www.crcs.cz/rsa @CRoCS_MUNI
PV204 Security technologies LABS
Introduction to smart cards and JavaCard platform
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University
www.crcs.cz/rsa @CRoCS_MUNI
The masterplan for this lab
1. Communicate with smart card (GPPro tool)
– ATR, basic info, CPLC
2. Communicate with card programmatically
– Java java.smartcardio.* or C/C++ PC/SC API
3. Intro to JavaCard programming
| PV204: Smartcards and JavaCard2
www.crcs.cz/rsa @CRoCS_MUNI
GLOBALPLATFORMPRO
REAL CARD (JAVACOS A40)
Separate CLI tool for card management
3 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
1. Communicate with smart card (GPPro)
• Contact PC/SC readers + cards
• GlobalPlatformPro tool
– https://github.com/martinpaljak/GlobalPlatformPro/releases
– Basic smart card commands, sending APDUs
– Management of GlobalPlatform cards (JavaCard)
– Type gp --help for all functionality
– We will use basic functionality now, rest next week
| PV204: Smartcards and JavaCard5
www.crcs.cz/rsa @CRoCS_MUNI
gp --info
• Obtain information about smart card
– gp --info
– Obtain ATR (Answer To Reset)
– Parse using https://smartcard-atr.appspot.com/parse?ATR=xxx
– Consult cplc-20211110.pdf from IS
• Who is the probable manufacturer of card?
• What is the probable environment for this card?
• Is it an open JavaCard?
• What is this card’s circuit serial number?
• When was the card produced?
• What is different if ‘gp --info --debug’ is executed?
6 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
gp --apdu APDU_in_hexa --debug
• Send APDU command from command line
• Try gp --info --debug
– Can you spot APDU command to obtain CPLC info?
• Send get CPLC APDU separately
– gp --apdu 80CA9F7F00 --debug
• Can you relate card’s response data and gp --info?
• What is the response status word?
| PV204: Smartcards and JavaCard7
www.crcs.cz/rsa @CRoCS_MUNI
NETBEANS IDE
SIMULATOR JCARDSIM.ORG
REAL CARD (JAVACOS A40)
Java javax.smartcardio.* API
8 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
2. Communicate with card programmatically
• SimpleAPDU project (IS, NetBeans)
– Uses Java’s javax.smartcardio.* API
– CardMngr.java – utility functions for card communication
• Obtain list of available readers
– List readers = TerminalFactory.getDefault().terminals().list();
• Connect to card
– CardTerminal.isCardPresent(), CardTerminal.connect(“*”);
• Obtain ATR: Card.getATR().getBytes()
• Send APDU:
– ResponseAPDU resp = CardChannel.transmit(apdu)
| PV204: Smartcards and JavaCard9
www.crcs.cz/rsa @CRoCS_MUNI
3. JAVACARD PROGRAMMING
14 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Setup SimpleAPDU [NetBeans]
• Download NetBeans 12.6
– https://netbeans.apache.org/download/archive/index.html
• Download/extract SimpleAPDU.zip from IS
• Run NetBeans and import existing project SimpleAPDU
– File → Open project → SimpleAPDU
– (Now contains only host application)
• Add jar library file with simulator
– Libraries→Add JAR→\lib\jcardsim-3.0.5.5.jar
• Add link to folder with on-card applet
– File → Project properties → Sources → Add folder
– Add SimpleApplet\src
| PV204: Smartcards and JavaCard17
Use NetBeans 12.6 from https://netbeans.apache.org/download/archive/index.html
Or NetBeans portable https://sourceforge.net/projects/nbportable/
www.crcs.cz/rsa @CRoCS_MUNI
Setup SimpleAPDU [NetBeans]
• Project properties → Run → VM Options
– -enableassertions -noverify
– (required when custom compilation of jcardsim is used)
– Not required anymore, if you will use provided jcardsim-3.0.5.5.jar
– Otherwise, you will get „Exception in thread "main" java.lang.VerifyError: Expecting a
stackmap frame at branch target 19“
• Project should now compile
• Try to run in debug mode (Ctrl+F5)
– Place breakpoint inside SimpleAPDU.Main() method
– Place breakpoint into SimpleApplet.process() method
18 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
SIMULATED CARD (VIA JCARDSIM)
19 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Task: demoGetRandomDataCommand()
• Example code with single APDU command
• Simulated card is used
• Investigate the code, observe the values returned
• Place breakpoints and observe in debugger:
– SimpleApplet constructor
– process() method
– Random() method
• Why are bytes of “random” data on simulator always the same after
program restart?
21 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
REAL CARD (JAVACOS A40)
(SimpleApplet.cap preuploaded)
22 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Task: demoGetRandomDataCommand() with real card
• Do the same as before, but with real card JavaCOS A40
– Uncomment RunConfig.CARD_TYPE.PHYSICAL
– Comment CARD_TYPE.JCARDSIMLOCAL
• Observe the change in random data returned from card
• Try to restart program – will it change wrt simulator?
23 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Tasks: demoEncryptDecrypt()
• Try first with simulated card, then with real one
• Investigate method demoEncryptDecrypt
• Task 1: Prepare and send APDU with 32 bytes of data for encryption, observe
output
• Task 2: Extract the encrypted data from the card's response. Send APDU with
this data for decryption
– Compare data for encryption with the decrypted data
• Task 3: What is the value of AES key used inside applet? Use debugger to
figure this out
• Task 4: Prepare and send APDU for setting different AES key, then encrypt
and verify
24 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
CONVERSION AND UPLOAD TO REAL
CARD
25 | PV204: Smartcards and JavaCard
We will compile, convert and install SimpleApplet.cap
www.crcs.cz/rsa @CRoCS_MUNI
Task: Create cap file and upload to card
• Navigate to SimpleApplet folder
– src folder contains applet’s source code in SimpleApplet.java
– jcbuild.xml contains configuration for conversion with
ant-javacard project
26 | PV204: Smartcards and JavaCard
<target name="build" description="Builds the CAP file with SimpleApplet">
<javacard jckit="${JC222}">
<cap output="!uploader/SimpleApplet.cap" sources="src/" aid="73696d706c65">
<applet class="applets.SimpleApplet" aid="73696d706c656170706c6574"/>
</cap>
</javacard>
</target>
Path and name for
resulting cap file
Folder with applet sources
(level before package)
Package AID
Applet main class
(including package name) Applet AID
www.crcs.cz/rsa @CRoCS_MUNI
Task: Create cap file and upload to card
• Compile & Convert
– Execute on cmd line: ant -f jcbuild.xml build
• If OK, SimpleApplet.cap is created in !uploader folder
27 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
THE REST OF JAVACARD NEXT WEEK ☺
28 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Task: Create cap file and upload to card
• http://github.com/martinpaljak/GlobalPlatformPro
1. List already loaded applets
– java -jar gp.jar –list -d
2. Uninstall previous version of SimpleApplet
– java -jar gp.jar -uninstall SimpleApplet.cap -d
3. Install SimpleApplet.cap
– java -jar gp.jar -install SimpleApplet.cap -d
4. Use applet (commands in SimpleAPDU code)
29 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Problem: what with other applets on card?
1. List already loaded applets
– java -jar gp.jar –list -d
2. Find package_AID and run:
– java -jar gp.jar –deletedeps –delete package_aid
– The –deletedeps will also delete all applets from target
package
• E.g., our SimpleApplet can be also removed by
– gp –deletedeps –delete 73696d706c65
30 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Be aware – real card can be blocked
• Too many unsuccessful authentication requests
31 | PV204: Smartcards and JavaCard
>gp --list -debug
# Detected readers from SunPCSC
[*] Alcor Micro USB Smart Card Reader 0
SCardConnect("Alcor Micro USB Smart Card Reader 0", T=*) -> T=0, 3BF71800008031F
E45736674652D6E66C4
SCardBeginTransaction("Alcor Micro USB Smart Card Reader 0")
A>> T=0 (4+0000) 00A40400 00
A<< (0018+2) (56ms) 6F108408A000000003000000A5049F6501FF 9000
A>> T=0 (4+0008) 80500000 08 6265E168FB2639C1
A<< (0028+2) (118ms) 00003126960097543174010200103595AC1420213D2969EA8B8C41F3 90
00
openkms.gp.GPException: STRICT WARNING: Card cryptogram invalid!
Card: 3D2969EA8B8C41F3
Host: DB1E6E1E71958A15
!!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!
at openkms.gp.GlobalPlatform.printStrictWarning(GlobalPlatform.java:156)
at openkms.gp.GlobalPlatform.openSecureChannel(GlobalPlatform.java:471)
at openkms.gp.GPTool.main(GPTool.java:348)
www.crcs.cz/rsa @CRoCS_MUNI
Be aware – real card can be blocked
• Don’t write script that executes many authentications at once (cycle,
multiple commands)
• If unsuccessful one/two authentication is detected, then as for help,
please!!!
