7 Replies. Latest reply: Sep 12, 2013 11:26 PM by PraveenPT

Tokens (load, install)

843851 Newbie
The token is needed for delegated management. If an SD supports delegated management, the ISD should have knowledge of the token key (RSA public key). So is this token key stored (using the PUT KEY command?) in the ISD on the card during installation of the SD? If several SDs support delegated management, how does the ISD recognize which token key belongs to which SD? Thank you in advance!!
  • 1. Re: Tokens (load, install)
    843851 Newbie

    The DM Tokens are signatures of one or more DM functions (loading application code, installing Applications and extraditing Applications) generated by the Card Issuer and used to provide the Card Issuer control over these Card Content changes. Tokens are required when the Issuer Security Domain is not managing the Card Content changes itself. The Issuer Security Domain shall verify Tokens.

    The ISD may generate Receipts during DM. A Receipt is proof to the Card Issuer that an Application Provider has modified the Card Content.

    Cryptographic security is required for DM, and the ISD requires knowledge of the keys and algorithms used for Tokens and optionally for Receipts. If the Card Issuer's security policy requires Receipt generation, the Issuer Security Domain shall also keep track of a Confirmation Counter that is incremented when generating each Receipt.

    DM is a privilege that a Security Domain shall be granted during Installation.

    Understand?
  • 2. Re: Tokens (load, install)
    843851 Newbie
    If several application providers have the right to make changes to the card content (install, load), how does the ISD know which token key belongs to which application provider? The application provider will use the Token (generated using the token private key) to install or load the application, so different application providers must have been given different tokens (different private keys), right? So when the ISD verifies the token using the token public key, it should know which key belongs to which application provider. The ISD has a different Token public key for each application provider, am I right?

    Thank you for ur precious time spent here!!!!
  • 3. Re: Tokens (load, install)
    843851 Newbie
    I understand your question, but you aren't understanding the complete picture of an SD.
    Why in the world would an ISD allow multiple application providers to have card content change privileges? If they hand over the domain to different providers, they can in turn remove each other's applets and create a card content headache that would be outside the ISD's realm. In real-world deployment this isn't a viable solution. For development, do whatever you want.
    -----
    Think about why SDs exist for JC. The JC as it stands, without SDs, allows anyone to change the card content. No keys are needed, just the installer applet AID. That posed a problem, considering there wasn't any control over the card. No one "owned" the card. Your question is along these same lines, except multiple entities can "own" the card.

  • 4. Re: Tokens (load, install)
    843851 Newbie
    One more thing I still don't know: if the Issuer allows 2 application providers to have the DM privilege, does that mean the issuer will have 2 token keys? So in real-world deployment the issuer will not allow multiple application providers to make card content changes, but what if every application provider wants to allow post-issuance updates of their applet in the future? Must they all have an SD with the DM privilege?

    > If they hand over the domain to different providers, they can in turn remove each other's applets and create a card content headache that would be outside the ISD's realm.

    I thought each SD would have a different token key so that a provider can only remove their own applet. ???

    Thanks in advance!!!!

  • 5. Re: Tokens (load, install)
    843851 Newbie
    I ask again, why would the ISD give two application providers DM privileges? You aren't going to find an ISD that will allow 2 application providers to have DM privileges. It's too much of a risk. They usually opt for the easiest solution, and that's to have a Post Issuance Portal that loads post-issuance applets, so no tokens/DM or keys have to be exchanged.

    I think you are confusing DM with the way to load a post-issuance applet, and that's not true. You may load an applet if you are aware of the keys, provided that the ISD is sharing them with you. Once you've authenticated, you may perform card content changes through the ISD.
  • 6. Re: Tokens (load, install)
    843851 Newbie
    So if the card supports Delegated Management, is this SD with DM a pre-issuance or post-issuance SD? We cannot develop the SD with DM after the card is issued, because the ISD and the SD with DM need to have knowledge of the token, and this is done during personalization. Am I right??

    If we can develop the SD with DM post-issuance, how can we tell the ISD to use the token key, because there is only a PUT KEY command to put the key in but no other command to indicate that the key is for token verification. Is that right??
  • 7. Re: Tokens (load, install)
    PraveenPT Explorer

    Hi All,

    I have created an SSD with the delegated management privilege in JCOP using the command given below:

    install -i A000000151535041  -s -e -q C9#() A0000001515350 A000000151535041

    and I'm trying to personalize it using the PUT KEY commands below:

    /select A000000151535041
    auth
    set-key 3/1/DES-ECB/404142434445464748494A4B4C4D4E50 3/2/DES-ECB/404142434445464748494A4B4C4D4E60 3/3/DES-ECB/404142434445464748494A4B4C4D4E70
    put-keyset 3
    put-key 115/1/RSA-PUB/0301000180893D7102E3A97E60969F38E1E3A8777C67A20EBF32A49B6786364374100294790363DE942531C682E706D965EC2FE7B0D3DEDE9D02AC5834DCCFD5C2D19312A8115BBC4A2459B1D84E441D5CEA991770C7527025EE1F3EF7655AAB3CB1CEFF1DF59A7A1666173BF01A25EC580197B481ACA37DA2D78F0F2515F86B8ABAFDEA53

    But PUT KEY for the RSA-PUB key is failing with 0x6A81, even though the SSD is in the PERSONALIZED state.

    Can you please help me with this?

    And I'm not getting a clear picture of how to generate the token and share it; if anyone can explain it, it will be of great help.

    Thanks and Regards,

    Praveen P T