I am trying to sign an XML document with the Micrisift API for the smart cards...
So far I can list the card readers, connect to the right card and establish the context but after that I am not sure what is next......
What PC/SC Functions Do I need to call to sign a document with a private smartcard key?
thanks in advance
Javier
If you have a middleware installed you can use the Windows CAPI for cryptographic functions. Some middlewares also ship a PKCS#11 library you can use.
If you don't have any middleware you have to do it yourself using the PC/SC interface, I suggest you look into ISO/IEC 7816-4 and ISO/IEC 7816-8 if the card is using Secure Messaging (or Sado Machism if you ask me). Unfortunately those ISO specs are quite expensive, however you can find some excerpts from ISO/IEC 7816-4 right here.
The ISO/IEC 7816-4 describe the APDU commands for information exchange with the card. The PKCS#15 standard can also be of great help regarding how files are stored on the card.
Also, you might need the full specification from the card manufacturer. If you are lucky you can find a plugin for your card in the MuscleCard project or the OpenSC project (they both work in Windows too).
Related
I'm going to write a Java Card applet to convert my card into an EMV compliant card.
1- The question is how can I do that?
As far as I know, there are four EMV specifications known as EMV Books which contain principles of EMV cards (Chip characteristics, file structure and also the list of APDU commands). Do I need any other specifications to implement my applet or these are all I need? If there are some other specifications which I need, are they freely available or they are proprietary?
2- Do EMV cards have an specific Applet AID?
EFT-Lab provided a good list of applet AIDs. As you see below, there are a lot of AIDs which belong to Visa International (as vendors) that all are "EMV" types. Why does Visa International have a lot of different AIDs for its EMV applets? What's the difference between these applets?
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
1- The question is how can I do that?
Yes. Implement the specifications. If there are any other requirements (and surely there will be) then they should be referenced in the specs.
2- Do EMV cards have an specific Applet AID?
Because they offer specific functionality? You may even have multiple applications on the same card. Note that it is possible to select applications using a partial AID (see how the Debit & Credit card partially match). The VISA specific cards are likely used internally only, e.g. when servicing cash machines.
3- Is there any open source EMV applet? Is there any Java Card that has an EMV applet/package by default?
Not likely. It would be rather unusable because it would require EMVCo security evaluation to be accepted. So you need some kind of payment structure to pay for certification and audits. No open source initiative is likely to pony up the cash up front.
Often these kind of implementations require techniques to avoid vulnerabilities that need to remain secret; smart cards do not offer perfect security after all. That's perpendicular to open sourcing an implementation. So if there is anything out there it must be created out of academic interest (e.g. for testing the security of the protocol, proof of concept etc.).
4- Is there any specific difference between contact and contactless EMV cards? (I mean in the file-structure or in the APDU commands)
Generally it is more about which parts of the applet are available or not. The fact that most applets can be used in dual mode probably speaks for itself otherwise.
This paper seems to have a good introduction to the possible differences.
Is there any open source EMV applet? Is there any Java Card that has
an EMV applet/package by default?
Was working on a similar project and found this github repo. According to the owner:
This is a fully working EMV applet for javacard 2.2.1.
I am trying to develop a custom cryptographically secure protocol for authenticating through an RFID smart card, all I can find over the internet are generic info on how write static Tags into the card.
For my project I need for the reader to send a Challenge nonce to the card (fixed length random bytes), then the card should send back the challenge encrypted with the hard-coded key (for example with AES CBC) or an hash HMAC.
The problem is: how can I program the card to do such behavior? I can write the code to do so, but how to "flash" it to the card. Also the code for the reader is not a problem (I want to use an Arduino with a reader module).
And then has a passive chip enough power to do this kind of calculations or is better to use an active one, considering that the distance would be few centimeters, such as behind a door?
A passive tag can't do this. Those just hold serial numbers that they spit out back.
