This content has been marked as final. Show 11 replies
There is a generic way: keep the CM keys secret, a more granular: use INSTALL[for registry update] to disable loading and a JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.1 person found this helpful
lexdabear, thank you for your ideas!
You wrote : "There is a generic way: keep the CM keys secret" - when the card manager keys are default(and public known), keeping them secret has no effect.
Then you wrote : "INSTALL[for registry update] to disable loading". Install command can be used(I expect) after mutual authentication. So, I need to know before this command card manager keys. And if this keys are public known, everyone can change this install command, or not?
You also wrote "JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.". This ideas look be useful...but I don't have any experiences with JCOP.
Is there any other option for securing the java card with my applet from the outside attacks?
And what about changing the card manager keys(also called card static key or Secure channel base key)?
Thank you again,
You can change the CM keys using GP command PUT KEY or STORE DATA. In JCShell itls 'set-key ..' and 'put-keyset ..'.1 person found this helpful
INSTALLL[for registry update] command is one way in JCOP as it only supports to disable post-issuance.
lexdabear, thank you for your quick reply!
I will try change the card manager keys...
I read something about SET STATUS command In Global Platform card spec v2.2. Can be set the proper security level of java card also with this command? For example, set java card to SECURED state? Will be in state SECURED my applet works and security domain will be inaccessible?
Sorry for my stupid questions, but I need to clarify basic java card security abilities.
I'm still improving the security of my java card for use in non-safe environment on the customer side. I change the default card manager key to my unique keys via PUT KEY APDU command.
I also change the card manager life state from OP_READY to SECURED. In this SECURED state, is it possible to load/delete applets?
My next question - now I'm in SECURED state and I want to change to CARD_LOCKED state. I am trying to build secure channel but after ext-auth command in JCShell, the response from card is 6985 - Conditions of use not satisfied.
Is it possible to build secure channel in SECURED state?
Thank you for your answer!
at this time I can build a secure channel with java card whose card manager has SECURED state. I need to write in JCShell command ext-auth mac instead of ext-auth plain. So...I have build a secure channel and now I want to Set STATUS of card manager from SECURED to CARD LOCKED, but I obtain an error message 6985 - Conditions of use not satisfied. Here is a log:
cm> ext-auth mac
=> 84 82 01 00 10 0E 75 DD FC AB 9F FB 3C 8B E4 68
48 40 07 95 D6
<= 90 00
Status: No Error
=> 84 F2 80 00 0A 4F 00 C7 78 49 BF AC 25 C8 AB 00
<= 08 A0 00 00 00 03 00 00 00 0F 9E 90 00
Status: No Error
=> 84 F2 40 00 0A 4F 00 E3 0E 73 E7 FC BA 3F 28 00
<= 0C 70 6F 63 69 74 61 64 6C 6F 41 70 6C 07 00 90
Status: No Error
=> 84 F2 10 00 0A 4F 00 D7 94 FD 98 B0 AB BC CC 00
<= 07 A0 00 00 00 03 53 50 01 00 01 08 A0 00 00 00
03 53 50 41 0B 73 65 63 75 72 69 74 79 50 6B 67
01 00 01 0C 70 6F 63 69 74 61 64 6C 6F 41 70 6C
Status: No Error
Card Manager AID : A000000003000000
Card Manager state : SECURED
Application: SELECTABLE (--------) xxxxxxxxx
Load File : LOADED (--------) yyyyyyyyyy
Module : yyyyyyyyyyyyy
Load File : LOADED (--------) "xxxxxxxxxx
Module : "xxxxxxxxxx
cm> /send 80f0807f07a0000000035350
=> 80 F0 80 7F 07 A0 00 00 00 03 53 50
<= 69 85
is it possible change the cycle from SECURED life cycle to CARD LOCKED? If yes, how?
Thanks in advance.
from my last post many things have changed - I change the card manager defult keys, set the card manager(CM) state to secured and I'm also able to build a secure channel if the CM are in protected state. Is the java card secured as I wrote in previous sentence secured enough(I mean from hackers side to break the security and modify applet)?
What does it mean, when somebody tell that the java card is fused? Can be my java card considered as fused(changed key, CM set to secured)?
Can somebody tell me, how can be disabled the selection of the CM using JCShell commands? I will be grateful for any examples codes, logs, tips.
use INSTALL[for registry update] to disable loading and a JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.
No one can help me?
Not possible to load applets unless CM keys are known to the user. Keep your CM keys safe, so no one can load any additional applets.
The best way to keep your keys says is to only ever have them stored in a HSM that is both logically and physically secured. This is not the easiest or cheapest thing to do but it is the only way to be sure that your keys are safe from others using them (other than destroying the keys so no one can use them).
you have two choices:
1) change the key in a random key, that anyone (also you) will not be able to save and use later
it is something procedural, that will be mainly based on the consideration:
1) you will not trace in any way the random key (for example, you will provide to a 3th party the code to show that there is no tracing
2) the best way, but I don't know if it is applicable, is to "block" the key, that means use it incorrectly till the error counter will became zero, and the key will be blocked.
You need to check if the key provide this kind of error counter.
by definition, if "only you" have the key, it doesn't meen that the system is secure.
It is always a good procedure to change the transport key and limit the usage to the minimum necessary.
If you need to use this key later, the hsm is the only way. consider that a smartcard can be considered as a "slow hsm".