90% of the time, installing the GIDS applet on an NFC-enabled Java Card is a cheaper and more secure solution!
NFC Connector is a solution that emulates cryptographic smart card functionality for RFID tags or memory cards. With this solution, tags can virtually store certificates and be used in any smart card scenario such as login, signature or encryption. This solution is compatible with EIDAuthenticate or Active Directory for smart card logon. This solution does not rely on the user password at all.
- Windows XP SP3 or Windows 2003 SP2 or later.
- An NFC PCSC card reader, like
- An NFC tag recognized by the card reader, like
- Local admin rights to install the software and register the NFC tag driver
- Domain administrator rights for NFC Connector Enterprise automatic provisioning
View NFC Connector Light Demo (configuration and login to active directory). Demo for NFC Connector Enterprise with configuration, card creation, login to active directory and audit.
NFC Connector has two editions:
- NFC Connector Light
The word “Light” implies that this edition has not been designed for Enterprise use cases, that is, users who need to use the NFC / RFID tags with the same certificate on multiple computers and with key usage audit. This edition is distributed freely but it has the following limitations:
- Keys and certificates related to the RFID tag cannot be exported or used on another computer. This limitation has been set to prevent the unauthorized export of the cryptographic material.
- There is no limit on the number of PIN attempts and no lockout mechanism.
- NFC Connector Enterprise
This edition allows any computer on a network to access a “shared repository” where the certificates are stored, to provision cards automatically and to perform audits. The private key cannot be exported from the software. This solution has been designed to incorporate existing access control tokens (badges) and can be used with the same process as badge provisioning.
Differences between NFC Connector Light and NFC Connector Enterprise:
| Product | NFC Connector Light | NFC Connector Enterprise |
|---|---|---|
| Price | Free | 15 euros excluding VAT per computer |
| Certificate storage | Locally | On a server |
| Provisioning | Manually | Manually, automatic certificate deployment |
| RFID login to Active Directory with a card touch | No. An empty PIN must be entered | Yes |
| Card compatibility | Cards with UID (Mifare, phone with NFC emulation, …) | Cards with UID (Mifare, phone with NFC emulation, …); PACS bits (badge HID Prox, Mifare) |
| Extensibility | None | Plugins can be written to customize the smart card behavior or cryptographic storage |
| PIN enforcement | None | Like a real smart card (PIN count, PIN reset, …) |
| Audit logs | None | Yes, with computer IP, program, card ID, … |
Scenario 1: Use RFID as classic smart card (Light / Enterprise editions)
This use case allows any RFID card to be used as a smart card.
- Requirements: None
- Difficulty: Low
- Scalability: Bad
When the automatic registration of cards is enabled, the cards are created on the fly but without any user information or certificate. If a logon certificate has to be installed, the user has to request it (via the smart card manager or the certificate console) or a GPO has to be deployed.
Scenario 2: An administrator enrolls the card (Enterprise edition only)
This use case relies on an administrator to create the card on behalf of the user and configure the smart card logon.
- Requirements: An enrollment agent certificate
- Difficulty: Medium
- Scalability: Medium
The card is created using the NFC Connector administration tool. The administrator, after having configured an enrollment certificate on the solution, requests the creation of the card and the service automatically installs a smart card logon certificate on behalf of the user.
Scenario 3: Automatic registration of smart card (Enterprise edition only)
This use case relies on a data source which contains both user references and card references, and on an enrollment agent certificate. No user / administrator interaction is required.
- Requirements: An enrollment agent certificate and a data source
- Difficulty: High
- Scalability: Good
When an unknown card is presented to the solution, the software asks the data source for a user match. Then, it automatically creates the card and enrolls a smart card logon certificate on behalf of the user.