nfcpy

How to make a secure channel

Asked by doorlock

Hi,

I am new to developing nfc applications, and i would like to build a doorlock system which authenticates a user with a nfc tag.
I am using a pn532 breakout board and i wanted to know if it is possible to build a secure channel between a nfc tag and a corresponding reader with nfcpy? I just would like to prevent Man-In-The-Middle attacks...

Greets

Question information

Language:
English Edit question
Status:
Solved
For:
nfcpy Edit question
Assignee:
No assignee Edit question
Solved by:
Stephen Tiedemann
Solved:
Last query:
Last reply:
Revision history for this message
Best Stephen Tiedemann (stephen-tiedemann) said : 		#1

You'll need to use a tag that supports encryption and allows you to store your own key into it. That may require commercial agreement with the tag vendor and you would then use tag specific commands to authenticate. It is possible with nfcpy to build those commands but there is no specific support built in.

For a doorlock system you would usually just require to know a tag is genuine and unique. Lighter weight options for that may be the Sony FeliCa Lite-S tag mutual authentication (specs at http://www.sony.net/Products/felica/business/tech-support/#Lite05S) or NXP NTAG 213 originality signature.

Revision history for this message
doorlock (doorlock) said : 		#2

Thanks Stephen Tiedemann, that solved my question.

Revision history for this message
corzand (acorzani) said : 		#3

Hi Stephen,
i have another question about checking if an NTAG213 is genuine.
What is the right way to do it with a NXP NTAG213 on nfcpy?

Thanks!

Revision history for this message
Stephen Tiedemann (stephen-tiedemann) said : 		#4

As far as nfcpy is concerned, you can use the transceive function to send the READ_SIG command and get the 32 byte signature. The signature signs the Tag's UID which is a data member of the tag object. The code snippet at http://pastebin.com/nJNkgpMj shows how to get UID and Signature from a tag.

You'd then need to have an ECC public key from NXP and use for example OpenSSl to verify the signature (ECDSA algorithm, curve secp128r1). I do unfortunately not know how to get the public key from NXP, the spec sounds ike it should be available but I couldn't find it. Maybe it's necessary to ask NXP directly, if you get it and it's not rectricted, feel free to post.

/Stephen

Revision history for this message
corzand (acorzani) said : 		#5

Thank you Stephen,

if I will find out something about the public key, then i'll post it here

Revision history for this message
corzand (acorzani) said : 		#6

Hello Stephen, I have a new NXPNTAG212.
I tried this snippet, but when i try to transceive the command, i have this error logged:

Traceback (most recent call last):
  File "read-sig.py", line 15, in <module>
    sig = tag.transceive("\x3C\x00")
  File "/home/pi/nfcpy/nfc/tag/tt2.py", line 241, in transceive
    return self.clf.exchange(data, timeout)
  File "/home/pi/nfcpy/nfc/clf.py", line 553, in exchange
    rcvd_data = self.dev.exchange(send_data, timeout)
  File "/home/pi/nfcpy/nfc/dev/pn53x.py", line 580, in send_cmd_recv_rsp
    raise nfc.clf.TransmissionError(str(error))
nfc.clf.TransmissionError: [PN53x Error 0x7f] Invalid command syntax - received error frame

Looks like it's an invalid command, even if the NXP documentation tells me that it's the right one for READ_SIG
http://www.nxp.com/documents/data_sheet/NTAG210_212.pdf

What i'm missing?

Thank you again :)

Revision history for this message
corzand (acorzani) said : 		#7

I solved it using Tomasz solution:

https://answers.launchpad.net/nfcpy/+question/255995