
Relation between Security Domain and Applet in Personalization

The Guide to Common Personalization describes the following process for Personalization:

  • Reset
  • ATR
  • Select AID to personalize
  • initiate Secure Channel
  • multiple Store-data commands

The Secure Channel is established with the Security Domain and Store-data commands holding DGIs are forwarded to the Applet. The Applet has the Application and the Personalization interface from org.globalplatform package and inherits processData methods to make use of the Store-data commands.

The question now is whether I have to implement the init-update and external-authenticate commands in my applet myself, as the Security Domain is not selected anymore and my applet does not know these INS. Does the JCRE automatically detect these GlobalPlatform APDUs and forward them to the Security Domain? If not, why isn't this hidden/filtered by the JCRE?

Edit: I have found an old example on the GlobalPlatform website from 2006 called CPSDemonstrator: http://www.globalplatform.org/specificationform.asp?fid=6596 Besides the deprecated API calls, is this still the standard way to do it?

No, you don't need to implement the secure channel functions yourself: you can use the Security Domain for that. It is often a business decision: do you control the keys to that Security Domain yourself, or a trusted partner?

Let's say that you do. Then, the Secure Channel can be established to the Security Domain (selecting the Secure Channel's AID), which already implements all the necessary functionality. Once established, you can send STORE DATA APDUs to your applet if you first send an INSTALL[for personalization] APDU to the Security Domain, indicating your applet's AID within the command parameters. Step-by-step:

  1. SELECT the Security Domain
  2. Establish Secure Channel to the SD: INITIALIZE_UPDATE, EXTERNAL_AUTHENTICATE
  3. INSTALL[for personalization]. In the command's data field, send your applet's AID
  4. STORE DATA - it will be forwarded to your applet

Internally, inside the card, the Security Domain will decrypt these STORE DATA APDUs and forward them to your applet, calling its processData method.

INSTALL[for personalization] is meant to be used if you want to personalize your application before it has been "made selectable". Once the applet is selectable, you can set up a secure channel towards the applet's AID. The applet just needs to implement the SecureChannel interface ( http://www.win.tue.nl/pinpasjc/docs/apis/gp211/org/globalplatform/SecureChannel.html ) to delegate authentication and encryption to its associated Security Domain.

To answer your question: you DO NOT need to implement the security commands in your applet.
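The two paths described in the answers above, sketched as one Java Card applet. This is an added example, not code from the original posts or from GlobalPlatform: the class name `PersoApplet`, the DGI tag `0x0101` and the 32-byte record are constructed for illustration, and it assumes the card provides the `org.globalplatform` API (`Application`, `GPSystem`, `SecureChannel`).

```java
import javacard.framework.*;
import org.globalplatform.*;

// Hypothetical applet: all key handling stays in the associated Security Domain (SD).
public class PersoApplet extends Applet implements Application {
    private static final short DGI_DEMO = 0x0101;  // constructed DGI tag for this example
    private final byte[] record = new byte[32];    // persistent copy of that DGI's value

    public static void install(byte[] b, short off, byte len) {
        new PersoApplet().register(b, (short) (off + 1), b[off]);
    }
    // Exposes the Application interface so the SD can reach processData().
    public Shareable getShareableInterfaceObject(AID client, byte param) { return this; }

    // Path 1: the SD is selected and INSTALL [for personalization] named this applet.
    // Per the GP API javadoc, buf holds the whole STORE DATA command (header + data),
    // already checked and decrypted by the SD.
    public void processData(byte[] buf, short off, short len) {
        storeDgis(buf, (short) (off + ISO7816.OFFSET_CDATA), (short) (len - ISO7816.OFFSET_CDATA));
    }
    // Path 2: this applet is selected and hands the security APDUs to its SD.
    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        SecureChannel sc = GPSystem.getSecureChannel();
        switch (buf[ISO7816.OFFSET_INS]) {
        case (byte) 0x50:  // INITIALIZE UPDATE
        case (byte) 0x82:  // EXTERNAL AUTHENTICATE
            // The SD builds the response at OFFSET_CDATA; the applet only sends it.
            apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, sc.processSecurity(apdu));
            return;
        case (byte) 0xE2:  // STORE DATA
            short len = apdu.setIncomingAndReceive();
            if ((sc.getSecurityLevel() & SecureChannel.AUTHENTICATED) == 0)
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            // unwrap() verifies the C-MAC / decrypts in place, returns the new command length
            len = sc.unwrap(buf, (short) 0, (short) (ISO7816.OFFSET_CDATA + len));
            storeDgis(buf, ISO7816.OFFSET_CDATA, (short) (len - ISO7816.OFFSET_CDATA));
            return;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
    // Walks "DGI (2 bytes) | length (1 byte) | value" entries, bounds-checking each one.
    // The 0xFF long-length form is rejected here to keep the example short.
    private void storeDgis(byte[] buf, short off, short len) {
        short end = (short) (off + len);
        while ((short) (off + 3) <= end) {
            short dgi = Util.getShort(buf, off);
            short l = (short) (buf[(short) (off + 2)] & 0xFF);
            off += 3;
            if (l == 0xFF || (short) (off + l) > end) ISOException.throwIt(ISO7816.SW_WRONG_DATA);
            if (dgi == DGI_DEMO && l <= (short) record.length) Util.arrayCopy(buf, off, record, (short) 0, l);
            off += l;
        }
    }
}
```

In both paths the applet never touches the secure channel keys: the Security Domain performs the authentication, MAC verification and decryption, and the applet only sees unwrapped STORE DATA content.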
