1 Reply Latest reply: Aug 23, 2012 10:12 AM by safarmer

SCP02 card with R-MAC support and contactless

957464 Newbie
Hi,

I have a card with SCP02 i=55. It seems that it doesn't support R-MAC. For it I will need something like i=75.

Then I have several questions:
- Is it possible to create a new SD on my card that supports i=75? How?
- Can you point me to any card that supports R-MAC? Or what do I have to tell the seller to get a card with such a CardManager implementation?

Besides that, is there any contactless API extension for Javacard 2.2.1 working with GP2.1.1, that is, to block access to a command on contactless mode etc?

TA
  • 1. Re: SCP02 card with R-MAC support and contactless
    safarmer Expert
    > I have a card with SCP02 i=55. It seems that it doesn't support R-MAC. For it I will need something like i=75.

    The i value should not affect it, it is more the implementation of the card as R-MAC is optional. We have come across this as a security concern recently. The problem is that most GP 2.1.1 commands do not require a secure response and the general history of smart cards was that they were usually issued in a physically secured facility. Now that OTA provisioning is more common with things like NFC enabled phones this is changing. GP 2.2 (and its amendments) cover these use cases a lot better.

    > Then I have several questions:
    > - Is it possible to create a new SD on my card that supports i=75? How?

    No, this is most likely something you will need changed at fabrication time from your card manufacturer. It may be a configuration flag so not a big deal for them to do... if you are lucky :)

    > - Can you point me to any card that supports R-MAC? Or what do I have to tell the seller to get a card with such a CardManager implementation?

    Just ask them you want a card that supports R-MAC :) A card that has SCP03 or GP 2.2.1 may be more likely to support R-MAC. Unfortunately I no longer have the flexibility to ask for specific cards for my project so have not looked for R-MAC support.

    > Besides that, is there any contactless API extension for Javacard 2.2.1 working with GP2.1.1, that is, to block access to a command on contactless mode etc?

    Yes. You can check the interface your applet is being accessed over and return an error. You can even prevent an applet from being selected on the wrong interface as well.

    Here is some completely untested code done while on the train. YMMV :)
    package oracle.forum;

    import javacard.framework.APDU;
    import javacard.framework.ISO7816;
    import javacard.framework.Applet;
    import javacard.framework.ISOException;

    /**
     * @author safarmer
     */
    public class DummyApplet extends Applet {
      public static void install(byte[] bArray, short bOffset, byte bLength) {
        // GP-compliant JavaCard applet registration:
        // bArray[bOffset] is the AID length, the AID bytes follow it
        new DummyApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
      }

      public void process(APDU apdu) {
        // Good practice: Return 9000 on SELECT
        if (selectingApplet()) {
          return;
        }

        // Any medium other than the default (contact) one is treated as contactless.
        // The cast keeps the masked value in byte range before the comparison.
        boolean contactless =
            (byte) (APDU.getProtocol() & APDU.PROTOCOL_MEDIA_MASK) != APDU.PROTOCOL_MEDIA_DEFAULT;

        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
          case (byte) 0x00:
            // allowed on every interface
            break;
          case (byte) 0x01:
            // blocked when the command arrives over the contactless interface
            if (contactless) {
              ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
            break;
          default:
            // good practice: If you don't know the INStruction, say so:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
      }
    }
    - Shane
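
The reply above also mentions refusing selection on the wrong interface, which its code does not show. The following is an added example, not part of the original post: an applet that declines SELECT unless it arrives over the contact interface and re-checks the interface before a sensitive command. The package name, class name and INS values are hypothetical, and it assumes the card's Java Card API provides the `APDU.PROTOCOL_MEDIA_*` constants.

```java
package example.contactonly; // hypothetical package name

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;

public class ContactOnlyApplet extends Applet {
  // Hypothetical instruction codes used only for this illustration.
  private static final byte INS_READ_STATUS = (byte) 0x10;
  private static final byte INS_UPDATE_CONFIG = (byte) 0x20;

  public static void install(byte[] bArray, short bOffset, byte bLength) {
    new ContactOnlyApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
  }

  // True only when the current APDU arrived over the default (contact) medium.
  // Allow-listing the contact medium means every other medium is rejected.
  private static boolean onContactInterface() {
    byte media = (byte) (APDU.getProtocol() & APDU.PROTOCOL_MEDIA_MASK);
    return media == APDU.PROTOCOL_MEDIA_DEFAULT;
  }

  // Called by the runtime when a SELECT names this applet. Returning false
  // makes the selection fail, so process() is never reached on that interface.
  public boolean select() {
    return onContactInterface();
  }

  public void process(APDU apdu) {
    if (selectingApplet()) {
      return; // SELECT already passed the interface check in select()
    }
    byte[] buf = apdu.getBuffer();
    switch (buf[ISO7816.OFFSET_INS]) {
      case INS_READ_STATUS:
        break; // harmless command, no further check
      case INS_UPDATE_CONFIG:
        // Defence in depth: re-check the interface for the sensitive command.
        if (!onContactInterface()) {
          ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
        }
        break;
      default:
        ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
    }
  }
}
```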
