Scott, I wonder if there is more to this that at first might appear and that there isn't such a clear backdoor? I cannot imagine the GlobalPlatform people allowing such obvious backdoors. Also it is not in the network operators' interest to have such clear backdoors if they want to sell secure application space on their SIMs which is a must for their future business models.
All the TS 102 226 stuff is dealt with using Secured Packets (TS 102 224) which requires a cryptographically supported authentication system. So the access domain packet is happening in a secure authenticated transaction which gives a point at which an access has to prove itself before being able to get at the filestore. To say more at the moment would be to speculate -- I definitely need to investigate this further. Of course the UICC store is not the sensible place for any Java and Java Card applications to store information -- for Java Card or Java applications on a (U)SIM maintaining data objects within the application is the only really sensible secure system. Aha here is a design for a useful SIM-based application -- a secure data store... On Thu, 2004-03-11 at 17:07, Scott Guthery wrote: > Since the backdoor is mandated by the SIM standards, it is true of all > standards-compliant Java Card SIMs. > > ETSI TS 102 226 states: > > "The access rights granted to an application and defined in the access > domain parameter shall be independent > from the access rights granted at the UICC/Terminal interface. > > NOTE: This implies in particular that the status of a secret code > (e.g. disabled PIN1, blocked PIN2, etc.) > at the UICC/Terminal interface does not affect the access rights granted > to an application. > > If an application with Access Domain Parameter 'FF' (i.e. No Access to > the File System) tries to access a > file the framework shall throw an exception. > > If an application has Access Domain Parameter '00' (i.e. Full Access to > the File System), all actions can > be performed on a file except the ones with NEVER access condition." > > As you point out this may not be true of non-standards compliant SIMs > but I suspect there are few of those in use. > > You can imagine the surprise of a subscriber when PIN-protected data > shows up on the screen courtesy of a Java applet and the subscriber > knows that they haven't entered their PIN. -- Russel. ==================================================================== Dr Russel Winder, Chief Technology Officer Tel: +44 20 8680 8712 OneEighty Software Ltd Fax: +44 20 8680 8453 Cygnet House, 12-14 Sydenham Road [EMAIL PROTECTED] Croydon, Surrey CR9 2ET, UK http://www.180sw.com
signature.asc
Description: This is a digitally signed message part
