Abstract—The popularization of the word “Fin-tech” thanks to many non-technical individuals being amazed by the unconventional way of payments, such as mobile payment over NFC. Undoubtedly speaking security/privacy is considered as the most important factor when a new Fin-tech is introduced; at least psychologically, it is. Recently Seo et al. presented an authenticated key agreement protocol for mobile payment over NFC. The protocol intended to provide secure pairing over untrusted devices with client's anonymity and forward secrecy. Unfortunately, in this paper we found that their protocol is indeed very insecure when an attacker has different levels of network controls. We presented the man-in-the-middle attacks and the replay attacks against this protocol. Under these attacks the attackers can successfully impersonate an anonymous client or can tap the communication between two legitimate clients without being detected by anyone. Then we suggested some improvements, with adequate analysis, to avoid these problems.

Index Terms—Key words: Authenticated key agreement, near field communication, security.

Chienming Chen and Weicheng Fang are with Harbin Institute of Technology Shenzhen Graduate School, Shenzhen, China. Kinghang Wang is with Hong Kong University of Science and Technology, Hong Kong, China. Tsuyang Wu is with Fujian Provincial Key Laboratory of Big Data Mining and Applications, Fujian University of Technology, Fuzhou, China; National Demonstration Center for Experimental Electronic Information and Electrical Technology Education, Fujian University of Technology, Fuzhou, China.

Cite:Chienming Chen, Weicheng Fang, Kinghang Wang, Tsuyang Wu, "Attacks and Solutions of an Authenticated Key Agreement Protocol Based on NFC for Mobile Payment," International Journal of Computer and Communication Engineering vol. 6, no. 3, pp. 173-180, 2017.