×

Discussion Board

Results 1 to 11 of 11

Thread: security issue

  1. #1
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    security issue

    Hello,

    I have made application which read and writes NDEF message. But i could not find any way i can make my application secure. Like if i write one NDEF message to the card then is there any mechanism that other reader cannot read that card.

  2. #2
    Regular Contributor
    Join Date
    Jul 2007
    Posts
    50

    Re: security issue

    NDEF has no security feature that I know of.

    The following is what I gathered from reading the documentation and the forums. The answer below might not give the optimal solution and there might be other solutions that I'm not aware of, but these work.

    If you want a secure tag you have two ways:
    1. Manually encrypt the content of the tag. This will prevent a user without the key from reading the tag's content, but it won't prevent him from rewriting the tag.
    2. Use a secure tag such as Mifare Classic (actually not so secure since it has been broken) or a smartcard if security is critical.

    If you use Mifare Classic, you'll have once again two ways:
    1. Go purely with Mifare Classic. You create an Application, write the data in the data blocks and configure the trailer block properly.
    2. Write the data in NDEF and then protect it by configuring the trailer block. When you write NDEF data on a Mifare card, it turns the Mifare card in a NDEF tag : it writes the NDEF data somewhere on the card with a known key (I don't remember what it is, but it should be fairly easy to find) for both reading and writing. You'll then have to search the sectors to find the one with data and configure its trailer block.

    The second solution has the advantage of having a NDEF-formatted tag that can be read by any NDEF reader which can be useful if you want your tag's content to be readable by any reader but want to prevent rewriting. The drawback is that it restrict to one application per tag (since the whole tag is considered as a single NDEF tag).

    The 6212 SDK documentation (and examples) and the Mifare classic documentation (linked in the SDK) has all the information you'll need to write on Mifare cards and configure the trailer block properly but let me know if you have any issue.

  3. #3
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    Re: security issue

    Quote Originally Posted by Pybel View Post
    NDEF has no security feature that I know of.

    The following is what I gathered from reading the documentation and the forums. The answer below might not give the optimal solution and there might be other solutions that I'm not aware of, but these work.

    If you want a secure tag you have two ways:
    1. Manually encrypt the content of the tag. This will prevent a user without the key from reading the tag's content, but it won't prevent him from rewriting the tag.
    2. Use a secure tag such as Mifare Classic (actually not so secure since it has been broken) or a smartcard if security is critical.

    If you use Mifare Classic, you'll have once again two ways:
    1. Go purely with Mifare Classic. You create an Application, write the data in the data blocks and configure the trailer block properly.
    2. Write the data in NDEF and then protect it by configuring the trailer block. When you write NDEF data on a Mifare card, it turns the Mifare card in a NDEF tag : it writes the NDEF data somewhere on the card with a known key (I don't remember what it is, but it should be fairly easy to find) for both reading and writing. You'll then have to search the sectors to find the one with data and configure its trailer block.

    The second solution has the advantage of having a NDEF-formatted tag that can be read by any NDEF reader which can be useful if you want your tag's content to be readable by any reader but want to prevent rewriting. The drawback is that it restrict to one application per tag (since the whole tag is considered as a single NDEF tag).

    The 6212 SDK documentation (and examples) and the Mifare classic documentation (linked in the SDK) has all the information you'll need to write on Mifare cards and configure the trailer block properly but let me know if you have any issue.
    Dear pyble

    Thanks for your reply. But i want that no other reader should be able to read the data of my Mifair card. Is it possible ? I do not want that any other application or reader can read the data of the card which my application has written. Is it possible if yes how ?

  4. #4
    Regular Contributor
    Join Date
    Jul 2007
    Posts
    50

    Re: security issue

    Yes it's possible with solution "2.1": use Mifare classic without NDEF.
    There's a good example in the 6212 SDK (MFStandardExample). Just make sure to read the SDK documentation about Mifare classic architecture and security.

    Basically the idea is that your Mifare card is made of different sectors (16 on 1K tags, 40 on 4K). These sectors have 4 blocks (the last 8 of a 4K tag have 16). The first 3 blocks are data blocks where you can write whatever you want. The last block is the trailer block. It holds the A Key, 3 access bits for each sector and the B Key. The access bits can be changed to tell which key is used for reading and writing each block.

    So what you'll need to do is write the data in your tag then change the trailer block to allow data reading only with the reading Key (and make sure that the Key writing/reading and access bits writing are protected too: you don't want the user to be able to read or replace the key he needs to read the data or to grant himself access to the data). Just be careful not to lock your tag when editing the trailer block!

    You'll find all the details you need (especially the way you need to configure the access bits) in the 6212 SDK and The Mifare Specifications

  5. #5
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    Re: security issue

    Quote Originally Posted by Pybel View Post
    Yes it's possible with solution "2.1": use Mifare classic without NDEF.
    There's a good example in the 6212 SDK (MFStandardExample). Just make sure to read the SDK documentation about Mifare classic architecture and security.

    Basically the idea is that your Mifare card is made of different sectors (16 on 1K tags, 40 on 4K). These sectors have 4 blocks (the last 8 of a 4K tag have 16). The first 3 blocks are data blocks where you can write whatever you want. The last block is the trailer block. It holds the A Key, 3 access bits for each sector and the B Key. The access bits can be changed to tell which key is used for reading and writing each block.

    So what you'll need to do is write the data in your tag then change the trailer block to allow data reading only with the reading Key (and make sure that the Key writing/reading and access bits writing are protected too: you don't want the user to be able to read or replace the key he needs to read the data or to grant himself access to the data). Just be careful not to lock your tag when editing the trailer block!

    You'll find all the details you need (especially the way you need to configure the access bits) in the 6212 SDK and The Mifare Specifications
    Thanks for your support. But we will use purely sector and track vise operation by 2.1 way. So will there be any dis advantage of not using NFC and NDEFMessage.

  6. #6
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    Re: security issue

    Another thing which i want to ask you is it possible that some one duplicate the card or make clone of the card even if we use method 2.1

  7. #7
    Regular Contributor
    Join Date
    Jul 2007
    Posts
    50

    Re: security issue

    Theoretically, the Mifare Classic security should prevent reading the data you protected so it should prevent cloning the card. But since Mifare Classic security has been broken, there are known tools and ways to read the data or duplicate the card. A "normal" user won't be able to do it with his NFC phone, but someone with a little knowledge and hardware could do it. (Video example)

    So if you expect people to try to crack your security, don't use Mifare Classic cards.

  8. #8
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    Re: security issue

    Quote Originally Posted by Pybel View Post
    Theoretically, the Mifare Classic security should prevent reading the data you protected so it should prevent cloning the card. But since Mifare Classic security has been broken, there are known tools and ways to read the data or duplicate the card. A "normal" user won't be able to do it with his NFC phone, but someone with a little knowledge and hardware could do it. (Video example)

    So if you expect people to try to crack your security, don't use Mifare Classic cards.
    Thanks pybel for your reply. So is there any other approach we can reduce cloning or duplication of card.

  9. #9
    Regular Contributor
    Join Date
    Jul 2007
    Posts
    50

    Re: security issue

    Because of this vulnerability, Mifare Classic tag can always be duplicated (with the right hardware and software) no matter what you write on the card. Once again, this requires specific hardware and software so if you don't expect people to try hard to crack your tags, it doesn't really matter. It's as if you used a insecure lock on a door: a burglar would be able to pick it easily, but it'd still prevent most people from entering.

    The only solution would be to use another type of secure tag such as Mifare Ultralight C, but there are no JSR-257 extensions in the Nokia SDK to deal with them as easily as with the Mifare Classic tags so you'll probably have to get hold of Mifare Ultralight C specifications and implement your own Connection by extending TagConnection and handling all the data exchange with the tag.

    Another way, if security is critical and you don't mind a little bump in the costs, you could use NFC smartcards which are supposed to be far more secure.

  10. #10
    Nokia Developer Champion
    Join Date
    Sep 2007
    Posts
    915

    Re: security issue

    Quote Originally Posted by Pybel View Post
    Because of this vulnerability, Mifare Classic tag can always be duplicated (with the right hardware and software) no matter what you write on the card. Once again, this requires specific hardware and software so if you don't expect people to try hard to crack your tags, it doesn't really matter. It's as if you used a insecure lock on a door: a burglar would be able to pick it easily, but it'd still prevent most people from entering.

    The only solution would be to use another type of secure tag such as Mifare Ultralight C, but there are no JSR-257 extensions in the Nokia SDK to deal with them as easily as with the Mifare Classic tags so you'll probably have to get hold of Mifare Ultralight C specifications and implement your own Connection by extending TagConnection and handling all the data exchange with the tag.

    Another way, if security is critical and you don't mind a little bump in the costs, you could use NFC smartcards which are supposed to be far more secure.
    Thanks pybel for your continuous support. Did you read the comment by mankinPT in that video of youtube. As he commented there as below.

    the signnature created is never the same on two transaction with the use of CDA, it uses unique number, amount etc. on the signure. the use of a static signature is rare, and can only be done so often by a card.


    and

    I work with contacless cards, and the only weak link here is the program implemented in the card, not the card itself. The use of CDA protocol makes this impossible to replicate, unless you discover the private key, but good luck with that (this with an asymetric key protocol).


    so do you think that if we implement the way he described then we can make it secure ? Another thing which i want to tell is that can we user JSR 256 and JSR 257 if we use SMART Card

  11. #11
    Regular Contributor
    Join Date
    Jul 2007
    Posts
    50

    Re: security issue

    I don't know, but you can also take a look at Wikipedia and it looks like there are some big security issues that allow people to duplicate tags and I'm not sure if there's anything you can do to prevent their use.

    You can use JSR-257 with smartcard, it's explained in the SDK, but the problem is that you'll need to develop a javacard applet as well. I haven't tried it (I just tested with the emulator) but it looks like it's a little more complicated than just writing on a tag. You might also try using Mifare DESFire smartcards, which have a specific support in Nokia's SDK, but I haven't tried them and can't tell you how to use them.

    You could also try Mifare Plus tags (which are supposed to replace Mifare Classic with a more secure version) but I'm not sure if they are supported by Nokia's NFC phones.

Similar Threads

  1. OVI Publishing Issue - POINT OF CONTACT
    By Vignesh.M in forum [Closed] Publishing to Nokia Store
    Replies: 4
    Last Post: 2009-08-18, 14:35
  2. issue with at+cusd over bluetooth link
    By hbanks in forum General Messaging
    Replies: 2
    Last Post: 2007-09-25, 21:21
  3. RTSP video streaming issue on 6280
    By olivier_irac in forum General Development Questions
    Replies: 0
    Last Post: 2006-12-04, 15:11
  4. Installation security error on Symbian OS
    By dusanbaranec in forum Mobile Java General
    Replies: 2
    Last Post: 2006-04-03, 18:37
  5. FingerPrint Scanning Security System for Cellphones
    By riez_n in forum General Development Questions
    Replies: 1
    Last Post: 2004-01-13, 11:43

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •