4 Replies Latest reply: Mar 7, 2012 9:20 AM by 801926 RSS

    RSA implementation host (PC) and Java Card ....

    921488
      Hi,

      I have an application in which i need to introduce security/protection thru Java Card. For every option selected on the screen (application), there needs to be a check done to ensure the Smart Card exist and an algorithm checked by implementing RSA security.
      I have a few questions,
      - In order to implement the same i need to send encrypted message using private key on the host machine to the Java card. Decrypt with a Public Key in the card.

      Considering the above, how do i let the calling apps OR host that the card was validated properly and hence the operations could continue. If the card is not present OR a simulation of the card is done, how do i catch and terminate the entire application OR do not proceed until the validation is successful.
      My question is how do i receive some information in ecrypted form from Java card and decript it at the host end ?
      Also, what is the best way of doing such a type of protection, since i am given to understand that data sent or received thru ports can be cracked. Appreciate any help.

      Apologize if my articulation is not up to the mark.

      Regards,

      Lnarsee
        • 1. Re: RSA implementation host (PC) and Java Card ....
          safarmer
          Hi,

          For security purposes, you would store the private key in the card and perform all private key operations there. One approach could be to store a certificate and the corresponding private key in a java card applet and then retrieve the certificate from the card. You could then send a random number (nonce) to the card and ask it to sign the number. The host application can then verify the signature with the public key in the certificate. The host could also verify the certificate against a certificate authority or a known trust chain.

          The hard part is that you will need to implement this in the applet yourself. You can define a set of APDU's that you could send to the card for specific responses. For instance one command to get the certificate and another to sign some arbitrary data. You would also want a way of injecting the keys (this is the simple less secure approach though).

          With certificates you can use the cryptographic properties to verify that you trust the card and if you do not receive a trusted certificate the program can terminate. Also if the signature is not verified then you could exit as well as the card has not proven ownership of the private key.

          Cheers,
          Shane
          • 2. Re: RSA implementation host (PC) and Java Card ....
            921488
            Thanks Shane. Appreciate your prompt response.

                 1. pass a random string to the card
                 2. encrypt string in card using RSA security using Private / Public key
                 3. Get the Modulus from the card
                 4. Get the Exponent from the card
                 5. Construct the Public Key
                 6. Carryout the Decryption process
                 Another alternative is Certifying the random number. Need to explore

            Will the code work without Certification, considering the above steps OR are there loop holes ?

            Also, another question is if i want to incorporate this in Delphi (client), would it be possible. Iam not sure if you are a delphi OR VB person. But hoping some one can answer and give me some leads.

            Once again appreciate your quick response Shane.

            regards,

            Lnarsee
            • 3. Re: RSA implementation host (PC) and Java Card ....
              safarmer
              Hi,

              Those steps seem reasonable. You can also use the Signature class to perform a hash and have it encrypted with the private key. This is a general crypto primitive that can prove ownership of a private key.

              You can do this without a certificate as well but then there is no way of verifying the key you get. It is then possible for someone to pretend to be the smart card.

              You can communicate with the card through Delphi and VB using PC/SC (winscard.dll I believe). I have not tried this myself but it is indeed possible. You should be able to find some examples online.

              Cheers,
              Shane
              • 4. Re: RSA implementation host (PC) and Java Card ....
                801926
                Yes, do not use the card as a streaming device. It's recommended to encrypt small amounts of data or calculate hash off-card and let the card perform the last step of signing by doing the appropriate padding and encryption.