Is it possible to use the FIDO UAF Standard on an Android mobile + NFC to open doors?
This project is a simple prototype to verify how FIDO could be used in this scenario (see FIDO Security Reference). This card reader uses NFC to communicate with a specific Android Opening Door App, which emulates an NFC card using Android's Host-based Card Emulation functionality.
The card reader and the Android Opening Door App depend on a third party, called the FIDO UAF RP Server.
The figure below shows all the necessary components and the relations between them.
- If you prefer, there is a Docker container ready to use here: https://github.com/emersonmello/docker-fidouafserver
- Door lock NFC card reader <- You are working on it right now!
- Dummy FIDO UAF Client
- Opening Door Android App
- 01 Raspberry PI 2 B
- 01 Adafruit PN532
- 01 Breadboard to connect raspberry and PN532
- 01 N channel MOSFET - https://www.adafruit.com/products/355
- 01 Lock-style solenoid - https://www.adafruit.com/product/1512
- 02 Resistors - 300 Ohms
- 02 LED (red and green)
- 02 Diode 1N4001 - https://www.adafruit.com/product/755
- To use UART on the PN532 breakout, you must set the SEL0 and SEL1 jumpers to OFF
- Follow the instructions (and picture) below to connect all components
Raspberry PI 2 B | Wire color | PN532 |
---|---|---|
Pin 2 (5v) | RED | 5.0V |
Pin 6 (ground) | BLACK | GND |
Pin 8 (BCM 14 TXD) | YELLOW | TXD |
Pin 10 (BCM 15 RXD) | GREEN | RXD |
Raspberry PI 2 B | Wire color | Component |
---|---|---|
Pin 11 (BCM 17) | ORANGE | Green LED anode (+) |
Pin 13 (BCM 27) | BLUE | RED LED anode (+) |
Pin 15 (BCM 22) | PURPLE | Diode #1 anode (+) |
Pin 39 (Ground) | BLACK | Breadboard negative rail |
sudo apt-get install git build-essential autoconf libtool libpcsclite-dev
sudo apt-get install libusb-dev libcurl4-openssl-dev libjson-c-dev
Freeing UART
sudo raspi-config
- Select option 9 "Advanced Options"
- Select option A8 "Serial" and select NO
- Finish and reboot:
sudo shutdown -r now
- Select option 5 "Interface options"
- Select option P6 "Serial", and select NO
- Exit and reboot
git clone https://github.com/nfc-tools/libnfc.git
cd libnfc
sudo cp contrib/libnfc/pn532_uart_on_rpi.conf.sample /etc/nfc/devices.d/pn532_uart_on_rpi.conf
echo "allow_intrusive_scan = true" | sudo tee -a /etc/nfc/devices.d/pn532_uart_on_rpi.conf
sudo cp contrib/libnfc/pn532_uart_on_rpi_3.conf.sample /etc/nfc/devices.d/pn532_uart_on_rpi_3.conf
and you have to:
- Enable UART on GPIO by adding this line to the bottom of /boot/config.txt:
  enable_uart=1
- Stop and disable the serial console:
  sudo systemctl stop serial-getty@ttyS0.service
  sudo systemctl disable serial-getty@ttyS0.service
- Remove the console from /boot/cmdline.txt by removing: console=serial0,115200
- Save and reboot for the changes to take effect.
autoreconf -vis
./configure --with-drivers=pn532_uart --sysconfdir=/etc --prefix=/usr
sudo make clean && sudo make install all
You can test your setup by reading an ISO14443-A card using the nfc-poll program that comes with libnfc. Place a card on the reader and run the command:
cd ~/libnfc/examples
./nfc-poll
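If nfc-poll cannot find the reader, the usual cause is that one of the UART steps above did not take effect. The following preflight check is an added example, not part of the doorlock_raspberrypi project; the function name check_uart_setup and the --run flag are made up for illustration, the default paths are the ones named on this page, and the option name is spelled allow_intrusive_scan as libnfc defines it.

```shell
#!/bin/sh
# Added example (not project code): preflight check for the UART steps.
# Defaults are the paths named on this page; pass other paths to test offline.
check_uart_setup() {
    config_txt=${1:-/boot/config.txt}
    cmdline_txt=${2:-/boot/cmdline.txt}
    nfc_conf=${3:-/etc/nfc/devices.d/pn532_uart_on_rpi_3.conf}
    problems=0

    # enable_uart=1 must be present and not commented out.
    if ! grep -Eq '^[[:space:]]*enable_uart=1[[:space:]]*$' "$config_txt"; then
        echo "FAIL: enable_uart=1 not set in $config_txt"
        problems=$((problems + 1))
    fi

    # The kernel console must not be attached to the serial port.
    if grep -Eq '(^|[[:space:]])console=serial0(,|[[:space:]]|$)' "$cmdline_txt"; then
        echo "FAIL: console=serial0 still present in $cmdline_txt"
        problems=$((problems + 1))
    fi

    # The libnfc option must be spelled exactly allow_intrusive_scan.
    if ! grep -Eq '^[[:space:]]*allow_intrusive_scan[[:space:]]*=[[:space:]]*true' "$nfc_conf"; then
        echo "FAIL: allow_intrusive_scan = true not found in $nfc_conf"
        problems=$((problems + 1))
    fi

    # A login getty on ttyS0 would compete with libnfc for the port.
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet serial-getty@ttyS0.service 2>/dev/null; then
        echo "FAIL: serial-getty@ttyS0.service is still running"
        problems=$((problems + 1))
    fi

    # Exit status 0 only when every check passed.
    [ "$problems" -eq 0 ]
}

# Run against the live system only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_uart_setup && echo "UART setup looks ready for libnfc"
fi
```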
- Please follow the instructions provided by the official website.
- Get the source code
cd ~ && git clone https://github.com/emersonmello/doorlock_raspberrypi.git
cd doorlock_raspberrypi
- Change the HOSTNAME and PORT values in the Door lock NFC card reader's rp_settings.h file to the IP address and port where you are running the FIDO UAF Demo Server
- For instance:
nano rp_settings.h
- Compile Door lock NFC card reader project
make clean && make
- Run it (sorry, you must be root because it is a requirement of wiringPi lib)
- For instance:
sudo ./dist/Debug/GNU-MacOSX/doorlock_raspberrypi
- Start FIDO UAF Demo Server
- Follow the instructions provided by:
- FIDO UAF Demo Server
- Or, if you prefer, there is a Docker container ready to use here
- Install Dummy FIDO UAF Client on your Android phone
- Install Opening Door Android App on your Android phone
- In the Opening Door Android App, touch "Settings" in the main application menu and update the "server endpoint" field to the IP address and port where you are running the FIDO UAF Demo Server
- In the Opening Door Android App, touch "Whitelisting facetID" (to follow the FIDO UAF specifications).
- Or you can do it manually: in the Opening Door Android App, touch "See app facetID" in the main application menu and insert the displayed value into the FIDO UAF Demo Server MySQL database. For instance:
INSERT INTO facets (fDesc) values ('android:apk-key-hash:Lir5oIjf552K/XN4bTul0VS3GfM')
- Open Opening Door Android App and touch "Register" button
- Tap your mobile phone on "NFC reader"
- Follow the instructions provided by application (i.e. put your finger on the sensor, etc.) and you should see the message "Access Granted"
I'm using supervisord to handle this task because it can also restart a failed process
- Copy the doorlock_raspberrypi binary to /usr/local/bin
sudo cp ~/doorlock_raspberrypi/dist/Debug/GNU-Linux/doorlock_raspberrypi /usr/local/bin
- Installing python2.7
sudo apt-get install python
- Installing supervisord
sudo easy_install supervisor
echo_supervisord_conf | sudo tee /etc/supervisord.conf
- Adding a program section to supervisord's configuration file
- Add the following lines at the end of the /etc/supervisord.conf file
[program:doorlock]
command=/usr/local/bin/doorlock_raspberrypi
- For instance:
printf "[program:doorlock]\ncommand=/usr/local/bin/doorlock_raspberrypi\n" | sudo tee -a /etc/supervisord.conf
- Download the supervisord.sh file and save it in /etc/init.d
sudo cp ~/doorlock_raspberrypi/supervisord.sh /etc/init.d
sudo chmod 755 /etc/init.d/supervisord.sh
sudo update-rc.d supervisord.sh defaults
- https://learn.adafruit.com/adafruit-nfc-rfid-on-raspberry-pi/
- https://curl.haxx.se/libcurl/c/libcurl-tutorial.html
- https://gist.github.com/leprechau/e6b8fef41a153218e1f4
- https://github.com/nfc-tools/libnfc/tree/master/examples
- https://netbeans.org/kb/docs/cnd/remotedev-tutorial.html
- http://pinout.xyz/