32 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Tasks: demoUseRealCard()
• Change from simulator to real card
– runCfg.setTestCardType(RunConfig.CARD_TYPE.PHYSICAL);
• Task 5: Obtain random data from real card
• Task 6: Set new key value and encrypt on card
33 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
ASSIGNMENT 2
34 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Assignment 2: Status-Keycard analysis
• Analyze existing JavaCard applet available
– https://github.com/status-im/status-keycard/
• Answer the following questions:
1. What cryptographic algorithms are executed on card and with what parameterization?
(provide list of JavaCard constants like ‘ALG_RSA_NOPAD’ and parameters (key lengths,
domain params…))
2. Describe purpose of usage (achieved functionality) of a particular cryptographic algorithm
(e.g., “OwnerPIN cardPIN is used to protect RAM memory against fault induction”)
3. Describe details of the secure channel used to protect APDUs to and from applet
• How are keys distributed and established, what mechanism is used to protect data
• Be specific, use information and terminology used in Lecture 2
35 | PV204 Security technologies - Labs
www.crcs.cz/rsa @CRoCS_MUNI
Assignment 2: Real cards
• Bonus (+2 points):
– Write program which will scan all instruction codes supported by “Blue card”
• Test with a simulator first
– Use reader and card from lab, write your name and reader serial number on the paper sheet
– Which INS codes are supported? Can you reverse engineer more information (P1/P2, LC…)?
• Produce short (2xA4) text description of your solution
– Provide answers to questions asked, description your setup precisely, including screenshots
• Submit before 9.3.2023 23:59 into IS HW vault
– Soft deadline: -1.5 points for every started 24 hours
| PV204 Security technologies - Labs36
www.crcs.cz/rsa @CRoCS_MUNI37 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
SOLUTIONS (KIND OF ☺)
(VALID FOR BLUE CARDS FROM LAB)
| PV204: Smartcards and JavaCard38
www.crcs.cz/rsa @CRoCS_MUNI
gp --info
• Who is probable manufacturer of card?
– Gemplus/Gemalto
• What is probable environment for this card?
– Possibly JavaCard with MPCOS applet
• Is it open JavaCard?
– No (no CardManager with known keys)
• What is card’s circuit serial number?
– ICSerialNumber: 02006FC1 (Note: your card will be different)
– Good to consider also other ICxxx values for uniqueness
• When was card produced?
– ICFabricationDate: 1105
– Probably 15th May 2011 (105th day of year ending with 1)
| PV204: Smartcards and JavaCard39
www.crcs.cz/rsa @CRoCS_MUNI
Probing unknown commands
• Probing possible because of:
– limited space of command values
– error message side channel
– missing failed tries counter
| PV204: Smartcards and JavaCard40
www.crcs.cz/rsa @CRoCS_MUNI
GRADLE TEMPLATE
41 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Usage of gradle template
• Intended for automatic conversion and tests
– Used by TravisCI…
• IntelliJ IDEA can import project from gradle scripts
– Interactive debugging, test coverage…
• Download complete zip
– https://github.com/crocs-muni/javacard-gradle-template-
edu/archive/refs/tags/v0.2.2-edu.zip
• Read README.md carefully!
– ./gradlew buildJavaCard --info --rerun-tasks
– ./gradlew test --info --rerun-tasks
42 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Integration with TravisCI
• .travis.yml
43 | PV204: Smartcards and JavaCard
language: java
jdk:
- oraclejdk8
script:
- ./gradlew check --info
- ./gradlew buildJavaCard --info
+
www.crcs.cz/rsa @CRoCS_MUNI
Gradle + IntelliJ IDEA
• IntelliJ IDEA supports import of gradle –based projects (simpler IDE
NetBeans not)
• Debugging with simulated card works as in NetBeans
44 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Test coverage: Gradle + IntelliJ IDEA
• Go to Gradle plugin in IntelliJ IDEA
• Tasks → verification → test
• RClick → run with coverage
45 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI46 | PV204: Smartcards and JavaCard
www.crcs.cz/rsa @CRoCS_MUNI
Real cards – CPLC of your bank card
• Obtain ATR and CPLC info for your bank card
– java -jar gp.jar --info -d
– Don’t worry, nothing is changed on card
– If you are getting “Could not SELECT default selected: 0x6700 (Wrong length (Lc))”, then
you need to send CPLC command separately: gp --apdu 80CA9F7F00 --debug
• Can you figure out IC manufacturer and chip type?
• Can you figure out Operating System ID and name?
• Can you figure out fabrication date?
• Try to use cplc.py for reference
– https://github.com/crocs-muni/JCAlgTest/blob/master/AlgTest_Process/cplc.py
47 | PV204: Smartcards and JavaCard