P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\titulka.jpg
PV204 Security technologies
JavaCard platform
•Petr Švenda svenda@fi.muni.cz
•Faculty of Informatics, Masaryk University

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard platform
•Lecture
–JavaCard algorithms, secure usage, performance
–JCVM mode of operation
–On-card, off-card code verification
–OpenPlatform – applet installation
•Lab:
–Programming of simple communication application (Java)
–Programming basic JavaCard 2.x applet (JavaCard)
•
•
| PV204 Security Technologies: JavaCard
2

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Overview
•JavaCard programming platform
•Skeleton of JavaCard applet
•How to upload and communicate with
•Best practices – performance, security
•Supplementary materials
–Simple signature applet
–Simple symmetric cryptography applet
•
•
3
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Old vs. multi-application smart cards
•One program only
•Stored persistently in ROM or EEPROM
•Written in machine code
–Chip specific
•
•Multiple applications at the same time
•Stored in EEPROM
•Written in higher-level language
–Interpreted from bytecode
–Portable
•Application can be later managed (remotely)
| PV204 Security Technologies: JavaCard
4

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
laptop
| PV204 Security Technologies: JavaCard
Libraries
PKCS#11, OpenSC, JMRTD
Smartcard control language API
C/C# WinSCard.h, Java java.smartcardio.*, Python pyscard
System smartcard interface: Windows’s PC/SC, Linux’s PC/SC-lite
Manage readers and cards, Transmit ISO7816-4’s APDU
Custom app with
direct control
PC application via library:
browser TLS, PDF sign…
PC application
with direct control:
GnuPG, GPShell
API: EMV, GSM, PIV, OpenPGP, ICAO 9303 (BAC/EAC/SAC)
OpenPlatform, ISO7816-4 cmds, custom APDU
SC app programming:
JavaCard, MultOS, .NET
Readers
Contact: ISO7816-2,3 (T=0/1)
Contactless: ISO 14443 (T=CL)
Card application 3
Card application 2
Card application 1
5
Our focus today

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard basics
| PV204 Security Technologies: JavaCard
226px-Wave
6

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard
•Maintained by Sun Microsystems (now Oracle)
•Cross-platform and cross-vendor applet interoperability
•Freely available specifications and development kits
–http://www.oracle.com/technetwork/java/javacard/index.html
•JavaCard applet is Java-like application
–uploaded to a smart card
–executed by the JCVM
| PV204 Security Technologies: JavaCard
JCArchitecture D:\Documents\Obrázky\SmartCard\firts_javacard_1997.jpg
7

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg blank_card
server
User Application
PC/SC library
Applet1
Applet2
JCVM
JavaCard applets
•Written in restricted Java syntax
–byte/short (int) only, missing most of Java objects
•Compiled using standard Java compiler
•Converted using JavaCard converter
–check bytecode for restrictions
–can be signed, encrypted…
•Uploaded and installed into smartcard
–executed in JC Virtual Machine (JCVM)
•Communication using APDU commands
–small packets with header
–
| PV204 Security Technologies: JavaCard
8

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard versions
•JavaCard 2.1.x/2.2.x (2001-2003)
–widely supported versions
–basic symmetric and asymmetric cryptography algorithms
–PIN, hash functions, random number generation
–transactions, utility functions
•JavaCard 2.2.2 (2006)
–last version from 2.x series
–significantly extended support for algorithms and new concepts
•long “extended” APDUs, BigNumber support, biometrics
•external memory usage, fast array manipulation methods…
•JavaCard 3.x (2009)
–classic and connected editions, later
| PV204 Security Technologies: JavaCard
9

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard 2.x not supporting
•No dynamic class loading
•No Security manager
•No Threads and synchronization
•No Object cloning, finalization
•No Large primitive data types
–float, double, long and char
–usually not even int (4 bytes) data type
•Most of std. classes missing
–most of java.lang, Object and Throwable in limited form
•Limited garbage collection
–Newer cards supports, but slow and not always unreliable
| PV204 Security Technologies: JavaCard
10

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard 2.x supports
•Standard benefits of the Java language
–data encapsulation, safe memory management, packages, etc.
•Applet isolation based on the JavaCard firewall
–applets cannot directly communicate with each other
–special interface (Shareable) for cross applets interaction
•Atomic operations using transaction mode
•Transient data (buffer placed in RAM)
–fast and automatically cleared
•A rich cryptography API
–accelerated by cryptographic co-processor
•Secure (remote) communication with the terminal
–if GlobalPlatform compliant (secure messaging, security domains)
| PV204 Security Technologies: JavaCard
11

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard 3.x (most recent is 3.0.5 (2015))
•Major release of JavaCard specification
–significant changes in development logic
–two separate branches – Classic and Connected edition
•JavaCard 3.x Classic Edition
–legacy version, extended JC 2.x
–APDU-oriented communication
•JavaCard 3.x Connected Edition
–smart card perceived as web server (Servlet API)
–TCP/IP network capability, HTTP(s), TLS
–supports Java 6 language features (generics, annotations…)
–move towards more powerful target devices
–focused on different segment then classic smart cards
| PV204 Security Technologies: JavaCard
12

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Version support
•Need to know supported version for your card
–convertor adds version identification to package
–If converted with unsupported version, upload to card fails
•Supported version can be obtained from card
–JCSystem.getVersion() ® [Major.Minor]
–See https://www.fi.muni.cz/~xsvenda/jcsupport.html
•Available cards supports mostly 2.x specification or 3.x (newer cards)
•
| PV204 Security Technologies: JavaCard
13

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard applet firewall – runtime checks
•
14
| PV204 Security Technologies: JavaCard
blank_card
Inspired by http://ekladata.com/IHWNXUB-yernblD2sdiK1zxxQco/5_javacard.pdf
SmartCard hardware
JavaCard runtime environment (JCRE)
JCRE = JCVM + API
APDU
•Access to other applet’s methods and attributes prevented
–Even if public
•Applets can access specific JCRE objects
•JCRE can access all applets (no restriction)
•Static attributes of package accessible by all its applets!
Cap file 1
Static data
Cap file 2

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEVELOPING JAVACARD APPS
•
15
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Desktop vs. smart card
•Following slides will be marked with icon based on where it is executed
•
•       Process executed on host (PC/NTB…)
•
•       Process executed inside smart card
16
| PV204 Security Technologies: JavaCard
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•| PV204 Security Technologies: JavaCard
•package example;
•import javacard.framework.*;
•
•public class HelloWorld extends Applet {
•    protected HelloWorld()  {
•       register();
•    }
•    public static void install(byte[] bArray, short bOffset, byte bLength) {
•        new HelloWorld();
•    }
•    public boolean select() {
•        return true;
•    }
•    public void process(APDU apdu) {
•        // get the APDU buffer
•        byte[] apduBuffer = apdu.getBuffer();
•        // ignore the applet select command dispached to the process
•        if (selectingApplet()) return;
•        // APDU instruction parser
•        if (apduBuffer[ISO7816.OFFSET_CLA] == CLA_MYCLASS) &&
•            apduBuffer[ISO7816.OFFSET_INS] == INS_MYINS)) {
•            MyMethod(apdu);
•        }
•        else ISOException.throwIt( ISO7816.SW_INS_NOT_SUPPORTED);
•    }
•    public void MyMethod(APDU apdu) { /* ... */ }
•}
•include packages from javacard.*
•extends Applet
•Called only once, do all allocations&init HERE
•Called repeatedly on application select, do all temporaries preparation HERE
•Called repeatedly for every incoming APDU, parse and call your code HERE
17

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JC development process
•
18
| PV204 Security Technologies: JavaCard
server blank_card
6. Write user Java app
(javax.smartcardio.*)
1.Extends
javacard.framework.Applet
2. Compile Java®*.class
(Java 1.3 binary format)
3. Convert *.class®*.jar/cap
(JavaCard Convertor)
4. Upload *.jar/cap
® smart card (GPPro/GPShell)
5. Install applet
(GPPro/GPShell)
7. Use applet on
smart card (APDU)

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard application running model
1.Uploaded package – application binary
2.Installed applet from package – running application
3.Applet is “running” until deleted from card
4.Applet is suspended when power is lost
–Transient data inside RAM are erased
–Persistent data inside EEPROM remain
–Currently executed method is interrupted
5.When power is resumed
–Unfinished transactions are rolled back
–Applet continues to run with the same persistent state
–Applet waits for new command (does not continue with interrupted method)
6.Applet is deleted by service command
19
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
On-card, off-card code verification
•Off-card verification
–Basic JavaCard constraints
–Possibly additional checks (e.g., type consistency when using Shareable interface)
–Full-blown static analysis possible
–Applet can be digitally signed
•On-card verification
–Limited resources available
–Proprietary checks by JC platform implementation
| PV204 Security Technologies: JavaCard
20
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
OpenPlatform Package/applet upload
A.Security domain selection
B.Secure channel establishment – security domain
C.Package (cap file) upload
–Local upload in trusted environment
–Remote upload with relayed secure channel
D.Applet installation
–Separate instance from package binary with unique AID
–Applet privileges and other parameters passed
–Applet specific installation data passed
| PV204 Security Technologies: JavaCard
21
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEVELOPING SIMPLE APPLET
•
| PV204 Security Technologies: JavaCard
22

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JavaCard – My first applet
•Desktop Java vs. JavaCard
–PHP vs. C J
•No modern programming features
–No threads, no generics, no iterators…
•Limited type system
–Usually no ints (short int and byte only), no floats, no Strings
•Fun with signed 16-bits values
–JavaCard is usually 16-bit platform (short)
–(short) typecast must be performed on intermediate results
–Shorts are signed => to obtain unsigned byte
•Convert to short with & 0x00ff
•
–
–
| PV204 Security Technologies: JavaCard
23

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Necessary tools
•Several tool chains available
–both commercial (RADIII, JCOPTools, G&D JCS Suite)
–and free (Sun JC SDK, AppletPlayground…)
•We will use:
–Java Standard Edition Development Kit 1.3 or later
–Apache Ant 1.7 or later, JavaCard Development Kit 2.2.2
–JavaCard Ant Tasks (from JC SDK 2.2.2)
–NetBeans 6.8 or later as IDE
–GlobalPlatformPro for applets management
–
–
| PV204 Security Technologies: JavaCard
24
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•| PV204 Security Technologies: JavaCard
•package example;
•import javacard.framework.*;
•
•public class HelloWorld extends Applet {
•    protected HelloWorld()  {
•       register();
•    }
•    public static void install(byte[] bArray, short bOffset, byte bLength) {
•        new HelloWorld();
•    }
•    public boolean select() {
•        return true;
•    }
•    public void process(APDU apdu) {
•        // get the APDU buffer
•        byte[] apduBuffer = apdu.getBuffer();
•        // ignore the applet select command dispached to the process
•        if (selectingApplet()) return;
•        // APDU instruction parser
•        if (apduBuffer[ISO7816.OFFSET_CLA] == CLA_MYCLASS) &&
•            apduBuffer[ISO7816.OFFSET_INS] == INS_MYINS)) {
•            MyMethod(apdu);
•        }
•        else ISOException.throwIt( ISO7816.SW_INS_NOT_SUPPORTED);
•    }
•    public void MyMethod(APDU apdu) { /* ... */ }
•}
•include packages from javacard.*
•extends Applet
•Called only once, do all allocations&init HERE
•Called repeatedly on application select, do all temporaries preparation HERE
•Called repeatedly for every incoming APDU, parse and call your code HERE
25

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Simple JavaCard applet - code
1.Subclass javacard.framework.Applet
2.Allocate all necessary resources in constructor
3.Select suitable CLA and INS for your method
4.Parse incoming APDU in Applet.process() method
5.Call your method when your CLA and INS are set
6.Get incoming data from APDU object (getBuffer(), setIncomingAndReceive())
7.Use/modify data
8.Send response (setOutgoingAndSend())
| PV204 Security Technologies: JavaCard
26

