Smartcard programming PKCS - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Smartcard programming PKCS

Description:

Microsoft .NET Framework Overview. Information Security ... The heap is ... Transactional behavior of heap changes. limited buffer size. no nested ... – PowerPoint PPT presentation

Number of Views:348
Avg rating:3.0/5.0
Slides: 30
Provided by: nikolayned
Category:

less

Transcript and Presenter's Notes

Title: Smartcard programming PKCS


1
Smartcard programmingPKCS11, JavaCard and
OpenSC API
  • Association For Information Security
  • www.iseca.org
  • Electronic Bulgaria
  • www.eBG.bg
  • Nikolay Nedyalkov Martin Valkanov
  • n.nedyalkov_at_iseca.org m.valkanov_at_iseca.org

2
Agenda
  • Smartcards introduction
  • What is smart card ?
  • Common standards and interfaces
  • Practical Sessions
  • APDU
  • JavaCard
  • PKCS11
  • OpenSC
  • Sources
  • Resources and Links

3
Smart cards
  • Definition
  • Classification
  • Readers and Terminals
  • JavaCard smart cards
  • Programming
  • Applications
  • Development

4
Definition
  • A smart card is a plastic card about the size of
    a credit card, with an embedded microchip that
    can be loaded with data, used for telephone
    calling, electronic cash payments, and other
    applications, and then periodically refreshed for
    additional use.

5
Classification
  • Contact and Contactless smart cards
  • Microprocessor and memory
  • The ISO7816 standard
  • ISO7816-1 defines the physical characteristics of
    the card.
  • ISO7816-2 defines dimension and contact position
    of the card.
  • ISO7816-3 defines the electrical signals and
    transmission protocols - T0, T1, ..

6
Classification (2)
  • ISO/IEC 7816 standard
  • Part 4 provides
  • specification of message exchange interface to
    the card
  • API for file and data access to the card
  • secure channels of communication
  • supported mechanisms
  • ways to access the algorithms provided by the
    card OS

7
Smart card common scheme
8
Readers and Terminals
  • Readers
  • Simple devices
  • External
  • Attached to RS232, parallel, USB ports
  • Integrated
  • keyboard
  • PCMCIA slots
  • Floppy drive device
  • For smart cards with crypto functions the power
    commonly is supplied by PS/2, USB or internal
    batteries

9
Readers and Terminals
  • Terminals
  • More complicated than readers
  • Programmable computer
  • Designed mainly for
  • Payments transactions
  • Different schemes for payments with electronic
    money
  • Supports features that provides remotely
    high-control software updates directly into the
    smart cards

10
ISO7816 smart cards
  • Standard communication interface
  • APDU packets CLS, INS, P1, P2, Lc, Data, Le,
    SW1, SW2
  • commands SELECT FILE, READ BINARY, READ RECORD
  • Hierarchy file system
  • Dedicated(DF) and Elementary (EF) files
  • Access control read, write, delete - CHV1, CHV2
  • Files with PIN codes hierarchy defined PIN
    codes for specific sub-tree of file system

11
PKCS11 standard
  • PKCS11 is a standard API for access to crypto
    modules as a smart card, HSM etc.
  • PKCS11 and several key concepts
  • Slot place where the smart card is inserted
  • Token thing, which is inserted into the Slot.
    Commonly smart cards
  • Object keys, certificates, data, sessions, etc.
  • Session before any operation we need to
    establish a session to the token

12
PKCS11 standard (2)
13
JavaCard smart cards
  • APDU interface
  • File system is missing
  • Space is distributed between applets
  • Applets are running over the JavaCard Runtime
    Environment
  • Implements firewall between applets, implementing
    JavaCard OS
  • The applets are written in standard Java language
  • They are converting to CAP files (converted
    applet)
  • a CAP file is uploaded on the card via a series
    of APDU messages

14
JavaCard smart cards(2)
  • There is always one currently selected applet
  • An applet dispatches incoming APDUs, performs a
    calculation and returns the result in the APDU
    buffer and status word
  • The applet instance is active until another
    applet is selected
  • The primitive types are limited to
  • byte, short, int
  • The is no notion of garbage collector
  • The heap is stored in EEPROM
  • There are transient arrays designed for
    temporary storage of data

15
JavaCard smart cards (3)
  • Transactional behavior of heap changes
  • limited buffer size
  • no nested transaction support
  • Simplified RMI for communicating with an
    application on the PC
  • Shareable interface is used to communicate data
    between applets
  • There is no firewall between applets in the same
    package
  • The CLS byte of the APDU can indicate MAC usage,
    the data can be encrypted

16
JavaCard smart cards (4)
  • GlobalPlatform API used for uploading new
    applets
  • Implemented by a CardManager applet
  • The storage space can be separated into several
    security domains
  • Each domain has a key set for establishing a
    secure channel
  • The keyset for the CardManager applet is fixed by
    the card manufacturer
  • A PKI applet can be uploaded to provide
    cryptographic functionality
  • the applet can be certified, i.e. for FIPS-140
    level 2 compliance

