Our Online Store have the new products: RFID antenna board. Currently it can work with JC10M24R and JCOP4 card chips.
Compared with normal cards, the antenna board module has a smaller size and fixed holes, which is easy to integrate in the IOT(Internet Of Things) project.

Keepass NFC Applet

Collect and collate various open source JavaCard applets.
All applets are under the open source licenses.

Moderator: Ellisun

User avatar
JavaCardOS
Posts: 273
Joined: Thu Apr 30, 2015 12:00 pm
Points :2403
Contact:

Keepass NFC Applet

Post by JavaCardOS » Fri Dec 23, 2016 3:15 am

KeepassNFC is a applet in javacard platform that it can protect the secret key of KeePass database . It was based on the project smartcard_crypto_applet and can be run on javacard platform with JCRE version 2.2.x or above. KeePass is a famous software about password managerment .


Note:

    1. You can also view this applet from GitHub or SourceForge.
    2. This Applet has been successfully compiled in JCIDE.
You do not have the required permissions to view the files attached to this post. Please login first.

tay00000
Posts: 161
Joined: Tue Sep 27, 2016 10:58 am
Points :2324
Contact:

Re: Keepass NFC Applet

Post by tay00000 » Fri Dec 23, 2016 7:45 am

The security of the KeepassNFC applet is insufficient for NFC application and I would probably recommend that only standard ISO7816 contact channel be used and even if contact channels are used, it is still vastly insufficient in terms of security.

The reasons:
* Lack of PIN access
* Sloppy use of RSA to wrap keys instead of implementing a full secure channel protocol.
* Sloppy allocation and use of memory (not critical)
* No zeroizing of memory for critical memory areas that may hold cryptographic material (aes_key_temporary).

Possible security attacks:
* MiTM interception and spoofing when transferring public key from card
* MiTM interception and modifying of public key wrapped cryptographic materials
* Abuse of no secure and authenticated channel feature turning the card into an "Oracle" where a malicious attackers can spam the NFC channel in a bid to further attacks.

Security mitigations:
* Introduce asymmetric secure channel especially the A02 Secure Channel Protocol (viewtopic.php?f=12&t=983#p3004) I have created and used successfully on actual cards. The benefits and cons are written inside.
* Over the A02 Secure Channel, attempt a login with a PIN code. If the login succeed, the channel is not only secure but also authenticated.
* Using a secure and authenticated channel, transfer key materials as needed.
* Zeroize buffer memory after decryption or encryption have taken place.

Efficiency and Improvements:
* aes_key_temporary is not needed at all and one can save 260 bytes of RAM space immediately. The rationale is aes_key_temporary is exclusively used in the context of:

Code: Select all

private boolean decryptWithCardKey(byte[] input, short offset, byte[] output)
{
   if(!card_cipher_initialised) {
      RSAPrivateCrtKey private_key = (RSAPrivateCrtKey)card_key.getPrivate();
      card_cipher.init(private_key, Cipher.MODE_DECRYPT);

      card_cipher_initialised = true;
   }

   card_cipher.doFinal(input, offset, (short)(RSA_KEYLENGTH / 8), output, (short)0);
   return true;
}


It is used in the cipher.doFinal portion and as we know the input and the output can be the same byte array especially suitable for the circumstances for KeepassNFC where after the input is loaded to be decrypted into the output, it is not used anymore in the function and thus can be reused in such an efficient manner.

The better code would be:

Code: Select all

decryptWithCardKey(scratch_area, (short)0, scratch_area);
Util.arrayFillNonAtomic(scratch_area, (short) 0, (short)(RSA_KEYLENGTH / 8), (short) 0); // Zeroize memory


These are my personal opinions on the insufficiencies of the security measures that KeepassNFC and the inefficient and insecure use of resources by the applet which can be improved on.

User avatar
UNKNwYSHSA
Posts: 630
Joined: Thu May 21, 2015 4:05 am
Points :3053
Contact:

Re: Keepass NFC Applet

Post by UNKNwYSHSA » Wed May 10, 2017 2:22 am

The operation generate card key and set password key are not confirmed. It is too dangerous.
sense and simplicity

LoganG
Posts: 1
Joined: Tue Jul 03, 2018 6:40 am
Points :16
Contact:

Re: Keepass NFC Applet

Post by LoganG » Tue Jul 10, 2018 10:08 am

Has anyone used this Applet recently? Was it improved at all? I remember trying it out when it was released but I wasn't impressed.

Post Reply Previous topicNext topic

Who is online

Users browsing this forum: No registered users and 19 guests

JavaCard OS : Disclaimer