005000440046002000630072006900610064006f007300200070006f00640065006d0020007300650072002000610062006500720074006f007300200063006f006d0020006f0020004100630072006f006200610074002000650020006f002000410064006f00620065002000520065006100640065007200200035002e0030002000650020007600650072007300f50065007300200070006f00730074006500720069006f007200650073002e> /SUO <FEFF004b00e40079007400e40020006e00e40069007400e4002000610073006500740075006b007300690061002c0020006b0075006e0020006c0075006f0074002000410064006f0062006500200050004400460020002d0064006f006b0075006d0065006e007400740065006a0061002c0020006a006f0074006b006100200073006f0070006900760061007400200079007200690074007900730061007300690061006b00690072006a006f006a0065006e0020006c0075006f00740065007400740061007600610061006e0020006e00e400790074007400e4006d0069007300650065006e0020006a0061002000740075006c006f007300740061006d0069007300650065006e002e0020004c0075006f0064007500740020005000440046002d0064006f006b0075006d0065006e00740069007400200076006f0069006400610061006e0020006100760061007400610020004100630072006f0062006100740069006c006c00610020006a0061002000410064006f00620065002000520065006100640065007200200035002e0030003a006c006c00610020006a006100200075007500640065006d006d0069006c006c0061002e> /SVE <FEFF0041006e007600e4006e00640020006400650020006800e4007200200069006e0073007400e4006c006c006e0069006e006700610072006e00610020006f006d002000640075002000760069006c006c00200073006b006100700061002000410064006f006200650020005000440046002d0064006f006b0075006d0065006e007400200073006f006d00200070006100730073006100720020006600f60072002000740069006c006c006600f60072006c00690074006c006900670020007600690073006e0069006e00670020006f006300680020007500740073006b007200690066007400650072002000610076002000610066006600e4007200730064006f006b0075006d0065006e0074002e002000200053006b006100700061006400650020005000440046002d0064006f006b0075006d0065006e00740020006b0061006e002000f600700070006e00610073002000690020004100630072006f0062006100740020006f00630068002000410064006f00620065002000520065006100640065007200200035002e00300020006f00630068002000730065006e006100720065002e> /ENU (Use these settings to create PDFs that match the "Required" settings for PDF Specification 4.01) >> >> setdistillerparams << /HWResolution [600 600] /PageSize [612.000 792.000] >> setpagedevice