This discussion is archived
1 2 Previous Next 23 Replies Latest reply: Apr 30, 2010 4:38 PM by safarmer RSS

Ask Global Platform SecureChannel

843851 Newbie
Currently Being Moderated
Hi friends..

Sorry, i have a doubt regarding Secure Channel..
What is the Secure Channel itself?..
and, what is the usage of Secure Channel?..
I guess that the Secure Channel used for protect, but i don't know for protect what?..

Sorry, perhaps this question sounds silly..

Please help me regarding this..

Thanks in advance..
  • 1. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Hi,

    The secure channel is like an SSL connection. It starts with a handshake and the host and card generate session keys that are used to encrypt traffic to and from the card. You can then secure whatever traffic you need to send to the card. You would use a secure channel when you have data that is required to be kept confidential.

    Cheers,
    Shane
  • 2. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Thanks Shane for your reply..

    I tried to develop an application that use GlobalPlatform SecureChannel..
    But i don't know why, i can't select the applet and send the appropriate APDU for my application..
    It seems that i can't open the SecureChannel..

    Here's the APDU trace of my application :
    Selecting Applet
    -> 00 A4 04 00 0A A0 00 00 00 62 03 01 0C 09 01
    <- 6D 00
    ===========================================================
    Send Appropriate APDU for the application
    -> 80 01 00 00 00
    <- AB 66 17

    How to open the SecureChannel?..
    Do i must to change any APDU Command?..

    Thanks in advance
  • 3. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Hi,

    You must select your applet before opening the secure channel (you will see in the GP card spec that select resets the secure channel). You will also have to code your applet to handle the secure channel APDU's (by passing them to the GP subsystem, check the API doc for details). You will then need to use the GP API's available to your applet to unwrap the command and wrap the response.

    The card spec contains the API available to your applet.

    Cheers,
    Shane
  • 4. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Hi Shane, thanks for your reply..

    Actually, i have a doubt regarding the SecureChannel..
    How can i ensure that the APDU command transmitted is secured?
    SecureChannel mySecureChannel = GPSystem.getSecureChannel();
    short responseLength = mySecureChannel.processSecurity(apdu);
    with its code whether the APDU command is handled securely by GP's SecureChannel?.
    Yes, there's method for wrap and unwrap the "buffer", but i don't know what the purpose of wrap and unwrap method itself..
    Could you describe the usage of the Wrap and Unwrap method in the GP's SecureChannel?..

    Thanks in advance
  • 5. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Hi,

    This method is for letting the GP system on the card (card manager) handle the initialise update and external authenticate APDU's it has nothing to do with data being sent across a secure channel. The wrap and unwrap commands are responsible for this. You can look in the API doc for the GP classes to get more details on these methods. [http://www.win.tue.nl/pinpasjc/docs/apis/gp211/org/globalplatform/SecureChannel.html]

    Just double check that you card supports response encryption before using wrap in your applet. It may not do what you expect (response will not be altered if not supported).

    Cheers,
    Shane
  • 6. Re: Ask Global Platform SecureChannel
    Sebastien_Lorquet Journeyer
    Currently Being Moderated
    Hi,

    does this image help you?

    http://www.mirari.fr/Ct63

    once established, the secure channel encapsulates APDUs; the secure channel object is just a handler given by the card API to let you (en|de)capsulate plain APDUs.

    as Sarfamer said, on some cards that implement VGP (visa global platform) instead of plain GP, the card is not able to wrap the apdu, which means responses cannot be protected with this method. But the wrap() method failed with an exception instead of doing nothing :-]

    the host side secure channel must be done by you, or found somewhere.

    you will notice that this method is the same thing that happens when you authenticate with the card manager. Yes, the card manager is a normal applet that uses a secure channel to authenticate applet loading and installing.

    The GPSystem.getSecureChannel() gives you a way to use the card manager functionnality in your own applet. the keys are the same as the card manager's one.
    You can also reimplement the cryptography using a normal java class that implement the SecureChannel interface, I did this once, for VGP cards that didn't have the wrap() functionnality. only special thing, we needed a way to store keys in a special way.

    regards
    sebastien
  • 7. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Thanks Shane and Sebastien for your reply.. :)

    Actually, i have a doubt about the image in that link..
    Does the SecureChannel method, especially Wrap/Unwrap is called automatically?..
    I mean whether we have to writing those methods or not?..

    You said that "the host side secure channel must be done by you, or found somewhere".
    How to establish the "SecureChannel" on the host side (off-card application)?..
    How to getting started to it?.. sorry, i'm pretty new in this field..

    Thanks in advance..
  • 8. Re: Ask Global Platform SecureChannel
    Sebastien_Lorquet Journeyer
    Currently Being Moderated
    the secure channel has to be established by sending the proper APDUs to your applet.
    -select your applet
    -send INIT UPDATE (8050 xxxx XX xxxx...)
    -send EXT AUTHENTICATE (8482 xxxx XX xxxx...)

    these are the same APDUS as what you use to authenticate to the card manager.

    - in the select() method of your applet, call the GPSystem.getSecureChannel() and store the result in an instance field
    - in the process() method of your applet, test the CLA and INS, and if they match (80 50) or (84 82), send them to the processSecurity() method of the secure channel instance you got from select(). Else, manage it. you can use the secure channel instance to know if it's opened or not (and the security level (C_MAC, C_ENC)), and then call the unwrap() method to unwrap it. so yes, you must call the on card API. the secure channel instance will do what is required, verify MAC and/or decrypt if necessary.
    import org.globalPlatform.;
    
    //warning: this is pseudo code and may contain syntax errors and plain text
    
    public class app extends Applet{
        private SecureChannel chan;
        public app() {
            //init applet
        }
    
        public static void install(proper params) {
            new app().register(proper params);
        }
    
        public boolean select() {
            chan=GPSystem.getSecureChannel();
        }
    
        public void process(APDU apdu) {
            byte[] buf = apdu.getBuffer();
            short cla = (short)(buf[0]&0xff);
            short ins = (short)(buf[1]&0xff);
            short lc  = 0;
            if((cla==0x80 && ins==0x50) || (cla==0x84 && ins==0x82)) {
                //this apdu for the secure channel
                //DO NOT CALL SETINCOMINGANDRECEIVE! the method will do it, and fail if you did it before
                lout = chan.processSecurity();
                apdu.setOutgoingAndSend((short)0,lout) //may be 5 instead of 0, don't remember
                return;
            } else {
                //this apdu for me
                switch(ins) {
                    case AN_INS_THAT_DOES_NOT_NEED_WRAPPING: dosomething(apdu,0); break;
                    case AN_INS_THAT_DOES_NEED_WRAPPING:
                            if(chan.getSecurityLevel() < C_MAC) {
                                ISOException.throwIt(0x6982);
                            }
                            lc=apdu.setIncomingAndReceive();
                            lc=(short)(chan.unwrap(buf,(short)0,lc+5)-5); //the "5" hack is needed before lc is DATA length and we need APDU length
                            dosomething(apdu,lc); 
                            break;
                    default: ISOException.throwIt((short)0x6D00);
                }
            }
        }
    }
  • 9. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Hi Sebastien,

    One improvement I could suggest on the code you posted would be to check the CLA byte rather than the instruction to see if an APDU needs to be unwrapped. This way you can use a filter design pattern to handle secure messaging transparently to the business logic. There is enough information without inspecting specific INS bytes. You still enforce specific INS to be secure by checking the state of the secure channel. I know this is just an example of how you could do it, but someone starting out may take this literally to be the way to do it and base an entire application on it :)

    Cheers,
    Shane
  • 10. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Thanks Sebastien and Shane for your reply..

    Is it mean that the SecureChannel is established automatically when we send INIT UPDATE and EXT AUTHENTICATE?
    Since if i select the applet and then send either INIT UPDATE or EXT AUTHENTICATE, i always got result 6D00..
    this is my APDU trace :
    Selecting Applet
    -> 00 A4 04 00 0A A0 00 00 00 62 03 01 0C 01 01
    <- 90 00
    
    Send to establish the SecureChannel
    -> 80 50 00 00 00
    <- 6D 00
    How to check whether the SecureChannel has been established or not?.
    And then how to set the Security level from the host (off-card) application?
    Since, if i check the Security Level through the getSecurityLevel() method, i always got result 00..

    Please help me regarding this..

    Thanks in advance..
  • 11. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Is it mean that the SecureChannel is established automatically when we send INIT UPDATE and EXT AUTHENTICATE?
    Since if i select the applet and then send either INIT UPDATE or EXT AUTHENTICATE, i always got result 6D00..
    If you have a closer look at the card spec, these are the commands you use to actually open a secure channel. This error means your applet does not handle the APDU's for INIT UPDATE and EXT AUTH. You will need to add code to pass these off to GPSystem (as in Sebastiens post).
    How to check whether the SecureChannel has been established or not?.
    Call the SecureChannel.getSecurityLevel() method. The bit mask will have the bits for AUTHENTICATED set.
    And then how to set the Security level from the host (off-card) application?
    Read the description of EXT AUTH in the card spec.
    Since, if i check the Security Level through the getSecurityLevel() method, i always got result 00..
    This is because of the 0x6D00 SW you said you get from INIT UPDATE.

    Cheers,
    Shane
  • 12. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Thanks Shane for your reply.. :)
    safarmer wrote:
    This error means your applet does not handle the APDU's for INIT UPDATE and EXT AUTH. You will need to add code >to pass these off to GPSystem (as in Sebastiens post).
    Actually, i use the code posted by Sebastien (with a little revision)..
    And then i loaded and installed it into real card..
    and then i tried to select and open the SecureChannel and i got always 6D00.. :(
    I thought that the code posted by Sebastien handles the APDU's for INIT UPDATE and EXT AUTH, but why it return 6D00 if i send both of those APDU Commands..

    Please help me regarding this..

    Thanks in advance

    Edited by: Leonardo_Carreira on Apr 28, 2010 2:46 AM
  • 13. Re: Ask Global Platform SecureChannel
    safarmer Expert
    Currently Being Moderated
    Hi,

    Since your code hase "some revisions" you will need to post your code for us to see what is happening.

    Cheers,
    Shane
  • 14. Re: Ask Global Platform SecureChannel
    843851 Newbie
    Currently Being Moderated
    Thanks Shane for your reply.. :)

    This is the code :
    public class TestSecureChannel extends Applet {
         
         private SecureChannel mySecureChannel;
         
         public void deselect() {
              mySecureChannel.resetSecurity();
              super.deselect();
         }
    
         public boolean select() {
              mySecureChannel = GPSystem.getSecureChannel();
              return super.select();
         }
    
         private TestSecureChannel() {
         }
    
         public static void install(byte bArray[], short bOffset, byte bLength)
                   throws ISOException {
              new TestSecureChannel().register();
         }
    
         public void process(APDU apdu) throws ISOException {
              byte[] buffer=apdu.getBuffer();
             if((buffer[ISO7816.OFFSET_CLA]==0x80 && buffer[ISO7816.OFFSET_INS]==0x50) || (buffer[ISO7816.OFFSET_CLA]==0x84 && buffer[ISO7816.OFFSET_INS]==0x82)) {
                short lout = mySecureChannel.processSecurity(apdu);
                apdu.setOutgoingAndSend((short)0,lout); 
                return;
            } else {
                
                 if(selectingApplet()) return;
                 
                switch(buffer[ISO7816.OFFSET_INS]) {
                     case (byte) 0x01:
                          buffer[0]=mySecureChannel.getSecurityLevel();
                          apdu.setOutgoingAndSend((short) 0, (short) 1);
                          break;
                    default: ISOException.throwIt((short)0x6D00);
                }
            }
         }
    }
    I don't know what's being a problem why i can't send the APDU's for INIT UPDATE and EXT AUTH..

    Please help me regarding this..

    Thanks in advance...
1 2 Previous Next