NFC-based mobile transactions have come into the limelight in recent years thanks to the rapid development of NFC and mobile technologies. In these applications, the NFC chip operates in card emulation mode to simulate a credit card. Because much sensitive information is exchanged during a mobile transaction, mutual authentication is required to verify the legitimacy of each communicating party. Recently, Park and Lee introduced an anonymous authentication scheme based on NTRU. It aims to protect user information in NFC mobile payment systems without directly using the private financial information of users. However, we found a security flaw in their new scheme. In this paper, we show that their scheme is insecure against an eavesdropping attack. An attacker, without any secret information, can impersonate the user to a service provider and pass the authentication procedure. This may result in a serious problem in which an attacker can use a service such as online shopping on behalf of the real user without the real user's permission. An improved scheme is left as future work.
18th Asia-Pacific Network Operations and Management Symposium, APNOMS 2016: Management of Softwarized Infrastructure - Proceedings