Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reading NFC/MIFARE card UID? #3

Open
ezrasu opened this issue Dec 3, 2018 · 4 comments
Open

Reading NFC/MIFARE card UID? #3

ezrasu opened this issue Dec 3, 2018 · 4 comments

Comments

@ezrasu
Copy link

ezrasu commented Dec 3, 2018

Can I use ws.cardReader.on("insert", xxx) to get UID of NFC card from smart card reader?

@ezrasu ezrasu changed the title Reading card UID? Reading NFC/MIFARE card UID? Dec 3, 2018
@rmhrisk
Copy link
Contributor

rmhrisk commented Dec 3, 2018

@ezrasu I am not sure. I also I do not have a MIFARE card to test with.

cardReader.on("insert") is based on PC/SC insert events.

I believe your MIFARE card would still trigger that, the question becomes then could you get the UID of the card?

I guess the question then becomes is that the UID stored as the ATR of the card? if so, then yes.

If not, then I assume a specific APDU sequence must be sent to get the ATR back from the card. If that's the case then currently the answer is no.

I could imagine us having a list of cards we know to be NFC cards, we would specify this in the cards.json file. Then we could expose that information for known cards.

The question we would have then would be what is the scenario this enables? in general, we have avoided providing direct access to cards for security reasons.

What is the user story here?

@ezrasu
Copy link
Author

ezrasu commented Dec 4, 2018

We currently use mifare card as our ID in university and we use web app to do punch in or event check in etc. We have been using IE with ActiveX to read the UID of card for many years, now we are searching alternative way to read mifare card cross browser. This is why I came across this great project.

BTW, UID is not in ATR :(
And yes I do get insert/remove event.
{"message":"Provider:Token:Insert reader:'ACS ACR122 0' name:'SCard Windows API' atr:3b8f8001804f0ca000000306030001000000006a","level":"info"}
{"message":"Provider:Token:Insert Looking for ACS ACR122 0 into 1 slot(s)","level":"info"}
{"message":"Provider:Token:Remove reader:'ACS ACR122 0' name:'SCard Windows API' atr:3b8f8001804f0ca000000306030001000000006a","level":"info"}

Thanks for your kind reply.

@rmhrisk
Copy link
Contributor

rmhrisk commented Dec 4, 2018

I see. So the UID is a per user value on a standard MiFare card.

http://database.mysmartlogon.com/SmartCardDetail.php?Id=270

I am not super familiar with MiFare, @iangcarroll can you explain how the UID value is retrieved?

@rmhrisk
Copy link
Contributor

rmhrisk commented Dec 4, 2018

I chatted briefly with @iangcarroll. It seems you can not tell from the ATR what kind of MIFARE card you're dealing with and your UID value is likely card specific.

I explicitly did not want to allow web applications to blindly interact with cards, that's a recipe for disaster; right now we only allow creation and use of keys, and we require the user to approve them with a password.

My guess is for your use case we would need to allow any an origin to get any UID value without the user providing an indication they approve.

This would also likely involve sending a deployment-specific APDU.

I don't like the idea of this for a few reasons:

  1. How many of these cards are out there? Probably not many.
  2. Does enabling this for all users despite the number of users cause harm for the rest?
  3. If you allow this once there will be an expectation that you will do it for others.

The only way we would consider enabling this at all is if:

  1. It was off by default,
  2. Turning it on required a manual, administrative action,
  3. The mechanism used to implement it involved a per-site APDU whitelist.

We wouldn't want to do this work ourselves given the limited use. I do think something along those lines may be acceptable. If someone would like to do the work we would be open to having the conversation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants