Friday, 25 January 2013

Elliptic Curve Certificates and Signatures for NFC-enabled mobile phones

The Near Field Communication (NFC) Forum finalized its Signature Record Type Definition (RTD) to protect against manipulation of NFC Data Exchange Format (NDEF) data. The choice of digital certificate and signature type has a major impact on tag memory usage, cost and device performance. The Smart Poster RTD gives example NDEF message sizes ranging from 23 to 69 bytes. With digital signatures and certificates this can balloon to over 1000 bytes, depending on the type of signature and certificate(s), forcing the use of larger and more expensive tags.

The paper proposes further use of elliptic curve cryptography: specifically, ECQV certificates and ECPVS signatures in addition to the ECDSA signature scheme. These technologies were designed with efficiency as a primary goal, and are well adapted to the constraints of NFC tags. For the same level of security, ECQV+ECPVS provides a 10-fold reduction in storage overhead compared to RSA signatures and certificates (from about 1000 to 100 bytes).

Both ECQV and ECPVS are standards-based and compatible with the NFC Forum Signature RTD and the ITU X.509 standard for Public Key Infrastructure (PKI). ECPVS can provide an additional confidentiality feature that allows portions of the data to be encrypted under a separate key. We introduce the reader to an NFC PKI architecture, scenarios for tag issuers, and memory utilization and performance data for the various schemes specified in the Signature RTD.

Digital signatures are necessary to provide trust in the NFC ecosystem, where users are expected to make wireless connections to unknown readers, tags and peers. They provide the user with a level of comfort that the data they receive has been signed by a trusted third party and, more importantly, prevent a bad user experience with a malicious tag.

They can also accommodate almost any application scenario including coupons and tickets.

The Signature RTD gives implementers choices for digital signature and certificate types. With the modern processors found on smartphones, the choice of signature type does not impact performance, as signing and verifying take less than 10 ms. However, the choice does have a major impact on memory utilization. ECDSA uses approximately 50% less memory than RSA and can fit on most tag types. If we use ECDSA with ECQV certificates, we use 90% less memory than RSA.

Signatures with message recovery, such as ECPVS and keyed ECPVS, can be used for message confidentiality where needed. If there is enough demand for confidentiality, the NFC Forum can easily add this signature type to the Signature RTD, given its extensible design.