17
Practical Session APDU commands
  • Select master file 3F00
  • Select command
  • Result (FCI file control information)
  • Verification PIN code
  • CHV1 check for code 1234 with padding

80 A4 00 00 02 3F 00
80 20 00 01 08 31 32 33 34 FF FF FF FF SW190
SW200 status code
18
Practical Session APDU commands
  • Opensc-explorer - navigate through file system,
    SELECT FILE, READ RECORD
  • Verify pin
  • pcscd logs of PKCS11 library used by web browser
    for accessing a site over https
  • Java sample code using jpcsc - send simple APDUs
    to a JavaCard with MacCalculator applet loaded

19
Practical Sessions - APDU
  • Sending block type 1, padding, SHA1 OID and SHA1
    hash
  • Result 130 bytes length and 128 bytes RSA
    signature

80 2C 00 01 82 81 00 00 01 FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF 00 BA 04 8C AA CF E1 E4 15 9B C9 64 7A 4E
75 15 F0 D6 43 92 0B 09 C3 37 6C D2 87 85 F0 2A
13 E2 A7 43 DF B4 0C
80 command XXX
81 00 A2 E8 3D 75 8B 65 21 0C 93 EA DE E8 9A EB
29 F4 A7 FF 62 4C E1 F6 6F B1 CD B2 DE 09 2D 63
FF 4A 89 D0 0A E7 91 5F 8A F8 5D A3 5A D4 EF C2
44 AF 38 D8 DC 89 AE 96 D5 E9 1B 57 CE 21 B7 3D
86 B0 61 18 11 26 60 36 32 B6 81 E8 9F CA 1C 05
12 C2 28 9A C0 AB F4 E4 AA 12 DE 2C 5B C6 6F 94
DB 98 DA 08 1A 7C D7 D5 0D 8C D0 94 2F F6 DC DE
6F D1 12 A7 AF D9 B8 33 D6 8B 5F F9 8E EF BA 6D
CD C3
20
Practical Session - JavaCard
  • echo applet
  • example for writing, compiling, loading and
    testing the applet with Cyberflex Access Toolkit
  • example for Java application accessing the applet
    through jpcsc
  • macCalculator applet key parts demo
  • store a secret key
  • unwrap a secret key with secret key
  • calculate a DES encryption
  • compare the results with openssl
  • calculate an ISO 9797-1 Alg3 Mac

21
Practical Session - PKCS11
  • pkcs11-tool
  • browse different objects on a Charismathics
    profile initialized card and keys loaded by
    initCard
  • initCard application key parts demo
  • CK_FunctionList, store a secret key, unwrap
    secret key with secret key, calculate DES
    encryption
  • compare the result with openssl, calculate Iso
    9797-1 Alg3 Mac
  • import a RSA public key, unwrap a secret key with
    RSA, calculate a KCV and compare the result with
    openssl

22
Practical Session OpenSC
  • Export a certificate from a ISO 7816 card with
    pkcs11-tool
  • PKCS7 signature of a file and verification with
    openssl

23
Sources
  • Demos
  • initCard (C/PKCS11)
  • macCalculator javaCard applet
  • macCalculator usage - java/jpcsc and java/pkcs11
  • OpenSC StampIt module

24
Platforms and toolsets
  • PCSCLite
  • Implements APDU packets transfer to reader
  • Multiple readers support
  • WinSCard compatible API
  • OpenSC
  • Personalize smartcard and access to PKCS15 file
    systems
  • PKCS11 module

25
Applications
  • Authentication and authorization
  • Payments standarts
  • EMV (Europay, Mastercard, Visa)
  • Payment transactions protocol
  • Defines interfaces for communications between
    smart cards, terminals and risk management
    procedures
  • CEPS (Common E-Purse Specification)
  • E-Purse application common is implemented as an
    applet deployed into the smart card
  • Usages in Public and Private Services
  • Other

26
Applications (2)
  • M.U.S.C.L.E (Movement for the use of smart cards
    in Linux environment) framework
  • Similar to PKCS11
  • Unified access to PKI smart cards
  • Modules for file based smart cards (ex.
    Schlumberger CryptoFlex)
  • Muscle Applet for Java cards, PKCS11 module

27
Development
  • Identification services
  • Stores medical records
  • Management and control of different information
    systems
  • Different application in social and public life
  • Making payments
  • Banks
  • Internet
  • Terminals
  • Other institutions

28
Resources and Links
  • http//www.citi.umich.edu/projects/smartcard/
  • http//www.opensc.org/
  • http//www.rsasecurity.com/
  • http//www.iseca.org/
  • http//training.iseca.org/
  • http//pcsclite.alioth.debian.org/
  • http//java.sun.com/products/javacard/
  • http//www.smartcardsupply.com/
    Content/Cards/7816standard.htm

29
Questions?
Smartcard programming
Write a Comment
User Comments (0)
About PowerShow.com