Re: [opensc-devel] banks
On Mon, 2011-08-22 at 07:41 +0200, Andreas Jellinghaus wrote: Am Samstag 20 August 2011, 09:34:21 schrieb Nikos Mavrogiannopoulos: On 08/18/2011 11:11 AM, Hans Witvliet wrote: Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? These cards typically support the EMV protocol (or a subset). They have the ability to perform RSA and 3DES, so in theory there could be a vendor (or manufacturer) that releases a PKCS #11 module that allows you to access them. However, without it the operations available to an EMV card are not sufficient to emulate PKCS #11 (and be used in other than banking applications). IIRC for EMV protocoll you need to hand in the amount of money you want to deduct, wether you want offline or online transactions, the service code of the terminal (i.e. atm or store or ...) etc. that doesn't map well to pkcs#11. Andreas ___ Tnx Andreas,Martin, Ludovic, Nikos, many others You have givven me plenty material, to read, (and as for serendipity, relevant stuff for other projects also...) But the main objective is to check if the cards that are issued by bank or creditcompany can be legaly used for identifycation/authentication for other purposes. From what i deduced so far, is that on those (mostly java-) card is a specific applet stored, but no general-purpose key/certificates. So i presume that if i want to use a bank-card, i can only do that with the full coorporation of that bank. (simular to the problem we have with mal-functioning safesign applet driver ;-) Hans ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
AFAIK, it depends on your bank card relationship We use a bank card, that can be used for payment and cash retrieval, and also used for authentication process. The card is customized for our company, and has the euro6000 logo. The workout its the following: the card has 2 applications (DF according to 7816 standard), one for EMV, the other one for our own puprposes. Some guys, a long time ago, designed the content of our card and now im the responsible of developing and mantaining the PKCS#11 interface for auth and sign on Win/Linux/Mac. Does that answer your question? ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
-Original Message- From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of helpcrypto helpcrypto Sent: Monday, August 22, 2011 9:04 AM To: Hans Witvliet Cc: opensc-devel@lists.opensc-project.org Subject: Re: [opensc-devel] banks AFAIK, it depends on your bank card relationship We use a bank card, that can be used for payment and cash retrieval, and also used for authentication process. The card is customized for our company, and has the euro6000 logo. The workout its the following: the card has 2 applications (DF according to 7816 standard), one for EMV, the other one for our own puprposes. Some guys, a long time ago, designed the content of our card and now im the responsible of developing and mantaining the PKCS#11 interface for auth and sign on Win/Linux/Mac. Does that answer your question? -Original Message- Wow, that is what would call seriously user friendly. And an example for others... Could you (offlist, as the list is non-commercial) disclose me the name of the bank? Hans. __ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
Wow, that is what would call seriously user friendly. And an example for others... Could you (offlist, as the list is non-commercial) disclose me the name of the bank? Again AFAIK, this is a common scenario here in spain for public companies like the one i work for (university). In our case, the bank is a saving bank (according to wikipedia translation of caja de ahorros). kind of a bank that dont give benefits to their owners (cough). So, anyone could do it. at least, banco santander, lacaixa, bankia... Anyhow, this is -more or less- what we have: Dual card (contact/contacless). contactless interface has only an id for parking access and similar things. Contact interface with 2 applications: one for the bank, one for our own use with a 1024 (yes...i know...) RSA certificate for auth+sign... ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
On 2011-08-22 10:40, Vlastimil Pavicek wrote: I think that MasterCard CAP Visa DPA is the technology to look for. see: http://en.wikipedia.org/wiki/Chip_Authentication_Program Shared secrets are not generally useful with more than one ID-provider. Anders Best regards VLP __ Od: Andreas Jellinghaus a...@dungeon.inka.de Komu: opensc-devel@lists.opensc-project.org Datum: 22.08.2011 07:39 Předmět: Re: [opensc-devel] banks Am Freitag 19 August 2011, 11:56:13 schrieb Martin Paljak: Hello, On Aug 18, 2011, at 12:11 , Hans Witvliet wrote: Hi all, Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? Did anybody ever looked at them this way? It is not that i would try to temper with them, but if these are safe enough to be trusted by a bank, why could i not use them for instance, for setting up a vpn? You might want to study EMV DDA http://www.openscdp.org/scripts/tutorial/emv/dda.html SDA/DDA is a mechanism used for authenticating credit card transactions in the card / terminal / processor setup (or for offline use: card/terminal). the new mechanism for online banking with chipcard, reader and pin are something different - thought they might be build on top of EMV spec. so reading up on DDA won't help you. Andreas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Fork of Debian's openSC repo at Github with ideas for 0.12.2 DEB
Hi, On Sunday, 21. August 2011, you wrote: On 08/21/2011 12:36 PM, Peter Marschall wrote: * renable zlib readline support [...] what about a new, official Debian package, with my changes as the starting point as starting point? i don't think these are compatible with the DFSG, alas. GNU readline (at least) is GPL-licensed, and opensc links against OpenSSL. So building a package that links to both of them creates a non-redistributable work :( http://people.gnome.org/~markmc/openssl-and-the-gpl.html Is there any way to have OpenSC build against some crypto libraries other than OpenSSL (preferably licensed in GPL-compatible ways) so we could link it to readline without violating one license or the other? OK, let's leave out libreadline (simple changes in debian/{rules,control}). My interest is less in libreadline - although it makes opensc-explorer a lot more comfortable - but in an update to opensc in Debian. What about that? Best Peter PS: if zlib has similar issues, then maybe leave it away too. -- Peter Marschall pe...@adpm.de ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel