-
-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unlock DB using NFC tag. Select entry using NFC tag. Use secure NFC tags. #1359
base: master
Are you sure you want to change the base?
Conversation
…ry with NFC tag (pending). Added NFC permission; Added NFC switch settings in Advanced Unlock and Autofill/Keyboard; NFC unlock is integrated in similar way like the other Advanced Unlock options; NFC unlock password is stored with different key - not overriding, not disabling the other Advanced Unlock options; Few extra lines for easy testing in emulator. (The emulator do not have NFC); Currently it is tested in read mode only (with NFC transport card). The DB password is saved with NFC tag ID; Review is needed for the code marked with comment 'todo-op'! Pending: 1) Write NDef NFC tags; 2) Start activity from keyboard - NFC talks to the foreground activity only; 3) Read/Write encrypted NFC tags (harder for copy/clone);
Thanks, I can see better what you are trying to do and it's better than my first idea of making it a KeePass standard. By using advanced unlock, we can link any key to an NFC, that's very good. I haven't tested your feature yet but I can make a specific icon to indicate that the advanced unlock is in NFC mode. |
It is at very start stage. I just got few blank NFC tags to test with: Mifare DesFire 4k, S70 4k, S50 1k, Mifare ultralight (512 bytes), NTAG 213 (few bytes). I checked how to write ONLY the unprotected Ndef tags (NTAG 213). Not tested yet! I guess, the other types are more complicated and I need to research more. Looks like, some phones/devices can not read/write Mifare cards. I do not know how much the encrypted NFC cards can compare with the hardware keys.
That is why, I am looking only at android flavor of KeePass. |
…ad-protect is not working. 1. Readonly and unsupported tags - Using NFC tag ID (unique) for; 2. Ndef - Writing mime record with db-password-checksum; 3. NdefFormatable - Like Ndef, not tested, probably it works fine; 4. MifareUltralight - Writing db-password-checksum to the last-empty-page; 5. Authentication and Read-protect. All attempts failed with 'tranceive failed' and 'tag lost' exceptions. Things done so far: 5.1. Ndef213, Mifare Ultralight EV1 and similar; 5.1.1. Authenticate with tag-password; 5.1.2. Write tag-password; 5.1.3. Protect last-empty-page, config and password; 5.1.4. Read-protect the tag; 5.2. Mifare Ultralight C; 5.2.1. Authenticate with tag-key; 6.1. Credential DB extract/store: Biometric/Device record: key = DBFileUri; value = credential; NFC tag record: key = DBFileUri + '#nfc'; value = credential + NFC-tag-unique-ID-version-etc; 6.2. NFC tag read/write: db-password-checksum; Needs re-write NFC tag after password change! Alternative - checksum based on Device or App installation? 7. Review is needed for the code marked with comment 'todo-op'! 8. Pending: MifareClassic (S50, S70), Mifare DESFire, etc. This could fail too similar to point 5; 9. Pending: Use NFC tag to select entry;
Current status: Details:
I tested with LineageOS, Android 11. Phone OnePlus 3T. It may works with different Android/Device!? Things done so far: 7.1. Credential DB extract/store: 6.2. NFC tag read/write: db-password-checksum;
Current UI:
User have to tap-and-hold the NFC tag util (and 1 second after) tap dialog 'Ok' button!!
Example: User saved credentials and NdefRecord were saved to NFC tag. There is Switch view to delete the saved data, restore (almost) and 'Undo' the changes on NFC tag. Currently, the Switch views are shown only if needed - if applicated for the current NFC tag. |
Plan:
Done:
Added NFC permission and NFC switch settings in Advanced Unlock and Autofill/Keyboard;
NFC unlock is integrated in similar way like the other Advanced Unlock options. Looks like it is properly integrated - including the menu item to delete NFC unlock data;
NFC unlock password is stored with different key - not overriding, not disabling the other Advanced Unlock options;
There are few extra lines for easy debug/test in emulator - the emulator do not have NFC;
Review is needed for the code marked with comment 'todo-op'!
Currently it is tested only in read mode - using few NFC transport cards. The DB password is saved together with NFC data; Currently it is using only NFC tag ID;
Current NFC UI is simple hint - check the pictures;
At this stage it can be used only for automation - it is not secure, because everyone with card with the same tag ID can unlock the database;
Pending: