Re: [opensc-devel] banks

2011-08-22 Thread Vlastimil Pavicek

I think that MasterCard CAP & Visa DPA is the technology to look for.

see:
http://en.wikipedia.org/wiki/Chip_Authentication_Program

Best regards

 VLP

__
> From: "Andreas Jellinghaus" 
> To: 
> Date: 22.08.2011 07:39
> Subject: Re: [opensc-devel] banks
>
>On Friday 19 August 2011, 11:56:13, Martin Paljak wrote:
>> Hello,
>> 
>> On Aug 18, 2011, at 12:11 , Hans Witvliet wrote:
>> > Hi all,
>> > 
>> > Perhaps a ludicrous question, but I post it anyway...
>> > 
>> > Some credit card companies or banks supply their customers with cards plus
>> > PIN code in order to identify themselves during financial transactions.
>> > 
>> > From my focus I presume these look like ordinary smartcards.
>> > 
>> > Can these cards also be used for anything else?
>> > 
>> > Did anybody ever look at them this way?
>> > It is not that I would try to tamper with them, but if these are safe
>> > enough to be trusted by a bank, why could I not use them, for instance,
>> > for setting up a VPN?
>> 
>> You might want to study EMV DDA
>> 
>> http://www.openscdp.org/scripts/tutorial/emv/dda.html
>
>SDA/DDA is a mechanism used for authenticating credit card transactions
>in the card / terminal / processor setup (or for offline use: card/terminal).
>
>The new mechanisms for online banking with chipcard, reader and PIN are
>something different, though they might be built on top of the EMV spec.
>
>So reading up on DDA won't help you.
>
>Andreas
>___
>opensc-devel mailing list
>opensc-devel@lists.opensc-project.org
>http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

Re: [opensc-devel] Java and pkcs11

2011-08-11 Thread Vlastimil Pavicek

You might consider this useful as well (card detection):

http://download.oracle.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/package-summary.html

it works very well under Sun/Oracle Java.

Best regards

 VLP

__
> From: "NdK" 
> To: , helpcrypto helpcrypto 
> 
> Date: 10.08.2011 08:36
> Subject: Re: [opensc-devel] Java and pkcs11
>
>On 09/08/2011 20:48, Vlastimil Pavicek wrote:
>> I haven't read the whole thread, but you might find this library useful (it 
>> is easier to use than JNI/JNA):
>> http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS-11-Wrapper
>Tks.
>Found it last night. It's used by j4sign[1], which targets multiple 
>platforms. On its own it seems it's not enough; it has to be used 
>in parallel with the OCF wrapper (for card detection).
>
>I'll have to dig better...
>
>[1] http://j4sign.sourceforge.net/index.html
>
>BYtE,
>  Diego.
>

Re: [opensc-devel] Java and pkcs11

2011-08-09 Thread Vlastimil Pavicek

Hi,

I haven't read the whole thread, but you might find this library useful (it is 
easier to use than JNI/JNA):

http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS-11-Wrapper

Best regards

VLP

__
> From: "NdK" 
> To: 
> Date: 02.08.2011 13:52
> Subject: [opensc-devel] Java and pkcs11
>
>Hi all!
>
>Maybe it's nearly OT, but I think it could be useful for other readers.
>
>I've found that a quite recurring problem in accessing tokens from java
>is the "PKCS11 not found" exception.
>Disabling hot plug support, as suggested in the past to another user,
>didn't work in my case.
>
>The "-Djava.security.debug=sunpkcs11" 'workaround' is quite
>unsatisfactory (really slows down startup), but I've found that using
>SunPKCS11 and a config file containing:
>-8<--
>name = smartcard
>library = /usr/lib/opensc-pkcs11.so
>slotListIndex=1
>-8<--
>(so, specifying the slotListIndex) I can actually avoid that exception.
>But every user should determine his own slotListIndex (and, IIUC, it
>changes if there are certs under different PINs).
>
>What I still miss:
>- why can't I read certs out of the card even if they're publicly readable?
>- once I can read a cert, how could I determine which slot I should
>authenticate against to use the corresponding private key?
>- should I avoid SunPKCS11 and base my program on "simple" PC/SC?
>
>Tks,
> Diego.
>

Re: [opensc-devel] iKey 4000 once again

2008-08-12 Thread Vlastimil Pavicek


> How and when did you contact safenet?

I e-mailed support (either directly or via a web form, I can't remember) and 
received an acknowledgement with number 883656. 

> However I will get the required documentation and make it available to the 
> project.

That would be great, thank you a lot!

VLP


[opensc-devel] iKey 4000 once again

2008-08-11 Thread Vlastimil Pavicek

Hello,

I have a SafeNet iKey 4000 token and I would really like to use it under 
linux/opensc. I have some smartcard experience (unfortunately not with PKCS#15) 
and I've already done some tests. I would like to share their results if you 
are interested.

The token ATR (different from the one posted on the mailing list earlier) is:
3B FF 18 00 00 81 31 FE 4D 80 25 A0 00 00 00 56 57 44 4B 34 30 30 06 00 DD

As far as I know, this variant of the token does not support the CCID interface (I've 
communicated with Ludovic Rousseau about that and he told me that
the USB descriptors don't seem to be CCID compliant). Nevertheless I was able to 
spy on the APDU-level communication of the vendor-provided software using SnoopyPro 
and some painful bash scripting. Through this I discovered some basic non-ISO 
commands and I am able to browse card files (I am using jaccal to communicate 
with the token in WinXP). I would like to share these results to find out 
whether the token's APDU-level dialect and file structure are familiar to 
any of you. That would help me a lot in further reverse-engineering of the 
card.

In short ...

There are two applications, "01IntermediateDF" and "SafeNet Cryptoki", each of 
them having a couple of files. The first one has 
EF00, FF00, FF01, 0006, 0007, 000A and 7BAD. The second one has DF00, EF00, 
FF01, FF02, FF03, 000A, 000C, 000D, 001B, 001D, 001E and 7BAD.

EXAMPLE SCENARIO:
When I import a PKCS#12 file from the vendor-provided software, it creates some new 
files under "SafeNet Cryptoki" (using a command with INS 0xE0).
0020 -> identifiers of the imported object + some unknown fields
0021 -> unknown contents??
0022 -> here it stores identifiers, key modulus and some more unknown fields -> 
public key?? can't be read with READ BINARY with PIN entered
0023 -> here go identifiers, key private exponents, key private coefficient, 
one of the private primes and some unknown fields -> private key??, can't be 
read with READ BINARY with PIN entered
0024 -> identifiers, certificate + some more unknown fields -> certificate??

I can send the full dumps of the communication. So far I've tried the 
vendor-provided test sequence that generates an RSA key (INS 0x4E ???). It does 
encrypt (0xEC ???), decrypt (0x54 ???), sign (0x5A ???) and verify (in sw???). And 
deletes the generated key (delete file 0xE8).

I've also captured the token initialization.

The vendor provides a working PKCS#11 library DLL, so I should be able to try 
all its functions and observe the communication. But it is really time 
consuming.

Please can anyone tell me whether this is a good way and what to do next?

Thanks in advance, have a nice day

Vlastimil Pavicek

PS: I am sorry for my sometimes confusing English :)
PS2: Of course I tried to contact SafeNet asking for some specs, but I received 
no reply.


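Added example, not code from the OpenSC project or from any of the posters: a minimal ISO 7816-3 ATR parser in Python, run over the iKey 4000 ATR quoted in the message above. It splits the interface bytes per level, lists the offered protocols, checks the TCK checksum and decodes the historical bytes (the part OpenSC card drivers match on); the ATR is taken from the post, all other values are constructed.

```python
# Added example (not code from the OpenSC project or from any poster in
# this thread): a minimal ISO 7816-3 ATR parser run over the iKey 4000 ATR
# quoted above. It splits interface bytes per level, lists the offered
# protocols, validates TCK and decodes the historical bytes.

# ATR exactly as posted in the iKey 4000 message; everything else is constructed.
IKEY4000_ATR = "3B FF 18 00 00 81 31 FE 4D 80 25 A0 00 00 00 56 57 44 4B 34 30 30 06 00 DD"


def parse_atr(atr_hex):
    """Return interface bytes, protocols, historical bytes and TCK status of an ATR."""
    b = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("not a valid ATR: bad TS byte")
    t0 = b[1]
    n_hist = t0 & 0x0F                # low nibble of T0: number of historical bytes
    interface, protocols = [], set()
    y, pos, level = t0 >> 4, 2, 1     # high nibble of T0: presence bits of TA1..TD1
    while True:
        level_bytes = {}
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(b):
                    raise ValueError("ATR truncated inside interface bytes")
                level_bytes[name] = b[pos]
                pos += 1
        interface.append((level, level_bytes))
        if "TD" not in level_bytes:   # no TDi: no further interface bytes follow
            break
        protocols.add(level_bytes["TD"] & 0x0F)       # low nibble: protocol T=x
        y, level = level_bytes["TD"] >> 4, level + 1  # high nibble: next level's presence bits
    protocols = protocols or {0}      # no TD1 at all means T=0 only
    historical = b[pos:pos + n_hist]
    if len(historical) != n_hist:
        raise ValueError("ATR truncated inside historical bytes")
    pos += n_hist
    # TCK is present unless T=0 is the only protocol; XOR of T0..TCK must be zero.
    tck_ok = True
    if protocols != {0}:
        if pos >= len(b):
            raise ValueError("ATR missing TCK")
        xor = 0
        for x in b[1:pos + 1]:
            xor ^= x
        tck_ok = xor == 0
    ascii_view = "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in historical)
    return {"interface": interface, "protocols": sorted(protocols),
            "historical": historical, "ascii": ascii_view, "tck_ok": tck_ok}
```

Calling parse_atr(IKEY4000_ATR) reports T=1 as the only protocol, a valid TCK, and the printable run "VWDK400" inside the 15 historical bytes.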