search

PeculiarVentures / fortify-examples

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is a set of examples of how to use Fortify in your own applications.
MIT License
8 stars 5 forks source link

Reading NFC/MIFARE card UID? #3

Open ezrasu opened 5 years ago

ezrasu commented 5 years ago

Can I use ws.cardReader.on("insert", xxx) to get UID of NFC card from smart card reader?

rmhrisk commented 5 years ago

@ezrasu I am not sure. I also I do not have a MIFARE card to test with.

cardReader.on("insert") is based on PC/SC insert events.

I believe your MIFARE card would still trigger that, the question becomes then could you get the UID of the card?

I guess the question then becomes is that the UID stored as the ATR of the card? if so, then yes.

If not, then I assume a specific APDU sequence must be sent to get the ATR back from the card. If that's the case then currently the answer is no.

I could imagine us having a list of cards we know to be NFC cards, we would specify this in the cards.json file. Then we could expose that information for known cards.

The question we would have then would be what is the scenario this enables? in general, we have avoided providing direct access to cards for security reasons.

What is the user story here?

ezrasu commented 5 years ago

We currently use mifare card as our ID in university and we use web app to do punch in or event check in etc. We have been using IE with ActiveX to read the UID of card for many years, now we are searching alternative way to read mifare card cross browser. This is why I came across this great project.

BTW, UID is not in ATR :( And yes I do get insert/remove event. {"message":"Provider:Token:Insert reader:'ACS ACR122 0' name:'SCard Windows API' atr:3b8f8001804f0ca000000306030001000000006a","level":"info"} {"message":"Provider:Token:Insert Looking for ACS ACR122 0 into 1 slot(s)","level":"info"} {"message":"Provider:Token:Remove reader:'ACS ACR122 0' name:'SCard Windows API' atr:3b8f8001804f0ca000000306030001000000006a","level":"info"}

Thanks for your kind reply.

rmhrisk commented 5 years ago

I see. So the UID is a per user value on a standard MiFare card.

http://database.mysmartlogon.com/SmartCardDetail.php?Id=270

I am not super familiar with MiFare, @iangcarroll can you explain how the UID value is retrieved?

rmhrisk commented 5 years ago

I chatted briefly with @iangcarroll. It seems you can not tell from the ATR what kind of MIFARE card you're dealing with and your UID value is likely card specific.

I explicitly did not want to allow web applications to blindly interact with cards, that's a recipe for disaster; right now we only allow creation and use of keys, and we require the user to approve them with a password.

My guess is for your use case we would need to allow any an origin to get any UID value without the user providing an indication they approve.

This would also likely involve sending a deployment-specific APDU.

I don't like the idea of this for a few reasons:

  1. How many of these cards are out there? Probably not many.
  2. Does enabling this for all users despite the number of users cause harm for the rest?
  3. If you allow this once there will be an expectation that you will do it for others.

The only way we would consider enabling this at all is if:

  1. It was off by default,
  2. Turning it on required a manual, administrative action,
  3. The mechanism used to implement it involved a per-site APDU whitelist.

We wouldn't want to do this work ourselves given the limited use. I do think something along those lines may be acceptable. If someone would like to do the work we would be open to having the conversation.