[SmartcardServices-Users] Store key on NFC tag that is acceptable to sc_auth?
Henrik Brautaset Aronsen
henrik at synth.no
Mon Feb 2 12:16:48 PST 2015
On 02 Feb 2015, at 21:05, Miller, Timothy J. <tmiller at mitre.org> wrote:
>
> I don't see anything in the NTAG data sheet that leads me to believe that a login solution based on it would be secure against eavesdropping, cloning, and replay attacks. We used to call these "barking bar codes" and for security sensitive operations (such as authentication) they are not safe.
>
> If you're OK with that, well, it's your headache not mine. But I'd never buy one.
>
> Password ACLs controlling memory write operations is not the same as what happens in a smart card. For secure use, you need--at a minimum--an IC capable of computing a response to a challenge. Ideally you do this by performing a cryptographic operation using a secret unique to the IC. In NXP's offerings (quickly poking around their offerings), that probably puts you in the SmartMX line, but you'd need a platform that integrates that IC with and NFC controller (e.g., NXP's PT501)--something like the NXP MIFARE platform.
Hi Timothy,
Thanks for the input! I'm totally OK with the security implications. I'm not doing this for a commercial product, it's merely a hobby project of mine. If I could get it to just check the NFC ID, that would be perfect.
Cheers,
Henrik
More information about the SmartcardServices-Users
mailing list