Windows Logon, your input welcome!
-
-
I checked the NTAG21x datasheet, these have no built-in encryption like the DESFire. But it is indeed possible to use the password feature to protect the NTAG216 from reading. Also, see http://stackoverflow.com/questions/32607005/how-to-manage-password-protection-on-ntag216-using-the-mifare-lite-sdk
That feature would prevent the tag from being cloned by any reader without the password.
On top of that, on the software side of things, you can use the UniqueID of a tag as a hash to encrypt the data on it, so that data can only be decrypted with the same ID.
-
So... It is all refactored and makes a lot more sense now which is nice.
I did a new video and you see me testing it with an invalid NFC tag (the top of my ring) and it doesn't login, then when I scan the bottom it instantly lets me in (the ACR122U reader has a great range). You don't need to click anything at all just like the ASUS one.
I had an idea for how to store the credentials on the machine so I'll do that first and then I can look into password protecting credentials that are stored on the ring.
Maz -
@maz_net_au
Only using 6 indeed. -
@maz_net_au Dude, you're on fire. That's awesome.
FYI with the enterprise login I've been using, it has the three login types listed bottom left of the login window, NFC is selected by default but you can also select standard user login or the NFC alternative/question login.
This works basically the same as your latest video, tap to login. -
@Lokki said:
@maz_net_au Dude, you're on fire. That's awesome.
FYI with the enterprise login I've been using, it has the three login types listed bottom left of the login window, NFC is selected by default but you can also select standard user login or the NFC alternative/question login.
This works basically the same as your latest video, tap to login.I assume you're on windows 10? thats what it would look like if you installed my provider too. You'd have "User", "NFC Ring" and "Smart Card" now with the NFC one selected by default.
I'm just working on saving the user's credentials on the filesystem somewhere and I'll publish the code. -
Aah, yes that would be it. I've forgotten what old login screens even looked like at this point.
-
I was going to link in crypto++ to make sure nothing was ever stored in plaintext but it appears their wiki webserver has exploded. I'll look into it in the morning maybe otherwise I'll just be using the symmetric password protect api in windows for the proof of concept.
-
Argh! 2:40am
It's working. Also, don't hate me but I've used the registry for storing auth data (more to see if I could read the registry from C++ than anything else).
But now that my actual data isn't stored in the code I'll be able to push to github or something like that in the morning.
-
Apparently I am not as recovered from surgery as I might have hoped.
Here is my initial check-in and hopefully I can get back to it again soon. -
@maz_net_au said:
Apparently I am not as recovered from surgery as I might have hoped.
Get well soon :)
-
So resting is dull and I wrote a C++ wrapper around CredProtect which means i can store an encrypted password which (in theory) only windows itself can decrypt again. Then I wrote a C# forms app that can call my C++ wrapper and write the data to the registry (this is the precursor to having a registration app). I'm not sure how long I can store the CredProtect result because I'm wary of what Microsoft might mean by "current security context" in their documentation... "The CredProtect function encrypts the specified credentials so that only the current security context can decrypt them." so further testing is needed.
I'm learning a lot, even if I'm not getting all that much done. As of Monday, I have to go back to my real job so won't be able to spend as much time on this. Ideally by then I'll have some kind of binary package that other people can play around with (without needing to compile it yourselves).
-
That'd be awesome. I broke something the last time I tried to compile it, coding is not my friend this weekend.
-
@Lokki
Until I have a registration app theres not much point making a binary but for now if you didn't mind a clear-text password in your registry it works well enough for me to cobble something together. I wouldn't mind it if people wanted to test it on windows 10 for me. So far I've only done an x64 build using lib files from the win8.1 SDK so I'd have to find out what windows version that actually works with (i suspect the lib files haven't changed since vista). -
@maz_net_au The thing we're missing here is the ability to have NFC events fire while the user is logged in IE..
User uses ring to log in
(optional) User puts ring back over NFC Reader to Log outThis requires a different "service" than the implementation we currently have :)
Make sense?
-
@johnyma22
I was actually working on exactly that. I've made a .net wrapper for the PCSC calls that let me talk to the reader but that basically leaves the me the option of polling the reader for info.Anyone got more info? anyone else looked into it?
-
Alrighty.. So I just found a bug.. and if I can get back into my PC I'll fix it. But until then, please don't use my code unless you really know what you're doing :)
-
In terms of making a registration app to go with that, to use the windows encryption for the password I need to run it as the same current context. As far as I can tell that means I need to be running as the same user that the LogonUI and CredUI run as (which I think is LocalSystem). Otherwise I have to implement my own (AES128 or something) and then still send the password to windows in plaintext.
I'll have a look at it after work. -
I haven't forgotten this. working on a windows service that will also let me lock the machine with a ring swipe as well. hopefully that'll give me the correct security context to call CredProtect from otherwise i'll have to abandon that idea and roll my own symmetric encryption of some kind.
Maz -
Goddamn it. no matter what i do, i cant get the registration app to run CredProtect in the same security context as the LSA service on windows. Time for a new plan.