Author: Andreas Schildbach 2015-02-23 09:49:17
Published on: 2015-02-23T09:49:17+00:00
The email thread discusses privacy loss in a payment system that uses NFC as a trust anchor. It is suggested that using DHKE (Diffie-Hellman key exchange) or a similar method could improve the security of the session and prevent decryption from recordings. However, the dilemma of how to exchange the secret remains. The discussion covers whether NFC communication can be considered private, what options are available for establishing trusted links, and how an eavesdropper can monitor communication even if it is assumed private.

One proposed solution is to send the payee's public key over the NFC connection instead of a session key. That public key is then used to encrypt a session key, which is sent back via Bluetooth to initiate an encrypted Bluetooth connection for the remaining communication. While this method is not foolproof, it reduces the privacy loss significantly and makes attacks harder to carry out.

The email also touches on the trust anchors required by the payer and the payee, and whether they are necessary for short-range communication. There is a debate on whether attackers would be better off replacing the entire POS internals than attacking the short-range communication. Finally, the email acknowledges that cryptography experts may have more insights into this topic.
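The public-key-over-NFC exchange summarized above, as an added Python example that is not code from the thread. The thread names no algorithm, so the construction here (X25519 per RFC 7748 with an HMAC-SHA256 key wrap, ECIES-style) and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets
# Assumed construction (not from the thread): X25519 + HMAC-SHA256 ECIES-style wrap.
P = 2**255 - 19                      # Curve25519 field prime
BASE = (9).to_bytes(32, "little")    # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Pure Python, not constant-time: illustration only."""
    n = (int.from_bytes(k, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _keys(shared: bytes, eph_pk: bytes, payee_pk: bytes):
    """Derive (wrap pad, MAC key) from the DH secret, bound to both public keys."""
    if shared == bytes(32):
        raise ValueError("low-order public key rejected")
    ctx = eph_pk + payee_pk
    return tuple(hmac.new(shared, label + ctx, hashlib.sha256).digest() for label in (b"wrap", b"mac"))

def payee_nfc_message():  # payee: the NFC tap carries only a public key
    sk = secrets.token_bytes(32)
    return sk, x25519(sk, BASE)

def payer_bluetooth_message(payee_pk: bytes):
    """Payer: wrap a fresh session key to the public key read over NFC."""
    session_key, eph_sk = secrets.token_bytes(32), secrets.token_bytes(32)
    eph_pk = x25519(eph_sk, BASE)
    pad, mac_key = _keys(x25519(eph_sk, payee_pk), eph_pk, payee_pk)
    wrapped = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = hmac.new(mac_key, eph_pk + wrapped, hashlib.sha256).digest()
    return session_key, eph_pk + wrapped + tag

def payee_unwrap(sk: bytes, payee_pk: bytes, msg: bytes) -> bytes:
    """Payee: authenticate the Bluetooth message, then recover the session key."""
    eph_pk, wrapped, tag = msg[:32], msg[32:64], msg[64:]
    pad, mac_key = _keys(x25519(sk, eph_pk), eph_pk, payee_pk)
    if not hmac.compare_digest(tag, hmac.new(mac_key, eph_pk + wrapped, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or modified message")
    return bytes(a ^ b for a, b in zip(wrapped, pad))
```

A recording of both links contains only the payee public key, the payer's ephemeral public key, the wrapped key and the tag. As the summary notes, this is not foolproof: the result is only as trustworthy as the public key read over NFC, which is the trust-anchor question the thread debates.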
Updated on: 2023-06-09T17:54:35.410046+00:00