This question is specifically about MIFARE Ultralight C/EV1, or MIFARE DESFire EV1, or even NTAG cards. I want to implement a system of tokens, so that each time a normal user reads one of those cards they'll get one available token; that token will "pop out" from the NFC card they're reading. In other words, every time that NFC chip is read, it will issue a different usable token from the card's storage. Is this possible to implement?
Is it possible to implement a token queue in NFC cards?
what kind of "tokens"? Your question is very vague, perhaps provide a concrete example with a step by step process of what you are trying to achieve with a specific code example. –
Ease
Is a monotonic counter value (which is available in many CL cards) usable as a 'token'? What requirements are there for the 'tokens' (non-predictable, unique for particular card, etc...). Should the authenticity of card (and it's token) be checked (i.e. does your system need to be protected from card cloning/emulation)? I have a feeling that you want to have those 'token emitting' cards placed somewhere and your users will come there with their readers (NFC phones) and collect those tokens (just like geocaching) -- is this the case? –
Shanty
Exactly @vlp, you guessed right. I haven't put much thought about the token generation, but the system should be safe from cloning and prediction. –
Entanglement
Are your users online when 'collecting' the token? If so your server could communicate with the card (user's NFC reader would relay the communication) to prove that user is in the vicinity of the card (server would have the card keys to authenticate card validity). You can then freely generate 'token' for the user on your server. –
Shanty
Yes @vlp, I thought of having user to read the card, get the token and verify it online to prove himself he is right at that place. I also thought of someone else who will have write access to fill the card with the new tokens generated from the server to be later verified with. –
Entanglement
Have a look at this article. There is used a technique to generate random numbers of a cards. –
Harwill
UPDATE 2020/06/07>
NTAG 424 supports "Secure Dynamic Messaging" which might be applicable for your use case. You can store any NDEF message with a "dynamic part" which is optionally encrypted and authenticated.
Citing section 9.3 of NTAG 424 datasheet:
The Secure Dynamic Messaging (SDM) allows for confidential and integrity protected data exchange, without requiring a preceding authentication. NT4H2421Tx supports SDM for reading from one of the StandardData files on the PICC. Secure Dynamic Messaging allows adding security to the data read, while still being able to access it with standard NDEF readers. The typical use case is an NDEF holding a URI and some metadata, where SDM allows this meta-data to be communicated confidentiality and integrity protected toward a backend server.
But please note that this solution is not resistant to some specific tail-replay scenarios, citing:
When using SDM, residual risks coming with the Secure Dynamic Messaging for Reading have to be taken into account. As SDM allows free reading of the secured message, i.e. without any up-front reader authentication, anybody can read out the message. This means that also a potential attacker is able to read out and store one or multiple messages, and play them at a later point in time to the verifier. If this residual risk is not acceptable for the system’s use case, the legacy mutual authentication (using challenge response protocol) and subsequent secure messaging should be applied. This would require using an own application and operating outside a standard NDEF read operation. Other risk mitigation may be applied for SDM to limit the residual risk, without completely removing it:
Track SDMReadCtr per tag at the verifying side. Reject SDMReadCtr values that have been seen before or that are played out-of-order. This is a minimum requirement any verifier should implement.
Limit the time window of an attacker by requiring tags to be presented regularly (e.g. at least once a day) in combination with the previous mitigation.
Read out the SDM-protected file more than once. This does not protect against attackers that have read out the valid tag also multiple times and play the received responses in the same sequence.
(Note that above-mentioned legacy mutual authentication protocol is what I described in the original answer below)
There is an interesting project implementing the backend server (with tag personalization instructions).
The original answer follows:
Common non-programmable smart cards usually provide one of (or some combination) of the following:
fuse bits -- a memory area where values of individual bits can change only in one way (either from zero to one or from one to zero, but never both of them)
monotonic counter -- an integer value stored on card which can change only in a single direction after the personalisation (either increase or decrease, but never both of them)
electronic purse -- an integer value which can be decreased by one entity and increased by another entity (both entities proving themselves by a distinct secret key)
None of those functions directly provide any unpredictable tokens (see note 1).
Another aspect is that your 'token collectors' would have to possess a key allowing card write access (to be able to modify counters/purse) -- which allows them to easily deplete all remaining fuse bits or counter/purse values (effectively resulting in a denial of service condition for other 'token collectors'). Access control can't be fine-grained to allow only single token collection (which is probably what you want).
