#StackBounty: #authentication #rfid #nfc NXP NTAG 21x/Desfire password protection and Original signature, protects against cloning?

Bounty: 50

I saw a few threads about NFC NTAG against cloning and NTAG Desfire. I just want to find out if NTAG 21x, with their “New” password protection and “Original Signature against cloning”, really does provide security against it (the cloning issue). As I read, if someone uses a card simulator, they can possibly clone the UID as well (the tag ID).

How would I detect it if a cloned card is read?

I am trying to determine if NTAG can provide good security against cloning. I am pretty sure it must be able to provide a pretty good level of security, as I read that it is the number 1 provider of NFC tech for public transport systems and has sold over 4.5 bil NTAG cards.

I am also trying to figure out the FeliCa security and see if it totally stops the cloning issue, as the other documentation talked about the dynamic change of the encryption key after each query/transaction. But does it mean the card can still be cloned and used? E.g. if the “real user” did not use his card for over 3 months and the cloned card was being used repeatedly, then could the account it is linked to, all the funds etc., be depleted?

I am not 100% sure how the Original Signature works, but I read that the new 21x family has password protection.

So I am thinking that in the worst case, if I can’t get the Original Signature to work or understand how it works, I would use the password protection feature and set a unique ID myself in the password-protected area. Each time a function is performed, the password for that specific UID will be updated, and each time both the card ID and the UID will have to match in order for the card to perform any function on the server. Not sure if it is good enough or would work or not.

P.S. Still in the research and structure design phase.

  1. How would I detect a cloned card with Original Signature on NTAG 21x family?
    Their documents mention an ECC-based originality signature (but I have no idea how to work with it): http://www.nxp.com/products/identification_and_security/smart_label_and_tag_ics/ntag/series/NTAG213_215_216.html

  2. Is the protected area on NTAG 21x safe? (Trying to only allow the area to be read when the password is correct)
    (I have heard the protected area could still be read with NXP Taginfo app) https://play.google.com/store/apps/details?id=com.nxp.taginfolite&hl=en

  3. Should I choose MIFARE DESFire EV2 instead of NTAG 21x? (Not sure if it is a lot more secure or not)

All I am trying to do is to design a structure to avoid cloning, not sure if NTAG 21x password-protected area would be strong enough. (Not sure if I am over-thinking)

I did further research on the documentation and a manufacturer that I should probably use Desfire.
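
The rolling-value idea described in the question, seen from the server's side, as an added example that is not part of the original post: the server keeps only hashes of the value stored in the tag's password-protected pages, rotates it on every transaction, and treats a value that was already consumed as a sign that two copies of the card exist. The class name, status strings, 16-byte value size and sample UID are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class RollingTokenServer:
    """Tracks one rolling value per card UID (illustrative, not a product API)."""

    def __init__(self):
        # uid -> {"current": hash of live value, "used": hashes already consumed}
        self._cards = {}

    @staticmethod
    def _h(value: bytes) -> bytes:
        return hashlib.sha256(value).digest()

    def enroll(self, uid: str) -> bytes:
        value = secrets.token_bytes(16)
        self._cards[uid] = {"current": self._h(value), "used": set()}
        return value  # the reader writes this into the protected pages

    def transact(self, uid: str, presented: bytes):
        """Return (status, next_value); status is ok, clone_suspected or rejected."""
        card = self._cards.get(uid)
        if card is None:
            return "rejected", None
        digest = self._h(presented)
        if hmac.compare_digest(digest, card["current"]):
            nxt = secrets.token_bytes(16)
            card["used"].add(card["current"])
            card["current"] = self._h(nxt)
            return "ok", nxt  # must be written back to the card before it leaves
        if digest in card["used"]:
            # A consumed value came back: a second copy of the card exists, or
            # the previous write-back to the genuine card failed.
            return "clone_suspected", None
        return "rejected", None


def demo():
    srv = RollingTokenServer()
    uid = "04A1B2C3D4E5F6"                  # constructed sample UID
    v0 = srv.enroll(uid)
    copied = v0                             # a copy made now holds the same value
    s1, v1 = srv.transact(uid, v0)          # first card to transact rotates it
    s2, _ = srv.transact(uid, copied)       # the other copy is now stale
    s3, _ = srv.transact(uid, v1)           # the rotated card keeps working
    return s1, s2, s3


if __name__ == "__main__":
    print(demo())
```

This detects a copy only once both cards have been presented, and the server cannot tell which of the two is the original, so what happens on `clone_suspected` (block the account, require re-issue) is a policy decision outside the sketch.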
