# Efficient and Secure NFC Authentication for Mobile Payment Ensuring Fair Exchange Protocol

## Abstract

**:**

## 1. Introduction

## 2. Backgrounds

## 3. The Proposed Protocol

#### 3.1. Notations and Assumptions

#### 3.2. Initiation Phase

_{P-S}, DK

_{P-S}, m

_{P-S}} through the secure channel such as transport layer security (TLS). Both P and S can create a set of session keys, SK

_{P-Sj}, where j = 1, …, m

_{P-S}, by using the session key creation technique described in [13].

_{P-TP}, DK

_{P-TP}, m

_{P-TP}} through a secure channel such as TLS. Both P and TP can create a set of session keys SK

_{P-TPj}, where j = 1, …, m

_{P-TP}, by using the session key creation technique described in [13].

_{P-V}, DK

_{P-V}, m

_{P-V}} through a secure channel such as TLS. Both P and V can create a set of session keys SK

_{P-Vj}, where j = 1, …, m

_{P-V}, by using the session key creation technique described in [13].

_{S-TP}, DK

_{S-TP}, m

_{S-TP}} through a secure channel such as TLS. Both S and TP can create a set of session keys, SK

_{S-TPj}, where j = 1, …, m

_{S-TP}, by using the session key creation technique described in [13].

_{S-V}, DK

_{S-V}, m

_{S-V}} through a secure channel such as TLS. Both S and V can create a set of session keys, SK

_{S-Vj}, where j = 1, …, m

_{S-V}, by using the session key creation technique described in [13].

_{TP-V}, DK

_{TP-V}, m

_{TP-V}} through a secure channel such as TLS. Both TP and V can create a set of session keys, SK

_{TP-Vj}, where j = 1, …, m

_{TP-V}, by using the session key creation technique described in [13].

#### 3.3. Registration Phase

_{N-S}, DK

_{N-S}, m

_{N-S}}, {K

_{N-P}, DK

_{N-P}, m

_{N-P}}, {K

_{N-TP}, DK

_{N-TP}, m

_{N-TP}}, and {K

_{N-V}, DK

_{N-V}, m

_{N-V}} between the N and S, between N and P, between N and TP, and between N and V through the secure channel such as TLS. The details of the registration phase are shown as follows:

_{N-Sj}, where j = 1, …, m

_{N-S}, by using the session key creation technique described in [13].

_{N-Pj}, where j = 1, …, m

_{N-P}, by using the session key creation technique described in [15]. Both N and TP can create a set of session keys, SK

_{N-TPj}, where j = 1, …, m

_{N-TP}, by using the session key creation technique described in [13].

_{N-Vj}, where j = 1, …, m

_{N-V}, by using the session key creation technique described in [13].

#### 3.4. Authentication Phase

**M1:****N → P:**ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, Request, SK_{N-Sj}), h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, SK_{N-Sj}), {h_{N-TP}}_{SKN-TPj}, SK_{N-Pj}), {h_{N-TP}}_{SKN-TPj}**M2:****P → S:**ID_{N}, ID_{P}, T_{1}, request, h(ID_{N}, T_{1}, request, SK_{N-Sj}), h(ID_{P}, h(ID_{N}, T_{1}, request, SK_{N-Sj}), SK_{P-Sj}), {h_{N-TP}}_{SKN-TPj}, {h_{P-TP}}_{SKP-TPj}**M3:****S → TP:**{h_{N-TP}}_{SKN-TPj}, {h_{P-TP}}_{SKP-TPj}, {h_{S-TP}}_{SKS-TPj}**M4:****TP → S:**{h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKN-TPj+1}, {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKP-TPj+1}, {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKS-TPj+1}**M5:****S → P:**T_{2}, response, h(T_{1}, T_{2}, response, SK_{N-Sj+1}), h(h(T_{1}, T_{2}, response, SK_{N-Sj+1}), SK_{P-Sj+1}), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKN-TPj+1,}{h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKP-TPj+1}**M6:****P → N:**T_{2}, response, h(T_{1}, T_{2}, response, SK_{N-Sj+1}), h(h(T_{1}, T_{2}, response, SK_{N-Sj+1}), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKN-TPj+1}, SK_{N-Pj+1}), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}_{SKN-TPj+1}

_{N}, T

_{1}, Request, SK

_{N-Sj}): the hash value is considered as a message authentication code (MAC), which is an authentication token between N and S, which will be transmitted to S through P, and ensures the integrity of the message. This message P cannot generate since P does not know the session key SK

