I'am programming the differents implementations of globalplatform scp01 and scp02 on Javacard and I've found a problem.
Can someone explain me how is the mechanism of secure channel initiation on mode implicit?
In the spec I've found perfectly described the explicit way, (pag. 214, E.1.2.1 Explicit Secure Channel Initiation, with an awesome graphic), but the implicit form is very brief...
What are the steps I have to follow to do it correctly??
Thanks
Related
One of the main features of Bluetooth v4.2 is LE secure connections, where Elliptic Curve Diffie-Hellman (ECDH) is used for the key agreement protocol. As of BlueZ v5.26, support for LE secure connections has been added as follows:-
"BlueZ 5.26 is the first release with support for Blueooth 4.2 features. Perhaps the most notable one of these is Low Energy Secure Connections which will require a 3.19 or newer kernel."[1]
Is there a way to test ECDH pairing through the command line? if not, what is the easiest way to test this?
I'm using BlueZ v5.38 on kernel 3.19 but I can't figure out how to do this.
[1] http://www.bluez.org/release-of-bluez-5-26/
In Linux, the secure connections feature using ECDH can be verified by performing pairing (using bluetoothctl) between two Bluetooth v4.2 devices and observing the output through btmon. Look for HCI Event: Link Key Notification and observe the Key type. If it shows P-256, then Secure Connections feature is verified. If it shows P-192, then it is using Secure Simple Pairing (SSP).
Additional background on this can be found in the Bluetooth Core Specification v4.2 in Vol 1, Part A, Section 5.1: Security Architecture.
I hope this helps.
from where I can download test specification for Bluetooth v4.1, I'm specifically looking for Secure Connections feature. I know its bluetooth.org but not sure for the exact place.
Please help.
okay, so its here:
https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=60535
I could see what I wanted.
I'm new to smart-card development. Please help me understand how to get started.
What's the relationship between Javacard and JCOP?
How do I map a JCOP version to a GlobalPlatform Card Specification?
For example, what specification does JCOP 2.4.1 map to?
When do I need to code against one API versus the other?
Where can I find a good tutorial to get started?
JCOP is a software platform originally from IBM that implements Javacard API and GlobalPlatform (formerly Open Platform). Now owned and managed by NXP.
JCOP 2.4.1? Probably GP 2.1.1. Do a web search for specific product specifications.
javacard and GP:
Javacard is used to write applications - javacard applets - for smartcard platforms, using the Java Programming language and a limited version of the JVM and java libraries.
GlobalPlatform is a specification for managing applet-aware smartcards, defining operations for things like:
managing card lifecycle,
card/host authentication,
installing/deleting/instantiating/selecting applets, and
managing security policies on the card.
Using GlobalPlatform you'll exchange APDUs with the GP card for the aforementioned operations; using javacard you'll write applets that can accept and process APDUs that are specific to your application. GlobalPlatform isn't javacard specific, but javacard is the only relevant technology for smartcard applet development.
For javacard tutorials, start with the javacard site. Look through the documentation section for Getting Started stuff. Download the dev kit and you'll find some html howtos. For GlobalPlatform, you'll need to begin with the latest GP spec; it's certainly not a tutorial, but I don't think you'll find anything more useful. The spec will require strong smartcard fundamentals. Also see Required Things to start Smartcard Programming Using Javacard
I used this excellent tutorial when started with JavaCard: http://javacard.vetilles.com/tutorial/
This might be useful - I spent a while getting older tutorials working on real hardware (e.g. physical Java Cards with GP), including sending APDUs etc. I've collected some of my notes into a video format as it was too much work to write down every little thing.
The video is here: https://www.youtube.com/watch?v=oj2l0X8D4y0&hd=1 and includes basically a quick run-through of what to install, building a program, installing to a Java Card, and talking to said program via Python. It's very very basic but sometimes that's what you need...
jcManager
http://www.brokenmill.com/2010/03/java-secure-card-manager/
comes with source code, which is useful
The two best introductory tutorials I have found are:
"Lecture 14 - Javacard" https://edux.pjwstk.edu.pl/mat/268/lec/lect14/lecture14.html
and this one at JavaWorld,
How to write a Java Card applet: A developer's guide
For example code there is a section titled Learning in this Github repo,
javacard-curated-list of applets
To give an idea of the first topics that are typically covered, the headings from the second link mentioned are:
Architecting the applet
Specifying the functions of the applet
Specifying AIDs
Defining the class structure and method functions of the applet
Defining the interface between an applet and its terminal application
An APDU primer
Defining APDU commands
The Javacard APDU Class
The applet processes an APDU command by invoking methods on the APDU object. In general it performs these steps:
Step 1. Retrieve the APDU buffer
Step 2. Receive data
Step 3. Return data
Step 4. Return status word
Constructing the applet code
Implementing error checking
This article is by Zhiqun Chen who also wrote the book Java Card Technology for Smart Cards
The GlobalPlatform smart-card standard defines irreversible state changes, such as card termination after too many failed authentications or initial card initialization. How does one learn about GlobalPlatform without burning through hundreds of smart-cards (which is expensive)?
Use a simulator. The JCOP toolset includes a simulator that runs within Eclipse, and implements GlobalPlatform commands.
When I've implemented e.g. the Secure Channel protocols myself, I compared the messages that my code generated with the messages generated by the simulator, using the default JCOP keys, until I was certain I had it right. It's just DES/3DES, but arranging the blocks to be encrypted/verified is tricky.
When I test against cards, I have a handful ready, and if authentication fails, I rotate cards, making sure that when I solve the problem I successfully authenticate against the cards with prior authentication failures.
I implemented GP Secure Channel protocols 01 and 02, and destroyed no more than two cards.
In addition the answer of pb2q, some cards may have additional access points next to the card manager which you may use to reset the card. Obviously, you need info on how to do it for a particular implementation, and quite possibly a key.
I am trying to sign an XML document with the Micrisift API for the smart cards...
So far I can list the card readers, connect to the right card and establish the context but after that I am not sure what is next......
What PC/SC Functions Do I need to call to sign a document with a private smartcard key?
thanks in advance
Javier
If you have a middleware installed you can use the Windows CAPI for cryptographic functions. Some middlewares also ship a PKCS#11 library you can use.
If you don't have any middleware you have to do it yourself using the PC/SC interface, I suggest you look into ISO/IEC 7816-4 and ISO/IEC 7816-8 if the card is using Secure Messaging (or Sado Machism if you ask me). Unfortunately those ISO specs are quite expensive, however you can find some excerpts from ISO/IEC 7816-4 right here.
The ISO/IEC 7816-4 describe the APDU commands for information exchange with the card. The PKCS#15 standard can also be of great help regarding how files are stored on the card.
Also, you might need the full specification from the card manufacturer. If you are lucky you can find a plugin for your card in the MuscleCard project or the OpenSC project (they both work in Windows too).