Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing support for authenticators using NFC Protocol T=0 in contacted mode #711

Open
4 of 17 tasks
jcBeaupre opened this issue May 16, 2023 · 2 comments
Open
4 of 17 tasks

Missing support for authenticators using NFC Protocol T=0 in contacted mode #711

jcBeaupre opened this issue May 16, 2023 · 2 comments
Labels
BLOCKED

Comments

@jcBeaupre
Copy link

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email [email protected]

FIRST PRE CHECK

  • I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

  • FIDO2 Server
  • CTAP2.0
  • CTAP2.1
  • UAF 1.1
  • U2F 1.1
  • U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

  • Security Key / FIDO2 / U2F authenticators
  • Server
  • UAF Client-ASM-Authenticator combo
  • UAF Client
  • UAF ASM-Authenticator

If you are platform authenticator vendor, please email [email protected]

What is the version of the tool are you using?

v1.7.11

What is the OS and the version are you running?

For desktop tools

  • OSX
  • Windows
  • Linux

For UAF mobile tools

  • iOS
  • Android

Issue description

We can use the conformance tool in NFC contactless mode with our smart card authenticator with no issues since it is using Protocol T=2, but we fail to run any test when we use contacted mode.

As you can see in the screenshot below, the conformance tool selects the Protocol T=1 when we insert our smart card, but alas, our current cards do not support T=1, they can only use T=0 in contacted.

Screenshot 2023-05-15 142430

Also, you can see in the transactions that when the conformance tool sends it's SELECT cmd, our smart card authenticator responds with a SW1-SW2 of: 0x61-0x08. According to Protocol T=0 (ISO7816-3), the authenticator expects a GET RESPONSE, but the conformance tool miss interpret it and resends the SELECT cmd. The communication then goes in an infinite loop.

Screenshot 2023-05-15 145018

I hope this is enough information for the maintainers. If not, do not hesitate to let me know what information you would need, or if you want me to test a fix on my side, it will be my pleasure to help!

Expected behavior

The tool can communicate with authenticators in contacted that only implement Protocol T=0

Reproduction steps

  • Use a authenticator that only supports Protocol T=0 in contacted.
  • Insert it in reader
  • Run any test
@yackermann
Copy link
Collaborator

@jcBeaupre that one is much harder since I do not have any authenticators working in T=0 mode. *(

Do you have any idea what commercially available devices are T=0 only?

@jcBeaupre
Copy link
Author

Hey @herrjemand, sorry for the delaid response here.

While we are developing on one, we don't know of other FIDO2 smart card authenticators using T=0 that are commercially available 😞.

However, since the problem occurs on the applet SELECT specifically you can probably reproduce the error with a dummy FIDO2 applet on any T=0 smart card or even with a smart card emulator such as https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html.

We would be happy to provide a dummy test applet if you decide to go that route!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BLOCKED
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yackermann @jcBeaupre