Using nitrokey for a doorlock

Hi,
I wanted to have my employees use a Nitrokey for an access control system, specifically UniFi Access.
Is there any way to use the Nitrokey for this purpose?
The method of authentication is NFC.
I was wondering because I listened to this video from one of my favorite YouTubers and noticed they were able to use the YubiKey to get into the door just fine, and the Flipper could not clone the key.
I was wondering if Nitrokey could do the same.
Thanks in advance.

We’ve actually done a concept for that, however we were not able to find a reader manufacturer who can supply the required hardware.

All current physical access control systems (PACS) use low-cost cards like Mifare or Legic.

Ideally you would use a USB-based NFC reader PIN pad combination with a relay to switch the door opener and a Pi to control the process and implement the authentication protocol and logic. With something like an LDAP database in the background to combine logical and physical access.

Well, interesting. The YubiKey was able to do that just fine with the UniFi Access controller.
If the Nitrokey happens to have NFC, and a smartcard, it should be able to do that without getting cloned or emulated by the Flipper Zero.
If any person can get their hands on a UniFi Access controller, test it with the Nitrokey and see what happens…

Here is the link to buy the pro version for 600 dollars.

Based on the specs, the access control reader supports

NFC Tag 1,2,3,4,5
MIFARE Classic
MIFAREPlus
MIFARE Ultralight
MIFARE DESFire

So either the YubiKey has some sort of MIFARE emulation on board or (more realistic) the reader only takes the UID sent in the ATS to identify the token. In the latter case, this has nothing to do with security, as the UID can be easily spoofed.

Does the video disclose what authentication protocol is used? NFC is just the communication layer, but has no authentication mechanism.

Well actually, if you turned off the option that limits it to Ubiquiti NFC cards, that's how you can get YubiKey.

Here is our blog post and video on this topic.

I see.
I'm a blind user here, but I think I get where you're coming from.
But this raises another question for me.
How can it be ensured that a Nitrokey will not be cloned by, say, a Flipper Zero?

How can it be ensured that a Nitrokey will not be cloned by, say, a Flipper Zero?

The example uses FIDO2 for authentication. FIDO2 uses a challenge that is signed by the device. The challenge changes with each authentication. FIDO is a standard that was built to prevent MITM attacks and cloning of the device. Therefore the Flipper Zero (or any other RF or USB intercepting tool) cannot clone the device or even replay a login flow.
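
The two schemes discussed in this thread side by side (a reader that only compares a static UID, and a token that signs a fresh challenge), as an added Go example that is not part of the original posts or of any Nitrokey or UniFi code. `Reader`, `TokenSign` and `Demo` are hypothetical names, the UID is a constructed value, and Ed25519 stands in for the signature step only (FIDO2 tokens commonly use ECDSA P-256); the actual FIDO2/CTAP2 message format is not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Reader is a hypothetical door controller; it stores only public enrollment data.
type Reader struct {
	UID     string            // static identifier, readable by anyone in range
	Key     ed25519.PublicKey // token public key registered at enrollment
	pending []byte            // challenge awaiting a response (single use)
}

// CheckUID is the static scheme: any device presenting this value is accepted.
func (r *Reader) CheckUID(uid string) bool { return uid == r.UID }

// NewChallenge issues a fresh random challenge for one tap.
func (r *Reader) NewChallenge() []byte {
	r.pending = make([]byte, 32)
	rand.Read(r.pending)
	return r.pending
}

// CheckSignature verifies sig over the pending challenge, which is then discarded.
func (r *Reader) CheckSignature(sig []byte) bool {
	defer func() { r.pending = nil }()
	return r.pending != nil && ed25519.Verify(r.Key, r.pending, sig)
}

// TokenSign is the token's side of a tap; priv never leaves the hardware.
func TokenSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Demo runs one legitimate tap, then replays what an eavesdropper captured.
func Demo() (legit, replayedSig, replayedUID bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rd := &Reader{UID: "04A1B2C3", Key: pub} // constructed sample UID
	captured := TokenSign(priv, rd.NewChallenge())
	legit = rd.CheckSignature(captured)
	rd.NewChallenge() // the next tap gets a different challenge
	return legit, rd.CheckSignature(captured), rd.CheckUID("04A1B2C3")
}

func main() {
	fmt.Println(Demo()) // order: legitimate tap, replayed signature, replayed UID
}
```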