[SmartcardServices-Users] Store key on NFC tag that is acceptable to sc_auth?

Miller, Timothy J. tmiller at mitre.org
Mon Feb 2 12:27:22 PST 2015


FWIW, do you know about Knock?  Uses BTLE to pair to an iPhone; physical control of both allows you to log into the Mac.  Sorta similar to Chrome OS Smart Unlock with Android 5.0.  

I'm not endorsing Knock (or Smart Unlock) as safe--and by most accounts Knock has some issues, esp. after a reboot--but IMHO pairing with a phone is probably safer than using an NFC tag, and the smart phone is certainly capable enough to emulate a smart card.

-- T 

> -----Original Message-----
> From: Henrik Brautaset Aronsen [mailto:henrik.aronsen at gmail.com] On
> Behalf Of Henrik Brautaset Aronsen
> Sent: Monday, February 02, 2015 2:17 PM
> To: Miller, Timothy J.
> Cc: Yoann Gini; smartcardservices-users at lists.macosforge.org
> Subject: Re: [SmartcardServices-Users] Store key on NFC tag that is
> acceptable to sc_auth?
> 
> On 02 Feb 2015, at 21:05, Miller, Timothy J. <tmiller at mitre.org> wrote:
> >
> > I don't see anything in the NTAG data sheet that leads me to believe that a
> login solution based on it would be secure against eavesdropping, cloning,
> and replay attacks.  We used to call these "barking bar codes" and for security
> sensitive operations (such as authentication) they are not safe.
> >
> > If you're OK with that, well, it's your headache not mine.  But I'd never buy
> one.
> >
> > Password ACLs controlling memory write operations is not the same as
> what happens in a smart card.  For secure use, you need--at a minimum--an
> IC capable of computing a response to a challenge.  Ideally you do this by
> performing a cryptographic operation using a secret unique to the IC.  In
> NXP's offerings (quickly poking around their offerings), that probably puts
> you in the SmartMX line, but you'd need a platform that integrates that IC
> with an NFC controller (e.g., NXP's PT501)--something like the NXP MIFARE
> platform.
> 
> Hi Timothy,
> 
> Thanks for the input!  I'm totally OK with the security implications.  I'm not
> doing this for a commercial product, it's merely a hobby project of mine.  If I
> could get it to just check the NFC ID, that would be perfect.
> 
> Cheers,
> Henrik

