This content has been marked as final. Show 4 replies
For security purposes, you would store the private key in the card and perform all private key operations there. One approach could be to store a certificate and the corresponding private key in a java card applet and then retrieve the certificate from the card. You could then send a random number (nonce) to the card and ask it to sign the number. The host application can then verify the signature with the public key in the certificate. The host could also verify the certificate against a certificate authority or a known trust chain.
The hard part is that you will need to implement this in the applet yourself. You can define a set of APDU's that you could send to the card for specific responses. For instance one command to get the certificate and another to sign some arbitrary data. You would also want a way of injecting the keys (this is the simple less secure approach though).
With certificates you can use the cryptographic properties to verify that you trust the card and if you do not receive a trusted certificate the program can terminate. Also if the signature is not verified then you could exit as well as the card has not proven ownership of the private key.
Thanks Shane. Appreciate your prompt response.
1. pass a random string to the card
2. encrypt string in card using RSA security using Private / Public key
3. Get the Modulus from the card
4. Get the Exponent from the card
5. Construct the Public Key
6. Carryout the Decryption process
Another alternative is Certifying the random number. Need to explore
Will the code work without Certification, considering the above steps OR are there loop holes ?
Also, another question is if i want to incorporate this in Delphi (client), would it be possible. Iam not sure if you are a delphi OR VB person. But hoping some one can answer and give me some leads.
Once again appreciate your quick response Shane.
Those steps seem reasonable. You can also use the Signature class to perform a hash and have it encrypted with the private key. This is a general crypto primitive that can prove ownership of a private key.
You can do this without a certificate as well but then there is no way of verifying the key you get. It is then possible for someone to pretend to be the smart card.
You can communicate with the card through Delphi and VB using PC/SC (winscard.dll I believe). I have not tried this myself but it is indeed possible. You should be able to find some examples online.
Yes, do not use the card as a streaming device. It's recommended to encrypt small amounts of data or calculate hash off-card and let the card perform the last step of signing by doing the appropriate padding and encryption.