
Re: [LUG] Slides and other resources from talk on NFC related security enhancements focussed on Linux


Thanks for your comments.

Both are valid concerns and are possible vulnerabilities for the system. The fact that the ring is worn on the extremities (rather than kept inside a pocket for example) and is readable wirelessly means it could be read and potentially stolen. However, the NFC Ring has been developed with some of these considerations in mind:

https://www.youtube.com/watch?v=2uQlRYCUNLk
http://store.nfcring.com/pages/developers

Also some interesting challenges on the design (nothing scientific that I'm aware of):

https://developer.rackspace.com/blog/steal-my-nfc-ring-data-at-defcon-for-100-dollars-of-free-hosting-with-rackspace/

For my purposes the reader itself and host computer aren't publicly accessible and so swapping in a fake listener would be more difficult than in other scenarios. By using other security systems to protect the physical access to the reader some of the risk can be mitigated (alarm systems securing the premises, etc).

On 25/04/15 21:41, Martijn Grooten wrote:
> On Fri, Apr 24, 2015 at 05:09:37PM +0100, Ben Whorwood wrote:
>> There are 256 bit AES encryption keys stored on the EEPROM (external memory
>> chip attached to the Arduino) which are encrypted using the 256 bit AES key
>> stored on the ring (only 144 bytes available on the ring, so 4 possible keys
>> planned for different operations (logging in, mounting encrypted system 1,
>> system 2, etc.)).
>>
>> I essentially paired the ring to the EEPROM so that if the ring is lost or
>> cloned you also need physical access to the Arduino to gain system entry.
>>
>> So the ring AES key decrypts the EEPROM AES key which is then sent over the
>> serial connection to the host PC.
>
> I know next to nothing about NFS, but couldn't someone steal the AES key
> by either listening on it being sent from the ring to the Arduino or,
> more likely, by having a fake listener pretending to be the Arduino?
>
> Anyway, looks like it was a cool talk judging from the slides. Looking
> forward to reading the blog!
>
> Martijn.



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
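The ring-to-EEPROM pairing Ben describes, and the serial-line exposure Martijn asks about, as an added example written for this page (not Ben's Arduino or host code, and not the NFC Ring project's). Assumptions not in the thread: the ring's 144 bytes are laid out as four 32-byte key slots; the EEPROM record is the host key encrypted under the ring key with AES-256-GCM (the post names AES-256 but no mode); all keys are constructed deterministically from labels so the run is repeatable; the serial link is modelled as an io.Writer with a second writer standing in for a passive tap. The run shows that a foreign ring against the real EEPROM fails the GCM tag check, that a cloned ring with no EEPROM has nothing to unwrap, and that the unwrapped host key still crosses the serial line in clear, which is exactly what a tap or a fake listener would collect.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed layout of the ring's 144 bytes of user memory: four 32-byte (256-bit) key slots, 16 bytes spare.
const (
	RingBytes = 144
	KeyBytes  = 32
	RingSlots = 4
)

// RingKey returns the 256-bit key held in one slot of the ring image.
func RingKey(ring []byte, slot int) ([]byte, error) {
	if len(ring) != RingBytes {
		return nil, fmt.Errorf("ring image is %d bytes, want %d", len(ring), RingBytes)
	}
	if slot < 0 || slot >= RingSlots {
		return nil, fmt.Errorf("slot %d out of range", slot)
	}
	off := slot * KeyBytes
	return ring[off : off+KeyBytes], nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Wrap builds the EEPROM record: nonce || AES-256-GCM(ringKey, hostKey). GCM is an assumption.
func Wrap(ringKey, hostKey []byte) ([]byte, error) {
	g, err := gcmFor(ringKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, hostKey, nil), nil
}

// Unwrap is the Arduino's step: recover the host key from the EEPROM record with the key read off the ring.
// The wrong ring fails the tag check; the right ring with no record has nothing to open.
func Unwrap(ringKey, record []byte) ([]byte, error) {
	g, err := gcmFor(ringKey)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(record) < n+g.Overhead() {
		return nil, errors.New("EEPROM record too short")
	}
	return g.Open(nil, record[:n], record[n:], nil)
}

// SendToHost models the serial link to the PC; tap is a passive listener on the same wire.
func SendToHost(hostKey []byte, serial, tap io.Writer) error {
	_, err := io.MultiWriter(serial, tap).Write(hostKey)
	return err
}

// Result of one run of the scenario.
type Result struct {
	HostKey  []byte // the constructed secret the EEPROM protects
	PCGot    []byte // what the host PC read from the serial port
	TapGot   []byte // what the passive tap read from the same line
	WrongErr error  // a different ring against the real EEPROM record
	CloneErr error  // a cloned ring with no EEPROM record at all
}

// RunScenario builds the ring image and EEPROM record from constructed keys and plays out the exchange.
func RunScenario() (Result, error) {
	var res Result
	ring := make([]byte, RingBytes)
	for s := 0; s < RingSlots; s++ {
		k := sha256.Sum256([]byte(fmt.Sprintf("constructed ring key, slot %d", s)))
		copy(ring[s*KeyBytes:], k[:])
	}
	hk := sha256.Sum256([]byte("constructed host key protected by the EEPROM"))
	res.HostKey = hk[:]

	k0, err := RingKey(ring, 0) // slot 0: the "logging in" key
	if err != nil {
		return res, err
	}
	record, err := Wrap(k0, res.HostKey)
	if err != nil {
		return res, err
	}
	// Legitimate path: ring present, Arduino holds the record, key goes down the serial line in clear.
	got, err := Unwrap(k0, record)
	if err != nil {
		return res, err
	}
	var pc, tap bytes.Buffer
	if err := SendToHost(got, &pc, &tap); err != nil {
		return res, err
	}
	res.PCGot, res.TapGot = pc.Bytes(), tap.Bytes()

	other := sha256.Sum256([]byte("constructed attacker ring key"))
	_, res.WrongErr = Unwrap(other[:], record) // foreign ring + real EEPROM
	_, res.CloneErr = Unwrap(k0, nil)          // cloned ring, no EEPROM
	return res, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("PC received the host key: %v\n", bytes.Equal(r.PCGot, r.HostKey))
	fmt.Printf("serial tap also has it:   %v\n", bytes.Equal(r.TapGot, r.HostKey))
	fmt.Printf("wrong ring + real EEPROM: %v\n", r.WrongErr)
	fmt.Printf("cloned ring, no EEPROM:   %v\n", r.CloneErr)
}
```

The pairing holds up against a lost or cloned ring on its own, but the last two printed lines are the point of Martijn's question: whatever reaches the PC over serial is also available to anything else on that line, so the physical controls Ben mentions (reader and host not publicly accessible, premises alarmed) are what stand between the tap and the key, not the cryptography.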