Bruce,

Since I to some extent work with this I may provide some answers.

NFC's main contribution is really "only" to initiate a secure WLAN, Bluetooth, or UWB link between a smart device and a contact point of some kind. A possible session state is only in the link.

Due to the short range, security issues are essentially the same as for RFID. It is likely that an initiation could be hijacked if you have a modified highly sensitive device. OTOH this is seldom of major interest unless you want to pay somebody else's bills or be first in a passport line. But I'm sure that some security experts can come up with something that would make this scheme look real bad. I think this should be pitted against the evils of social engineering, device theft and violence against the device holder. Or why not just some old-fashioned ignorance?

I am also pretty sure that RFID systems are vulnerable to DoS attacks, as is probably valid for all RF based systems.

Regarding Man-in-the-Middle attacks I think these are highly dependent on the application protocol. If the application uses SSL client auth there should be small chances to succeed. Although overkill IMHO, SSL client auth could probably be used even for access control.

Anders

----- Original Message -----
From: "Bruce Barnett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 16, 2004 16:02
Subject: Re: [Muscle] NFC - A killer technology

> I would actually be more interested to see how Muscle could address
> this potentially very useful technology.

I think NFC is interesting, and I'm not sure how certain issues are handled. If someone can clarify, or has ideas, I'd appreciate it.

For instance, suppose you use it for access control, as an entranceway. More than one token can be near the reader (tailgating). Which token goes with which person?

Are there eavesdropping issues?
Can one token prevent another one from accessing the system? (Denial of Service)
Can sessions be hijacked?
Can one token act as a Trojan?
Man-in-the-Middle attack?
_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.drizzle.com/mailman/listinfo/muscle
