How to prevent NFC tag cloning?

Problem description

I am making an app using NFC tags and I have to prevent the NFC tag from cloning. I have seen many other NFC tags which, when tried to be cloned, show a pop-up message "Cloning is restricted, tag is secured by secret key". I want the same security for my NFC tag.

Recommended answer

That depends on what type of tag you use and what level of protection against cloning you want.

  1. NFC tags (as defined by the NFC Forum) have no protection against cloning. Such tags are intended as containers for freely readable data (so called NDEF messages). Anyone could read an NDEF message from one tag and duplicate it to another tag.

  2. Many NFC tags also contain a unique identifier that is pre-programmed by the tag manufacturer and cannot be modified on normal tags. You could use this unique identifier to determine if a tag was issued by you (i.e. you know its id) or forged (i.e. you don't know its id). Instead of using a list of genuine ids, you could also create a digital signature over the tag's id and its data. That way, you could find out if data and signature are used on a tag with a different unique identifier. However, all data can still be extracted from your tag. Therefore, you should be aware of the fact that specialized hardware (e.g. Proxmark, etc.) and ready-made tags are available where an attacker can change the unique identifier to the value of your tag's id. So this is certainly not perfect cloning protection.

  3. You could use a contactless smartcard/tag that provides communication encryption and shared-key based access control (e.g. MIFARE DESFire). With this approach, you could store data that you do not want an attacker to be able to clone in a key-protected memory area. However, if you want to be able to read that data from within your app (i.e. without having an online backend that directly communicates with the card), you would need to store the key to access the memory area within your app. Consequently, in an offline scenario (i.e. key stored in app), an attacker might be able to extract that key and use it to clone the tag.

  4. You could use a tag/smartcard that contains a secret asymmetric key and provides a command to sign a cryptographic challenge with that key. In that case, in order to verify if the tag is genuine, you could request such a signature from the tag for a random challenge and verify the signature against the tag's corresponding public key. This would certainly be the most secure solution as you do not need to store any shared secret within your app. The only ready-made NFC tag solution (that I'm currently aware of) that provides such functionality seems to be Inside Secure's VaultIC. Though you could create one yourself based on the asymmetric crypto functionality of a contactless smartcard (e.g. a Java Card).

Note that for all of the above cloning-protection scenarios you would have to create an app that checks if a tag is genuine or cloned. By default NFC phones only use the information in (1) and therefore do not perform any such checks.
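
The following is an added example, not part of the original answer. It contrasts the two verifier-side checks the answer describes: an issuer signature over the tag's id and data, and a challenge-response against a per-tag asymmetric key. Assumptions: Ed25519 as the signature scheme, a hypothetical in-memory `Tag` model instead of real NFC I/O (the tag's signing command is simulated inside `VerifyLive`), and a verifier that already holds the issuer's and the tag's public keys from a trusted source.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Tag is a hypothetical in-memory model of a tag; all values are constructed.
type Tag struct {
	UID, Data, Sig []byte             // readable memory; Sig is the issuer's signature
	priv           ed25519.PrivateKey // secret held only inside a genuine chip
}

// bound returns len(UID)||UID||Data, the message the issuer signs.
func bound(t *Tag) []byte {
	return append(append([]byte{byte(len(t.UID))}, t.UID...), t.Data...)
}

// VerifyStatic checks the issuer signature that ties the data to this UID.
func VerifyStatic(issuerPub ed25519.PublicKey, t *Tag) bool {
	return ed25519.Verify(issuerPub, bound(t), t.Sig)
}

// VerifyLive makes the tag sign a fresh random challenge with its own key.
func VerifyLive(tagPub ed25519.PublicKey, t *Tag) bool {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil || t.priv == nil {
		return false // no randomness, or a copy that lacks the private key
	}
	return ed25519.Verify(tagPub, c, ed25519.Sign(t.priv, c))
}

// Demo returns {static, live} results for a genuine tag and two copies.
func Demo() map[string][2]bool {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	tagPub, tagPriv, _ := ed25519.GenerateKey(rand.Reader)
	g := &Tag{UID: []byte{4, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6}, Data: []byte("ticket=42"), priv: tagPriv}
	g.Sig = ed25519.Sign(issuerPriv, bound(g))
	out := map[string][2]bool{}
	for name, t := range map[string]*Tag{
		"genuine":         g,
		"copy, other UID": {UID: []byte{4, 1, 2, 3, 4, 5, 6}, Data: g.Data, Sig: g.Sig},
		"copy, same UID":  {UID: g.UID, Data: g.Data, Sig: g.Sig},
	} {
		out[name] = [2]bool{VerifyStatic(issuerPub, t), VerifyLive(tagPub, t)}
	}
	return out
}
func main() { fmt.Println(Demo()) }
```

The copy that presents the same UID still passes the static signature check, which is the limitation the answer points out; only the challenge-response check rejects it.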
