Standards body ECMA International has published updates to five NFC standards — ECMA-385, ECMA-386, ECMA-409, ECMA-410 and ECMA-411. The new standards are designed “to ensure the security of NFC communication and the confidentiality, integrity and authenticity of data transfer between devices,” says Reinhard Meindl, acting chairman of ECMA TC47 and senior principal at NXP Semiconductors.
“What all these new standards have in common is an application-independent and secure transport layer that will protect NFC devices communicating,” Meindl explains.
“They can effectively deal with typical security threats, such as forgery, data destruction, tampering and MITM [man-in-the-middle] attacks.”
“ECMA-385 specifies the NFC-SEC secure channel and shared secret services for NFCIP-1 and the PDUs and protocol for those services,” the organisation says.
“The NFC-SEC cryptography standards identified in the PID registry complement and use the services and protocol specified in this standard. This fourth edition introduces full alignment with ISO/IEC 13157-1:2014.
“ECMA-386 specifies cryptographic mechanisms that use the elliptic curve Diffie-Hellman (ECDH) protocol for key agreement and the AES algorithm for data encryption and integrity. This third edition [uses] the latest references to cryptographic standards.
“ECMA-409 specifies cryptographic mechanisms that use the elliptic curve Diffie-Hellman (ECDH) protocol with a key length of 256 bits for key agreement and the AES algorithm in GCM mode to provide data authenticated encryption.
“This second edition introduces references to the latest JTC1/SC27 standards and updates the generation method for StartVar in compliance with ISO/IEC 19772:2009/Cor.1:2014 which also complies with NIST SP 800-38B.”
“ECMA-410 specifies key agreement and confirmation mechanisms providing mutual authentication, using asymmetric cryptography, and the transport protocol requirements for the exchange between sender and TTP,” the organisation adds.
“This second edition introduces references to the latest JTC1/SC27 standards, including ISO/IEC 9798-3/Amd.1, which specifies mechanisms involving an online trusted third party.
“ECMA-411 specifies key agreement and confirmation mechanisms providing mutual authentication, using symmetric cryptography. This second edition introduces references to the latest JTC1/SC27 standards and the StartVar generation method for IV in NFC-SEC-02.”
These new standards will be submitted to ISO/IEC JTC 1 for approval as international standards under the ISO/IEC fast-track procedure, ECMA says. Earlier versions of ECMA-385 and ECMA-386 are already available as ISO/IEC 13157-1 and ISO/IEC 13157-2.