This content has been marked as final. Show 7 replies
Are you looking for an example of a stored value card (say wallet) for copy machines etc using AES encryption? Do you have control over both ends of the system (card and terminal)?
Yes, such an example if any exists! And yes, I do have control of terminal and the card
I am not aware of any tutorials but if you give us a high level overview of what you are trying to achieve I am sure we would help out.
Are you trying to just encrypt data between the two? Are you looking at authenticating with AES to add/remove credit? You could start with the wallet example from the JCDK and add security to that.
Edited by: safarmer on Nov 15, 2012 10:12 AM
Well, I'd like to have a mutual authentication between card and terminal, but also a secure data transfer to decrease/increase the card value. I know - one at a time, but that is what I try to learn/achieve!
I'd like to start with the wallet example, I just don't have one, where is that to be found?
You can find sample in the JCDK. There is a samples directory and I believe JC 2.2.2 and 3.0 both have a sample wallet applet.
You could model your authentication off TLS/SSL and the GlobalPlatform secure channel protocols. Some basic steps you could use:
1. Send a nonce (random challenge) to the card.
2. Card generates a nonce and combines the two with a master AES to generate a session key. You can search for key derivation algorithms (and example is KDF1 - key derivation function 1).
3. Use the session key to generate a MAC of the two nonces.
4. Return the card nonce and MAC to the host.
5. The host uses the nonce from the card to generate a session key (should match card session key).
6. Host verifies the MAC received from the card using the two nonces and session key.
7. Generate a different MAC using the same data and key but opposite order when combining nonces.
8. Send MAC to the card to prove that the host has the same key. The card verifies this MAC.
After this you have proven that both sides have the same session key based on a shared secret. You can use the session key to encrypt the commands sent to the card.
Thank you SO much shane!!!
I will try this out!