11 Replies. Latest reply: Feb 15, 2013 11:30 AM by 981922

Setting finally security of java card

970895 Newbie
Hello all,

I'm a newbie in Java Card, but in my last project I gained some experience with Java Card. I have a Java Card from NXP with OS JCOP 2.4.2 R1 and a non-personalized GP Card Manager (default card keys). I have developed and tested my own applet, everything without any problem. I can successfully load the applet to the card, so I don't have any problems with building a secure channel (SCP02). Now that everything is working fine, I would like to secure this Java Card and terminate the development process. At this stage I am a little bit confused... I don't know how to perform the last step to terminate the card for use by our customer.

I have read the GlobalPlatform Card Specification v2.2 several times, but I have some questions.
The SCP02 secure channel is initiated using a default set of three 16-byte keys, 0x404142....4F. Is it possible to change these default security domain keys to another value? Or can these default keys not be deleted, and I can only use the new set of keys? How can these keys be inserted into the card (the answer "use the PUT KEY APDU command" is not enough for me)?

The next question is about modifying the security status of the Java Card for end-customer use. What do I need to do if I want nobody to be able to change the content of the Java Card (install applet, delete applet)? When the card is secured, is it still possible to build a secure channel, or is this option disabled in the secured state, so that changing the default keys makes no sense?

When the card is secured, will my applet be selectable and will it work?


I will be grateful for any answer!
Thanks,
Milanatik
  • 1. Re: Setting finally security of java card
    801926 Explorer
    There is a generic way: keep the CM keys secret, a more granular one: use INSTALL[for registry update] to disable loading and a JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.
  • 2. Re: Setting finally security of java card
    970895 Newbie
    lexdabear, thank you for your ideas!

    You wrote: "There is a generic way: keep the CM keys secret" - when the card manager keys are the default (and publicly known) ones, keeping them secret has no effect.

    Then you wrote: "INSTALL[for registry update] to disable loading". The INSTALL command can be used (I expect) only after mutual authentication. So I need to know the card manager keys before this command. And if these keys are publicly known, everyone can change this install command, or not?

    You also wrote: "JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.". This idea looks useful... but I don't have any experience with JCOP.

    Is there any other option for securing the Java Card with my applet against outside attacks?
    And what about changing the card manager keys (also called card static keys or secure channel base keys)?

    Thank you again,
    Milanatik
  • 3. Re: Setting finally security of java card
    801926 Explorer
    You can change the CM keys using GP command PUT KEY or STORE DATA. In JCShell it's 'set-key ..' and 'put-keyset ..'.

    INSTALL[for registry update] command is one way in JCOP as it only supports disabling post-issuance.
  • 4. Re: Setting finally security of java card
    970895 Newbie
    lexdabear, thank you for your quick reply!

    I will try to change the card manager keys...

    I read something about the SET STATUS command in the GlobalPlatform Card Spec v2.2. Can the proper security level of the Java Card also be set with this command? For example, setting the Java Card to the SECURED state? In the SECURED state, will my applet work and will the security domain be inaccessible?

    Sorry for my stupid questions, but I need to clarify the basic Java Card security abilities.

    Thank you!
    Milanatik
  • 5. Re: Setting finally security of java card
    970895 Newbie
    Hi again,

    I'm still improving the security of my Java Card for use in a non-safe environment on the customer side. I changed the default card manager keys to my unique keys via the PUT KEY APDU command.

    I also changed the card manager life state from OP_READY to SECURED. In this SECURED state, is it possible to load/delete applets?
    My next question: now I'm in the SECURED state and I want to change to the CARD_LOCKED state. I am trying to build a secure channel, but after the ext-auth command in JCShell, the response from the card is 6985 - Conditions of use not satisfied.

    Is it possible to build a secure channel in the SECURED state?

    Thank you for your answer!
    Regards,

    Milan
  • 6. Re: Setting finally security of java card
    970895 Newbie
    Hi,

    at this time I can build a secure channel with a Java Card whose card manager is in the SECURED state. I need to write the JCShell command ext-auth mac instead of ext-auth plain. So... I have built a secure channel and now I want to set the status of the card manager from SECURED to CARD LOCKED, but I get the error message 6985 - Conditions of use not satisfied. Here is a log:

    -----
    +
    cm> ext-auth mac
    => 84 82 01 00 10 0E 75 DD FC AB 9F FB 3C 8B E4 68
    48 40 07 95 D6
    (77157 usec)
    <= 90 00
    Status: No Error
    cm> card-info
    => 84 F2 80 00 0A 4F 00 C7 78 49 BF AC 25 C8 AB 00
    (58252 usec)
    <= 08 A0 00 00 00 03 00 00 00 0F 9E 90 00
    Status: No Error
    => 84 F2 40 00 0A 4F 00 E3 0E 73 E7 FC BA 3F 28 00
    (58027 usec)
    <= 0C 70 6F 63 69 74 61 64 6C 6F 41 70 6C 07 00 90
    00
    Status: No Error
    => 84 F2 10 00 0A 4F 00 D7 94 FD 98 B0 AB BC CC 00
    (67461 usec)
    <= 07 A0 00 00 00 03 53 50 01 00 01 08 A0 00 00 00
    03 53 50 41 0B 73 65 63 75 72 69 74 79 50 6B 67
    01 00 01 0C 70 6F 63 69 74 61 64 6C 6F 41 70 6C
    90 00
    Status: No Error

    Card Manager AID : A000000003000000
    Card Manager state : SECURED

    Application: SELECTABLE (--------) xxxxxxxxx
    Load File : LOADED (--------) yyyyyyyyyy
    Module : yyyyyyyyyyyyy
    Load File : LOADED (--------) "xxxxxxxxxx
    Module : "xxxxxxxxxx
    cm> /send 80f0807f07a0000000035350
    => 80 F0 80 7F 07 A0 00 00 00 03 53 50
    (44108 usec)
    <= 69 85
    +
    -----

    Is it possible to change the life cycle from SECURED to CARD LOCKED? If yes, how?

    Thanks in advance.
    Milan
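
As an added example (not part of the original thread and not JCShell code), the following Python decodes the APDUs from the log in the post above using GlobalPlatform codings and lists what distinguishes the failing SET STATUS command from the commands that succeeded. The function names are hypothetical, and the observations it prints are differences visible in the log, not a confirmed cause of the 6985 status.

```python
# Added example: decode GlobalPlatform APDUs copied from the JCShell log above.
CARD_STATES = {0x01: "OP_READY", 0x07: "INITIALIZED", 0x0F: "SECURED",
               0x7F: "CARD_LOCKED", 0xFF: "TERMINATED"}  # GP card life-cycle codings
INS = {0x82: "EXTERNAL AUTHENTICATE", 0xF0: "SET STATUS", 0xF2: "GET STATUS"}

def parse_command(hex_apdu):
    """Split a short command APDU into header fields and data (hypothetical helper)."""
    b = bytes.fromhex(hex_apdu)
    cla, ins, p1, p2 = b[:4]
    data = b[5:5 + b[4]] if len(b) > 4 else b""
    return {"ins": INS.get(ins, "INS %02X" % ins), "p1": p1, "p2": p2,
            "secure_messaging": bool(cla & 0x04), "data": data}

def parse_isd_status(hex_rapdu):
    """Parse a GET STATUS (P1=80) response: LV-coded AID, state, privileges, SW."""
    b = bytes.fromhex(hex_rapdu)
    n = b[0]
    if len(b) != n + 5:
        raise ValueError("unexpected response length")
    return {"aid": b[1:1 + n].hex().upper(), "state": CARD_STATES.get(b[1 + n]),
            "privileges": b[2 + n], "sw": b[-2:].hex().upper()}

def review_session(ext_auth, isd_status, commands):
    """Return observations about commands sent after EXTERNAL AUTHENTICATE."""
    notes = []
    cmac_required = bool(parse_command(ext_auth)["p1"] & 0x01)  # P1 = security level
    isd = parse_isd_status(isd_status)
    for raw in commands:
        c = parse_command(raw)
        if cmac_required and not c["secure_messaging"]:
            notes.append(c["ins"] + ": sent without secure messaging in a C-MAC session")
        if c["ins"] == "SET STATUS" and c["p1"] == 0x80:
            target = CARD_STATES.get(c["p2"], "unknown")
            notes.append("SET STATUS: requests %s -> %s" % (isd["state"], target))
            if c["data"].hex().upper() != isd["aid"]:
                notes.append("SET STATUS: data field AID differs from the ISD AID")
    return notes

# Bytes copied from the log in the post above.
EXT_AUTH = "84 82 01 00 10 0E 75 DD FC AB 9F FB 3C 8B E4 68 48 40 07 95 D6"
ISD_STATUS = "08 A0 00 00 00 03 00 00 00 0F 9E 90 00"
GET_STATUS = "84 F2 80 00 0A 4F 00 C7 78 49 BF AC 25 C8 AB 00"
SET_STATUS = "80 F0 80 7F 07 A0 00 00 00 03 53 50"

if __name__ == "__main__":
    for note in review_session(EXT_AUTH, ISD_STATUS, [GET_STATUS, SET_STATUS]):
        print(note)
```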
  • 7. Re: Setting finally security of java card
    970895 Newbie
    Hi again,

    since my last post many things have changed: I changed the card manager default keys, set the card manager (CM) state to SECURED, and I'm also able to build a secure channel when the CM is in the protected state. Is a Java Card secured as I described in the previous sentence secure enough (I mean against hackers trying to break the security and modify the applet)?
    What does it mean when somebody says that a Java Card is fused? Can my Java Card be considered fused (changed keys, CM set to SECURED)?

    lexdabear wrote:
    use INSTALL[for registry update] to disable loading and a JCOP proprietary way: disable the selection of the CM during pre-perso plus set an applet as default selected.
    Can somebody tell me how the selection of the CM can be disabled using JCShell commands? I will be grateful for any example code, logs, tips.

    Thank you!
    Regards,

    Milan
  • 8. Re: Setting finally security of java card
    970895 Newbie
    No one can help me?
  • 9. Re: Setting finally security of java card
    991038 Newbie
    Not possible to load applets unless CM keys are known to the user. Keep your CM keys safe, so no one can load any additional applets.
  • 10. Re: Setting finally security of java card
    safarmer Expert
    The best way to keep your keys safe is to only ever have them stored in an HSM that is both logically and physically secured. This is not the easiest or cheapest thing to do but it is the only way to be sure that your keys are safe from others using them (other than destroying the keys so no one can use them).

    - Shane
  • 11. Re: Setting finally security of java card
    981922 Newbie
    You have two choices:
    1) Change the key to a random key that no one (including you) will be able to save and use later.
    It is something procedural, mainly based on the following consideration:
    1) you will not trace the random key in any way (for example, you will provide the code to a 3rd party to show that there is no tracing)
    2) The best way, but I don't know if it is applicable, is to "block" the key, which means using it incorrectly until the error counter becomes zero and the key is blocked.
    You need to check whether the key provides this kind of error counter.

    By definition, if "only you" have the key, it doesn't mean that the system is secure.

    It is always a good procedure to change the transport key and limit its usage to the minimum necessary.

    If you need to use this key later, the HSM is the only way. Consider that a smartcard can be considered a "slow HSM".
