PB173 - Domain-specific Development in C/C++ (spring 2016)
Group: Applied cryptography and secure programming
•Petr Švenda svenda@fi.muni.cz
•Consultation: A.406, Monday 15-15:50

SMARTCARDS IN WIDER SYSTEM

| PB173 Secure hardware

Big picture – terminal/reader and card
[Diagram: terminal/reader and card; example uses: Merchant payment, Digital signature]
What principles and standards are used?

Big picture - components
•User application
–Merchant terminal GUI
–Banking transfer GUI
–Browser TLS
–…
•Card application
–EMV applet for payments
–SIM applet for GSM
–OpenPGP applet for PGP
–…
[Diagram labels: User application, OS smart card API, smart card reader, contact(less) transmission, Card I/O manager, Card OS, Card application]

[Diagram: layers between a PC application and the card applications]
•PC application via library: browser TLS, PDF sign…
•PC application with direct control: GnuPG, GPShell
•Custom app with direct control
•Libraries: PKCS#11, OpenSC, JMRTD
•Smartcard control language API: C/C# WinSCard.h, Java java.smartcardio.*, Python pyscard
•System smartcard interface: Windows’s PC/SC, Linux’s PC/SC-lite
–Manage readers and cards, transmit ISO7816-4’s APDU
•Readers
–Contact: ISO7816-2,3 (T=0/1)
–Contactless: ISO 14443 (T=CL)
•API: EMV, GSM, PIV, OpenPGP, ICAO 9303 (BAC/EAC/SAC), OpenPlatform, ISO7816-4 cmds, custom APDU
•SC app programming: JavaCard, MultOS, .NET, MPCOS
•Card application 1, Card application 2, Card application 3

Main standards
•ISO7816 1-4
–Card physical properties ISO7816-1
–Physical layer communication protocol ISO7816-2-3
–Data packet format (APDU)
•PC/SC, PC/SCLite (host side)
–Readers/cards management
–Transmission of logical APDU packets
–C/C# WinSCard.h, Java java.smartcardio.*, Python pyscard
•PKCS#11
–standardized interface on host side
–card can be proprietary
•GlobalPlatform
–remote card management interface
–secure installation of applications

Card’s programming platforms
•MultOS
–Multiple supported languages, native compilation
–Often bank cards
•JavaCard
–open programming platform from Sun
–applets portable between cards
•Microsoft .NET for smartcards
–Similar to JavaCard, but C#
–Applications portable between cards
–Limited market penetration

What is the typical performance?
•Hardware differs significantly
–Clock multiplier, memory speed, crypto coprocessor…
•Typical speed of operation is:
–Milliseconds (RNG, symmetric crypto, hash)
–Tens of milliseconds (transfer data in/out)
–Hundreds of milliseconds (asymmetric crypto)
–Seconds (RSA keypair generation)
•An operation may consist of multiple steps
–Transmit data, prepare key, prepare engine, encrypt
–→ additional performance penalty

Performance tables for common cards
•Visit http://www.fi.muni.cz/~xsvenda/jcalgtest/

Practical assignment (from last week)
•Client to client network communication
•Speed up encryption of data packets between two clients with CTR mode
–Divide the packet into multiple parts
–Use parallel threads to protect parts of the data packet
•the number of available cores is a parameter of the function
•(at least one thread required ;))
•Document performance gains
–speed before and after the optimization (can you increase speed linearly?)
–What is the packet length at which multiple threads bring a speedup benefit? (overhead of running threads)

Submissions, deadlines
•Upload the application source code as a single zip file into IS Homework vault (Crypto - 8. homework (Threads))
•DEADLINE 2.5. 12:00
–0-10 points assigned
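
The packet-splitting step of the assignment above, as an added example that is not part of the original slides: each part starts on a block boundary and uses the absolute block index as its counter, so the output is identical for any thread count. All names are assumptions, and `keystream_block` is a non-cryptographic placeholder standing in for AES; the nonce must never repeat under the same key.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <thread>
#include <vector>

constexpr size_t BLOCK = 16;  // AES block size in bytes

// PLACEHOLDER for AES_encrypt(key, nonce || counter): a keyed 64-bit mixer.
// NOT secure; replace with a real block cipher call in actual code.
static void keystream_block(uint64_t key, uint64_t nonce, uint64_t ctr, uint8_t out[BLOCK]) {
    uint64_t w[2] = {key ^ nonce ^ ctr, key + ctr * 0x9E3779B97F4A7C15ULL + ~nonce};
    for (auto& x : w) {
        x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 27; x *= 0x94D049BB133111EBULL; x ^= x >> 31;
    }
    std::memcpy(out, w, BLOCK);
}

// XOR the keystream over data[begin, end); begin must be a multiple of BLOCK.
static void ctr_range(uint64_t key, uint64_t nonce, std::vector<uint8_t>& data,
                      size_t begin, size_t end) {
    uint8_t ks[BLOCK];
    for (size_t off = begin; off < end; off += BLOCK) {
        keystream_block(key, nonce, off / BLOCK, ks);  // counter = absolute block index
        size_t n = std::min(BLOCK, end - off);         // last block may be partial
        for (size_t i = 0; i < n; ++i) data[off + i] ^= ks[i];
    }
}

// In-place CTR encryption/decryption using at most `threads` threads.
void ctr_parallel(uint64_t key, uint64_t nonce, std::vector<uint8_t>& data, unsigned threads) {
    if (threads == 0) threads = 1;  // at least one thread required
    size_t blocks = (data.size() + BLOCK - 1) / BLOCK;
    size_t per = (blocks + threads - 1) / threads * BLOCK;  // bytes per part, block-aligned
    std::vector<std::thread> pool;
    for (size_t begin = per; begin < data.size(); begin += per)
        pool.emplace_back(ctr_range, key, nonce, std::ref(data), begin,
                          std::min(begin + per, data.size()));
    ctr_range(key, nonce, data, 0, std::min(per, data.size()));  // caller handles part 0
    for (auto& t : pool) t.join();
}

// Encrypts a constructed sample packet with a fixed demo key and nonce.
std::vector<uint8_t> demo(size_t len, unsigned threads) {
    std::vector<uint8_t> pkt(len);
    for (size_t i = 0; i < len; ++i) pkt[i] = static_cast<uint8_t>(i * 7);
    ctr_parallel(0x0123456789ABCDEFULL, 0x1122334455667788ULL, pkt, threads);
    return pkt;
}
```

Timing `ctr_parallel` for growing packet lengths and thread counts gives the before/after numbers the assignment asks for; for short packets the thread start-up cost dominates.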