Wed
Mar 6

Idea: an NFC authentication scheme

Update 2: A better (and probably, the final) implementation of this idea is now available here.

Update: I implemented this idea. It works even better than I thought because Android lets you auto-start apps when NFC cards are scanned. More info (and APK) here.

I like the KeePassX password manager, but it's a hassle to enter my password all the time, especially on a phone. Also, I frequently have to enter the password in places with video surveillance. This feels pretty unsafe.

My phone supports NFC so it would be pretty easy to just store the password on an NFC tag. But of course if someone scans the tag they have my password.

Proposed solution therefore is:

  1. Pad the password to 127 bytes (or some other arbitrary amount). Prepend the password length (or stick a 0 at the end or whatever).
  2. Generate 128 bytes of random numbers.
  3. XOR the padded password with the random numbers to produce an encrypted padded password. Store that on the phone.
  4. Store the random numbers on an NFC fob.

This means that I could scan the fob, the phone would XOR the random values with the encrypted password, and then use the result to unlock my KeepassX database.

If someone stole (or scanned) the fob, they would just get random data. If someone stole my phone they would also just get random data (effectively). The key and the ciphered data are the same length, so knowing one cannot possibly help you deduce the other.

Of course, someone could just steal my phone and scan the fob. While that could happen it seems pretty unlikely as my phone and my keys are always in different places. Also they would have to know that this is how I store my passwords, which they wouldn't unless I were being specifically targeted, which seems unlikely.

Can anyone see any problems with this scheme? If not I might implement it in KeepassDroid.