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
select() method
•Method called when applet is set as active
–for subsequent APDU commands
–begin of the session
–use for session data init (clear keys, reset state…)
•
•
•
•deselect()
–similar, but when applet usage finish
–may not be called (sudden power drop) => clear in select
| PV204 Security Technologies: JavaCard
 public void select() { // CLEAR ALL SESSION DATA
        chv1.reset(); // Reset OwnerPIN verification status
        remainingDataLength = 0; // Set states etc.
        // If card is not blocked, return true.
        // If false is returned, applet is not selectable
       if (!blocked) return true;
       else return false;
    }
27

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Sending and receiving data
•javacard.framework.APDU
–incoming and outgoing data in APDU object
•Obtaining just apdu header
–APDU.getBuffer()
•Receive data from terminal
–APDU.setIncomingAndReceive()
•Send outgoing data
–APDU.setOutgoingAndSend()
| PV204 Security Technologies: JavaCard
28

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Sending and receiving data – source code
•
| PV204 Security Technologies: JavaCard
private void ReceiveSendData(APDU apdu) {
     byte[]    apdubuf = apdu.getBuffer();     // Get just APDU header (5 bytes)
     short     dataLen = apdu.setIncomingAndReceive(); // Get all incoming data
     // DO SOMETHING WITH INPUT DATA
     // STARTING FROM apdubuf[ISO7816.OFFSET_CDATA]
     // ...
     // FILL SOMETHING TO OUTPUT (apdubuf again)
     Util.arrayFillNonAtomic(apdubuf, ISO7816.OFFSET_CDATA, 10, (byte) 1);
     // SEND OUTGOING BUFFER
     apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, 10);
 }
29

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
COMMUNICATION WITH SMART CARD
•
| PV204 Security Technologies: JavaCard
30

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•| PV204 Security Technologies: JavaCard
JavaCard communication lifecycle
1.(Applet is already installed, APPLET_AID)
2.PC: Reset card (plug smart card in, software reset)
3.PC: Send SELECT command (00 0a 04 00 APPLET_AID)
lreceived by Card Manager application
lSC: sets our applet active, select() method is always called
4.PC: Send any APDU command (any of your choice)
lSC: received by process() method
5.SC: Process incoming data on card, prepare outgoing data
lencryption,  signature…
6.PC: Receive any outgoing data
ladditional special readout APDU might be required
7.PC: Repeat again from step 4
8.PC: (Send DESELECT command)
lSC: deselect() method might be called
31
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Java javax.smartcardio.* API
•List readers available in system
–TerminalFactory.terminals()
–identified by index CardTerminal.get(index)
–readable string (Gemplus GemPC Card Reader 0)
•Connect to target card
–Check for card (CardTerminal.isCardPresent())
–connect to Card (CardTerminal.connect("*"))
–get channel (Card.getBasicChannel())
–reset card and get ATR (Card.getATR())
•
| PV204 Security Technologies: JavaCard
32
Already used in labs last week – SimpleAPDU project
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Java javax.smartcardio.* API (2)
•Select applet on card
–send APDU with header 00 a4 04 00 LC APPLET_AID
•Send APDU to invoke method
–prepare APDU buffer (byte array)
–create CommandAPDU from byte array
–send CommandAPDU via CardChannel.transmit()
–check for response data (getSW1() == 0x61)
–read available response data by 00 C0 00 00 SW2
•Process response
–status should be ResponseAPDU.getSW() == 0x9000
–returned data ResponseAPDU.getData()
| PV204 Security Technologies: JavaCard
33
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Response APDU (R-APDU)
•Response data + status word (2 bytes)
–0x9000 - SW_NO_ERROR, OK
–0x61** -  SW_BYTES_REMAINING_**
–see javacard.framework.ISO7816 interface
–other status possible (GlobalPlatform, user defined)
•May require special command to read out
–first response is just status word (0x61**)
–00 C0 00 00 ** or C0 C0 00 00 ** APDU
•** is number of bytes to read out
| PV204 Security Technologies: JavaCard
34
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
PV204 JavaCard platform
argumentů funkce
•| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEBUGGING APPLET
•
| PV204 Security Technologies: JavaCard
36

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•
37
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
1. Debugging applets: simulator
•The smartcard is designed to protect application
–Debugger cannot be connected to running application
•Option 1: use card simulator (jcardsim.org)
–Simulation of JavaCard 2.2.2 (based on BouncyCastle)
–Very helpful, allows for direct debugging (labs)
–Catch of logical flaws etc.
–Allows to write automated unit and integration tests!
•Problem: Real limitations of cards are missing
–supported algorithms, memory, execution speed…
| PV204 Security Technologies: JavaCard
38
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
2. Debugging applets: real cards
•Option 2: use real cards
–Cannot directly connect debugger, no logging strings…
•Debugging based on error messages
–Use multiple custom errors rather than ISO7816 errors
–Distinct errors tell you where problem (might) happened
•Problem: operation may end with unspecific 0x6f00
–Any uncaught exception on card (other than ISOException)
–Solution1: Capture on card, translate to ISOException
–Solution2: Locate problematic command by insertion of ISOException.throwIt(0x666); and recompile
39
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Possible causes for exception on card
•Writing behind allocated array
•Using Key that was Key.clear() before
•Insufficient memory to complete operation
•Cipher.init() with uninitialized Key
•Import of RSA key into real card generated by software outside card (e.g., getP() len == 64 vs.
65B for RSA1024)
•Storing reference of APDU object localAPDU = origAPDU;
•Decryption of value stored in byte[] array with raw RSA with most significant bit == 1 (set first
byte of array to 0xff to verify)
•Set CRT RSA key using invalid values for given part - e.g. setDP1()
•Too many nested calls, no free space on stack for arguments
•… and many more J
•
| PV204 Security Technologies: JavaCard
40

