Here is another question related to NFC, this time about what I understand of NDEF signatures (which could be incomplete).
The NFC Forum has recently added the possibility to include a signature record in tags. Adding such a signature can be used to ensure that the content of the tag (say, a URL) has been written by the person who signed it, and not modified afterwards. OK, so what does such a signature really bring in terms of security?
Well, I must admit that I am not really sure. Of course, one of the reasons is that I am yet to see a phone that verifies these signatures; I may also not have all the information. So far, I have read the NDEF spec, and the thesis by Markus Kilås on this topic. So, let’s say that this entry will get modified at some point.
Let’s continue with the URL example, in a very simple, innocuous setting: a tag in Nice that contains a URL pointing to explanations about the Ste-Reparate Cathedral. If this tag is signed, then we can expect that a mobile phone would verify the signature before forwarding the URL to the browser. However, the mobile phone would also be able to read unsigned tags.
Let’s now consider the two main attacks on this kind of tag:
- Cloning. The entire record can be read freely, so a signature doesn’t protect at all against cloning. A Nice supporter may be able to put a Ste-Reparate tag on a Notre-Dame de Paris poster.
- Tag replacement. The signature does not protect against this either. If a Paris supporter comes to Nice, removes the Ste-Reparate tag and replaces it with a Notre-Dame de Paris tag, this will still work with a browser. Of course, the phone may display a small “Trusted” icon for a recognized signature, but unless all tags rapidly become signed, I doubt that users will notice this icon any time soon.
So, my conclusion is that signatures are likely to be useless for this URL use case, at least before the industry reaches a global agreement on a way to define how signatures should be handled on phones.
Of course, signatures may still be very useful in proprietary applications, which may be used in industry. In such cases, the signatures will be verified by a specific application, and this would solve part of the tag replacement problem, since a tag from a given company could then only be replaced by another tag from the same company (or a clone of it). This means that a good level of tamper-evidence will also be required.
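To make the two attacks above and the proprietary-reader case concrete, here is an added example (my own toy model, not code from the NFC Forum specification or from the thesis) that signs a simplified NDEF URI record and checks what a signature-aware reader would accept. It assumes an Ed25519 signature as a stand-in for the real Signature RTD (which uses ECDSA/RSA with certificates), a single URI record rather than a full two-record message, and constructed UIDs and URLs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Tag models a physical NFC tag: a hardware UID plus the NDEF bytes stored on it.
// The UID is not covered by the signature, which is why a verbatim clone still verifies.
type Tag struct {
	UID    []byte
	Record []byte // serialised NDEF URI record
	Sig    []byte // stand-in for the Signature record (Ed25519 here; the real RTD uses ECDSA/RSA plus certificates)
}

// uriRecord builds a short NDEF URI record: header 0xD1 (MB, ME, SR set, TNF=1 well-known),
// type length 1, payload length, type "U", payload = 0x01 ("http://www." prefix code) + rest.
func uriRecord(rest string) []byte {
	payload := append([]byte{0x01}, []byte(rest)...)
	return append([]byte{0xD1, 0x01, byte(len(payload)), 'U'}, payload...)
}

// writeTag is the issuer's step: store the record plus a signature over its bytes.
func writeTag(uid []byte, rest string, priv ed25519.PrivateKey) Tag {
	rec := uriRecord(rest)
	return Tag{UID: uid, Record: rec, Sig: ed25519.Sign(priv, rec)}
}

// verifyTag is what a signature-aware reader would do before forwarding the URL.
func verifyTag(t Tag, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, t.Record, t.Sig)
}

// Scenario: does each tag verify for a reader that trusts only issuer A? (genuine, clone, tampered, other issuer)
func Scenario() (genuine, clone, tampered, otherIssuer bool) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader)
	t := writeTag([]byte{0x04, 0xAA, 0xBB, 0xCC}, "nice.example/ste-reparate", privA) // constructed UID and URL
	genuine = verifyTag(t, pubA)
	clone = verifyTag(Tag{UID: []byte{0x04, 0x11, 0x22, 0x33}, Record: t.Record, Sig: t.Sig}, pubA)
	tampered = verifyTag(Tag{UID: t.UID, Record: uriRecord("paris.example/notre-dame"), Sig: t.Sig}, pubA)
	otherIssuer = verifyTag(writeTag(t.UID, "paris.example/notre-dame", privB), pubA) // replacement tag
	return
}

func main() {
	g, c, t, o := Scenario()
	fmt.Printf("genuine=%v clone=%v tampered=%v otherIssuer=%v\n", g, c, t, o) // true true false false
}
```

The clone verifies because the signature covers only the NDEF bytes, not the tag hardware; only the modified URL and the other issuer's replacement tag are rejected, and the latter only because the reader is pinned to issuer A rather than accepting any valid signature.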
Not really good looking so far, but if I have missed something, I would be really glad to update this to something more positive.