Access protection for NFC Tags

Question

I am extremely new to NFC as a technology and have a very basic question. I am investigating the use of NFC tags in the field of authentication. At a broader level imagine a PKI architecture. A private key resides on the NFC tag, and an app can access it for authentication/signing/validation etc.

I understand that smart cards are the de-facto standards for such things, but the cost of NFC tags is far far less. My question is what level of protection is offered by NFC tags for such a scenario or is NFC tag a good choice for such a design?

Can I somehow ensure that a tag is readable by only a certain device? As in, can another user just use his phone/NFC reader to read the key on the tag? What methods are available to protect/restrict access to the data residing on the NFC tag?

Answer 1

There is nothing inherent in an NFC tag that restricts access to read the data to one device. For the most part everyone can read, and everyone can write if the tag has not been made read-only. Some of the newer NTAG series of chips have password features allowing only software with the password to write the tag.

All NFC tags come with a unique manufacturer supplied id that is often uses in security implementations. It is very difficult, but not impossible to clone that ID. It is very easy to close the data on an NFC tag. There are a new set of "secure" tags being developed, but these often have a server-side component. One thing to note, is that while the data on the tag can be read by anyone, that says nothing about what value they actually get.

Many people encrypt the data and store the encrypted value on the NFC tag. The decryption key is then known by the software and can then read and interpret the tag's data. This requires custom software as its not a part of the current NDEF spec. This is really the same as SSL, where someone can sniff the network traffic but not know what the actual data is. In general we advise customers to make the NFC tags as "dumb" as possible and leverage NDEF for the broadest compatibility without custom software.

DISCLAIMER: I am the CEO of GoToTags, an NFC software and tag solutions provider.

Answer 2

NFC tags are basically a data store. They may provide restrictions for accessing data, but they remain a data store. If you implement a PKI with a NFC tag, you only store keys on the tag, no computation is done on tag.

On the other hand, PKI smart cards store the keys, but they also provide the computing resources for calculations done with the keys. Moreover, they are designed in a way keys never leave the card (on demand or by side-channel attacks). This way, you may expect key not to leak.

Because they offer different services, NFC and PKI card interfaces complexities are not the same at all.

Note some PKI smart cards do offer a contactless interface. This is not NFC tag interface, but rather PKCS#15 over ISO14443-4.