_{N-Sj}. Hence, only N constructs this message. h(ID

_{N}, T

_{1}, Request, h(ID

_{N}, T

_{1}, Request, SK

_{N-Sj}), {h

_{N-TP}}

_{SKN-TPj}, SK

_{N-Pj}): the hash value is considered as a MAC, which is an authentication token between N and P, and ensures the integrity of the message. Moreover, this message P uses to verify the authenticity of N. N cannot deny that it did not originate this message as the possession of both SK

_{N-Sj}and SK

_{N-Pj}. {h

_{N-TP}}

_{SKN-TPj}: the message encrypted with the session key SK

_{N-TPj}shared between N and TP, which will be transmitted to TP through S. This message P cannot generate because P does not know the session key SK

_{N-TPj}. Therefore, N is original of this message. Note that T

_{1}is generated by N to prevent replay attack.

_{N}, T

_{1}, request, SK

_{N-Sj}), {h

_{N-TP}}

_{SKN-TPj}, SK

_{N-Pj}) of N, if the message is invalid, P rejects N’s request. If not, P forwards N’s authentication request to S in the message M2. P sends message M2 to S. It contains the following: h(ID

_{P}, h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}), SK

_{P-Sj}): the hash value is considered as a MAC, which is an authentication token between P and S, and ensures the integrity of the message. Besides, this message S uses to verify the authenticity of P. {h

_{P-TP}}

_{SKP-TPj}: the message encrypted with the session key SK

_{P-TPj}shared between P and TP which will be transmitted to TP through S. This message S cannot generate because S does not know the session key SK

_{P-TPj}. Therefore, P is original of this message.

_{P}, h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}), SK

_{P-Sj}) of P, if the message is invalid, S rejects P’s request. If not, S will check the correctness of authentication request message h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}) of N. If the message is successful, S sends response message back to N and P. Otherwise, S rejects P’s request. Then, S sends the message M3 to TP.

_{N-TP}}

_{SKN-TPj}using SK

_{N-TPj}keeps the hash value, decrypts the message {h

_{P-TP}}

_{SKP-Sj}using SK

_{P-TPj}, keeps the hash value, decrypts the message {h

_{S-TP}}

_{SKS-TPj}using SK

_{S-TPj}keeps the hash value. Next, TP encrypts three hash values, encrypts the hash value of h

_{N-TP}, h

_{P-TP}, h

_{S-TP}using SK

_{N-TPj+1}. Encrypts the hash value of h

_{N-TP}, h

_{P-TP}, h

_{S-TP}using SK

_{P-TPj+1}. Encrypts the hash value of h

_{N-TP}, h

_{P-TP}, h

_{S-TP}using SK

_{S-TPj+1}. Then, TP sends messages M4 to S.

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKS-TPj+1}with SK

_{S-TPj+1}and keeps the hash value as proof if a dispute arises. Then, S sends messages M5 to P. The message M5 contains the following: h(T

_{1}, T

_{2}, response, SK

_{N-Sj+1}): the hash value is considered as a message as MAC, which is an authentication token between N and S which will be transmitted to N through P, and ensures the integrity of the message. This message P will not generate since P does not know the session key SK

_{N-Sj+1}. Hence, only S constructs this message. h(h(T

_{1}, T

_{2}, response, SK

_{N-Sj+1}), SK

_{P-Sj+1}): the hash value is considered as MAC, which is an authentication token between P and S, and ensures the integrity of the message. Moreover, the message P uses to verify the authenticity of S. S cannot deny that it did not originate this message as the possession of both SK

_{N-Sj+1}and SK

_{P-Sj+1}. {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-TPj+1}: this message will forward to N via P. {h(h

_{N-TP}, h

_{P-TP}, hS

_{-TP})}

_{SKP-TPj+1}: this message will send to P.

_{1}, T

_{2}, response, SK

_{N-Sj+1}), SK

_{P-Sj+1}) of S, if the message is invalid, P rejects S’s response. Unless, P decrypts the message {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKP-TPj+1}and keeps the hash value as proof if a dispute arises. Then, P sends the message M6 to N.

_{1}, T

_{2}, response, SK

_{N-Sj+1}), {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-TPj+1}, SK

_{N-Pj+1}) of P, if the message is invalid, N rejects P’s response. Unless, N will verify the authentication result message h(T

_{1}, T

_{2}, Yes/No, SK

_{N-Sj+1}) of S, if the message is invalid, N rejects P’s response. If not, N decrypts the message {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-TPj+1}with SK

_{N-TPj+1}and keeps the hash as proof if a dispute arises. Note that T

_{2}is generated by S to prevent a replay attack.

