Skip navigation
> RoadTest Reviews

Experiment with Blockchain Tech - Review

Scoring

Product Performed to Expectations: 8
Specifications were sufficient to design with: 8
Demo Software was of good quality: 9
Product was easy to use: 8
Support materials were available: 10
The price to performance ratio was good: 10
TotalScore: 53 / 60
  • RoadTest: Experiment with Blockchain Tech
  • Buy Now
  • Evaluation Type: Development Boards & Tools
  • Was everything in the box required?: Yes
  • What were the biggest problems encountered?: 0) The documentation was slightly incomplete 1) The card was not designed to generate ethereum signatures. Fortunately the support team responded to my enquiries to explain the limitations. 2) The security could be improved These will be described in the review.

  • Detailed Review:

    SMART TAGS


    The first application I was considering creating smart ID tags that could be interrogated by a security system to sign a piece of arbitrary data thus proving that you possess a specific private key.


    1) PIN CODE ISSUES

    Unfortunately I found that the card design made this idea quite risky because the card only allows a single PIN code to control all functions.

     

    A single PIN code unlocks

    • Key Generation / Overwriting
    • Signature generation

     

    Thus, if I were to provide my PIN and tap my card on a compromised device that I expected to sign a transaction to prove my identity, that device could instead erase the key pair by overwriting it with a new pair. It would be an excellent idea to have seperate PIN codes for each function.

    I signed a piece of data and ensured that the extracted public key matched the key recovered from the device.
    This uncovered TWO issues

    The ETHEREUM SIGNATURE generated

    An ethereum signature comprises

    • R : a 32 byte code
    • S : a 32 byte code
    • V : a single byte code one of 0,1, 27 or 28


    2) R and S fields

    This card generates either 32 or 33 bytes of data for R and S.

     

    Sadly this was not documented beyond telling that there is a length field for each.

    Reply from support
    The support team verified that the field would be extended to 33 bytes if the leading bit were set thereby making the number negative.
    This is based on the  assumption that you are dealing with a language that does not support unsigned integers.

     

    3) The missing V field

     

    The card does not generate a V field. While it is possible to work around this missing piece of data, it makes your code clunky.

    Reply from support
    The team confirmed that this field was missing and that it would be a great idea to include it in the next software version.
    Work Around
    Since you can query the card to get its public key, when you sign data, you can test reverse engineering the public key from the signature and the data with varying values of V until you get a matching extracted public key.

    Having implemented that method, on re-reading the Android code, I understood that method was also being employed by the android code sample.

    Error Codes

    Unfortunately, with so many error codes to choose from, it was decided to recycle a couple error codes with just slightly different meanings depending on the call being made thereby making an error logger more complicated to write

     

    CodeCallMeaning
    6982Generate Signature

    Global or key-specific signature counter exceeded (Security status not satisfied)

    6982Encrypted Key Import

    Maximal number of key import calls exceeded (Security status not satisfied)

    6985Set PINPin already set
    6985Several OthersNot authenticated with PIN

     

     

    Conclusion

    With no documented way to add functions to the card, this is essentially a proof of concept or a demonstration of what can be done with Infineon's NFC cards.

     

    This could be very useful out of the box for a wallet type application as long as you do not intend to use the card in an environment where it could be  compromised but I do not feel that Infineon really intend it to have mass market appeal in its current form.

     

    If you were designing for that market you would select a particular NFC tag and design specific firmware for it, however this would involve a far higher learning curve.

     

    Code Samples (Go)

     

    A library to expose some of the functions : https://github.com/DaveAppleton/cardSigner





Comments

Also Enrolling

Enrollment Closes: Dec 19 
Enroll
Enrollment Closes: Dec 13 
Enroll
Enrollment Closes: Dec 27 
Enroll
Enrollment Closes: Dec 27 
Enroll
Enrollment Closes: Dec 26 
Enroll