Re: [opensc-devel] banks
On Mon, 2011-08-22 at 07:41 +0200, Andreas Jellinghaus wrote: Am Samstag 20 August 2011, 09:34:21 schrieb Nikos Mavrogiannopoulos: On 08/18/2011 11:11 AM, Hans Witvliet wrote: Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? These cards typically support the EMV protocol (or a subset). They have the ability to perform RSA and 3DES, so in theory there could be a vendor (or manufacturer) that releases a PKCS #11 module that allows you to access them. However, without it the operations available to an EMV card are not sufficient to emulate PKCS #11 (and be used in other than banking applications). IIRC for EMV protocoll you need to hand in the amount of money you want to deduct, wether you want offline or online transactions, the service code of the terminal (i.e. atm or store or ...) etc. that doesn't map well to pkcs#11. Andreas ___ Tnx Andreas,Martin, Ludovic, Nikos, many others You have givven me plenty material, to read, (and as for serendipity, relevant stuff for other projects also...) But the main objective is to check if the cards that are issued by bank or creditcompany can be legaly used for identifycation/authentication for other purposes. From what i deduced so far, is that on those (mostly java-) card is a specific applet stored, but no general-purpose key/certificates. So i presume that if i want to use a bank-card, i can only do that with the full coorporation of that bank. (simular to the problem we have with mal-functioning safesign applet driver ;-) Hans ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
AFAIK, it depends on your bank card relationship We use a bank card, that can be used for payment and cash retrieval, and also used for authentication process. The card is customized for our company, and has the euro6000 logo. The workout its the following: the card has 2 applications (DF according to 7816 standard), one for EMV, the other one for our own puprposes. Some guys, a long time ago, designed the content of our card and now im the responsible of developing and mantaining the PKCS#11 interface for auth and sign on Win/Linux/Mac. Does that answer your question? ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
-Original Message- From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of helpcrypto helpcrypto Sent: Monday, August 22, 2011 9:04 AM To: Hans Witvliet Cc: opensc-devel@lists.opensc-project.org Subject: Re: [opensc-devel] banks AFAIK, it depends on your bank card relationship We use a bank card, that can be used for payment and cash retrieval, and also used for authentication process. The card is customized for our company, and has the euro6000 logo. The workout its the following: the card has 2 applications (DF according to 7816 standard), one for EMV, the other one for our own puprposes. Some guys, a long time ago, designed the content of our card and now im the responsible of developing and mantaining the PKCS#11 interface for auth and sign on Win/Linux/Mac. Does that answer your question? -Original Message- Wow, that is what would call seriously user friendly. And an example for others... Could you (offlist, as the list is non-commercial) disclose me the name of the bank? Hans. __ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
Wow, that is what would call seriously user friendly. And an example for others... Could you (offlist, as the list is non-commercial) disclose me the name of the bank? Again AFAIK, this is a common scenario here in spain for public companies like the one i work for (university). In our case, the bank is a saving bank (according to wikipedia translation of caja de ahorros). kind of a bank that dont give benefits to their owners (cough). So, anyone could do it. at least, banco santander, lacaixa, bankia... Anyhow, this is -more or less- what we have: Dual card (contact/contacless). contactless interface has only an id for parking access and similar things. Contact interface with 2 applications: one for the bank, one for our own use with a 1024 (yes...i know...) RSA certificate for auth+sign... ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
On 2011-08-22 10:40, Vlastimil Pavicek wrote: I think that MasterCard CAP Visa DPA is the technology to look for. see: http://en.wikipedia.org/wiki/Chip_Authentication_Program Shared secrets are not generally useful with more than one ID-provider. Anders Best regards VLP __ Od: Andreas Jellinghaus a...@dungeon.inka.de Komu: opensc-devel@lists.opensc-project.org Datum: 22.08.2011 07:39 Předmět: Re: [opensc-devel] banks Am Freitag 19 August 2011, 11:56:13 schrieb Martin Paljak: Hello, On Aug 18, 2011, at 12:11 , Hans Witvliet wrote: Hi all, Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? Did anybody ever looked at them this way? It is not that i would try to temper with them, but if these are safe enough to be trusted by a bank, why could i not use them for instance, for setting up a vpn? You might want to study EMV DDA http://www.openscdp.org/scripts/tutorial/emv/dda.html SDA/DDA is a mechanism used for authenticating credit card transactions in the card / terminal / processor setup (or for offline use: card/terminal). the new mechanism for online banking with chipcard, reader and pin are something different - thought they might be build on top of EMV spec. so reading up on DDA won't help you. Andreas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
On 08/18/2011 11:11 AM, Hans Witvliet wrote: Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? These cards typically support the EMV protocol (or a subset). They have the ability to perform RSA and 3DES, so in theory there could be a vendor (or manufacturer) that releases a PKCS #11 module that allows you to access them. However, without it the operations available to an EMV card are not sufficient to emulate PKCS #11 (and be used in other than banking applications). regards, Nikos ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] banks
Hello, On Aug 18, 2011, at 12:11 , Hans Witvliet wrote: Hi all, Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? Did anybody ever looked at them this way? It is not that i would try to temper with them, but if these are safe enough to be trusted by a bank, why could i not use them for instance, for setting up a vpn? You might want to study EMV DDA http://www.openscdp.org/scripts/tutorial/emv/dda.html -- @MartinPaljak.net +3725156495 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] banks
Hi all, Perhaps a ludicreous question, but i post it anyway... Some creditcard companies or banks supply their customer with cards plus pin-code in order to identify themselfs during financial transactions. From my focus i presume these look like ordinary smartcards. Can these cards also be used for anything else? Did anybody ever looked at them this way? It is not that i would try to temper with them, but if these are safe enough to be trusted by a bank, why could i not use them for instance, for setting up a vpn? (If it is completely nonsence, just say so) hw Oh, and by the way, the cards of some banks let you even store money on the card it self. And when do a micro transaction (ticket in a car-park or so) you only have to press the OK button. Funny thing is that these banks provide small gadgets that can read the amount still stored on these cards, and they work for cards from several banks eg: different kind of smartcards. Would be fun to be able to do those readings on my linux PC, not? ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel