Qualitative Assessment on Effectiveness of Security Approaches towards Safeguarding NFC Devices & Services

ABSTRACT

NFC is used for heterogeneous platform for making the payments, which makes lot of differences in security performance even if they run same application. The third security concern with NFC is that it has all the possibility of catching wrong signals. This means that as RFID is the backbone of NFC so whenever there is any form of electromagnetic signals, it alerts the NFC apps which may not be the desired tag in real sense. Apart from all the above security concern, eavesdropping is another critical security concern in NFC that takes place when the signal is illegally intercepted by the third party when two NFC devices are communicating. In such condition, there is all the possibility that confidential information within the mobile device will be silently be accessed by the intruder without even knowledge of owner of the device. This problem of eavesdropping give rise to another potential problem, i.e., data corruption [7] where the adversary changes or do some sort of tampering with the eavesdropped data. At present, the researchers have presented some valuable contribution towards safeguarding the communication in NFC-based devices. However, still, there is no reported case of strength or effectiveness of any existing approaches of security in the area of NFCs. Therefore, this manuscript contributes towards exploring the effectiveness of existing research approaches of securing NFCs. Section 1.1 discusses the background and brief highlights of research problems identified are addressed in Section 1.2 while proposed solution is presented in 1. 3. Section 2 discusses fundamental information about NFC followed by discussion of existing research contribution along with their addressed problems, applied techniques, advantages and limitation in Section 3. Existing research trend highlighting most frequently used techniques for offering security features in NFCs is discussed in Section 4 followed by highlights of significant research gap from existing research contribution in Section 5. Finally, conclusion is briefed in Section 6.

Background
This section briefs the existing studies that have been carried out towards addressing the security issues in NFC-based device, applications, and services. The work of Jianli et al. [8] designed an security system model for NFC device using two dimensional code encryption and found that it provides the boot passward for the mobile phone. Senthil Kumar and Mathivanan [9] presented the password protected NFC card which provides the personal code and is secure one. Paramsivam and Arivazhagan [10] presented the NFC based digital technique to mitigate the coin shortage issue.
Instead of various manuscripts highlighting about security threats of NFC, there is only two standard literature that has reported security challenges in NFC. The work carried out by Chen et al. [11] have presented a discussion of different forms of threats in NFC and briefed that majority of the attacks in NFC are generated from card emulation mode (denial of service, relay attack) as well as reader-writer mode (ticket cloning, phishing). Similarly, we have reviewed the work presented by Nyikes [12] who have discussed significant security challenges associated with RFID that is an essential backbone of NFC architecture. However, apart from these, there is little standard manuscript towards highlighting the security emergence of NFCs.

Research Problem
With upcoming communication and entertainment devices going much advance in wireless communication system, the incorporation of NFC is increasing day by day. From the prior section, it is now known that there is few number of standard review-based literature aimed towards exploring the effectiveness of existing security approaches of NFC. At the same time, there is presence of very less number of literatures that talk about implementation scheme of strengthing the security of NFCs. Hence, the biggest research problem is that it is not necessary that adoption of cryptographic algorithm that has proven its robustness in other wireless field needs to be equally of similar cadre in NFCs. In fact, usage of elliptical curve causes various computational complexities that have never been found discussed in any of the existing research studies.

Proposed Solution
The study focuses on discussing the existing techniques and approaches for strengthing the security features of NFC devices, application, and services. At present, there are very much scattered form of literature with diverse security techniques; it is quite challenging to explore the study effectiveness. Therefore, we filter only manuscripts from reputed and standard publishers that have been published during 2010-2017. The inclusion criteria of the existing studies are only security or cryptographic based approaches in NFC whereas the exclusion criteria are other generic RFID based security system. It is because NFC uses a specific RFID structure that is very different from generic RFID structure. The proposed study essentially explores the effectiveness of existing security approaches of the NFC and also discusses the specific problems that have been focused on by the researchers. The proposed system also explores various techniques applied to solve such problems followed by brief identification of the limitation of each of the significant approaches of existing system. After reviewing the research trend, the proposed system also contributes to extract the research gap from the existing security approaches in NFC.

SECURITY CHALLENGES IN NFC
The NFC-based application suffers from various security challenges. In present time, a standard known as NFC-SEC is used for securing NFC-devices from adversaries by incorporating Secured Channel Services (SCH) and Shared Secret Service (SSE) [13]. The integrity and confidentiality are maintained by SCH with the aid of generated key from a module called as SSE. Adoption of Elliptical Curve Cryptography and Diffie Hellman is used for developing a key agreement between two NFC devices that demands both private and public keys. The core modules of NFC environment are Trusted Service Manager (TSM) and Secure Element (SE). TSM plays the role of certificate authority while SE is all about safeguarding the valuable data. It is also believed that SE offers higher degree of tamper resistance along with the trusted third party, i.e., TSM. Majority of the security issues arises in the Logical Link Control Protocol in standard architecture of NFC devices ( Figure 1). It has been seen that majority of the NFC application uses mobile payment system where both the forms of keys are mandatorily required to be constructed on the basis of elliptical curve cryptography. A public key in compressed form, as well as random number, is concatenated for forwarding from user 1 to user-2 who generates another random number. Applying elliptical curve, the significant point is considered as the secret key of different value for both users. A secret key is extracted using the identity of devices, arbitrary numbers, and confidential value. A new NFC tag is generated and exchanged with each other for validating the secret key. The public key, identity-based information, and secret key are used for generating such NFC tags. The identification of the NFC can be carried out using identity, but they can only access the partial information about it. The updating operation of NFC is independent of any messages or its connectivity. One of the biggest challenging factors here is the usage of the public key which is fixed for the devices. Hence, an adversary can easily collect it from the history of communication. For this purpose, NFCbased devices and services suffer from different ranges of applications, e.g., man-in-middle attack, eavesdropping, data corruption, data modification, data insertion, etc. Although some of the suggestion 1217 mechanism to safeguard intrusions on NFC is disabling mobile NFC when it is not required, adoption of secure socket layer, and using password locking system do exist, but presence of lethal adversaries have outrun the existing security system.

EXISTING SECURITY APPROACHES IN NFC
This section discusses about the existing security approaches towards NFC. Usage of homographic encryption system is seen implemented most recently by Diaz et al. [14] in order to secure the communication system of airport exclusively focusing on the baggage control system. Another recent work has been carried out by Majumder et al. [15] have discussed a novel cloaking system to secure the electronic payment system, e.g., Samsung pay, google wallet, PayPal, etc. The paper has also discussed about existing research work towards payment system on NFC along with their verification techniques. Similar direction of research towards payment-based application was carried out by Park et al. [16] Madhoun [17] where the authors have presented a mutual authentication mechanism over NFC enabled mobile device. The technique implements lattice-based convolution scheme for multiplication operation. Study towards mutual authentication scheme was also carried out by Fan et al. [18], [19] that implements logical operation of XOR for resisting denial-of-service attacks. Adoption of key management towards securing NFC-based devices was seen in the work presented by Jin et al. [20] where the authors have presented a key agreement scheme that ensures energy efficiency using software-defined radio testbed. Literatures have also witnessed the usage of pseudonyms towards secure authentication of NFC application as seen in the work carried out by Odelu et al. [21]. The technique presented by the author uses simulation-based scheme to ensure the reduced size of the pseudonyms. The presented technique has proved that existing pseudonym-based approaches are all shrouded with security loopholes towards addressing impersonation attacks. This technique is claimed to offer similar form of security performance for a longer duration of time. The work carried out by Ozdenizci et al. [22] has introduced a tokenization scheme for ensuring identity verification of NFC services using host card emulation. The technique also implements a unique token generation process followed by encrypted storage of data. Rios et al. [23] have presented a technique where the assessment outcomes of any examination could be rendered anonymous with an integration of QR code and NFC applications. Eldefrawy and Khan [24] have presented a scheme that supports validation mechanism for banknote using NFC device where the RFID is inserted within the banknote for performing authentication. Adoption of pseudonym towards securing the communication system was seen in the work carried out by He et al. [25], where the authors have focused on addressing privacy problems. The authors have investigation prior technique and performed a security analysis with respect to anonymity of user, mutual authentication, and security of session key. Rasua et al. [26] have introduced a protocol for analyzing attacks on the wireless network using experimental methodology. Ren et al. [27] have discussed various studies towards usage of NFC application that uses barcode. The author has also discussed the possible challenges encountered in an NFC-based application that uses barcodes.
Literature has witnessed that usage of mobile payment based application in more in NFC technologies. One such study was introduced by Chang [28] that developed a unique authorization control for the user's mobile device. An application environment is created for assisting NFC-based mobile payment system. The technique also introduces a model for access control where different policies are maintained for judging the access request of a user. Usage of asymmetric encryption on NFC application was witnessed in work carried out by Plos et al. [29] using hardware profiles of RFID. The encryption was carried out using Advanced Encryption Standard (AES), digital signatures, and Elliptical Curve Cryptography (ECC). The complete implementation has been carried out in hardware platform where different cryptosystems were assessed. Study towards protecting privacy in NFC-based application was seen in the work of Eun et al. [30] where conditional approach is specified. The authors have implemented multiple pseudonyms for ensuring optimal privacy. Gummeson et al. [31] for addressing security breaches on the user NFC enabled mobile devices. The study has implemented a design of form-factor that is adhered to the mobile device meant for jamming any form os illegitimate communication. At the same time, the authors have also ensured energy efficient mechanism towards mobile device battery. There is various applications that has the supportability of assisting in peer-to-peer based communication system in literature. The works carried out by Nandakumar et al. [32] have implemented an acoustic-based approach for truncating the dependencies on the NFC-based mobile hardware. The authors have also assessed the security effectiveness using different forms of attacks. The study carried out by Matos et al. [33] has presented a technique for securing various hotspots for the NFC devices. As such hotspots are accessible to many users; therefore chances are more for the intrusion, e.g., eavesdropping, man-in-middle attack. The architecture presented offer passive authentication using public keys as well as effective implementation. The next section tabulates the summary of existing approaches of securing NFC devices as shown in Table 1.

RESEARCH TREND
The existing research work towards addressing security problems in NFC-based application is not much in number. We explored that there are only 35 journals, 287 conference papers, two early access articles published from 2010 to 2017. Figure 2 highlights that existing research trends are more inclined towards usage of cryptographic protocol, pseudonyms, mutual authentication, and privacy preservation based approaches to offer security features in NFC-based application. It was also explored that majority of the security approaches have mainly focused on mobile payment system using either barcode based or QR code based authentication mechanism. However, usage of cryptographic-based approaches are mainly found to be using elliptical curve cryptography, digital signatures, symmetric/asymmetric encryption.

RESEARCH GAP
Following are the significant research gap identified after reviewing the existing security approaches in NFC-based applications: a. Incompatible Encryption Usage: Majority of the existing system make use of encryption mechanism that is not typically designed to handle the faster authentication demands of NFCbased application. Usage of pseudonyms, symmetric/asymmetric encryption, Elliptical Curve Cryptography consumes good amount of resources and is highly iterative process. Hence, its applicability towards RFID based authentication in NFC calls for extremely faster authentication process, which is missing in existing research approaches. b. Complex Cryptographic Usage: Existing cryptographic technique towards securing NFC devices have higher key sizes and complex memory management that causes delay during the authentication process. Adoption of lightweight algorithmic approach is entirely missing from the existing literature towards cost-effective computational processing of security algorithms in NFC devices./ c. Symptomatic approach: The existing security approaches are highly symptomatic in its security characteristics that will not be applicable if the investigation environment is altered as well as the adversary is altered. Moreover, existing approaches don't offer resiliency towards various other forms of lethal threats, e.g., key compromisation issue, replay attack, card emulation, compromised gateway, etc. d. Fewer significant studies: At present research work towards securing NFC based applications are not even more than 100 journals since last seven years. On the other side, the approach of cryptography has been making highly progressive features in network and security, but very few of them have been found towards NFC. Majority of the work have used more or less similar security strategies. Another issue is that there has been considerably less number of consideration of applications. It has to be known that NFC applications are highly vast and every application demands different form of security. e. Less Work being Benchmarked: At present, none of the existing research-based approaches are found to be benchmarked or being compared with standard security protocols in NFC or RFID based applications. Existing studies also don't emphasize on the computational complexity associated with the key management. Hence, there is no standard evidence of any significant algorithm that has been proven to be highly resistive against malicious threats in NFC-based applications and services.

CONCLUSION & FUTURE WORK
After reviewing the existing research-based approaches in NFC for strengthing the security feature, we concluded that there are problems associated with the usage of cryptographic algorithm in NFC. It is quite obvious that usage of complex cryptographic policies may lead to potential encryption, which is good for security, but it may not offer better communication performance too for much upcoming application that requires streaming of data. Therefore, our next level of research work will focus on applying certain lightweight cryptographic approaches, e.g., the hummingbird that has never been tried for securing communication in NFC. As hummingbird harnesses the potential of both stream and block cipher, so there is a fair chance of minimizing any form of computational complexity associated with cryptographic algorithm in NFC.