Utvärdering av Near Field Communication och Certified Wireless USB: Säkerhet vid utveckling av applikationer

Sammanfattning: Today’s society is one where technological advances are made daily, which increases the need to stop and assess the risks against users’ integrity when integrating new technology in contemporary systems all the greater. We have taken two technologies, Near Field Communication and Certified Wireless USB, whose envisioned area of use is to be integrated into mobile phones, and evaluated what security threats are revealed for the respective technologies. The threats against security have been identified through research of the standards and existing reports for each technology. Practical experiments have not been conducted on account of us not having access to any equipment to run such trials. The result of our studies is indecisive; pitched against Certified Wireless USB’s rigorous and robust security measures, implemented on hardware level, Near Field Communication’s lack of any such security implementations shines all the brighter. The real difference can be traced to the philosophy behind the technologies – Certified Wireless USB can be perceived as a complete product, while Near Field Communication bears more resemblance to a tool. In order to safely use a tool, knowledge about its use is required, thus in order to securely use Near Field Communication we propose two solutions; secure channel and secure identification, which developers can implement on a software level. Furthermore, we suggest that the implementation of security should be based on an incremental model where the security measures are scaled up in direct correlation with the sensitivity of the information managed. Our results imply that Near Field Communication does not have the inherent security that it should have in order to be safely and securely integrated into any system as it is. Therefore, measures have to be taken in order to implement this technology securely on a software level. For Certified Wireless USB it implies that nothing further is needed to achieve a secure implementation as the only weakness it displays is against Side Channel attacks, which are so complicated (and require direct access to the system) that we have deemed them unlikely to be attempted.