FWIW, do you know about Knock? Uses BTLE to pair to an iPhone; physical control of both allows you to log into the Mac. Sorta similar to Chrome OS Smart Unlock with Android 5.0. I'm not endorsing Knock (or Smart Unlock) as safe--and by most accounts Knock has some issues, esp. after a reboot--but IMHO pairing with a phone is probably safer than using an NFC tag, and the smart phone is certainly capable enough to emulate a smart card.

-- T

-----Original Message-----
From: Henrik Brautaset Aronsen [mailto:henrik.aronsen@gmail.com] On Behalf Of Henrik Brautaset Aronsen
Sent: Monday, February 02, 2015 2:17 PM
To: Miller, Timothy J.
Cc: Yoann Gini; smartcardservices-users@lists.macosforge.org
Subject: Re: [SmartcardServices-Users] Store key on NFC tag that is acceptable to sc_auth?

On 02 Feb 2015, at 21:05, Miller, Timothy J. <tmiller@mitre.org> wrote:
> I don't see anything in the NTAG data sheet that leads me to believe that a login solution based on it would be secure against eavesdropping, cloning, and replay attacks. We used to call these "barking bar codes" and for security sensitive operations (such as authentication) they are not safe.
>
> If you're OK with that, well, it's your headache not mine. But I'd never buy one.
>
> Password ACLs controlling memory write operations is not the same as what happens in a smart card. For secure use, you need--at a minimum--an IC capable of computing a response to a challenge. Ideally you do this by performing a cryptographic operation using a secret unique to the IC. In NXP's offerings (quickly poking around their offerings), that probably puts you in the SmartMX line, but you'd need a platform that integrates that IC with an NFC controller (e.g., NXP's PT501)--something like the NXP MIFARE platform.

Hi Timothy,
Thanks for the input! I'm totally OK with the security implications. I'm not doing this for a commercial product, it's merely a hobby project of mine. If I could get it to just check the NFC ID, that would be perfect.
Cheers, Henrik
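
The difference raised in the thread between checking a tag's ID and having the IC compute a response to a challenge, as an added example that is not part of the original messages. The HMAC-SHA256 construction, the class and function names, and the sample UID are assumptions made for illustration, not anything sc_auth or an NXP part implements.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real tag or card.
TAG_UID = bytes.fromhex("04a1b2c3d4e5f6")
TOKEN_SECRET = secrets.token_bytes(32)  # unique per token, never leaves the IC

class StaticIdVerifier:
    """Hypothetical login check that accepts whoever presents the enrolled ID."""
    def __init__(self, enrolled_uid):
        self.enrolled_uid = enrolled_uid

    def verify(self, presented_uid):
        return hmac.compare_digest(presented_uid, self.enrolled_uid)

class ChallengeResponseVerifier:
    """Issues a fresh nonce per attempt and checks an HMAC computed over it."""
    def __init__(self, shared_secret):
        self._secret = shared_secret
        self._pending = None

    def new_challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response):
        if self._pending is None:
            return False
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: a challenge is never accepted twice
        return hmac.compare_digest(response, expected)

def token_respond(secret, challenge):
    """What the IC computes internally; only the result crosses the radio link."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def replay_outcomes():
    """Return (static_replay_accepted, cr_genuine_accepted, cr_replay_accepted)."""
    static = StaticIdVerifier(TAG_UID)
    # The ID is the same bytes on every read, so a recorded copy always passes.
    static_replay = static.verify(bytes(TAG_UID))

    cr = ChallengeResponseVerifier(TOKEN_SECRET)
    observed_resp = token_respond(TOKEN_SECRET, cr.new_challenge())
    genuine = cr.verify(observed_resp)
    cr.new_challenge()                    # next login gets a different nonce
    cr_replay = cr.verify(observed_resp)  # recorded response no longer matches
    return static_replay, genuine, cr_replay
```

`replay_outcomes()` returns `(True, True, False)`: the recorded ID is accepted again, while the recorded response fails against the next challenge.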