PAM Authentication for RFID Tags
Overview
This project seeks to enable user authentication based on an RFID tag id. The project consists of two components:
- The PAM authentication module, used in a PAM stack to provide authentication based on an RFID tag
- A set of Linux utilities for managing the RFID authentication password file
Download: PAM Authentication for RFID Tags Version 1.0. This module is released under the Eclipse Public License 1.0.
Authentication Module
The authentication module is fairly straightforward. It is based on the premise that possession of a valid RFID tag is tantamount to knowing your userid and password. As such, it is of critical importance to protect your RFID tag, and the code it contains, as you would any other password. If you lose your RFID tag, remove the code from the authorization database. If you believe your RFID tag's ID is compromised, either discard it and use a new card, or (if applicable) rewrite the code stored on the card.
When using pam_authrfid in your PAM stack, you will be prompted to scan your RFID tag, rather than enter a username and password. That RFID tag will be checked against the RFID authentication password file for the user it corresponds to. That user id will be granted authorization by the 'pam_authrfid' module.
Configuration File
The configuration file stores SHA256 hashes of your RFID tag id, and associates them with your system username. The example shown below associates two tags with user 'tfanelli'. When the authentication module is executed, it takes the sha256sum of the tag and compares it to each entry in this configuration file. If a match is made, the user associated with that tag is authenticated, otherwise the module fails.
You can store the configuration file anywhere that makes sense to you, such as /etc/rfid/passwd. The configuration file should be writable by root, and readable by all users.
- Note: Future implementations may use a shadow password technique, keeping the RFID hashes readable only by root. For now, though, we use SHA256 which has no known collision attacks and is very secure.
- SHA256 is algorithmically very similar to SHA1, which has been compromised. It will only be a matter of time before SHA256 is compromised as well - but hopefully I will have moved to a shadow password scheme by then.
    # /etc/rfid/passwd - Sample configuration file for pam_authrfid
    #
    # Maps sha256 hashes of RFID tags to user ids...
    f2f42f8df8acf2856c452c1828a0d01ed267330eead7680a5ed3c2819051baea:tfanelli
    fc8b228b8126679f94191c606c201d70f77121d438bb6bc95f69a27a0535bff6:tfanelli
The command line utilities to manage this file are not yet implemented. To compute the SHA256 hash of your tag id, execute:
    echo -n <rfid tag id> | sha256sum
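The file format and the "writable by root only" rule described above can be checked with a short script. This is an added example, not part of pam_authrfid: the function names, the comment and blank-line handling, the lowercase-hex requirement and the first-match-wins lookup are assumptions, and the tag ids and users in `demo()` are constructed.

```python
import hashlib
import os
import re
import tempfile

ENTRY = re.compile(r"^([0-9a-f]{64}):([A-Za-z_][A-Za-z0-9_.-]*)$")

def tag_hash(tag_id):  # same digest as `echo -n <rfid tag id> | sha256sum`
    return hashlib.sha256(tag_id.encode()).hexdigest()

def parse(path):
    """Return [(line no, hash, user)]; '#' and blank lines skipped (assumed)."""
    entries = []
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            m = ENTRY.match(line.strip())
            if m:
                entries.append((n, m.group(1), m.group(2)))
            elif line.strip() and not line.lstrip().startswith("#"):
                raise ValueError(f"{path}:{n}: malformed entry")
    return entries

def lookup(path, tag_id):
    """User for a scanned tag id, or None (first match wins: an assumption)."""
    return next((u for _, h, u in parse(path) if h == tag_hash(tag_id)), None)

def audit(path):
    """Findings that would let a non-root user add or take over a mapping."""
    st = os.stat(path)
    findings = ["not owned by root"] if st.st_uid else []
    if st.st_mode & 0o022:
        findings.append("writable by group or others")
    owner = {}
    for n, h, u in parse(path):
        if owner.setdefault(h, u) != u:
            findings.append(f"line {n}: tag already mapped to {owner[h]}")
    return findings

def demo():
    """Constructed sample: made-up tag ids, one of them mapped to two users."""
    rows = [("TAG-A", "alice"), ("TAG-B", "alice"), ("TAG-B", "bob")]
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.writelines(f"{tag_hash(t)}:{u}\n" for t, u in rows)
    os.chmod(fh.name, 0o666)  # deliberately too permissive, so audit() flags it
    result = lookup(fh.name, "TAG-A"), lookup(fh.name, "TAG-C"), audit(fh.name)
    os.unlink(fh.name)
    return result

if __name__ == "__main__":
    print(demo())
```

Run `audit("/etc/rfid/passwd")` after every change to the file; an empty list means the ownership, mode and mapping checks all passed.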
Specify the configuration file on the line of the PAM configuration that loads the pam_authrfid.so module. For example, below are the contents of my PAM GDM configuration file:
    #%PAM-1.0
    auth sufficient pam_authrfid.so /etc/rfid/passwd
    auth requisite pam_nologin.so
    auth required pam_env.so readenv=1
    auth required pam_env.so readenv=1 envfile=/etc/default/locale
    @include common-auth
    auth optional pam_gnome_keyring.so
    @include common-account
    session required pam_limits.so
    @include common-session
    session optional pam_gnome_keyring.so auto_start
    @include common-password
HAQ (Highly Anticipated Questions)
A couple notes and common questions about security while using pam_authrfid.
What is an HAQ?
An HAQ is like an FAQ, except for questions that have not ever actually been asked. They are questions I anticipate being asked, and therefore I am answering in advance.

Why not just use your RFID tag as your account password?
Several good reasons exist why you should not use your RFID tag to replace your account password:
- First and foremost in my mind - you have only one password for your account, but could conceivably have multiple RFID tags in use.
- If your tag is implanted and not writable, then if your tag id is compromised, it is forever useless as your computer password.
- If you ever desire to have remote access to your computer, chances are the computer you are on does not have an RFID scanner - so you'd have to have your RFID id code memorized.

Is it safe for my pam_authrfid configuration file to be readable by everybody?
The short answer is 'yes, for now'. The configuration file stores the SHA256 hash of your RFID tag id, not your actual tag id. SHA256 is very secure, and it would be very difficult for an attacker to obtain your RFID tag id from the hash code of your tag id.

What if I lose my RFID tag, or am unable to scan my RFID tag?
In this case, authentication using pam_authrfid would fail. The pam_authrfid module should be high up in your PAM stack, and configured to provide sufficient authorization. It is meant to supplement the existing authentication mechanisms of the operating system, though, not replace them. If pam_authrfid fails, the remainder of the PAM stack would take over and authenticate you using your username and password.

I would like to use pam_authrfid - do I need your permission?
Absolutely not. The source code for this module is provided under the Eclipse Public License 1.0 - which allows you to use, modify, and redistribute this module as you see fit. All I ask for is credit where credit is due.

I am a developer, and have made changes to pam_authrfid. What now?
Great! For now, you are welcome to submit your changes to me via e-mail to <tim AT timfanelli DOT com>. If I like what I see, I'd be happy to incorporate the changes and credit you with the code. Eventually, I'll set up a public SVN repository with the sources, and you can request a developer account then to commit changes.
