Andreas Jellinghaus wrote:
> On Monday 19 April 2010 16:57:35, Jan Just Keijser wrote:
>
>> Note: there is no absolutely secure method to establish a connection
>> between a card on a remote machine and the CA. Period.
>>
>
> I think that is wrong. Some smart card protocols work like that:
> step 1: ask card for some serial number (or given number)
> step 2: start encrypted communication using a key known to you and
> stored on the card when it was initialised.
>
> Of course the protocol started with step 2 needs to be secure
> against replay attacks and so on, but I guess there are well
> known protocols that can be implemented right away.
>
> I'm no expert on this, but I see no reason why encrypted secure
> communication with a card needs more than a one time minimal
> initialisation (e.g. writing a number and a key to the card).
>
In our solutions we are doing card initialization (which can include loading/initializing the applets and creating/changing secret keys) with SM. A remote SCM&PKI server is used. There, keysets are diversified from the card's data (serial number) with a master key stored in an HSM. Part of the card personalization (key import) is also done with SM; part of card administration (PIN unblock) is done with 'External Authentication'.

> Regards, Andreas
>

Kind wishes,
Viktor.

> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

--
Viktor Tarasov <viktor.tara...@opentrust.com>
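The scheme discussed in this thread (read a serial from the card, diversify a per-card key from a master key held in an HSM, then run a secure-messaging session that resists replay) can be sketched end to end. The following is an added illustration, not code from OpenSC or from either poster's products; it uses HMAC-SHA256 as a stand-in KDF and MAC, whereas real card schemes such as GlobalPlatform SCP use block-cipher derivation and MACs. The master key, serial and command bytes are constructed values, and the host-to-card authentication step of a full mutual-authentication protocol is omitted to keep the focus on the card-side checks.

```python
import hashlib
import hmac
import os

# Constructed master key for the demonstration only; in the deployment described
# in the thread this never leaves the HSM.
MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def diversify_key(master_key: bytes, serial: bytes) -> bytes:
    """Derive the card-specific key from the master key and the card serial.
    One master key, one distinct key per card; knowing a serial alone yields nothing."""
    return hmac.new(master_key, b"card-key|" + serial, hashlib.sha256).digest()


def session_key(card_key: bytes, host_challenge: bytes, card_challenge: bytes) -> bytes:
    """Fresh per-session key bound to both challenges, so old sessions cannot be replayed."""
    return hmac.new(card_key, b"session|" + host_challenge + card_challenge,
                    hashlib.sha256).digest()


def mac8(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Toy card: holds its diversified key, answers the serial unauthenticated,
    and enforces a per-session sequence counter on MACed commands."""

    def __init__(self, serial: bytes, card_key: bytes):
        self.serial = serial
        self._key = card_key
        self._session = None
        self._seq = 0

    def get_serial(self) -> bytes:
        return self.serial

    def initialize_update(self, host_challenge: bytes):
        card_challenge = os.urandom(8)
        self._session = session_key(self._key, host_challenge, card_challenge)
        self._seq = 0
        # Card cryptogram: proves possession of the diversified key for this session.
        return card_challenge, mac8(self._session, b"card-auth|" + host_challenge)

    def process(self, seq: int, command: bytes, mac: bytes) -> str:
        if self._session is None:
            return "no session"
        if seq != self._seq:              # replayed or reordered command
            return "replay rejected"
        expected = mac8(self._session, seq.to_bytes(2, "big") + command)
        if not hmac.compare_digest(mac, expected):
            return "bad mac"
        self._seq += 1
        return "ok"


class Host:
    """Toy SCM/PKI host: diversifies the card key from the reported serial and
    opens a MACed session; a forged serial just selects a key the forger lacks."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._session = None
        self._seq = 0

    def open_session(self, card: Card) -> bool:
        serial = card.get_serial()
        card_key = diversify_key(self._master, serial)   # done inside the HSM in practice
        host_challenge = os.urandom(8)
        card_challenge, cryptogram = card.initialize_update(host_challenge)
        session = session_key(card_key, host_challenge, card_challenge)
        if not hmac.compare_digest(cryptogram, mac8(session, b"card-auth|" + host_challenge)):
            raise ValueError("card authentication failed")
        self._session, self._seq = session, 0
        return True

    def send(self, card: Card, command: bytes):
        mac = mac8(self._session, self._seq.to_bytes(2, "big") + command)
        msg = (self._seq, command, mac)
        self._seq += 1
        return msg, card.process(*msg)


def demo() -> dict:
    serial = bytes.fromhex("0011223344556677")          # constructed card serial
    genuine = Card(serial, diversify_key(MASTER_KEY, serial))
    host = Host(MASTER_KEY)
    results = {"genuine": host.open_session(genuine)}
    msg, results["first"] = host.send(genuine, b"PIN_UNBLOCK")
    results["replay"] = genuine.process(*msg)           # same message a second time
    # A card reporting the same serial but not keyed from our master key.
    clone = Card(serial, diversify_key(b"some other master key", serial))
    try:
        host.open_session(clone)
        results["clone"] = "accepted"
    except ValueError as exc:
        results["clone"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks worth noting are the ones the thread argues about: the serial is read in the clear and can be lied about, but it is only a key selector, so a wrong serial or a cloned card with the right serial fails the cryptogram check; and the sequence counter bound to a per-session key is what turns "encrypted communication" into something that rejects replayed commands.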