#### 3.5. Dispute Resolution Phase

#### 3.5.1. N Requests Dispute

_{N-TP}, h

_{P-TP}, h

_{S-TP}) of the transaction to V. Upon receiving the hash value of N, V sends the requested hash value of the TP. After receiving the hash value from the TP, V compares the hash value of N with the hash value from the TP. If the hash values do not match, V rejects N’s request; if not, V sends a notification of dispute resolution to P and S. From Figure 2 shows transaction flow of N request dispute protocol of all parties including N, P, S, V and TP. The details of this protocol are outlined below.

**M1: N → V:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-Vj}

**M2: V → TP:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKV-TPj}

**M3: TP → V:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKV-TPj+1}

**M4: V → P:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKP-Vj}

**M5: V → S:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKS-Vj}

**M6: V → N:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-Vj+1}

#### 3.5.2. P Requests Dispute

_{N-TP}, h

_{P-TP}, h

_{S-TP}) of the transaction to V. Upon receiving the hash value of P, V sends the requested hash value of the TP. After receiving the hash value from the TP, V compares the hash value of N with the hash value from the TP. If the hash values do not match, V rejects P’s request; if not, V sends a notification of dispute resolution to N and S. Figure 3 shows the transaction flow of P request dispute protocol of all parties including N, P, S, V and TP. The details of this protocol are outlined below.

**M1: P → V:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKP-Vj}

**M2: V → TP:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKV-TPj}

**M3: TP → V:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKV-TPj+1}

**M4: V → N:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKN-Vj}

**M5: V → S:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKS-Vj}

**M6: V → P:**{h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}

_{SKP-Vj+1}

## 4. Security Analysis

#### 4.1. Message Confidentiality

#### 4.2. Message Integrity

#### 4.3. Mutual Authentication

_{N-Pj}, P cannot generate this message h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}) by itself. This is because P cannot generate h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}) as the session key SK

_{N-Sj}is shared between N and S. Only N knows both SK

_{N-Sj}and SK

_{N-Pj}. Hence this guarantees that N generated this message h(ID

_{N}, T

_{1}, request, h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}), {h

_{N-TP}}

_{SKN-TPj}, SK

_{N-Pj}).

#### 4.4. Non-Repudiation of Transactions

_{N-Pj}, but P cannot generate this message h(ID

_{N}, T

_{1}, Request, SK

_{N-Sj}) by itself because the session key SK

_{N-Sj}is shared between N and S. Only N knows both SK

_{N-Sj}and SK

_{N-PSj}, hence N cannot refuse that it did not originate this message as the possession of SK

_{N-Pj}demonstrates clearly that only N can generate this message h(ID

_{N}, T

_{1}, request, h(ID

_{N}, T

_{1}, request, SK

_{N-Sj}), {h

_{N-TP}}

_{SKN-TPj,}SK

_{N-Pj}).

#### 4.5. Brute Force Attack Prevention

#### 4.6. Replay Attack Prevention

#### 4.7. MITM Attack

#### 4.8. Eavesdropping

#### 4.9. Data Manipulation

## 5. Discussions

#### 5.1. Practicality of the Proposed Protocol

#### 5.2. Performance Analysis

## 6. Formal Security Verification

#### 6.1. Using Scyther

#### 6.2. Using AVISPA

#### 6.3. Using BAN

- R1. Message-meaning rule: $\frac{\mathrm{P}|\equiv \mathrm{P}\stackrel{\mathrm{K}}{\leftrightarrow}\mathrm{Q},\mathrm{P}\u22b2{\left\{\mathrm{X}\right\}}_{\mathrm{K}}}{\mathrm{P}\left|\equiv \mathrm{Q}\right|~\mathrm{X}}$, $\frac{\mathrm{P}|\equiv \mathrm{P}\stackrel{\mathrm{K}}{\leftrightarrow}\mathrm{Q},\mathrm{P}\u22b2{\left(\mathrm{X}\right)}_{\mathrm{K}}}{\mathrm{P}\left|\equiv \mathrm{Q}\right|~\mathrm{X}}$
- R2. Nonce-verification rule: $\frac{\mathrm{P}\left|\equiv \#\left(\mathrm{X}\right),\mathrm{P}\right|\equiv \mathrm{Q}|~\mathrm{X}}{\mathrm{P}\left|\equiv \mathrm{Q}\right|\equiv \mathrm{X}}$
- R3. Jurisdiction rule: $\frac{\mathrm{P}\left|\equiv \mathrm{Q}\Rightarrow \mathrm{X},\mathrm{P}\right|\equiv \mathrm{Q}|\equiv \mathrm{X}}{\mathrm{P}|\equiv \mathrm{X}}$
- R4. Freshness rule: $\frac{\mathrm{P}|\equiv \#\left(\mathrm{X}\right)}{\mathrm{P}|\equiv \#\left(\mathrm{X},\mathrm{Y}\right)}$
- R5. Belief rule: $\frac{\mathrm{P}\left|\equiv \left(\mathrm{X}\right),\mathrm{P}\right|\equiv \mathrm{Y}}{\mathrm{P}|\equiv \left(\mathrm{X},\mathrm{Y}\right)}$
- R6. Decryption rule: $\frac{\mathrm{P}|\equiv \mathrm{Q}\stackrel{\mathrm{K}}{\leftrightarrow}\mathrm{P},\mathrm{P}\u22b2{\left\{\mathrm{X}\right\}}_{\mathrm{K}}}{\mathrm{P}\u22b2\mathrm{X}}$