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Getting more than 0x6f00
41
| PV204 Security Technologies: JavaCard
    public void process(javacard.framework.APDU apdu) {
        // ignore the applet select command dispatched to the process
        if (selectingApplet()) return;
        try {
            //
           // … Standard APDU command dispatching...
           //
        } catch (ISOException e) {
            throw e; // Our exception from code, just re-emit
        } catch (ArrayIndexOutOfBoundsException e) {
            ISOException.throwIt(SW_ArrayIndexOutOfBoundsException);
        } catch (ArithmeticException e) {
            ISOException.throwIt(SW_ArithmeticException);
        } catch (ArrayStoreException e) {
            ISOException.throwIt(SW_ArrayStoreException);
        } catch (NullPointerException e) {
            ISOException.throwIt(SW_NullPointerException);
        } catch (NegativeArraySizeException e) {
            ISOException.throwIt(SW_NegativeArraySizeException);
        } catch (CryptoException e) {
            ISOException.throwIt((short) (SW_CryptoException_prefix | e.getReason()));
        } catch (SystemException e) {
            ISOException.throwIt((short) (SW_SystemException_prefix | e.getReason()));
        } catch (PINException e) {
            ISOException.throwIt((short) (SW_PINException_prefix | e.getReason()));
        } catch (TransactionException e) {
            ISOException.throwIt((short) (SW_TransactionException_prefix | e.getReason()));
        } catch (CardRuntimeException e) {
            ISOException.throwIt((short) (SW_CardRuntimeException_prefix | e.getReason()));
        } catch (Exception e) {
            ISOException.throwIt(Consts.SW_Exception);
        }
    }
final short SW_Exception     = (short) 0xff01;
final short SW_ArrayIndexOutOfBoundsException = (short) 0xff02;
final short SW_ArithmeticException     = (short) 0xff03;
final short SW_ArrayStoreException     = (short) 0xff04;
final short SW_NullPointerException     = (short) 0xff05;
final short SW_NegativeArraySizeException     = (short) 0xff06;
final short SW_CryptoException_prefix     = (short) 0xf100;
final short SW_SystemException_prefix     = (short) 0xf200;
final short SW_PINException_prefix     = (short) 0xf300;
final short SW_TransactionException_prefix     = (short) 0xf400;
final short SW_CardRuntimeException_prefix     = (short) 0xf500;
•Some exceptions provide additional information (code). Propagate it further
•Our exception, just re-emit

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Debugging using custom commands
•Addition of custom commands to “dump” interesting parts of data
–Intermediate values of internal arrays, unwrapped keys…
•Should obey to Secure by default principle
–Debugging possibility should be enabled only on intention
–E.g., specific flag in installation data which cannot be enabled later (by an attacker)
–Don’t let debugging code into release!
•
42
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
BEST PRACTICES
•
| PV204 Security Technologies: JavaCard
43

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Execution speed hints (1)
•Big difference between RAM and EEPROM memory
–new allocates in EEPROM (persistent, but slow)
•do not use EEPROM for temporary data
•do not use for sensitive data (keys)
–JCSystem.getTransientByteArray() for RAM buffer
–local variables automatically in RAM
•Use algorithms from JavaCard API and utility methods
–much faster, cryptographic co-processor
•Allocate all necessary resources in constructor
–executed during installation (only once)
–either you get everything you want or not install at all
| PV204 Security Technologies: JavaCard
44

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Execution speed hints (2)
•Garbage collection limited or not available
–do not use new except in constructor
•Use copy-free style of methods
–foo(byte[] buffer, short start_offset, short length)
•Do not use recursion or frequent function calls
–slow, function context overhead
•Do not use OO design extensively (slow)
•Keep Cipher or Signature objects initialized
–if possible (e.g., fixed master key for subsequent derivation)
–initialization with key takes non-trivial time
•
| PV204 Security Technologies: JavaCard
45

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
D:\Documents\Obrazky\numobjects2.png
How many cryptographic engines?
•
| PV204 Security Technologies: JavaCard
46

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security hints (1)
•Use API algorithms/modes rather than your own
–API algorithms fast and protected in cryptographic hardware
–general-purpose processor leaks more information
•Store session data in RAM
–faster and more secure against power analysis
–EEPROM has limited number of rewrites (105 - 106 writes)
•Never store keys and PINs in primitive arrays
–use specialized objects like OwnerPIN and Key
–better protected against power, fault and memory read-out attacks
| PV204 Security Technologies: JavaCard
47

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security hints (2)
•Erase unused keys and sensitive arrays
–use specialized method if exists (Key.clearKey())
–or overwrite with random data (Random.generate())
•Use transactions to ensure atomic operations
–power supply can be interrupted inside code execution
–be aware of attacks by interrupted transactions - rollback attack
•Do not use conditional jumps with sensitive data
–branching after condition is recognizable with power analysis
| PV204 Security Technologies: JavaCard
48

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Security hints (3)
•Allocate all necessary resources in constructor
–applet installation usually in trusted environment
–prevent attacks based on limiting available resources
•Don’t use static attributes (except constants)
–Static attribute is shared between multiple instances of applet (bypass applet firewall)
–Static ptr to array/engine filled by dynamic allocation cannot be removed until package is removed
from card (memory “leak”)
•Use automata-based programming model
–well defined states (e.g., user PIN verified)
–well defined transitions and allowed method calls
–
| PV204 Security Technologies: JavaCard
49

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard applet firewall issues
•Main defense for separation of multiple applets
•Platform implementations differ
–Usually due to the unclear and complex specification
•If problem exists then is out of developer’s control
•Firewall Tester project (W. Mostowski)
–Open and free, the goal is to test the platform
–http://www.sos.cs.ru.nl/applications/smartcards/firewalltester/
–
short[] array1, array2; // persistent variables
short[] localArray = null; // local array
JCSystem.beginTransaction();
array1 = new short[1];
array2 = localArray = array1; // dangling reference!
JCSystem.abortTransaction();
50

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Additional reading
•Gemalto JavaCard developers guide
–https://is.muni.cz/el/1433/podzim2007/PV181/um/4472881/Gemalto_JavaCard_DevelGuide.pdf
•Java Card lecture, Erik Poll, Radboud Uni
–http://ekladata.com/IHWNXUB-yernblD2sdiK1zxxQco/5_javacard.pdf
•
51
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Summary
•Smart cards are programmable (JavaCard)
–reasonable cryptographic API
–coprocessor for fast cryptographic operations
–multiple applications coexist securely on single card
–Secure execution environment
•Standard Java 6 API for communication exists
•PKI applet can be developed with free tools
–PIN protection, on-card key generation, signature…
•JavaCard is not full Java – optimizations, security
| PV204 Security Technologies: JavaCard
52

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•
| PV204 Security Technologies: JavaCard
53

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
SUPPLEMENTARY MATERIALS
•
| PV204 Security Technologies: JavaCard
54

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
QUICK AND DIRTY START
•
55
| PV204 Security Technologies: JavaCard

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Quick and dirty start – OpenPGP applet
1.Get JavaCard smart card and reader
2.Install Java SDK and ant build environment
–Don’t forget to set proper paths (javac, ant)
3.Download AppletPlayground project
–https://github.com/martinpaljak/AppletPlayground
4.Download GlobalPlatformPro uploader
–https://github.com/martinpaljak/GlobalPlatformPro
56
| PV204 Security Technologies: JavaCard
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
1. Compile and convert applets
•> ant toys
–‘toys’ is ant build target inside build.xml
–Compiles source with Java compiler (javac)
–Convert with javacard convertor
•(use > ant simpleapplet to build only our applet)
57
| PV204 Security Technologies: JavaCard
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
2. Manage applets on smart card
•GlobalPlatformPro tool
–Authenticates against CardManager
–Establish secure channel with CM
–Manage applets (list/upload/delete)
•
58
| PV204 Security Technologies: JavaCard
Auto-detected ISD AID: A000000003000000
Host challenge: BD525E5585006202
Card challenge: 05211C9591C58232
Card reports SCP02 with version 255 keys
Master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
Sequence counter: 0521
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•
59
| PV204 Security Technologies: JavaCard
>gp -list –verbose
Reader: Gemplus USB SmartCard Reader 0
ATR: 3BF81300008131FE454A434F5076323431B7
More information about your card:
    http://smartcard-atr.appspot.com/parse?ATR=3BF81300008131FE454A434F507632343
1B7
Auto-detected ISD AID: A000000003000000
Host challenge: 10FFA96848D9EB62
Card challenge: 0520E372F35B4818
Card reports SCP02 with version 255 keys
Master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
Sequnce counter: 0520
Derived session keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:654E72AAADA31F0A7B5567160DE4C5A7
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:C6883A00AB6E56384B845A5A6F68CA6C
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:3875213C9F2123EB01AA420DC83C18F0
Verified card cryptogram: 62CBE443B3F4FB80
Calculated host cryptogram: 9AAC671F9B1E0630
AID: A000000003000000 (|........|)
     ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected, CVM (PIN)
management
AID: A0000000035350 (|.....SP|)
     ExM LOADED: (none)
     A000000003535041 (|.....SPA|)
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
3. Upload applet to smart card
•(already converted applet *.cap is assumed)
•> gp --instal OpenPGPApplet.cap –verbose
•
•
•
•
•
•
•Hint: test with gpg --card-edit
60
| PV204 Security Technologies: JavaCard
CAP file (v2.1) generated on Sat Oct 03 15:13:58 CEST 2015
By Sun Microsystems Inc. converter 1.3 with JDK 1.8.0_60 (Oracle Corporation)
Package: openpgpcard v0.0 with AID D27600012401
Applet: OpenPGPApplet with AID D2760001240102000000000000010000
Import: A0000000620101 v1.3
Import: A0000000620201 v1.3
Import: A0000000620102 v1.3
Import: A0000000620001 v1.0
Cap loaded
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
OpenPlatform Package/applet upload
A.Security domain selection
B.Secure channel establishment – security domain
C.Package upload
–Local upload in trusted environment
–Remote upload with relayed secure channel
D.Applet installation
–Separate instance from package binary with unique AID
–Applet privileges and other parameters passed
–Applet specific installation data passed
| PV204 Security Technologies: JavaCard
61
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
4. Communicate with smart card
•> gp --apdu  apdu_in_hex --debug
•Example for SimpleApplet.java
–gp –-apdu B0541000 -d (generate random numbers)
–
–
–
–
–
–
62
| PV204 Security Technologies: JavaCard
>gp --apdu B0541000 -d
[*] Gemplus USB SmartCard Reader 0
SCardConnect("Gemplus USB SmartCard Reader 0", T=*) -> T=1, 3BF81300008131FE454A
434F5076323431B7
SCardBeginTransaction("Gemplus USB SmartCard Reader 0")
A>> T=1 (4+0000) B0541000
A<< (0016+2) (32ms) 801D52307393AC0AB1CC242F6905B7C5 9000
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
5. Delete applet
•> gp --delete D27600012401 --deletedeps
•
•(Verify that applet was deleted by gp –list)
63
| PV204 Security Technologies: JavaCard
server

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEVELOPING SIMPLE PKI APPLET
•
| PV204 Security Technologies: JavaCard
64

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
PKI-relevant JavaCard API
•Access controlled by PIN
–javacard.security.OwnerPIN
•Asymmetric cryptography keys
–javacard.security.KeyPair, PublicKey, PrivateKey
•Digital signatures
–javacard.security.Signature
•Asymmetric encryption
–javacard.security.Cipher
•
•
| PV204 Security Technologies: JavaCard
65