You need some smarter card. You have basically two choices:
1) Choose a general-purpose card that fit your needs
The authentication scheme you describe is very widely used, and implemented by virtually all general-purpose smart cards, whether with contact or contactless (RF) interfaces (or both). If you go this way, you don't need to program the card with your own code, you just need to get the specs and initialize the card with the key value you want by sending the appropriate commands. And actually, with these cards, there are often generic tools available to initialize them. Easy.
Mifare (by NXP), for example is very widely used, easily available, and cards are cheap (drawback: it is certainly not the most secure cards ever made). You could use Mifare Classic - with proprietary NXP security protocol - specs here (be careful, the reader must be compatible) or Mifare UltraLight C, with open 3DES crypto - specs here. There are other variants, as well (e.g. Mifare Plus, which uses AES). Just don't go for the simple Mifare Ultralight, which doesn't provide authentication means. You'll see that for all these type of cards, there is a builtin authentication scheme that can functionally fulfill your needs (it is actually a mutual authentication, so it does more that what you require, but it's fine).
FeliCa (made by Sony), ACOS3 (made by ACS - specs here) are other possibilities, although I'm less familiar with it.
2) Get programmable cards
There are some, but it is not very easy to find for contactless and they are very expensive. You can lookup:
BasicCard (ZeitControl), which exist with dual interface. Those cards are programmable in Basic, and there are some kits available (but I'm not familiar with it either).
JavaCard (any manufacturer), which is a standard, but those are hard to find for small volumes. A few online shops seem to have some, though. These cards are programmable in Java (actually a subset of Java). There are tools available for the development phase (from Oracle, or even as Eclipse Plugins, for example). Then, for loading your custom applet in the smart card, you need to get familiar with GlobalPlatform, which is another (publicy available) standard, describing the way applications are managed in a smart card. This would be too broad to describe in detail here, though. You can find resources on the internet, but this road is definitely the most difficult.
Note, that NFC just describes the communication method and tells nothing about the intelligence available on other side.
More intelligence is needed (the command you seem to look for is called EXTERNAL AUTHENTICATE in ISO 7816-4), but does not help for your range problem, since the weaker the field, the less power is available. The idea of having communication through the door will only work for doors which are so weak, that a high-tech electronic protection won't improve overall security. The maximum distance achievable with standard field strength (heart pacemakers and similar devices limit that one) with nothing more than air between suffices typically for something like 10 centimeters. So for me it seems that your reader has to be on the outside and needs to be mechanically hardened against tampering itself.
(What would help, is a "card" with its own power source, so the field is only required for communication. As far as I know, this is mostly provided by a sort of external sleeve.)
What dim fails to mention is the product group of so-called native cards, which are typically only programmable with significant manufacturer support (non-disclosure agreement, probably fee involved), but luckily contain functionality for most use cases already, in your case the commands Get Challenge and External Authenticate.
I'm working on the AFC (automatic fare collection) system which required a SAM( secure access module) for key management.system works fine with local key management in MCU and I don't have any experience in using SAM.SAM required to install beside MCU as main reader controller & contactless card reader chip(PCD).
Is used protocol based on the smart card ISO7816?Am i true?
As i know SAMs are part of SMART cards family,are a SAM javacard or there are javacard SAM and non javacard SAM?
is there upper level standard used for communicating with SAMs(based on iso7816 ) or each manufacturer use its own protocol?
whats different between SAM and usual GSM SIM-CARD? and can i use a GSM-SIMCARD instead of SAM?
is there any standard use case for process of key management in smart cards ?
wbr
A SAM may be a smart card or another chip like a trusted platform module. A TPM is addressed using an API, see here.
SAMs are seldom required, so there are no domain independent standards how to address these.
If a smart card is used, then 7816 is obviously the way to go. A native smart card is also perfectly possible as SAM, especially if Perform Security Operation command of ISO 7816-8 is supported.
A typical SAM command is "encrypt these data with your (say AES) key number 1". A typical SIM card will have no command for it.
You have to collect the use cases you are interested in by yourself. Some ideas:
encrypt these data
decrypt this cryptogram
compute or verify this message authentication ocde
derive session key
replace key data of existing key
I'm new to smart-card development. Please help me understand how to get started.
What's the relationship between Javacard and JCOP?
How do I map a JCOP version to a GlobalPlatform Card Specification?
For example, what specification does JCOP 2.4.1 map to?
When do I need to code against one API versus the other?
Where can I find a good tutorial to get started?
JCOP is a software platform originally from IBM that implements Javacard API and GlobalPlatform (formerly Open Platform). Now owned and managed by NXP.
JCOP 2.4.1? Probably GP 2.1.1. Do a web search for specific product specifications.
javacard and GP:
Javacard is used to write applications - javacard applets - for smartcard platforms, using the Java Programming language and a limited version of the JVM and java libraries.
GlobalPlatform is a specification for managing applet-aware smartcards, defining operations for things like:
managing card lifecycle,
card/host authentication,
installing/deleting/instantiating/selecting applets, and
managing security policies on the card.
Using GlobalPlatform you'll exchange APDUs with the GP card for the aforementioned operations; using javacard you'll write applets that can accept and process APDUs that are specific to your application. GlobalPlatform isn't javacard specific, but javacard is the only relevant technology for smartcard applet development.
For javacard tutorials, start with the javacard site. Look through the documentation section for Getting Started stuff. Download the dev kit and you'll find some html howtos. For GlobalPlatform, you'll need to begin with the latest GP spec; it's certainly not a tutorial, but I don't think you'll find anything more useful. The spec will require strong smartcard fundamentals. Also see Required Things to start Smartcard Programming Using Javacard
I used this excellent tutorial when started with JavaCard: http://javacard.vetilles.com/tutorial/
This might be useful - I spent a while getting older tutorials working on real hardware (e.g. physical Java Cards with GP), including sending APDUs etc. I've collected some of my notes into a video format as it was too much work to write down every little thing.
The video is here: https://www.youtube.com/watch?v=oj2l0X8D4y0&hd=1 and includes basically a quick run-through of what to install, building a program, installing to a Java Card, and talking to said program via Python. It's very very basic but sometimes that's what you need...
jcManager
http://www.brokenmill.com/2010/03/java-secure-card-manager/
comes with source code, which is useful
The two best introductory tutorials I have found are:
"Lecture 14 - Javacard" https://edux.pjwstk.edu.pl/mat/268/lec/lect14/lecture14.html
and this one at JavaWorld,
How to write a Java Card applet: A developer's guide
For example code there is a section titled Learning in this Github repo,
javacard-curated-list of applets
To give an idea of the first topics that are typically covered, the headings from the second link mentioned are:
Architecting the applet
Specifying the functions of the applet
Specifying AIDs
Defining the class structure and method functions of the applet
Defining the interface between an applet and its terminal application
An APDU primer
Defining APDU commands
The Javacard APDU Class
The applet processes an APDU command by invoking methods on the APDU object. In general it performs these steps:
Step 1. Retrieve the APDU buffer
Step 2. Receive data
Step 3. Return data
Step 4. Return status word
Constructing the applet code
Implementing error checking
This article is by Zhiqun Chen who also wrote the book Java Card Technology for Smart Cards
Has anyone got a tutorial up on getting your own smartcard and getting pkcs#11 working on it? In Linux? (Windows would be fine too).
Most of the vendors seem to assume you'll be wanting enough for your whole company, not one or two.
This heavily depends on the driver and application you use. We use OpenSC/OpenCT for all non-Enterprise Smartcard uses. They have decent documentation.
Yes, check out what OpenSC supports.
Make sure that you know what you want - USB tokens or full-size smart cards. There are pros and cons with both solutions - USB tokens require drivers, often by the manufacturer, to use on some platforms (eg Windows7 or OSX can be troublesome). But they are easy to use once set up and sometimes offer better performance than ISO smartcards. Casual smart cards on the other hand have also contactless interfaces and can be used with pinpad readers which provide higher security than USB tokens.
If you're into fancier features and may want to extend your card infra further than just pkcs#11 crypto, javacards might be useful (OpenSC can not work with JavaCards directly but certain applets are supported, like Muscle) Otherwise look for a supported card operating system.