9 Replies Latest reply: May 21, 2012 12:00 PM by safarmer RSS

    RSA encryption & key management

    932586
      Hi everybody,

      I'm currently developing a SIM card applet which send/receive apdu to/from an Android application.

      I'd like to be able to encrypt/decrypt messages in the SIM card. I'd like to encrypt messages using a private key stored in the SIM card and I'd like to decrypt messages using a public key stored in a web server.

      I know how to crypt/encrypt messages with RSA with keys that I have created in the applet.

      I have 2 issues :
      - I have a RSAPrivateKey and a RSAPublicKey that I have created in the applet. How could I get back the public key? I'd like to stored this public key in my server. What is the best way to realize this?
      - I have another public key stored on a server which communicates with the Android application. What is the best way to store the public key in the applet? When have I to do this?

      Thanks for your answers and I'm really sorry about my english.

      Cheers,
      M.
        • 1. Re: RSA encryption & key management
          safarmer
          Hi,

          You will need create two commands in your applet.

          1) Get Key: this will return the bytes of your key that you can get from key.getModulus() and key.getExponent(). Depending on the size of your keys you may need to have two APDU's for the entire key (use P1 or P2 to indicate which part of the key you are after)
          2) Put Key: this will take the bytes of your key that you want to store and put them into a key object. Depending on the size of your keys you may need to have two APDU's for the entire key (use P1 or P2 to indicate which part of the key you are sending)

          Shane
          • 2. Re: RSA encryption & key management
            932586
            Hi Shane,

            Thank you for your answer.

            I did a mistake in my first post. I'd like to encrypt with a public key and decrypt with a private key.

            I have a question : is it better to create the key pair in the applet and get back the public key using a command like you said (get key) or is it better to create the key pair offcard and send it to the applet (public + private)?

            M.
            • 3. Re: RSA encryption & key management
              932586
              I want to add something : when I try to create the key pair in the applet with this code :

              -------------------------------------------------------------------------------------------------------------------
              rsa_KeyPair = new KeyPair( KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_512 );
              rsa_KeyPair.genKeyPair();
              rsa_PublicKey = (RSAPublicKey) rsa_KeyPair.getPublic();
              rsa_PrivateKey = (RSAPrivateKey) rsa_KeyPair.getPrivate();
              ------------------------------------------------------------------------------------------------------------------

              (I don't know how to use the text-coloration)

              And I want to get back the modulus and the exponent of the public key like this :

              --------------------------------------------------------------------------------------------------

              private void getModulusPublicKey(APDU apdu){
                   byte a[] = apdu.getBuffer();
                   short size = rsa_PublicKey.getModulus(a, (short)0);
              apdu.setOutgoing();
              apdu.setOutgoingLength((short) size);
              apdu.sendBytesLong(a, (short) dataOffset, (short) size );
              }

              public void     getExponentPublicKey(APDU apdu){
                   byte a[] = apdu.getBuffer();
                   short size = rsa_PublicKey.getExponent(a, (short)0);
              apdu.setOutgoing();
              apdu.setOutgoingLength((short) size);
              apdu.sendBytesLong(a, (short) dataOffset, (short) size );
              }

              --------------------------------------------------------------------------------------------------

              The value of the modulus is always : CLA: 90, INS: 22, P1: 00, P2: 00, Lc: 00, Le: 03, 00, 00, 00, SW1: 90, SW2: 00

              0x00 0x00 0x00 : it doesn't look like a good modulus...

              Do you have explanation?

              Thank you,

              M.
              • 4. Re: RSA encryption & key management
                safarmer
                rsa_KeyPair = new KeyPair( KeyPair.ALG_RSA, KeyBuilder.LENGTH_RSA_512 );
                rsa_KeyPair.genKeyPair();
                rsa_PublicKey = (RSAPublicKey) rsa_KeyPair.getPublic();
                rsa_PrivateKey = (RSAPrivateKey) rsa_KeyPair.getPrivate();
                (I don't know how to use the text-coloration)
                Use {code} tags :)

                And I want to get back the modulus and the exponent of the public key like this :
                private void getModulusPublicKey(APDU apdu){
                     byte a[] = apdu.getBuffer();  
                     short size = rsa_PublicKey.getModulus(a, (short)0);
                apdu.setOutgoing();
                apdu.setOutgoingLength((short) size);
                apdu.sendBytesLong(a, (short) dataOffset, (short) size );
                } 
                
                public void     getExponentPublicKey(APDU apdu){
                     byte a[] = apdu.getBuffer();  
                     short size = rsa_PublicKey.getExponent(a, (short)0);
                apdu.setOutgoing();
                apdu.setOutgoingLength((short) size);
                apdu.sendBytesLong(a, (short) dataOffset, (short) size );
                }
                The value of the modulus is always : CLA: 90, INS: 22, P1: 00, P2: 00, Lc: 00, Le: 03, 00, 00, 00, SW1: 90, SW2: 00

                0x00 0x00 0x00 : it doesn't look like a good modulus...

                Do you have explanation?
                The problem is with your offsets. You are copying into the APDU buffer at 0 but sending from dataOffset which could be anything. You are getting the correct length but since the APDU buffer has been zeroed out you are getting that response.

                Since you are copying into the APDU buffer you can use the setOutgoingAndSend convenience method to clean up your code a little (see the following example):
                byte[] buf = apdu.getBuffer();
                short len = rsa_PublicKey.getModulus(buf, (short) 0);
                apdu.setOutgoingAndSend((short) 0, len);
                Shane
                • 5. Re: RSA encryption & key management
                  936078
                  Hi,

                  I studied for several days and find out that the only way for a Android app to communicate with a SIM card applet is by seek-for-android. Is this your way to do such work? If not, could you please explain how does a SIM card applet to send/receive apdu to/from an Android application?

                  Thanks

                  cao

                  Edited by: 933075 on May 10, 2012 3:28 AM
                  • 6. Re: RSA encryption & key management
                    932586
                    Hi all,

                    Thank you Shane.

                    I'm using seek-for-android for the communication between a Android app and a SIM card applet.

                    See ya
                    • 7. Re: RSA encryption & key management
                      safarmer
                      933075 wrote:
                      I studied for several days and find out that the only way for a Android app to communicate with a SIM card applet is by seek-for-android. Is this your way to do such work? If not, could you please explain how does a SIM card applet to send/receive apdu to/from an Android application?
                      SEEK is the only way at the moment to send an APDU from Android to SIM. The problem is that this API may not work with all basebands and handsets since it is not standardised in Android (yet?). Currently the connection to the SIM is through the phones baseband modem so the telephony provider needs to be used. SEEK actually patches some of the Android classes for this to work.

                      Have you been able to communicate with the SIM? Which handset and version of Android (AOSP?) are you using?

                      Shane
                      • 8. Re: RSA encryption & key management
                        922951
                        I think you will need help of Mobile Phone manufacture ,as i remember that in seek they use microSD from G&D instead of SIM Card.

                        You may use Open Mobile API published by SIM Alliance and approved by many company except Google to communicate with different secure element.

                        Best Regards
                        Nabil
                        • 9. Re: RSA encryption & key management
                          safarmer
                          Nabil wrote:
                          I think you will need help of Mobile Phone manufacture ,as i remember that in seek they use microSD from G&D instead of SIM Card.

                          You may use Open Mobile API published by SIM Alliance and approved by many company except Google to communicate with different secure element.
                          From my understanding, SEEK works with microSD, SIM and embedded secure elements in a handset. The problem is that you need manufacturer support for it as it uses the telephony manager of the handset and it uses things like the baseband modem to get to the SIM etc.

                          Shane