RE: [Project] An extensible (plugin based) windows service that performs actions for NFC events

I found a memory leak in the service (in the sense that I noticed it was consuming 18gb of ram after 8 days. Hopefully that is now fixed but I'll have to keep an eye on it for a while to make sure.
Maz

I was just tinkering and found a neat feature. Because my credential provider talks to the service, I can have it suspend the services normal functions when a credential window is active. Which means I can use my ring to log into remote servers etc. its just a matter of getting the name of the server from the context of the credential provider (im sure its there somewhere. otherwise it sends my usual username and password).
Anyway. just thought that was cool.
Maz

Argh! 2:40am

It's working. Also, don't hate me but I've used the registry for storing auth data (more to see if I could read the registry from C++ than anything else).

But now that my actual data isn't stored in the code I'll be able to push to github or something like that in the morning.

BAM!
Hard-coded proof of concept working...

So,
I can potentially store the CredProtectW protected credentials on the NFC ring itself so that way I dont have to store the users details on the filesystem of the machine they're logging into. Or do we want both options?

I'm learning all about NFC as I go so forgive me if I don't know what I'm doing on that side of things.

Just in case anyone wanted to see I made a terrible video.
This is just a proof of concept!

I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.

So... It is all refactored and makes a lot more sense now which is nice.

I did a new video and you see me testing it with an invalid NFC tag (the top of my ring) and it doesn't login, then when I scan the bottom it instantly lets me in (the ACR122U reader has a great range). You don't need to click anything at all just like the ASUS one.

I had an idea for how to store the credentials on the machine so I'll do that first and then I can look into password protecting credentials that are stored on the ring.
Maz

Apparently I am not as recovered from surgery as I might have hoped.
Here is my initial check-in and hopefully I can get back to it again soon.

https://github.com/maz-net-au/NCFRingCredentialProvider

So resting is dull and I wrote a C++ wrapper around CredProtect which means i can store an encrypted password which (in theory) only windows itself can decrypt again. Then I wrote a C# forms app that can call my C++ wrapper and write the data to the registry (this is the precursor to having a registration app). I'm not sure how long I can store the CredProtect result because I'm wary of what Microsoft might mean by "current security context" in their documentation... "The CredProtect function encrypts the specified credentials so that only the current security context can decrypt them." so further testing is needed.

I'm learning a lot, even if I'm not getting all that much done. As of Monday, I have to go back to my real job so won't be able to spend as much time on this. Ideally by then I'll have some kind of binary package that other people can play around with (without needing to compile it yourselves).

So I've just made a C# .Net project using MEF that runs as a windows service, checks a USB nfc reader and triggers events "NFCTagDown" and "NFCTagUp" respectively, passing the ID of the ring across to the set of plugins. It is possible to run multiple plugins / actions for each event (you'd probably want to have some way to register an NFC tag to a plugin).

The first attempt I made was to lock the PC with a swipe of the NFC ring (to go with my credentialprovider unlock project) but it seems that the new Session 0 isolation security measure blocks the service from performing this action. Even when I have marked the service as "Allow service to interact with desktop".

Call to action:

1. Does anyone have any ideas for how to lock a windows 8 / 10 pc from a service in C#? I've tried
   [DllImport("user32.dll")]
   public static extern bool LockWorkStation();
   and
   Process.Start(@"C:\WINDOWS\system32\rundll32.exe", "user32.dll,LockWorkStation");

2. What other plugins / actions would people want to perform?

3. What events are developers interested in for their own plugins?

Apparently I can't upload files here so I've shared it off my website in case people wanted the code. When I have a plugin that works I'll push it to github. The code is under an MIT license. Go nuts with it.
http://maz.net.au/Files/Public/NFCRingServiceCore.zip

Note: this is for developers only at the moment. You need to use installutil.exe to install the service.

I don't know how much time I'm going to have in the short term. I am getting ready to move countries. I was hoping that the kickstarter would be run and that could be used for polishing / making installers / making it user friendly.
I'll still try and work on this in my evenings and I'm definitely available to help other people get up to speed on what I've done.
Maz

Just after I wrote that I went back through the code and found what might be causing the 6321 and multiple reader failure. So... expect an update tomorrow (about 12 hours from now).
Maz

@jasok2
I dont think the kickstarter is going to delay it at all. You can already get the latest version now. The kickstarter is just going to add polish (RE: installers and crap) because it seems unlikely that I'll get around to that any time soon. I like the idea of using a kickstarter to add some professionalism to open source projects. So many of them could be really useful if an installer was made and a nice UI designed and used.

Okay. Update 7 is the last for the night. Could other users with windows 10 please test and see if the credential provider / unlock part fails if the machine is left locked for 5 minutes. I need to find out if it is specific hardware that is causing it or windows 10 in general.
Thanks.
Maz

This is how apps work on mobile phones. It has nothing to do with the NFC ring. It is the same if they click a link to your profile on a webpage. Worse yet, the different mobile platforms handle deep-linking a little differently.

The nfc tag is just saying "open url: your.url.facebook.com" or whatever. After that, it's the software on your phone that does the rest and that is where the problem lies. Send a message to google, apple, microsoft, facebook, linkedin, twitter etc and see if you can convince them to make the system more streamlined.

I wonder if they could actually make the facebook website detect that it is being opened on a phone that has the app installed and then from the browser, launch the app. I suspect not but you can always ask.

That's interesting. The limit in Australia seems to be $100 (AUD.. currently about US$75) and there aren't any fees to recover your money if you report the problem promptly.

New ring with new chips.

@Lokki
Done and done. Hopefully they actually ship it when they say they'll ship it. heh.

I just got home and found my arc122 waiting for me. i'm basically bedridden for a week so it'll give me a chance to start tinkering away with it. got any advice or suggestions where to get started with it? Might just save me a bit of time. Otherwise i'll see how i get on with making it lock / unlock windows.
Maz

Okay. So I've just spent some time to create a custom credential provider for windows 7, 8, 10 etc and I have code that talks to my ARC122U reader (all in C++).
Security... If i do it based on the ID, copying the NFC ring would allow someone else to access the machine.
If i store a certificate on the ring (I should be able to fit one), then I'd need to create a C# UI that streamlines the registration / certificate creation process (if possible, i havent actually tried this yet).
My question is, how secure is this expected to be?

my vm's lockscreen...
Lockscreen.jpg

@johnyma22
I was hoping to get a proof of concept going today but given that its 11pm i might not finish it tonight.
If I can get it working then I'm happy to turn over all the code for free with whatever license you like. I have a good job with Fove Inc already and don't need any extra pressure right now. I'm actually at home sick this week (recovering from some minor surgery) but it's so dull I thought I'd do a bit of code (even though the painkillers add an extra challenge).
I'll keep updating with my progress here and you can decide if you'd like your dev to start from scratch or if they can use my code to help a bit.

So far I have the credential provider showing, and when the user selects the NFC Ring option it connects to the first card reader and pulls the UID off the card there. Now I'm trying to find a good way to compare that with a registered ring's value and then pass a credential across to windows. The C++ documentation around ICredentialProvider is pretty frustrating. AFAIK there isn't a good way for .Net to access these API's without wrapping a C++ dll.
Maz