问题
I am trying to implement an authorization system based on general NFC tags. One of the concerns I want to address is tag cloning. I have read some literature ensuring tag authenticity by using a read-only tag ID written on the tags during manufacture. This ID is signed by the owner and written on the tag. This way, a cloned tag (which will have a different, tag-manufacturer assigned ID) can be detected by comparing tag IDs with the cloned signature.
My question is, is it safe to assume that all (or most) NFC tags will have such a coded-in, read-only ID which I may use for cloning detection?
回答1:
Narrow your problem down first pick a tag type and manufacturer that is suitably secure for your needs.
A UID is a general property of most tags BUT different tags have different specifications. Some tags have a small UID size and thus UID re-use is likely. Different tags have different length UID's. Some are supposed to be set at the factory but clones allow them to be set later. Some specification state the tag UID is always writeable.
Also using Host Card Emulation, it possible to write program to brute force any security based on UID alone (time taken could vary depending on UID length used)
Various tags offer password protection and encryption of the data on the tag (older tag types can have weak encryption/password protection though).
Most of the of the password protection is done with a special area where a password can be written to by a Reader/Writer but can only be read by the tag itself.
If you do use the password protection features of some tags make sure you don't the same password for every instance of the system, make sure the Admin of the system is forced to set one for their systems.
回答2:
Do not rely on the UID as security mechanism. There are cloned chips on the market, as well as chips where you can program the UID yourself. On top we have seen mistakes from manufactureres, resulting in duplicate UIDs.
Better use your own numbering scheme. Ideally on a cryptographic basis.
回答3:
Considering UID for authenticity check is not a good idea, because cloned cards can have the UID cloned exact same as that of original card.
I'm not sure about other manufacturers, but as I have worked a lot with NXP tags, I'm just gonna suggest a solution here, if that suits your requirements then you can go ahead. For working with NXP cards they have provided an open api called TapLinx, where you get an api for originality check. Using which you can get to know if the card is authentic or cloned. It will identify the cloned cards even if the UID is also cloned.
来源:https://stackoverflow.com/questions/61247918/do-nfc-tags-have-unique-read-only-ids