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
PIN verification functionality
•javacard.framework.OwnerPIN
•Management functions (available for “admin”)
–Create PIN (new OwnerPIN())
–Set initial PIN value (OwnerPIN.update())
–Unblock PIN (OwnerPIN. resetAndUnblock())
•Common usage functions (available to user)
–Verify supplied PIN (OwnerPIN.check())
–Check if was verified (OwnerPIN.isValidated())
–Get remaining tries (OwnerPIN.getTriesRemaining())
–Set new value (OwnerPIN.update())
| PV204 Security Technologies: JavaCard
66

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
PIN code
•
| PV204 Security Technologies: JavaCard
// CREATE PIN OBJECT (try limit == 5, max. PIN length == 4)
OwnerPIN m_pin = new OwnerPIN((byte) 5, (byte) 4);
// SET CORRECT PIN VALUE
m_pin.update(INIT_PIN, (short) 0, (byte) INIT_PIN.length);
// VERIFY CORRECTNESS OF SUPPLIED PIN
boolean correct = m_pin.check(array_with_pin, (short) 0, (byte) array_with_pin.length);
// GET REMAING PIN TRIES
byte j = m_pin.getTriesRemaining();
// RESET PIN RETRY COUNTER AND UNBLOCK IF BLOCKED
m_pin.resetAndUnblock();
67

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Digital signature
•Management functions
–Generate new key pair (KeyPair().genKeyPair())
–Export public key (KeyPair().getPublic())
–(export private key) (KeyPair().getPrivate())
–create Signature object (Signature.getInstance())
–init with public/private key (Signature.init())
•Common usage functions
–sign message (Signature.update(), Signature.sign())
–verify signature (Signature.update(),verify())
| PV204 Security Technologies: JavaCard
68

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
On-card asymmetric key generation
•javacard.security.KeyPair
•Key pair is generated directly on smart card
–very good entropy source (TRNG)
–private key never leaves the card (unless you allow in code)
–fast sign/verify operation
•But who is sending data to sign/decrypt?
–protect signature method by PIN.isValidated() check
–use secure channel to prevent injection of attacker’s message
–terminal still must be trustworthy
•
| PV204 Security Technologies: JavaCard
69

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Key generation - source code
•
| PV204 Security Technologies: JavaCard
// CREATE RSA KEYS AND PAIR
m_keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_1024);
// STARTS ON-CARD KEY GENERATION PROCESS
m_keyPair.genKeyPair();
// OBTAIN REFERENCES TO PRIVATE AND PUBLIC KEY OBJECT
m_publicKey = m_keyPair.getPublic();
m_privateKey = m_keyPair.getPrivate();
Example shows RSA 1024b – not recommended
Use KeyBuilder.LENGTH_RSA_2048 instead
(But 2 APDUs are required to transmit signature back)
70

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Public (private) key export/import
•Obtain algorithm-specific key object from KeyPair
–e.g., RSAPublicKey pubKey = keyPair.getPublic();
–get exponent and modulus
•getExponent() & getModulus() methods
–send it back to terminal via APDU
•Similar situation with key import
–setExponent() & setModulus() methods
•Private key export
–It is up to you if your code will allow private key export (usually not)
–Otherwise similar as for RSAPublicKey
–more parameters with RSAPrivateCrtKey (CRT mode)
| PV204 Security Technologies: JavaCard
71

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
javacard.security.Signature
•Both symmetric and asymmetric crypto signatures
–RSA_SHA_PKCS1 (always), ECDSA_SHA, DSA (less common)
–DES_MAC8_NOPAD (always), ISO9797 (common), AES (common)
–check in advance what your card supports (JCAlgTester)
•Message hashing done on card (asymmetric sign)
–message received in single or multiple APDUs
–Signature.update(), Signature.sign()
•If you need just sign of message hash
–use Cipher object to perform asymmetric crypto operation
| PV204 Security Technologies: JavaCard
72

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Signature – source code
•
| PV204 Security Technologies: JavaCard
// CREATE SIGNATURE OBJECT
Signature m_sign = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
// INIT WITH PRIVATE KEY
m_sign.init(m_privateKey, Signature.MODE_SIGN);
// SIGN INCOMING BUFFER
signLen = m_sign.sign(apdubuf, ISO7816.OFFSET_CDATA, (byte) dataLen,
                                     m_ramArray, (byte) 0);
73

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Asymmetric encryption
•javacardx.crypto.Cipher
•Usage similar to Signature object
–generate key pair
–export/import public key
–initialize Key and set mode (MODE_ENCRYPT/DECRYPT)
–process incoming data (Cipher.update(), doFinal())
•Supported algorithms
–RSA_NOPAD (always), RSA_PKCS1 (almost always)
| PV204 Security Technologies: JavaCard
74

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEMO - SYMMETRIC CRYPTOGRAPHY APPLET
•
| PV204 Security Technologies: JavaCard
75

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Random numbers
•javacard.security.RandomData
•Two versions of random generator
–ALG_SECURE_RANDOM (truly random)
–ALG_PSEUDO_RANDOM (deterministic from seed)
•Generate random block
–RandomData.generateData()
•Very fast and high quality output
–bottleneck is usually card-to-terminal link
| PV204 Security Technologies: JavaCard
76

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
RandomData – source code
•
| PV204 Security Technologies: JavaCard
private RandomData     m_rngRandom = null;
// CREATE RNG OBJECT
m_rngRandom = RandomData.getInstance(RandomData.ALG_SECURE_RANDOM);
// GENERATE RANDOM BLOCK WITH 16 BYTES
m_rngRandom.generateData(array, (short) 0, ARRAY_ONE_BLOCK_16B);
77

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Key generation and initialization
•Allocation and initialization of the key object (KeyBuilder.buildKey())
•Receive (or generate random) key value
•Set key value (AESKey.setKey())
•
| PV204 Security Technologies: JavaCard
// …. INICIALIZATION SOMEWHERE (IN CONSTRUCT)
// CREATE AES KEY OBJECT
AESKey m_desKey = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES,
    KeyBuilder.LENGTH_AES_256, false);
// Generate random data to be used as key
m_rngRandom.generateData(array, (short) 0,
    (short) KeyBuilder. KeyBuilder.LENGTH_AES_256/8);
// SET KEY VALUE
m_aesKey.setKey(array, (short) 0);
78

