Well, I'd like to have mutual authentication between card and terminal, but also a secure data transfer to decrease/increase the card value. I know - one at a time, but that is what I try to learn/achieve!
I'd like to start with the wallet example, I just don't have one, where is that to be found?
You can find samples in the JCDK. There is a samples directory and I believe JC 2.2.2 and 3.0 both have a sample wallet applet.
You could model your authentication off TLS/SSL and the GlobalPlatform secure channel protocols. Some basic steps you could use:
1. Send a nonce (random challenge) to the card.
2. Card generates a nonce and combines the two with a master AES key to generate a session key. You can search for key derivation algorithms (an example is KDF1 - key derivation function 1).
3. Use the session key to generate a MAC of the two nonces.
4. Return the card nonce and MAC to the host.
5. The host uses the nonce from the card to generate a session key (should match card session key).
6. Host verifies the MAC received from the card using the two nonces and session key.
7. Generate a different MAC using the same data and key but opposite order when combining nonces.
8. Send MAC to the card to prove that the host has the same key. The card verifies this MAC.
After this you have proven that both sides have the same session key based on a shared secret. You can use the session key to encrypt the commands sent to the card.
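The eight-step exchange above, simulated end to end with both sides' messages, as an added example (not code from the original answer or from the JCDK samples). Assumptions: the answer derives the session key with a master AES key; because this example must run with only the Python standard library, it uses HMAC-SHA256 as a stand-in both for the counter-mode key derivation (in the spirit of KDF1) and for the MAC, and every nonce, key and message here is constructed for illustration. The host aborts before step 7 if the card's MAC does not verify, so a card with the wrong master key never learns anything about the host's key.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16  # assumption: 128-bit nonces on both sides


def derive_session_key(master: bytes, host_nonce: bytes, card_nonce: bytes) -> bytes:
    """Counter-mode derivation in the spirit of KDF1: PRF(master, host_nonce || card_nonce || counter).
    The answer uses an AES master key; HMAC-SHA256 is the stand-in here (assumption)."""
    counter = struct.pack(">I", 1)
    return hmac.new(master, host_nonce + card_nonce + counter, hashlib.sha256).digest()


def compute_mac(key: bytes, data: bytes) -> bytes:
    """MAC over the concatenated nonces (HMAC-SHA256 stands in for an AES-based MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Card:
    """Card side of the handshake (steps 2-4 and 8)."""

    def __init__(self, master: bytes, rng=os.urandom):
        self._master = master
        self._rng = rng
        self._host_nonce = self._card_nonce = self.session_key = None
        self.host_authenticated = False

    def challenge(self, host_nonce: bytes):
        # Steps 2-4: pick a nonce, derive the session key, MAC host_nonce || card_nonce.
        self._host_nonce = host_nonce
        self._card_nonce = self._rng(NONCE_LEN)
        self.session_key = derive_session_key(self._master, host_nonce, self._card_nonce)
        card_mac = compute_mac(self.session_key, host_nonce + self._card_nonce)
        return self._card_nonce, card_mac

    def verify_host(self, host_mac: bytes) -> bool:
        # Step 8: the host's MAC covers the nonces in the opposite order (card_nonce || host_nonce).
        expected = compute_mac(self.session_key, self._card_nonce + self._host_nonce)
        self.host_authenticated = hmac.compare_digest(expected, host_mac)  # constant-time compare
        return self.host_authenticated


class Host:
    """Terminal side of the handshake (steps 1, 5-7)."""

    def __init__(self, master: bytes, rng=os.urandom):
        self._master = master
        self._rng = rng
        self._host_nonce = self.session_key = None
        self.card_authenticated = False

    def start(self) -> bytes:
        # Step 1: fresh random challenge for this session.
        self._host_nonce = self._rng(NONCE_LEN)
        return self._host_nonce

    def verify_card(self, card_nonce: bytes, card_mac: bytes):
        # Steps 5-6: derive the same session key and check the card's MAC.
        self.session_key = derive_session_key(self._master, self._host_nonce, card_nonce)
        expected = compute_mac(self.session_key, self._host_nonce + card_nonce)
        self.card_authenticated = hmac.compare_digest(expected, card_mac)
        if not self.card_authenticated:
            return None  # abort: do not send our MAC to an unauthenticated card
        # Step 7: same key and data, nonces combined in the opposite order.
        return compute_mac(self.session_key, card_nonce + self._host_nonce)


def run_handshake(host_master: bytes, card_master: bytes, rng=os.urandom) -> dict:
    """Drive the full exchange and report what each side concluded."""
    host, card = Host(host_master, rng), Card(card_master, rng)
    host_nonce = host.start()                         # host -> card
    card_nonce, card_mac = card.challenge(host_nonce)  # card -> host
    host_mac = host.verify_card(card_nonce, card_mac)  # host -> card (or abort)
    if host_mac is not None:
        card.verify_host(host_mac)
    return {
        "card_authenticated": host.card_authenticated,   # host's view of the card
        "host_authenticated": card.host_authenticated,   # card's view of the host
        "session_key": host.session_key if host.card_authenticated else None,
    }


if __name__ == "__main__":
    shared = b"\x01" * 16  # constructed master key shared by both sides
    print("matching keys:", run_handshake(shared, shared))
    print("wrong card key:", run_handshake(shared, b"\x02" * 16))
```

Two properties worth checking after the handshake: with matching master keys both flags are true and both sides hold the same session key, while a card holding a different master key fails at step 6 and the host never emits its own MAC. Because both nonces are fresh per run, two successful handshakes with the same master key produce different session keys, which is what keeps a recorded session from being replayed.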