DREU at UMass Amherst 2011: Security of NFC payments

Research Blog

• Week 10

  
  10 weeks of DREU went by very fast and memorable with all the challenging work in the lab, field trips with fellow REU students, and workshops I had a chance to attend during this internship. What I find most valuable, is that I leant not only how to approach problems and look for solutions, but how to successfully communicate and collaborate. Here at UMass I was lucky to be surrounded by the people I got to admire for what they do and who they are. I realized you have to love what you do; otherwise you would not put enough time and thought into something you are indifferent to. I learnt you have to trust yourself and believe in your work, but more importantly, you should listen more than you speak. Apart from the technical knowledge I gained, I found those simple discoveries very valuable.
  
  
  DREU is a great chance to get a feel of a graduate school. For all the things I've learnt I have to thank Professor Fu, Andres Molina-Markham and my project partner, DREU student Erin McBride.






• Week 9

  Android Application Development

  Android applications are written in Java, however, in addition to Java knowledge Android development takes a good understanding of its activities.
  
  Activities
  Activity is the container or a form for your application. An application has to have at least one activity, and in case it has several activities, each of them are independent.
  
  Intents
  Intents start activities, and connect various parts of the Android system. Basically, it is an action that needs to be performed, and the data that has to be delivered.
  
  To write an application you have to learn how to launch activities, how to coordinate them in one application, and how to manage their life cycles. The last is as important, because it defines the runtime of your application. The four essential states are Active, Paused, Stopped, and Resumed. Loss of screen's focus, change in it's orientation, and many other subtle changes trigger the change of state, resource reallocation, and reinitialization that crashes application during the runtime.
  
  I found that Android Application Development for Dummies and Android Developers website make a good resource combination.
  
  Android Application Development for Dummies
  This book provides a detailed walk through the framework installation, application building and application export/publishing. It assumes readers have no knowledge of Android platform and thoroughly explains activities, intents, and activities' life cycles. Programming examples come with long comments as well. This is not a reference book.
  
  Android Developers website
  Most of the time I referred to Android Developers website. It has a good Notepad Tutorial series that concisely give you everything you need to know to start your own application. It also provides API, and sample code for illustrations. It is not very well documented, but is a great reference.
  
  Soon everything will make sense and will appear simple:
  Intent i = new Intent(this, activity.class);
  i.putExtra(name, value);
  startActivityForResult(i, activityCode);
  
  @Override
  public void onPause(){
  super.onPause();
  adapter.disableForegroundDispatch(this);
  }
  etc.
  
  Firmware updates Some technologies have certain firmware requirements. NFC requires an update to 2.3. Firmware updates are easy given good instructions. Follow this and you will not get lost.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

• Week 8

  SPQR lab weekly meetings:
  
  Every week SPQR, the lab Erin and I joined, has lunch meetings, where Computer Science, and Electrical and Computer Engineering people who work in security and privacy research discuss their projects, ideas and progress. It is a great undergraduate experience to sit at the round table, listen about exciting work, and learn to present yourself and what you are doing.
  
  This week Gesine and Andres presented their practice talks for the Pay-as-you-Go workshop. I've attended interesting talks/presentations, but I have never participated in the process of talk preparation or polishing. A couple of things I took away with me:
  • A successful talk takes a lot of attention to its audience. You have to build on audiences background, make sure your examples are well understood, and the overall direction of the talk is towards the interest the audience has in your work. 
  • "What makes a mature speaker, is the ability to listen to all the talks that come before his own, and refer to them during his own presentation, dynamically adjusting it." (Prof. Burleson) 
  
  Pay-as-you-Go:
  
  As part of the SPQR lab, I attended Pay-as-you-Go workshop devoted to security and privacy in Integrated Transportation Payment Systems (ITPS). A team from three institutions (UMass Amherst, UMassDartmouth, Brown University) and Transportation authorities explored how to increase the security of payments, without collecting data that could violate user's privacy. This Pay-as-you-Go project requires multi-disciplinary effort and faces a lot of real world challenges - transportation payments devices have to be very cheap, cryptographic protocols have to be secure, while being lightweight to fit on constraint computational platforms. Finally, there is a challenge of successfully deploying novelty into the system that is used by millions.
  
  This workshop was a great example of a dialog and cooperation between researchers, and academia and industry.
  
  UMass REU Poster Session:
  
  This week UMass REU students had a poster session, where we presented our poster, and chatted about our work with fellow students or visitors that were interested in our projects. As many REU students were done with their program, this was also the last day to have lunch together, and take group pictures. It has been a great experience to get to know people from different states and countries, and realize that each of us is having the same challenges and every day struggles learning new things.
  
  
























• Week 7

  Card Emulation
  Card emulation mode is not trivial. The emulation is handled by the special hardware component called Secure Element (SE), which is activated under special privileges. Due to the sensitivity of payments transactions, by default the phone/tag is not available to external readers (the phone can recognize its own tag however).  It is possible to tweak the android source, remove required privileges, and thus to activate SE. However, following http://source.android.com/source/initializing.html and http://threadeds.blogspot.com/2009/02/getting-started-with-google-android-on.html guidelines, both Erin and I could not recompile the code and successfully flash the system with the new image file.  It could be possible to emulate a card with external hardware, but due to the time constraints we decided to adjust our plan and use a card + terminal node, where the phone would send back assumed commands from the terminal.
  
  We made 2 devices communicate and relay messages through internet. This "bridge" loosens the security assumption of near field communication. The app should be user friendly for the demo at the poster session we have next week.






• Week 6

  
  This week all REU students at UMass went for a field trip to visit Microsoft, Google and MIT Science Museum. This has been a greet opportunity to see how it is to work in the industry.
  
  
  • Google has definitely charmed all of us; somehow it makes everybody comfortable. It believes that small changes in the working environment are necessary to keep you excited, and excitement is what drives your work. Every week they either repaint a wall, put a new couch, or find a new place for it. Walls are decorated by Googlers themselves; creativity is in everything. For someone who is just about to start a professional career, Google gives inspiration and sets a high bar for personal achievements.
  • Microsoft visit started with a long wait to enter the building. The space was organized very differently - everybody has its own room with a closed door. Wall colors are dark, and while we were on a tour, we didn't meet any people outside in the corridors or in larger rooms. The culture is definitely different and seemed less collaborative.






• Week 5

  
  Working on fake tag and card emulation. Android developers supply some source code (FakeTagsActivity)  that generates tag broadcasts and emulates NFC enabled devices. Once the off-the-shelf contactless credit card reader recognizes the phone-card, I will implement IsoDep tag technology and the the protocol so that the phone can emulate cards communication. A phone acting as a card might help us to:
  - identify the flow of communication/queries between the commercial reader and the card. - explore the security of credentials, and whether a phone can undetectably pretend to be someone else's "wallet".






• Week 4

  Trip to MIT:
  
  Had a fun trip with our lab students to Cambridge, MIT for Adi Shamir's talk "New Cryptanalytic Attacks on Secret Key Cryptosystems", which could be one of the most lively talks I've visited. It described the techniques that were used to breach AES, GOST (Russian block cipher), and other systems that successfully resisted attacks for many years. A good amount of time was devoted to GOST scheme and the Russian psychology that reflected the system's design in "simple","not sophisticated" constructions and "clean math". In 2011 GOST has been discovered as "a deeply flawed cipher", and is now considered to be broken with the complexity of 2^228.
  
  Project update:
  
  This week has been about reading and understanding specifications of the communication between a credit card and the reader, Android Near Field Communication programming,and Android Activities in general. Neither is intuitive. Turns out, the change in screen orientation is the configurational change that destroys the current activity associated with the tag and reinstantiates the application. You would expect this landscape/portrait change to be handled in a more delicate way, wouldn't you?
  
  Next week should be more of a programming momentum.






• Week 3

  RFIDsec 2011

  RFIDsec, the workshop devoted to the security of RFID, and contactless devices, will definitely be one of the brightest moments of my 10 week REU experience. This year the conference was held at the UMass Amherst (the first time in the US) and organized by our mentor Dr. Fu. We were really lucky to be involved with it by helping with what we could do and attending all its activities: technical tutorials, poster sessions, talks, and social events. Discussed problems included on-tag cryptography, physical enhancements of RFID, and its attacks.
  
  The keynote speaker was Adi Shamir - academic who's inventions and contributions students study in the books. This slide from his talk "Minimalism in Cryptography" and the minimalistic bed in particular (in the lower right corner of the slide) won hearts of almost everybody, including me.
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  Speaking about how to maintain audience's attention, Ravi Pappu said during his "The Physics of RFID" tutorial, that according to researchers, you should put a funny video on the 22nd minute of your talk. And so he did:
  
  
  As a foreigner, I share the pain of pronouncing "th".
  
  RFIDsec has been both an educational and inspiring experience. I am glad it happened in the early years of my education.






• Week 2

  Security of NFC payments: Project's Motivation.

  The growth of Near Field Communication (NFC) equipped smartphones suggests that contactless mobile payment systems will be widely used in the near future. The phone is about to replace a credit card in the PayPass system and charge users by being waved near the reader. For example, Google's ambition to replace a wallet full of plastic cards led to the Google Wallet application, that would virtually fit all your cards in your NFC-enabled Android. Sensitivity of banking information and the large number of potential users encouraged us to study the security of NFC contactless communication using Android phone.
  
  Build-in NFC chip allows the phone to be not only a banking card, but a reader as well. It is interesting to know whether contactless credit cards are indeed secured against malicious actions. Is it possible to lift critical information of the card by just standing near the wallet?
  
  

























• Week 1

  Hello

  My name is Olga Korobova, and I am a senior Computer Science student at the UMass Amherst.
  
  This blog is devoted to my summer REU project at the UMass Amherst with Dr. Fu, his Ph.D. student Andres Molina-Markham, and Erin McBride, DREU student from the University of Oregon. Here I will write about my undergraduate research experience, and share what I have learnt from RFIDsec, a workshop devoted to security and privacy in Radio Frequency Identification, that this year takes place in Amherst, MA.