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Symmetric cryptography encryption
•javacard.security.Cipher
•Allocate and initialize cipher object
–Cipher.getInstance(), Cipher.init()
•Encrypt or decrypt data
–Cipher.update(), Cipher.doFinal()
•
•
| PV204 Security Technologies: JavaCard
79

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Encryption with 3DES – source code
•
| PV204 Security Technologies: JavaCard
// INIT CIPHER WITH KEY FOR ENCRYPT DIRECTION
m_encryptCipher.init(m_desKey, Cipher.MODE_ENCRYPT);
//….
// ENCRYPT INCOMING BUFFER
void Encrypt(APDU apdu) {
      byte[]    apdubuf = apdu.getBuffer();
      short     dataLen = apdu.setIncomingAndReceive();
      // CHECK EXPECTED LENGTH (MULTIPLY OF 64 bites)
      if ((dataLen % 8) != 0) ISOException.throwIt(SW_CIPHER_DATA_LENGTH_BAD);
      // ENCRYPT INCOMING BUFFER
      m_encryptCipher.doFinal(apdubuf, ISO7816.OFFSET_CDATA, dataLen, m_ramArray, (short) 0);
      // COPY ENCRYPTED DATA INTO OUTGOING BUFFER
      Util.arrayCopyNonAtomic(m_ramArray, (short) 0, apdubuf, ISO7816.OFFSET_CDATA, dataLen);
      // SEND OUTGOING BUFFER
      apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, dataLen);
}
80

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Message authentication code (MAC)
•javacard.security.Signature
•Usage similar to asymmetric signatures
•Create signature object for target MAC algorithm
•Initialize with symmetric cryptography key
•Supported algorithms
–DES_MAC8 (always), AES_MAC8 (increasingly common)
| PV204 Security Technologies: JavaCard
81

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MAC – source code
•
•
•
•
•
•
•
•
•Example based on 3DES, can be AES as well
| PV204 Security Technologies: JavaCard
private   Signature      m_sessionCBCMAC = null;
private   DESKey         m_session3DesKey = null;
// CREATE SIGNATURE OBJECT
m_sessionCBCMAC = Signature.getInstance(Signature.ALG_DES_MAC8_NOPAD, false);
// CREATE KEY USED IN MAC
m_session3DesKey = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES3_3KEY,
false);
// INITIALIZE SIGNATURE DES KEY
m_session3DesKey.setKey(m_ram, (short) 0);
// SET KEY INTO SIGNATURE OBJECT
m_sessionCBCMAC.init(m_session3DesKey, Signature.MODE_SIGN);
// GENERATE SIGNATURE OF buff ARRAY, STORE INTO m_ram ARRAY
m_sessionCBCMAC.sign(buff, ISO7816.OFFSET_CDATA, length, m_ram, (short) 0);
82

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Data hashing
•javacard.security.MessageDigest
•Create hashing object for target algorithm
–MessageDigest.getInstance()
•Reset internal state of hash object
–MessageDigest.reset()
•Process all parts of data
–MessageDigest.update()
•Compute final hash digest
–MessageDigest.doFinal()
•Supported algorithms
–MD5, SHA-1 (always), SHA-256 (increasingly common)
–related to supported Signature algorithms
| PV204 Security Technologies: JavaCard
83

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Data hashing – source code
•
| PV204 Security Technologies: JavaCard
// CREATE SHA-1 OBJECT
MessageDigest m_sha1 = MessageDigest.getInstance(
   MessageDigest.ALG_SHA, false);
// RESET HASH ENGINE
m_sha1.reset();
// PROCESS ALL PARTS OF DATA
while (next_part_to_hash_available) {
 m_sha1.update(array_to_hash, (short) 0, (short) array_to_hash.length);
}
// FINALIZE HASH VALUE (WHEN LAST PART OF DATA IS AVAILABLE)
// AND OBTAIN RESULTING HASH VALUE
m_sha1.doFinal(array_to_hash, (short) 0, (short) array_to_hash.length,
   out_hash_array, (short) 0);
84

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
GPPro – M. Paljak
•gp.exe -install applet.cap -verbose
•Reader: OMNIKEY AG Smart Card Reader USB 0
•ATR: 3BF81800008031FE450073C8401300900092
•More information about your card:
•http://smartcard-atr.appspot.com/parse?ATR=3BF81800008031FE450073C8401300900092
•
•Auto-detected ISD AID: A000000003000000
•Host challenge: 764D6A0982DC5E17
•Card challenge: 0005112D5C02E152
•Card reports SCP02 with version 1 keys
•Master keys:
•Version 0
•ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
•MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
•KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
•Diversififed master keys:
•Version 0
•ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:8D16CDB90D9A1BCB9C3B208FB491DFF6
•MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:D3A3DD0DB2C1F84F79E3BC0EF4B0A78E
•KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:F80C3E807D4C57293B651693ED999448
•Sequnce counter: 0005
•Derived session keys:
•Version 0
•ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:6BCC8856C64D5A6090A603C5FFBA7F4F
•MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:3BDCE52AE932EFF43E506C498BAC9F21
•KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:FFC30797EFA7EC37A28E4485052EA21D
•Verified card cryptogram: 37C4139407A2F0DD
•Calculated host cryptogram: A9376B4721194AFA
•CAP file (v2.1) generated on Tue Aug 04 14:34:51 CEST 2015
•By Sun Microsystems Inc. converter 1.3 with JDK 1.8.0_31 (Oracle Corporation)
•Package: AlgTest v1.0 with AID 6D797061636B616731
•Applet: JCAlgTestApplet with AID 6D7970616330303031
•Import: A0000000620001 v1.0
•Import: A0000000620102 v1.2
•Import: A0000000620101 v1.2
•CAP loaded
| PV204 Security Technologies: JavaCard
85

