https://www.youtube.com/watch?v=YDe2o5Jo0Wg
This is my latest project. A NFC Door Lock Controller that works with many different ident-media. e.g: Yubikeys, Tesla Key Cards, Tesla Phone Key via NFC, DESFire EV - Series with AES Encryption, probably more can be implemented. What !!!expressly not!!! implemented is - a simple UUID-Check, so Mifare-classic cards will never be able to open a door with my unit for security reason.
What is working:
- Yubikey OATH on a single credential slot (w or w/o PIN-protection (hardcoded to a fixed PIN yet))
- Yubikey challenge-response with eighter slot1 or slot2 HMAC-Key
- every OATH credential is valid to a single yubikey only, so even you let your credential qr-code unattended and someone else scans this code, this will not work with a 2nd yubikey.
- DESFire EV-Series NFC cards / tokens with AES128 protected APP installed
- Blacklisting DESFire or Yubikeys via https-update
- Tesla Key Cards / Fobs / Phone-key via NFC (Android only) when whitelisted
- Whitelisting Tesla Cards via https-update
- Firmware update via https for both back- / frontend triggered via a “master-key”-token
Replay attacks are probably impossibe. DESFIRE and YUBIKEY works with NONCES. Every YUBIKEY in OATH-Mode has its own HMAC-Key. For Tesla-keys and cards every swipe will generate a random ECDH-Key-pair at the backend-unit and a random challenge for authentication. DESFIRE and Yubikeys can be blacklisted via https-update, every tesla card has to be whitelisted to work.
ToDo:
- change key generation code for DESFIRE-Cards so every DESFIRE card has its own AES-Key
- add a I2C Touch-Keypad at the Frontend for entering a numerical PIN for OATH-App unlocking
- maybe DESFIRE-Personalization via a master-token at the frontend
- some other working token (U2F) (dindn’t understood the protocol yet)
- suggestions???
Regards
Peppy.