3DES authentication timeout

  4. March 2016 at 14:20
    Hello,
    I'm currently working on an Android app that handles the MIFARE Ultralight 3DES authentication.
    My problem is that I make a request to a server to generate the RndA+RndB' challenge, and it seems that the request is too slow (the authentication works if the request takes under 50 milliseconds).
    When I send the next APDU to continue the authentication I get:
    android.nfc.TagLostException: Tag was lost.
    I don't use the NXP NFC lite library; I'm sending the APDUs myself.
    Is there a way to increase the timeout between the two requests?
    Thanks in advance,
    Christophe

    Re: 3DES authentication timeout

    8. March 2016 at 13:26
    Hi Christophe,

    There is nothing wrong with using plain APDU commands to communicate with the Ultralight. Unfortunately the 3DES authentication cannot be split into parts.

    You should think about implementing the authentication response in the reader terminal. It also makes sense especially in view of security: with your approach you transfer sensitive information over the net.

    The 3DES mutual authentication procedure is not very difficult to implement in the reader software. There is also the option of using the SAM AV2 in your reader station for highest security. Here the SAM contains all keys and performs the authentication calculation.

    Regards,
    The MIFARE Team

    Re: 3DES authentication timeout

    8. March 2016 at 14:18
    Hello,
    Thanks for your answer,
    I already thought about implementing the authentication process in the reader, but my problem is that I need the key in the client app in order to build the response.
    Our application has to work on any Android phone, so it is not possible (or secure), because I would have to transfer the password in a request from the server.
    It is also not possible to store the passwords on the device, as the application should work on any NFC-compatible phone.
    I suppose the MIFARE authentication won't fit the requirements of our application.

    Do you have another tag that could fit our requirements?
    We need to be able to authenticate a tag with an Android app, by exchanging challenges with a remote server.

    Regards,
    Christophe

    Re: 3DES authentication timeout

    8. March 2016 at 16:11
    Hi Christophe,

    If you have to do the authentication calculation outside of your device you always have to deal with (possibly) long replies and “service not available” conditions because of connection problems.

    In your case I would prefer a solution using time-limited credentials which you can load once onto your mobile device and which are valid only for one day. I can also imagine working with diversified keys which depend, for instance, on the UID of the card or tag. Then you can read the UID of the tag and ask the server instance for the unique key for this tag. When you get the key you can start the authentication locally. The diversified key is generated from a master key together with a constant which is unique to the card. This is the UID, and the generated diversified key is unique for the tag with the given UID.

    Regards,
    The MIFARE Team

    Re: 3DES authentication timeout

    9. March 2016 at 15:25
    Hello,
    Thanks again for your answer.
    I'm still searching for a solution to this timeout problem in the Android documentation and found this:
    http://developer.android.com/reference/android/nfc/NfcAdapter.html#EXTRA_READER_PRESENCE_CHECK_DELAY
    Could it be possible to avoid this timeout problem by using reader mode?

    Regards,
    Christophe

    Re: 3DES authentication timeout

    10. March 2016 at 9:33
    Hi Christophe,

    The parameter EXTRA_READER_PRESENCE_CHECK_DELAY can be set to give your app a delay to react to the presence of an NFC intent. This will not help with your issue! You want to break down the authentication procedure into several “slow motion parts”, giving the server time to calculate every single step for you. From my point of view you will not fulfil the authentication satisfactorily, because you cannot guarantee that the server responses will always be available in time.

    Indeed, saving all passwords on the phone is not a useful approach! For security reasons, you cannot split or break the authentication. But you can use smarter approaches. However, this depends on your key architecture. Very often the UID of the tag is used for calculation of the device credentials. You can read the UID beforehand, ask the server for the device credentials and perform the authentication afterwards locally.

    The MIFARE Team
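The approach recommended in the two replies above, fetching a UID-diversified key first and then running the whole three-pass 3DES authentication locally, simulated end to end as an added example (not code from this thread, from NXP or from the reader library). Both tag and reader sides run in one process so the timing point is visible: nothing waits on a network between the tag's challenge and the reply. The CBC chaining (IV = 0 for the tag's first block, then the previous ciphertext block) is taken from the public description of the Ultralight C scheme and is an assumption here; the key-diversification construction, the demo master key and the UID are constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
)

// cbc runs 2K3DES-CBC over in with the given IV (16-byte key K1||K2 expanded to crypto/des's K1||K2||K1).
func cbc(k16, iv, in []byte, enc bool) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...)) // 24-byte key never errors
	mode, out := cipher.NewCBCDecrypter(blk, iv), make([]byte, len(in))
	if enc {
		mode = cipher.NewCBCEncrypter(blk, iv)
	}
	mode.CryptBlocks(out, in)
	return out
}
// rotl1 rotates an 8-byte random one byte left (RndB -> RndB'); rnd8 draws 8 fresh random bytes.
func rotl1(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }
func rnd8() []byte          { b := make([]byte, 8); rand.Read(b); return b }
// DiversifyKey derives a per-tag key from master key and UID (constructed illustration, not NXP's algorithm).
func DiversifyKey(master, uid []byte) []byte {
	block := make([]byte, 16)
	copy(block, uid)
	return cbc(master, make([]byte, 8), block, true)
}
type Tag struct{ key, rndB, ekB []byte } // simulated card side: its key and the current challenge
// Challenge answers the AUTHENTICATE command with ek(RndB), IV = 0.
func (t *Tag) Challenge() []byte {
	t.rndB = rnd8()
	t.ekB = cbc(t.key, make([]byte, 8), t.rndB, true)
	return t.ekB
}
// Respond checks ek(RndA||RndB') and returns ek(RndA'), or nil if RndB' does not match.
func (t *Tag) Respond(ct []byte) []byte {
	if pt := cbc(t.key, t.ekB, ct, false); string(pt[8:]) == string(rotl1(t.rndB)) {
		return cbc(t.key, ct[8:], rotl1(pt[:8]), true)
	}
	return nil
}
// ReaderAuth runs the reader side with key k; all three passes stay local, no network round trip in between.
func ReaderAuth(k []byte, t *Tag) bool {
	ekB := t.Challenge()
	rndB := cbc(k, make([]byte, 8), ekB, false)
	rndA := rnd8()
	ct := cbc(k, ekB, append(append([]byte{}, rndA...), rotl1(rndB)...), true)
	resp := t.Respond(ct)
	return resp != nil && string(cbc(k, ct[8:], resp, false)) == string(rotl1(rndA))
}
```

On a real phone the server round trip happens once, before ReaderAuth, to obtain the diversified key for the UID just read; the tag only ever sees the back-to-back APDUs of the three passes.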