Setting up password protected volumes on flexDF/xDF2


#1

So for as long as I’ve had my flexDF, I have wanted to set up some way to store password-protected text NDEF records, but I have not found a way to do so. I see on DSruptive’s website that the SIID is able to store password protected NDEF volumes (at least that’s what is claimed.). With the DESFire ev1/ev2, it is set up to use a filesystem layout, so I feel like this should be theoretically possible, I am just not so sure how to approach it with the datasheets for the chip beings so hard to access.

Does anyone have any experience with how DSruptive handles this action, or if they even do? Does anyone know if accomplishing something like this is truly feasible?


#2

I store store some protected info using my PGP key (Hosted with Keybase.io) and attach the encrypted text to an NDEF record as text


#3

Yeah, I have done the same in the past, the only thing is I wanted to find a way to store this information where the decryption/encryption of text occured on device. One of the main benifits of havng it this way is that you are able to read whatever sensitive data you have stored on any device by only knowing the password. HOnestly, I didn’t think that his was feasible, but then I saw DSruptive’s claim, so I wanted to see if anyone knew how they were acheiving such a result.


#4

I’m pretty sure what you’re describing is what the VivoKey does. It’s a Java Card that runs encryption and decryption operations locally on the device, so you never have to give out your private keys to a potentially unsecure device like your smartphone.


#5

Yeah, the Flex One is the only product that can do this. The xNT (ntag216) and SIID work the same way. A password can be set on them that, in combination with an auth setting and prot setting, can require authentication before the ndef memory can be read… but this password is not encryption… it’s passed in the clear by the reader to the tag and data sent from tag to reader is also in the clear. Worst of all, the way it works would mean an emulator sending the tag uid to the reader would prompt the reader to send the password to the spoofer!

The DESFire chips have advanced abilities that can set up an encrypted session between reader and chip, but the data itself is not encrypted unless you do that at the app level.


#6

Thanks for the response, how would one set up an interface like that on the flexNT/xNT? I know it’s not the most secure, but it is better than no password at all for the time being.


#7

The DESFire chips are quite advanced and there aren’t any good apps out there that utilize their features. We could work on updating Dangerous NFC but this has been a back burner project for quite some time… and dealing with all the features in an intelligent way will take some serious thought and effort. We’re just focused on VivoKey right now… so there’s not much bandwidth left to address this.