On Feb 2, 2015, at 12:16 PM, Henrik Brautaset Aronsen <henrik@synth.no> wrote:
On 02 Feb 2015, at 21:05, Miller, Timothy J. <tmiller@mitre.org> wrote:
I don't see anything in the NTAG data sheet that leads me to believe that a login solution based on it would be secure against eavesdropping, cloning, and replay attacks. We used to call these "barking bar codes" and for security sensitive operations (such as authentication) they are not safe.
If you're OK with that, well, it's your headache not mine. But I'd never buy one.
Password ACLs controlling memory write operations is not the same as what happens in a smart card. For secure use, you need--at a minimum--an IC capable of computing a response to a challenge. Ideally you do this by performing a cryptographic operation using a secret unique to the IC. In NXP's offerings (quickly poking around their offerings), that probably puts you in the SmartMX line, but you'd need a platform that integrates that IC with and NFC controller (e.g., NXP's PT501)--something like the NXP MIFARE platform.
Hi Timothy,
Thanks for the input! I'm totally OK with the security implications. I'm not doing this for a commercial product, it's merely a hobby project of mine. If I could get it to just check the NFC ID, that would be perfect.
Cheers,
Henrik