#### 6.3.1. Idealized Form

**M1:****N → P:**ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP**M2:****P → S:**ID_{N}, ID_{P}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), $\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, {h_{P-TP}}P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{TPj}}}{\leftrightarrow}$TP**M5:****M5: S →****P:**T_{2}, response, h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}\mathrm{TP}$, {h(h_{N-TP}, h_{P-TP}, h_{S-TP}))}$\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{TPj}+1}}{\leftrightarrow}$TP**M6:****M6: P →****N:**T_{2}, response, h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP

#### 6.3.2. Initial Assumptions

_{1}) ➔ ➔ A14. P|≡ #(T

_{1})

_{1}) ➔ ➔ A16. N|≡ #(T

_{2})

_{2}) ➔ ➔ A18. S|≡ #(T

_{2})

#### 6.3.3. The Goals of the Analysis

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) from M1

_{N}, T

_{1}, request, h(ID

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h

_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) from M1

_{P}, h(ID

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) from M2

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) from M5

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) from M6

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) from M6

#### 6.3.4. Details of the Proof

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) from M1

S⊲ h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) | 1 |

1, R1: S|≡ h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) | 2 |

2, R2, R4, A1, A15: S|≡ S has (ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) | 3 |

3, R5: S|≡ h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) = h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) | 4 |

4: S|≡ h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S) | 5 |

_{N}, T

_{1}, request, h(ID

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h

_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) from M1

P⊲ h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) | 1 |

1, R1: P|≡ h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) | 2 |

2, R2, R4, A5, A14: P|≡ P has (ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) | 3 |

3, R5: P|≡ h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) = h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) | 4 |

4: P|≡ h(ID_{N}, T_{1}, request, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), {h_{N-TP}}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}}}{\leftrightarrow}$P) | 5 |

_{P}, h(ID

_{N}, T

_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) from M2

S⊲ h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) | 1 |

1, R1: S|≡ h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) | 2 |

2, R2, R4, A10, A15: S|≡ S has (ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) | 3 |

3, R5: S|≡ h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) = h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) | 4 |

4: S|≡ h(ID_{P}, h(ID_{N}, T_{1}, request, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}}}{\leftrightarrow}$S), P$\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}}}{\leftrightarrow}$S) | 5 |

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) from M5

P⊲ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 1 |

1, R1: P|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 2 |

2, R2, R4, A11, A17: P|≡ P has (h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 3 |

3, R5: P|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) = h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 4 |

4: P|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), $\mathrm{P}\stackrel{{\mathrm{SK}}_{\mathrm{P}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 5 |

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h

_{N-TP}, h

_{P-TP}, h

_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) from M6

N⊲ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) | 1 |

1, R1: N|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) | 2 |

2. R2, R4, A8, A16: N|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) | 3 |

3, R5: N|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) = h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) | 4 |

4: N|≡ h(h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S), {h(h_{N-TP}, h_{P-TP}, h_{S-TP})}N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{TPj}+1}}{\leftrightarrow}$TP, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Pj}+1}}{\leftrightarrow}$P) | 5 |

_{1}, T

_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) from M6

N⊲ h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 1 |

1, R1: N|≡ h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 2 |

2, R2, R4, A4, A16: N|≡ N has (T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 3 |

3, R5: N|≡ h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) = h(T_{1}, T_{2}, response, N$\stackrel{{\mathrm{SK}}_{\mathrm{N}-\mathrm{Sj}+1}}{\leftrightarrow}$S) | 4 |

4: N|≡ h(T_{1}, T_{2}, response, NS) | 5 |

## 7. Conclusions

## Funding

## Conflicts of Interest

## References

- Coskun, V.; Ozdenizci, B.; Ok, K. The survey on near field communication. Sensors
**2015**, 15, 13348–13405. [Google Scholar] [CrossRef] [PubMed] - Singh, N.K. Near-field Communication (NFC). Inf. Technol. Libr.
**2020**, 39, 2259–2294. [Google Scholar] - Thammarat, C.; Chokngamwong, R.; Techapanupreeda, C.; Kungpisdan, S. A secure lightweight protocol for NFC communications with mutual authentication based on limited-use of session keys. In Proceedings of the 29th Information Networking, Krong Siem Reap, Cambodia, 12–14 January 2015; pp. 133–138. [Google Scholar]
- Singh, M.M.; Adzman, K.A.A.K.; Hassan, R. Near Field Communication (NFC) technology security vulnerabilities and countermeasures. Int. J. Eng. Technol.
**2017**, 7, 298–305. [Google Scholar] - El Madhoun, N.; Guenane, F.; Pujolle, G. A cloud-based secure authentication protocol for contactless-NFC payment. In Proceedings of the 2015 IEEE 4th International Conference on Cloud Networking (CloudNet), Niagara Falls, ON, Canada, 5–7 October 2015; pp. 328–330. [Google Scholar]
- Badra, M.; Badra, R.B. A lightweight security protocol for NFC-based mobile payments. Procedia Comput. Sci.
**2016**, 83, 705–711. [Google Scholar] [CrossRef] [Green Version] - Sethia, D.; Gupta, D.; Saran, H. NFC secure element-based mutual authentication and attestation for IoT access. IEEE Trans. Consum. Electron.
**2018**, 64, 470–479. [Google Scholar] [CrossRef] - Sethia, D.; Gupta, D.; Saran, H.; Agrawal, R.; Gaur, A. Mutual authentication protocol for secure NFC based mobile healthcard. IADIS Int. J. Comput. Sci. Inf. Syst.
**2016**, 11, 195–202. [Google Scholar] - Al-Haj, A.; Al-Tameemi, M.A. Providing security for NFC-based payment systems using a management authentication server. In Proceedings of the 2018 4th International Conference on Information Management (ICIM), Oxford, UK, 25–27 May 2018; pp. 184–187. [Google Scholar]
- Thammarat, C.; Kurutach, W. A secure fair exchange for SMS-based mobile payment protocols based on symmetric encryption algorithms with formal verification. Wirel. Commun. Mob. Comput.
**2018**, 2018, 6953160. [Google Scholar] [CrossRef] [Green Version] - Thammarat, C.; Kurutach, W.; Phoomvuthisarn, S. A secure lightweight and fair exchange protocol for NFC mobile payment based on limited-use of session keys. In Proceedings of the 2017 17th International Symposium on Communications and Information Technologies (ISCIT), Cairns, Australia, 25–27 September 2017; pp. 1–6. [Google Scholar]
- Thammarat, C.; Kurutach, W. A lightweight and secure NFC-base mobile payment protocol ensuring fair exchange based on a hybrid encryption algorithm with formal verification. Int. J. Commun. Syst.
**2019**, 32, e3991. [Google Scholar] [CrossRef] - Kungpisdan, S.; Metheekul, S. A secure offline key generation with protection against key compromise. In Proceedings of the 13th World Multiconference on Systemics, Cybernetics, and Informatics, Orlando, FL, USA, 10–13 July 2009. [Google Scholar]
- Dandash, O.; Wang, Y.; Le, P.D. Fraudulent internet banking payments prevention using dynamic key. J. Netw.
**2008**, 3, 25–34. [Google Scholar] [CrossRef] [Green Version] - Ngo, H.H.; Wu, X.; Le, P.D.; Wilson, C.; Srinivasan, B. Dynamic key cryptography and applications. Int. J. Netw. Secur.
**2010**, 10, 161–174. [Google Scholar] - Zheng, X.; Yang, L.; Ma, J.; Shi, G.; Meng, D. TrustPAY: Trusted mobile payment on security-enhanced ARM TrustZone platforms. In Proceedings of the 2016 IEEE Symposium on Computers and Communication (ISCC), Messina, Italy, 27–30 June 2016; pp. 456–462. [Google Scholar]
- Potlapally, N.R.; Ravi, S.; Raghunathan, A.; Jha, N.K. A study of the energy consumption characteristics of cryptographic algorithms and security protocols. Trans. IEEE. Mob. Comput.
**2006**, 5, 128–143. [Google Scholar] [CrossRef] - Zhang, L.; Ma, M. Secure and efficient scheme for fast initial link setup against key reinstallation attacks in IEEE 802.11 ah networks. Int. J. Commun. Syst.
**2020**, 33, e4192. [Google Scholar] [CrossRef] - Gupta, A.; Tripathi, M.; Sharma, A. A provably secure and efficient anonymous mutual authentication and key agreement protocol for wearable devices in WBAN. Comput. Commun.
**2020**, 160, 311–325. [Google Scholar] [CrossRef] - Cremers, C. The scyther tool: Verification, falsification, and analysis of security protocols. In International Conference on Computer Aided Verification; Springer: Berlin/Heidelberg, Germany, 2008; pp. 414–418. [Google Scholar]
- Cremers, C.; Sjouke, M. Operational Semantics and Verification of Security Protocols; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2012. [Google Scholar]
- Shehada, D.; Yeun, C.Y.; Zemerly, M.J.; Qutayri, M.L.; Hammadi, Y.L.; Damiani, E.; Hu, J. BROSMAP: A novel broadcast based secure mobile agent protocol for distributed service applications. Secur. Commun. Netw.
**2017**, 2017, 414–418. [Google Scholar] [CrossRef] [Green Version] - Genge, B.; Haller, P.; Duka, A.V. Engineering security-aware control applications for data authentication in smart industrial cyber–physical systems. Future Gener. Comput. Syst.
**2019**, 91, 206–222. [Google Scholar] [CrossRef] - Armando, A.; Basin, D.; Boichut, Y.; Chevalier, Y.; Compagna, L.; Cuellar, J.; Drielsma, P.H.; Heám, P.C.; Kouchnarenko, O.; Mantovani, J.; et al. The AVISPA tool for the automated validation of internet security protocols and applications. In International Conference on Computer Aided Verification; Springer: Berlin/Heidelberg, Germany, 2005; pp. 281–285. [Google Scholar]
- Khedr, W.I. Improved keylogging and shoulder-surfing resistant visual two-factor authentication protocol. J. Inf. Secur. Appl.
**2018**, 39, 41–57. [Google Scholar] [CrossRef] - Cao, J.; Li, H.; Ma, M.; Li, F. UPPGHA: Uniform privacy preservation group handover authentication mechanism for mMTC in LTE-A networks. Secur. Commun. Netw.
**2018**, 6854612. [Google Scholar] [CrossRef] [Green Version] - Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst.
**1990**, 8, 18–36. [Google Scholar] [CrossRef] - Chandrakar, P.; Om, H. A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC. Comput. Commun.
**2017**, 110, 26–34. [Google Scholar] [CrossRef] - Kumari, S.; Das, A.K.; Wazid, M.; Li, X.; Wu, F.; Choo, K.K.R.; Khan, M.K. On the design of a secure user authentication and key agreement scheme for wireless sensor networks. Concurr. Comput. Pract. Exp.
**2017**, 29, e3930. [Google Scholar] [CrossRef]

**Figure 10.**The result of on-the-fly model-checker (OFMC) and constraint—logic-based attack searcher (CL−AtSe) of verification using the automated validation of internet security protocols and applications (AVISPA).

Notation | Description |
---|---|

N | A user utilizing an NFC-enabled smartphone in card emulation mode |

P | A sales station providing NFC equipment |

S | An authentication server |

TP | A trusted third party. TP by itself is not involved in the transaction but helps to keep a record of all transactions that have taken place for each engaged party for future verification. Note that TP is a semi-TP. Semi-TP may misbehave on its own. However, it will not collide with any of the participating parties. |

V | The external party is a party that is not relevant to the particular transaction |

{DK_{A-B}, K_{A-B}, m_{A-B}} | The key distribution parameters that are shared between the parties, where K_{A-B} is a long-term key, DK_{A-B} is a distributed key and m_{A-B} is a random number. m_{A-B} is used to specify the number of keys that will be generated. |

ID_{A} | An identity of user A. |

SK_{A-B} | A session key shared between party A and party B. |

{msg}_{SK} | A message msg symmetrically encrypted with key SK. |

h(msg) | Hash value of message msg. |

h(msg, SK_{A-B}) | A message authentication code (MAC) value of message msg with key SK_{A-B} |

Request | A message is considered a request message like payment, billing, ticketing, loyalty services, identification or access control, and so on. |

Response | A message is considered a response message like payment, billing, ticketing, loyalty services, identification or access control, and so on. |

T_{1} | The timestamp is given when authentication is requested. |

T_{2} | The timestamp is given when a feedback message is provided. |

msg_{1}, mag_{2} | The concatenation of message msg_{1} and message msg_{2} |

h_{N-TP} | h(ID_{N}, T_{1}, request) denotes hash value of ID_{N}, T_{1}, request |

h_{P-TP} | h(ID_{N}, ID_{P}, T_{1}, request) denotes hash value of ID_{N}, ID_{P}, T_{1}, request |

h_{S-TP} | h(ID_{N}, ID_{P}, T_{1}, T_{2}, response) denotes hash value of ID_{N}, ID_{P}, T_{1}, T_{2}, response |

