Near-field communication (NFC) allows electronic devices to communicate over short distances (typically a few cm), enabling applications such as contactless payment and identification, as well as for other more general applications involving sharing of data between devices. NFC uses electromagnetic induction, requiring a pair of loop antennas typically operating over the RF ISM band around 13.56 MHz and in accordance with the ISO/IEC 18000-3 standard.
Communication using NFC is generally initiated by a reader device, which transmits a carrier field, prompting any target device within range to respond. Typically a target device, which may for example be a smart card, will draw the electrical power required to respond from the carrier field. The target and reader devices can then communicate with each other, for as long as the devices are within range.
Standard reader applications, for example NFC Forum Type 4 Tag readers implemented on smartphones, do not implement any security as they are not aware of any application specific keys and do not implement any authentication and/or secure messaging protocol. They therefore have limited use in assessing the authenticity of a tag read operation. The data could be encoded with a static system level encryption and/or a message authentication code (MAC) or signature upon personalization of the tag. This type of encryption may allow confidentiality, but could still create a unique tracker allowing traceability, raising privacy concerns. The use of a MAC or signature allows integrity and authenticity checking but, because it is static, it can easily be read out by an attacker and played at another time or repeated multiple times to a reader that may not be able to distinguish between a valid tag and a signal generated by an attacker.
One application of NFC technology is in enabling a reader device, which may for example be provided on a mobile device such as a mobile telephone (i.e. a smart phone), to access information stored on a target device. An example of this type is disclosed in U.S. Pat. No. 8,750,514, where a smart poster comprising an NFC device communicates with a mobile device. The NFC device provides a uniform resource identifier (URI) to the mobile device, which then communicates with a server identified by the URI to access further content. Information transmitted by the NFC device to the mobile device includes a counter value, which enables the server to determine how many executed read access have been performed, and enables the NFC device and the server to be authenticated. This does not, however, necessarily overcome the privacy concerns, since an attacker can read the counter as well as other data that may be confidential or can be related to the tag owner.
A further problem with generic reader applications, such as those according to the NFC Forum Type 4 Tag Operation Specification, is that the reader may not be able to authenticate the data read because it does not possess application specific keys.