Set JavaCard ATR to be the same as another card from different vendor - javacard

I am replacing an old non-JavaCard with a JavaCard. Would it be possible to also change the ATR of my JavaCard to be the same as my legacy card? From what I read, the ATR defines card communication parameters, and since each chip has its own properties, does this mean this is not possible?

Related

Contactless Payments: Detect Mobile Device or Card

I'm trying to detect whether a contactless enabled smartcard or a mobile device equipped with ApplePay, Google Pay, or Samsung Pay was used for a contactless EMV transaction.
I have been researching via the EMV books, and there seems to be a tag, 9F6E, that provides this sort of data:
EMV Book 3 - VISA
EMV Book 4 - MasterCard
Questions:
VISA provides a 4-byte value in the field 9F6E, but I can't find a list of possible values and their meanings anywhere. The EMV book says "out of scope". Is there any way to reliably convert this to a known form factor?
MasterCard provides 2 bytes of data for the form factor, but I'm seeing values that I don't understand (32 31 ASCII = 21). Is there a list of values and meanings somewhere for these?
Is there an easy way to understand if CDCVM has been used for a given contactless transaction, so that I could separate contactless transactions from contactless with CDCVM transactions?
Google Pay is using cloud-based payments while Apple is using an embedded secure element. You can find this in tag 9F6E (form factor) on Visa. However, it might be different for MasterCard or Amex.
To fix this correctly, you might want to check the EMV tag 9F19, which returns the token requestor ID. Check the EMV payment tokenization spec for this. Token requestor IDs look like this:
MasterCard
50110030273 – APPLE_PAY
50120834693 – ANDROID_PAY
50139059239 – SAMSUNG_PAY
Visa
40010030273 – APPLE_PAY
40010075001 – ANDROID_PAY
40010043095 – SAMSUNG_PAY
40010075196 – MICROSOFT_PAY
40010075338 – VISA_CHECKOUT
40010075449 – FACEBOOK
40010075839 – NETFLIX
40010077056 – FITBIT_PAY
40010069887 – GARMIN_PAY
Refer to the documents below. You will require Visa Online and MasterCard Connect access to get these.
VCPS_2.2 Spec
M/ChipRequirements For Contact and Contactless Spec
Check the CVM and CVR inside 9F10.
I believe it is also possible to detect if the transaction was performed by a mobile device by using tag 0x82 (Application Interchange Profile). I believe this is a better approach because it will be the same regardless of card brand (as long as the card brand in question followed EMVCo's spec correctly).
Here is a link to the EMVCo Contactless Book.
https://www.emvco.com/wp-content/uploads/2017/05/C-4_Kernel_4_v2.6_20160512101635327.pdf
Check bit 7 (second most significant bit) of byte 2 (rightmost byte). If it is 1, it came from a mobile device. The Application Interchange Profile will always be 2 bytes.
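Added here as a worked example (not code from any of the answers above): a minimal BER-TLV parser that applies the 9F19 token requestor lookup from the first answer and the tag 82 bit check from the last one to a constructed card response.

```python
# Added example (not from the answers above): a small BER-TLV walker that pulls
# the tags the answers discuss out of a constructed card response and applies
# their checks. The token requestor IDs are the ones listed in the first answer.
TOKEN_REQUESTORS = {
    "50110030273": "APPLE_PAY", "50120834693": "ANDROID_PAY", "50139059239": "SAMSUNG_PAY",
    "40010030273": "APPLE_PAY", "40010075001": "ANDROID_PAY", "40010043095": "SAMSUNG_PAY",
    "40010075196": "MICROSOFT_PAY", "40010075338": "VISA_CHECKOUT", "40010075449": "FACEBOOK",
    "40010075839": "NETFLIX", "40010077056": "FITBIT_PAY", "40010069887": "GARMIN_PAY",
}

def parse_tlv(data):
    """Flatten BER-TLV bytes into {tag_hex: value}. Multi-byte tags (9F6E, 9F19)
    and long-form lengths are handled; constructed templates (77, 70) are descended."""
    out, i = {}, 0
    while i < len(data):
        start = i
        if data[i] & 0x1F == 0x1F:             # more tag bytes follow
            i += 1
            while data[i] & 0x80:
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        length, i = data[i], i + 1
        if length & 0x80:                       # long form: 0x81 nn / 0x82 nn nn
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if data[start] & 0x20:                  # constructed tag: recurse
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out

def aip_indicates_mobile(aip):
    """Bit 7 (second most significant) of byte 2 of tag 82, as the last answer
    describes. The AIP is always exactly two bytes."""
    if len(aip) != 2:
        raise ValueError("AIP must be 2 bytes")
    return bool(aip[1] & 0x40)

def token_requestor(tlv):
    """Tag 9F19 carries the 11-digit token requestor ID as 6 BCD bytes (leading 0)."""
    raw = tlv.get("9F19")
    return None if raw is None else TOKEN_REQUESTORS.get(raw.hex().lstrip("0"))

# Constructed sample response (template 77 with AIP, 9F6E and 9F19); not from a real card.
SAMPLE_RESPONSE = bytes.fromhex("7714" "82021940" "9F6E0420700000" "9F1906050110030273")
```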

Does an iBeacon have to use Apple's company ID? If not, how to identify an iBeacon?

According to the iBeacon spec, iBeacons have to broadcast 0x004C as the company ID in the advertisement's manufacturer data. 0x004c is Apple's company ID as assigned by the Bluetooth SIG.
I'm confused by this because other than the company ID, there doesn't seem to be any other data that definitively identifies a BLE device as an iBeacon. The next two bytes are fixed to 0x02 and 0x15, and the rest is configuration dependent.
At one point I figured that if the first four bytes of the mfg data are 0x4c 0x00 0x02 0x15, then it is an iBeacon. Then I found iBeacons that used other company IDs. I have Nordic Semiconductor iBeacon samples, for example, that use 0x59 0x00, which is Nordic's company ID.
Even if I look to make sure the 0x02 and 0x15 are where they are, and that the device is unconnectable, and the mfg data is the exact length, this doesn't seem to be definitive.
How to definitively identify an iBeacon?
You can see the byte sequence of an iBeacon transmission in my answer here.
The bottom line is that the exact header (including the company code) must be as specified for iOS to interpret an advertisement as an iBeacon transmission and to return the results using iOS CoreLocation APIs. If a different company code is used, it will simply not be detected by these APIs. Even though different companies manufacture beacons meeting the iBeacon specification, they all use the Apple company code.
The fact that some chip manufacturers give example code using different company identifiers (e.g. Nordic Semiconductor 0x59 0x00) may just be a way of getting around intellectual property restrictions. Apple insists that those who market their products as iBeacon compatible sign an agreement saying they will not disclose the specification. Nordic may be attempting to comply with this agreement by changing the company identifier in its sample code. Regardless of the reason, the fact remains that iOS devices will not interpret such a transmission as an iBeacon packet with an unexpected company code.
Since there is no standard defining a "beacon", different manufacturers have their own advertisement formats. Therefore you will have to make up a list of advertisement patterns you want to snap up. Each company defines what their data means so just looking at the first 2 bytes in the manufacturer data does not work since some company might use the prefix 0x02, 0x15 for something else.
You can download the iBeacon specification here (requires accepting licence agreement).
The specification states that the Company ID:
Must not be used for any purposes not specified by Apple.
Using these 2 bytes for their intended purpose of identifying the manufacturer is acceptable. Using these 2 bytes to broadcast additional information would probably fall outside of the licence agreement.
The information contained in the spec should be enough to help you. If you see a length of 0x1A, and 0x02, 0x15 in their respective places, it is most likely an iBeacon packet.
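As an added example that is not part of either answer: a parser that applies both checks described above (Apple's company ID, and the 0x02 0x15 header inside a 0x1A-length structure) to constructed BLE advertising frames, and reports a Nordic-style frame as having the layout without being detectable by iOS.

```python
import struct
import uuid

# Added example (not from either answer): walk the AD structures of a BLE advertising
# payload, find Manufacturer Specific Data (type 0xFF) and apply the tests the answers
# give: Apple's company ID 0x004C (sent little-endian as 4C 00) plus the 0x02 0x15
# header inside a structure of length 0x1A. The frames below are constructed.
APPLE_COMPANY_ID = 0x004C
IBEACON_PREFIX = bytes([0x02, 0x15])
IBEACON_AD_LENGTH = 0x1A     # type + company(2) + prefix(2) + UUID(16) + major(2) + minor(2) + tx(1)
SAMPLE_UUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")   # constructed value

def ad_structures(adv):
    """Yield (length, ad_type, payload) for each length-prefixed AD structure."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            break                              # zero padding or truncated frame
        yield length, adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length

def parse_ibeacon(adv):
    """Decode the first AD structure with the iBeacon layout, or return None.
    'ios_detectable' is False when the layout matches but the company ID is not
    Apple's, which is the Nordic 0x0059 case the question describes."""
    for length, ad_type, mfg in ad_structures(adv):
        if ad_type != 0xFF or length != IBEACON_AD_LENGTH or mfg[2:4] != IBEACON_PREFIX:
            continue
        company = struct.unpack_from("<H", mfg, 0)[0]
        major, minor, tx_power = struct.unpack_from(">HHb", mfg, 20)
        return {"company_id": company, "ios_detectable": company == APPLE_COMPANY_ID,
                "uuid": uuid.UUID(bytes=mfg[4:20]), "major": major,
                "minor": minor, "tx_power": tx_power}
    return None

def build_frame(company_id, beacon_uuid, major, minor, tx_power):
    """Constructed test frame: a Flags AD (02 01 06) followed by the iBeacon AD."""
    body = struct.pack("<H", company_id) + IBEACON_PREFIX + beacon_uuid.bytes
    body += struct.pack(">HHb", major, minor, tx_power)
    return bytes([0x02, 0x01, 0x06, len(body) + 1, 0xFF]) + body
```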

Read serial from smartcard with javax.smartcardio

So I'm trying to write a small applet which reads a serial number from a smart card using the javax.smartcardio library. The smartcard is connected with a bit4id reader, and right now I successfully connect to the smartcard and read basic info such as the ATR and protocol (T=1).
I did some research about it (for example: http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_5_basic_organizations.aspx#table9)
But I'm not getting which specific command APDUs I should send to the card to get that serial.
Is there an "easy way" to do that, without reading tons of papers and manuals?
I guess I would need some datasheets to know how data is stored inside the card, right? Or can I send some kind of command APDUs to retrieve this info from the card too?
Right now I only receive SW=6986 responses (not valid command).
Any advice, even only on the workflow, would be strongly appreciated!
There is no one way to read a smart card's serial number. "Smartcard" is an ISO/IEC standard defined in the 7816 specification. Many industries use this standard, like Mobile SIM, Bank Cards and Digital Signature Cards.
The implementation of the standard is different across industries, with some industries advancing this basic standard with their own additional APDUs etc., like the 3GPP/GSMA standard in the Mobile SIM case or the EMV standard in banking.
Anyhow, assuming that this card is ISO/IEC 7816 compliant, you could possibly assume that it uses file-based storage for card data. You could use the "SELECT" command (defined in 7816-4) to try to access all available files and print their information. I.e. files are identified by two bytes like 3F00; you could select from 0000, 0001, 0002 ... FFFF, then if you get a successful select (status word 90) read the contents and print them. Doing this you may be able to identify which file has the "serial", then you would only need to read this file going forward.
The above is not "easy" but may be a nice challenge and learning experience.
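An added example, not the asker's or the answerer's code, of the SELECT scan just described. The transmit() callback is an assumption standing in for whatever sends bytes to the reader (javax.smartcardio's CardChannel.transmit in the asker's case), and the fake card is constructed so the block runs offline.

```python
# Added example (not code from the question or the answer): the SELECT-by-FID scan
# the answer suggests, written against an abstract transmit(apdu) -> bytes callback.
# A constructed fake card with two files stands in for the reader, so it runs offline.
SELECT_BY_FID = bytes([0x00, 0xA4, 0x00, 0x00])   # CLA, INS, P1 = 'by file identifier', P2

def select_apdu(fid):
    """ISO 7816-4 SELECT for a two-byte file identifier such as 3F00 (Lc = 02)."""
    if not 0 <= fid <= 0xFFFF:
        raise ValueError("FID must fit in two bytes")
    return SELECT_BY_FID + b"\x02" + fid.to_bytes(2, "big")

def split_response(resp):
    """Split a response APDU into (data, status word as hex, e.g. '9000')."""
    if len(resp) < 2:
        raise ValueError("response shorter than the two status bytes")
    return resp[:-2], resp[-2:].hex().upper()

def scan_files(transmit, first=0x0000, last=0xFFFF):
    """Select every FID in the range and keep those answering 9000 with the FCI
    they return. On a real card this is slow; narrow the range once you know
    where the interesting files are."""
    found = {}
    for fid in range(first, last + 1):
        data, sw = split_response(transmit(select_apdu(fid)))
        if sw == "9000":
            found[f"{fid:04X}"] = data
    return found

# Constructed fake card: the MF 3F00 and one EF 2F02, each answering with a minimal FCI.
FAKE_FILES = {0x3F00: bytes.fromhex("6F0484023F00"), 0x2F02: bytes.fromhex("6F0484022F02")}

def fake_transmit(apdu):
    """9000 + FCI for a known FID, 6A82 (file not found) for an unknown one, and
    6986 (command not allowed), the status the question reports, for anything else."""
    if len(apdu) != 7 or apdu[:5] != SELECT_BY_FID + b"\x02":
        return bytes.fromhex("6986")
    fid = int.from_bytes(apdu[5:7], "big")
    if fid not in FAKE_FILES:
        return bytes.fromhex("6A82")
    return FAKE_FILES[fid] + bytes.fromhex("9000")
```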

Bluetooth beacon Manufacturer ID

I was wondering, is there a particular organisation you have to contact with regards to reserving a manufacturer ID for a Bluetooth beacon? For instance, if we wanted to start mass producing them, ensuring no one else uses a particular ID?
Any advice would be appreciated.
Why yes, there is. You must be a member of the Bluetooth SIG. See here for more information and a list of current Manufacturer IDs.
As an addition to the previous answer regarding Bluetooth SIG and Company ID, I will add a few things:
Company IDs are assigned by the Bluetooth SIG. In order to get one, your company must first become a member of the Bluetooth SIG. The entry level membership (adopter level) is free.
Once you are an adopter member, you can submit a request to get a Company ID (also free).
The company ID is necessary if you want to use the Manufacturer specific data field in order for example to have custom data in the BLE advertisement frames.
If you plan on building a 'simple' beacon product following an existing format, you might not need a Company ID. For Apple's iBeacon format, for example, the frame should use Apple's company ID as well as their beacon format (see for example this page explaining the iBeacon format: http://www.warski.org/blog/2014/01/how-ibeacons-work/). I believe the Google Eddystone beacon format also does not require beacon manufacturers to have their own company ID.

How does Bluetooth pairing work?

How exactly does Bluetooth pairing work? What is communicated between each device during the pairing process?
I was told if you had device-A wanting to pair with device-B:
A sends a 'unique key' to device B on some wavelength/frequency.
B returns an 'echo' back to A, and hence the devices pair.
+-----+   key    +-----+
|     | -------> |     |
|  A  |          |  B  |
|     | <------- |     |
+-----+  echoed  +-----+
This seems to be inaccurate, so would anyone be able to either expand further or actually explain how/what is communicated to result in a successful pairing of the devices?
I was thinking of incorporating some of this research into a final year project (University), but would at least need to know something of the Bluetooth pairing programming first.
Any help would be much appreciated in describing how these initial communications work.
I've heard of terms such as 'parked mode', and 'passive mode' within my research, but am yet to find any 'useful' information in the programming behind the design, (and hence I have asked this question). The likes of googling this type of topic is also quite difficult as it seems to bring up stuff like 'how to turn your bluetooth on' pages, and not the design of the programming behind it.
Bluetooth Secure Simple Pairing uses Elliptic Curve Diffie-Hellman (ECDH) public key cryptography with approximately 95 bits of entropy using the FIPS-approved P-192 elliptic curve.
E: y^2 = x^3 + ax + b (mod p)
The following parameters are given:
The prime modulus p, order r, base point x-coordinate Gx, base point y-coordinate Gy.
The integers p and r are given in decimal form; bit strings and field elements are given in hex.
p = 6277101735386680763835789423207666416083908700390324961279
r = 6277101735386680763835789423176059013767194773182842284081
b = 64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1
Gx = 188da80e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012
Gy = 07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811
There are five phases of Secure Simple Pairing:
1. Public key exchange
Each device generates its own Elliptic Curve Diffie-Hellman (ECDH) public-private key pair.
2. Authentication Stage 1
One of three protocol options is chosen by the connecting devices based on the IO capabilities of the two devices. These are:
Numeric Comparison,
Out-of-Band,
Passkey Entry
3. Authentication Stage 2
Each device confirms that both devices have successfully completed the exchange as stipulated by whichever protocol was chosen and used in the previous step.
4. Link key calculation
A link key is computed from the derived shared key and the publicly exchanged data. This is the numeric code shown to the user.
5. LMP Authentication and Encryption
The encryption keys are generated. The devices are successfully connected.
Further Reading:
Bluetooth user Interface Flow Diagrams for Bluetooth Secure Simple Pairing Devices (PDF)
Bluetooth Core Complete Specification v4.0 vol0 (ZIP/PDF)
The core specification is 138 pages, and fully answering your question would take at least 20 of them, so you'll need to read the references.
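The public key exchange and shared key steps above, as an added example that is not from the answer: textbook ECDH over the P-192 parameters quoted in the answer. The post does not list the coefficient a; the code assumes the standard P-192 value a = p - 3, and the private keys used are constructed.

```python
# Added example, not the answer's code: textbook ECDH over the P-192 parameters the
# answer quotes. The coefficient a is not in the post; a = p - 3 (standard P-192) is assumed.
p = 6277101735386680763835789423207666416083908700390324961279
r = 6277101735386680763835789423176059013767194773182842284081
a = p - 3
b = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
G = (0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
     0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)

def on_curve(P):
    """True for an affine point (x, y) satisfying y^2 = x^3 + ax + b (mod p)."""
    x, y = P
    return 0 <= x < p and 0 <= y < p and (y * y - (x ** 3 + a * x + b)) % p == 0

def add(P, Q):
    """Affine point addition (doubling when P == Q); None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:        # Q == -P
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):
    """Double-and-add scalar multiplication k*P (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def public_key(priv):
    """Phase 1 (public key exchange): each side computes PK = SK * G with SK in [1, r-1]."""
    if not 1 <= priv < r:
        raise ValueError("private key out of range")
    return mul(priv, G)

def dhkey(priv, peer_pub):
    """DHKey is the x-coordinate of SK * peer_PK; reject off-curve peer points first."""
    if peer_pub is None or not on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    return mul(priv, peer_pub)[0]
```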
A trusted relationship is established between the devices using a numerical password, commonly referred to as a passkey. Depending on how often one Bluetooth device connects to another, the user might opt to have the passkey saved for future connection attempts or prompt to enter the passkey each time the devices request communication with each other.
Read more: http://www.ehow.com/how-does_4964578_bluetooth-pairing-work.html
For two devices to have the ability to pair, they must share the same bluetooth profile. The following is from the official Bluetooth website:
Pairing devices
Not all Bluetooth enabled devices are designed to be paired. Logically, there's no reason to connect a wireless mouse to a wireless headset. You should be able to pair a Bluetooth enabled headset to a Bluetooth enabled phone, or a Bluetooth enabled mouse to a Bluetooth enabled computer.
If you're not sure whether the two devices you want to connect are designed to be paired with each other, make sure their Bluetooth profiles match.