With a programmable smart card you can (semi) easily implement any operation semantics you need -- have a look at Java Card (programmable smartcards are more expensive though).
Given your 'token collectors' are online while reading the card then probably the simplest way is to use the card only to prove that 'token collector' is in its proximity and generate the 'token' on the server.
To prove the proximity to the card the 'token collector' would use his/her NFC phone to relay mutual authentication commands between the server and card. He/she does not need to know any of card keys for that.
Any smartcard with mutual authentication (e.g. Ultralight-C or DESFire) is usable in this scenario (see notes 2 and 3).
Communication for DESFire would look similarly to this:
Good luck!
Note 1: Actually there are cards which can generate an unpredictable 'balance certificate' for their electronic purse, but I am not aware of any CL card supporting this.
Note 2: Cards with password based authentication are not suitable as 'token collectors' could easily intercept the password being sent to the card. MIFARE Classic is not suitable as well as encryption key needs to be loaded directly to the reader (relaying is not possible).
Note 3: Notice that by performing this relayed authentication you grant the 'token collector' all access rights bound to the respective key (although he/she does not know the value of the session key). Thus Ultralight-C is not a good choice as you would technically give him/her a complete access to the card. Similarly do not use DESFire card master key for relayed authentication -- create a new application with 2 application keys (with random values known only to you) and use the second key (not application master key) for relayed authentication. Remember to change the card master key as well.
Note 4: DESFire EV2 has protection for command relaying so you would have to test if it works in your scenario.
So, if I understood this correctly - I would need to allow write access to everyone to modify the counter, since there isn't any solution of simply loading tokens into NFC card manually and then reading them one-by-one as per transaction? I also have a concern for such requirements in your solution, as this technique won't work on iOS devices because of the limited access to the cards (where it's only allowed to read them, and only if they're in the NFC Forum format, as described here). –
Entanglement
@MikiSoft I am not aware of any such solution without programmable smart card. It all depends on you threat model. If your 'token collectors' are mostly honest (and no money is involved -- e.g. in a fun/hobby project) then the simplest way is to store NTAG with url to the card. This way you don't need any extra application for 'token collecting' -- the 'token collectors' will simply be redirected to a fixed url on your server where you can give them the 'token'. You can enhance this by asking them for some 'password' which might be printed/written on the card... or nearby (for a weak proof... –
Shanty
...of their presence at the correct place). From time to time you can change those passwords. For the few unhonest collectors -- they can do harm just be damaging or stealing the cards and there is probably nothing to do about it. If it is a serious project (game, loyalty program...) then you should consider using programmable smartcards. –
Shanty
A poor man's solution would be to use any writable token as a "scratch pad" -- i.e. your server would give the 'token collector' a key for a single (random) block of the card memory. He would read it and post it's contents (to be checked by the server for the expected value). Then server would send a new data to be written to this block. This way you give any single collector r/w access for a single block (or file), so unhonest collector will not be able to do much damage (he/she cannot change block he does not have keys for). Read values cannot be reused as they are different every time... –
Shanty
and known only to you and the previous collector....If block value given by the collector mismatches to the expected one then there are two cases -- the current collector is dishonest or the previous collector who was reading the same block was dishonest (he/she did not write the correct value). You can check for honesty of the current collector by asking him to read another random block. If he/she is able to read it then he/she is in the vicinity of the card and (probably) is honest. Single card can have several blocks (each with a different keys) so a single mischievous collector should... –
Shanty
...not be able to take this solution down with a logical attack. This scheme is much more complex to implement but might provide better performance given only r/w access. If iOS does not allow write access at all then there is no way other than programming some card (e.g. Java Card) to give a different NDEF tag (with a dynamic url) every time it is tapped. There are some NDEF implementations available (here, here -- I have no direct experience with any of them) and you would have to... –
Shanty
...extend them with the 'dynamic' functionality. By that you get 'application-less token collection' as dynamic urls get opened in the standard browser. I hope it does make some sense to you. If not (which is probable) please let me know...Good luck! –
Shanty
Thank you very much for the detailed answer! I have one last question though - how Android/iPhone devices can make contact with programmable smart cards (Java Cards) even if they give NDEF output, because their standard probably isn't supported by any phone manufacturer? I suppose they operate on the same radio frequencies as NFC and therefore can be made to work with the phones too on the way you proposed. –
Entanglement
@MikiSoft Java Card implementation should follow NFC Forum Type 4 tag specification so it should work (I have never tried), see this question. –
Shanty
© 2022 - 2024 — McMap. All rights reserved.