Protocol | A1 | A2 | A3 | A4 |
---|---|---|---|---|

[5] | No Fairness | No | Without TP | No |

[6] | Weak Fairness | Yes | Online TP | No |

[7] | No Fairness | No | Without TP | No |

[8] | No Fairness | No | Without TP | No |

[9] | No Fairness | No | Without TP | No |

Our protocol | Strong | Yes | Online | Yes |

[5] | [6] | [7] | [8] | [9] | Our Protocol | |
---|---|---|---|---|---|---|

B1 | Y | Y | Y | Y | Y | Y |

B2 | Y | N | Y | Y | Y | Y |

B3 | Y | N | Y | Y | Y | Y |

B4 | N | N | Y | Y | Y | Y |

B5 | N | Y | N | Y | N | Y |

B6 | Y | Y | Y | Y | Y | Y |

B7 | Y | Y | Y | Y | Y | Y |

B8 | Y | Y | Y | Y | Y | Y |

B9 | Y | Y | Y | Y | Y | Y |

**Table 4.**Protocol comparisons of cryptographic operations cost, energy consumption, and time consumption.

Protocol | Cryptographic Operations | Energy Consumption | Total | Time Consumption | Total | ||||
---|---|---|---|---|---|---|---|---|---|

C1 | C2 | C3 | C4 | C5 | C6 | ||||

[5] | TS7 + TA4 + TH3 = 14 | 8.47 | 2186 | 2.28 | 2196.75 | 11.97 | 60.84 | 3.84 | 76.65 |

[6] | TS1 + TA1 + TH0 = 2 | 1.21 | 546.5 | 0 | 547.71 | 1.71 | 15.21 | 0 | 16.92 |

[7] | TS6 + TA0 + TH5 = 11 | 7.26 | 0 | 3.8 | 11.06 | 10.26 | 0 | 6.4 | 16.66 |

[8] | TS0 + TA5 + TH2 = 7 | 0 | 2732.5 | 1.52 | 2734.02 | 0 | 76.05 | 2.56 | 78.61 |

[9] | TS2 + TA2 + TH2 = 6 | 2.42 | 1093 | 1.52 | 1096.94 | 3.42 | 30.42 | 2.56 | 36.4 |

Our Protocol | TS6 + TA0 + TH10 = 16 | 7.26 | 0 | 7.6 | 14.86 | 10.26 | 0 | 12.8 | 23.06 |

Symbol | Definition | Bits |
---|---|---|

P/S/C/IB/AB/ID_{SE}/IDr/IDc/ID_C/ID_R/IDm/ID_{N}/ID_{P} | Identity number | 80 |

RP_{1}/RP_{2}/RS_{1}/RS_{2}/RV_{SE}/RV_{POS}/RAND_C/RAND_R/RM/RS/RBIs | Random number | 80 |

TS/T_{1}/T_{2} | Time-stamp | 80 |

Cert(P)/Cert(S)/Cert(AB)/Cert(IB)/CertPOS/CertBAq | Certification | 1024 |

ReqS/ReqP/ReqM/ReqPOS/ReqK/ReqM2 | Authentication request message | 128 |

ReqSession | Session request | 128 |

Confirm/ConfirmPOS/ConfirmM | Confirmation authenticity message | 56 |

H/h | One way hashing function | 160 |

KMaster | Master session key | 128 |

X | Banking data stored on the secure element | - |

Cert_{POS} | Certification | 1024 |

session_key/SK_{POS-SE}/KUD/KDS/KUS/KS/kpm | Symmetric session key | 128 |

IdVU/IdVD | Virtual identity | 80 |

NU/ND | Nonce | 128 |

pwb | Password | 128 |

KPbr/KPbc | Public key | 1024 |

Loc_C/Loc_R | Location information | 80 |

TData | - | - |

BankData | Banking Data | 1024 |

Request | Authentication request message | 128 |

Response | Authentication response message | 128 |

Protocol | Communication Cost (bits) |
---|---|

[5] | (1) + (2) + (3) + (4) + (5) + (6) + (7) = (80 + 80 + 80 + 80 + 1024 + 1024 + 128 + 160) + (80 + 80 + 80 + 80 + 1024 + 1024 + 128 + 160 + 80 + 80 + 128 + 128) + (80 + 80 + 80 + 80 + 80 + 80 + 56 + 1024 + 128) + (80 + 80 + 80 + 80 + 128 + 1024 + 1024 + 160 + 80 + 80 + 80 + 80 + 80) + (80 + 80 + 80) + (80 + 80 + 80 + 80) + (80 + 80 + 80 + 80 + 160) = 11,521 |