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
•| PV204 Security Technologies: JavaCard
GPShell script – another tool for upload
•
•# Install & configure script for Gemalto TOP IM GX4, mother key
•mode_201
•gemXpressoPro
•enable_trace
•establish_context
•card_connect
•
•select -AID A000000018434D00
•open_sc -security 3 -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45
•
•delete -AID ${jc.applet.AID_GPShell}
•delete -AID ${jc.package.AID_GPShell}
•
•install -file ${jc.package.shortName}.cap -sdAID A000000018434D00
•    -nvCodeLimit 4000 -priv 0
•
•# test selection
•select -AID ${jc.applet.AID_GPShell}
•
•card_disconnect
•release_context
•Connect to reader and card
•Select Card Manager application
•Authenticate and establish secure channel (OpenPlatform)
•Delete previous version of our applet (instance first, package second)
•Upload and install file *.cap with applet
•Try to select newly installed applet
86

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
DEMO: OPENPGP APPLET
•
•| PV204 Security Technologies: JavaCard
87

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
OpenPGP
•Standard for PGP/GPG compliant applications
•Includes specification for card with private key(s)
–openpgp-card-1.0.pdf
•Supported (to some extend) in GnuPG
•Pre-personalized OpenPGP cards available
–http://www.g10code.de/p-card.html
•Open source Java Card applet available
–JOpenPGPCard
–http://sourceforge.net/projects/jopenpgpcard/
–our card can be used
•| PV204 Security Technologies: JavaCard
88

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
JOpenPGPCard applet
•Main parts
–two level of PIN protection
–on-card keys generation, public key export
–on-card encryption/signature
•Compilation and upload
–Project settings (preconfigured)
–AID (given in OpenPGP specification)
–GPShell script
•Compile and upload applet to card
•| PV204 Security Technologies: JavaCard
89

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Compilation and upload
•gpg --card-edit
•Command> admin
•Command> help
•Command> generate
–follow the instructions (default PINs)
–signature, decryption and authentication key
–private keys generated directly on the card
–public keys exported to GPG keyring
•Change your PIN by Command> passwd
•| PV204 Security Technologies: JavaCard
90

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
GPG --card-edit
•| PV204 Security Technologies: JavaCard
•No keys generated yet
91

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
GPG – keys generation finished
•| PV204 Security Technologies: JavaCard
92

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
What we have…
•Card with OpenPGP-compliant applet
•GPG generated private&public keypairs
–sign, enc, auth
•Public keys exported from card and imported to local keyring
•Can be used to sign, encrypt message on command line
•Can be further integrated into applications
–Thunderbird + Enigmail + GPG
•| PV204 Security Technologies: JavaCard
93

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
(gpg –card-edit) Command> list
•| PV204 Security Technologies: JavaCard
94

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
Using GPG with smart card
•gpg --clearsign --output myfile.sig --sign myfile
–our public key is already imported to keyring
–PIN is required to sign (notice signature count so far)
–--clearsign causes output in BASE64
•gpg --verify myfile.sig
–smart card not required, public key in keyring
•gpg --output gpshell.log.gpg --recipient petr@svenda.com --encrypt gpshell.log
–smart card not required, public key in keyring
•gpg --decrypt gpshell.log.gpg
•| PV204 Security Technologies: JavaCard
95

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
MORE DETAILS ABOUT JAVACARD
•
•| PV204 Security Technologies: JavaCard
96

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard – more to be discovered
•Recursion is slooow...
•Memory allocation issues
–EEPROM vs. RAM allocations, new operator
–No (real-time) garbage collector!
•Persistent objects
•Transactions, atomic operations
•JavaCard applet firewall
•
function f(…) {
    byte a[] = new byte[10];
    byte b[] = JCSystem.makeTransientByteArray(...);
    byte c;
}
97

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
GPShell upload&install
•Upload and install converted *.cap file
–GPShell tool with script specific for target card
–GP SCP channel version (mode_201, mode_211)
–select CardManager by AID (various AIDs)
–authenticate and open secure channel (open_sc)
–delete previous applet version (1. applet, 2. package)
–load and install (install command, many params)
–install may pass personalization data (master key…)
•Check applet functionality
–from GPShell script,  no need for secure channel
–select your applet by AID (select –AID xxx)
–send test APDU (send_apdu -APDU xxx)
| PV204 Security Technologies: JavaCard
98

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard – PIN verification
•Image/code for PIN verification
–Vulnerable to transaction rollback
•
public class OwnerPIN implements PIN {
    byte triesLeft; // persistent counter
    boolean check(...) {
        ...
        triesLeft--;
        ...
    }
}
99

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard – PIN verification done better
•Non-atomic operations
public class OwnerPIN implements PIN {
  byte[] triesLeft = new byte[1]; // persistent counter
  byte[] temps =
     JCSystem.makeTransientByteArray(1,
                JCSystem.CLEAR_ON_RESET);
  boolean check(...) {
    ...
    temps[0] = triesLeft[0] - 1;
    // update the try counter non-atomically:
    Util.arrayCopyNonAtomic(temps, 0, triesLeft, 0, 1);
   ...
  }
}
100

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard – Atomic vs. Non-Atomic
•Persistent memory updates
–Two ways of updating
–FillArrayNonAtomic, CopyArrayNonAtomic
•Code refactoring
–Original short/byte values have to be converted to arrays[1]
•
101

P:\CRCS\2012_0178_Redesign_loga_a_JVS\PPT_prezentace\sablona\pracovni\normalni.jpg
| PV204 Security Technologies: JavaCard
JavaCard – Atomic vs. Non-Atomic
•Non-deterministic variable rollback
•
•
•
•
•
•Result dependency on the commands order
–a[0] == 0 vs. a[0] == 2
•
a[0] = 0
beginTransaction()
  a[0] = 1;
  arrayFillNonAtomic(a,0,1,2);
  // a[0] = 2;
abortTransaction()
a[0] = 0;
beginTransaction();
  arrayFillNonAtomic(a,0,1,2);
  // a[0] = 2;
  a[0] = 1;
abortTransaction();
102