| Yubico Forum https://forum.yubico.com/ |
|
| [ANSWERED] NDEF access via USB https://forum.yubico.com/viewtopic.php?f=26&t=1667 |
Page 1 of 1 |
| Author: | darco [ Thu Dec 18, 2014 10:04 pm ] |
| Post subject: | [ANSWERED] NDEF access via USB |
Question 1: Is it possible for me to select the NDEF app and query it for its value from the USB interface? Question 2: Can the NDEF feature on the NEO be disabled? |
|
| Author: | darco [ Fri Dec 19, 2014 12:42 am ] |
| Post subject: | Re: [QUESTION] NDEF access via USB |
Well, it seems I answered my first question: Code: OpenSC [3F00]> apdu 00 A4 04 00 07 D2 76 00 00 85 01 01 00 Sending: 00 A4 04 00 07 D2 76 00 00 85 01 01 00 Received (SW1=0x90, SW2=0x00) Success! OpenSC [3F00]> apdu 00 A4 00 0C 02 E1 03 Sending: 00 A4 00 0C 02 E1 03 Received (SW1=0x90, SW2=0x00) Success! OpenSC [3F00]> apdu 00 B0 00 00 0F Sending: 00 B0 00 00 0F Received (SW1=0x90, SW2=0x00): 00 0F 20 00 7F 00 7F 04 06 E1 04 00 7F 00 00 .. ......?..... Success! OpenSC [3F00]> apdu 00 A4 00 0C 02 E1 04 Sending: 00 A4 00 0C 02 E1 04 Received (SW1=0x90, SW2=0x00) Success! OpenSC [3F00]> apdu 00 B0 00 00 02 Sending: 00 B0 00 00 02 Received (SW1=0x69, SW2=0x83) Failure: Authentication method blocked It also fails to read the OTP when using the private yubico API (which is what I would expect): Code: OpenSC [3F00]> apdu 00 a4 04 00 08 A0 00 00 05 27 20 01 01 Sending: 00 A4 04 00 08 A0 00 00 05 27 20 01 01 Received (SW1=0x90, SW2=0x00): 03 03 00 01 85 07 06 00 00 00 .......... Success! OpenSC [3F00]> apdu 00 03 00 00 00 Sending: 00 03 00 00 00 Received (SW1=0x90, SW2=0x00): 03 03 00 01 85 07 ...... Success! OpenSC [3F00]> apdu 00 02 00 00 00 Sending: 00 02 00 00 00 Received (SW1=0x69, SW2=0x85) Failure: Not allowed So, unless I am interpreting these results incorrectly, it seems that you cannot read the OTP value from a slot without performing some sort of user action, either by pressing the button or by NFC NDEF. This is a good thing. I'm curious if it is possible to read the NDEF multiple times over NFC (without removing and replacing the ykneo), but the security impact of that would be considerably less significant. |
|
| Author: | Klas [ Fri Dec 19, 2014 4:33 pm ] |
| Post subject: | Re: [QUESTION] NDEF access via USB |
As you've discovered, if the NDEF is read over a contact interface it requires the button to be touched. If you read it several times over NFC you'll get the same behaviour as if you touch the button several times in one session, the session counter is incremented for each OTP read. And to answer #2, no way to completely disable NDEF. /klas |
|
| Author: | darco [ Fri Dec 19, 2014 10:56 pm ] |
| Post subject: | Re: [QUESTION] NDEF access via USB |
Too bad about not being able to disable NDEF support. That would be a desirable feature for a future version, by the way. I notice that multiple requests to read 0xE104 yield the same OTP. After which specific command is the OTP generated? Is it when I select 0xE104, or when I read it first? I also noticed that if I query the OTP directly from the YubicoOTP app (using APDU 00 02 00 00 00) that I can query for many new OTPs successfully for as long as my ykneo is laying on top of the NFC reader. Not really a problem as a reset will probably get similar behavior from the NDEF app... Just pointing it out to anyone who is reading and interested. |
|
| Author: | Klas [ Mon Dec 22, 2014 7:58 am ] |
| Post subject: | Re: [QUESTION] NDEF access via USB |
Yes, you're entirely correct, the NDEF applet will always respond with the same OTP (until it's re-selected). The main reason that the NDEF applet returns the same OTP is that it supports chunking by specifying an offset in p1 and p2. /klas |
|
| Page 1 of 1 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|