[6] | (1) + (2) + (3) + (4) = (80 + 80) + (80 + 80 + 1024 + 80) + (128 + 128) + (80 + 128) = 1888 |

[7] | (1) + (2) + (3) + (4) + (5) = (80 + 128 + 128 + 160) + (80 + 80 + 128 + 128) + (128 + 128 + 160 + 160) + (128 + 128 + 160) + (160) = 2064 |

[8] | (1) + (2) + (3) + (4) = (1024 + 80 + 160) + (1024 + 80 + 160 + 80 + 80 + 80) + (80 + 80 + 80 + 80 + 80) + (128 + 80 + 80) = 3456 |

[9] | (1) + (2) + (3) + (4) + (5) + (6) = (128 + 1024 + 1024 + 160) + (128 + 1024 + 1024 + 160 + 80 + 128 + 128 + 80) + (80 + 80 + 56 + 128 + 80 + 80 + 56 + 128 + 1024 + 160) + (80 + 80 + 56 + 128 + 80 + 80 + 1024 + 160) + (80 + 80 + 56 + 1024 + 160 + 128) + (80 + 80 + 80 + 56) = 10,472 |

Our Protocol | (1) + (2) + (3) + (4) + (5) + (6) = (80 + 80 + 128 + 160 + 160 + 160) + (80 + 80 + 80 + 128 + 160 + 160 + 160 + 160) + (160 + 160 + 160) + (160 + 160 + 160) + (80 + 128 + 160 + 160 + 160) + (80 + 128 + 160 + 160 + 160) = 4112 |

Protocol | Storage Cost (bits) |
---|---|

NFC-Enabled Smartphone | |

[5] | (1) + (2) + (3) + (4) + (5) + (6) + (7) = (80 + 80 + 80 + 80 + 1024 + 1024 + 128 + 160) + (80 + 80 + 80 + 80 + 1024 + 1024 + 128 + 160 + 80 + 80 + 128 + 128) + (80 + 80 + 80 + 80 + 80 + 80 + 56 + 1024 + 128) + (80 + 80 + 80 + 80 + 128 + 1024 + 1024 + 160 + 80 + 80 + 80 + 80 + 80) + (80 + 80 + 80) + (80 + 80 + 80 + 80) + (80 + 80 + 80 + 80 + 160) = 11,521 |

[6] | (1) + (4) = (80 + 80) + (80 + 128) = 368 |

[7] | (1) + (4) + (5) = (80 + 128 + 128 + 160) + (128 + 128 + 160) + (160) = 1072 |

[8] | (1) + (2) + (3) + (4) = (1024 + 80 + 160) + (1024 + 80 + 160 + 80 + 80 + 80) + (80 + 80 + 80 + 80 + 80) + (128 + 80 + 80) = 3456 |

[9] | (1) + (2) + (3) + (4) = (128 + 1024 + 1024 + 160) + (128 + 1024 + 1024 + 160 + 80 + 128 + 128 + 80) + (80 + 80 + 56 + 128 + 80 + 80 + 56 + 128 + 1024 + 160) + (80 + 80 + 56 + 128 + 80 + 80 + 1024 + 160) = 8648 |

Our Protocol | (1) + (6) = (80 + 80 + 128 + 160 + 160 + 160) + (80 + 128 + 160 + 160 + 160) = 1456 |

Symbol | Definitions |
---|---|

X, Y | Statement |

P, Q | Parties |

P|≡X | P believes in X |

P⊲X | P sees X |

P|~X | P once said X |

P|⇒X | P has the jurisdiction over X |

#(X) | The formula X is fresh |

P$\stackrel{\mathrm{X}}{\leftrightarrow}$Q | P and Q may use the shared key K to communicate |

P$\stackrel{\mathrm{X}}{\iff}$Q | The formula Y is a secret known only to P and Q |

{X}_{K} | The formula X is encrypted under the key K |

(X)_{K} | The hash value of X using K as a key |

© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Thammarat, C.
Efficient and Secure NFC Authentication for Mobile Payment Ensuring Fair Exchange Protocol. *Symmetry* **2020**, *12*, 1649.
https://doi.org/10.3390/sym12101649

**AMA Style**

Thammarat C.
Efficient and Secure NFC Authentication for Mobile Payment Ensuring Fair Exchange Protocol. *Symmetry*. 2020; 12(10):1649.
https://doi.org/10.3390/sym12101649

**Chicago/Turabian Style**

Thammarat, Chalee.
2020. "Efficient and Secure NFC Authentication for Mobile Payment Ensuring Fair Exchange Protocol" *Symmetry* 12, no. 10: 1649.
https://doi.org/10.3390/sym12101649