Hi Karsten,
your email below is correct. What I intended to refer to is that an applet does not have to code any of the cryptography - neither MAC nor encryption - if it wants to take advantage of SCP. So from the API you can see the support that is available, that's what I was referring to. And you are correct in saying that an applet needs to get a handle to its SCP and then invoke unwrap(). SCP in the Security Domain does the rest.
The intention is to enable each applet to use with very little effort the capabilities of a GP card, but not to mandate the use of SCP.
Greetings,
Klaus.
| Karsten Ohme <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 10.08.2005 16:49
|
|
Klaus Peter Gungl wrote:
>
> Hello everyone,
>
> some comments about Secure Channel Protocol:
> (1) The applet does not need to support SCP, this support is available
> to the applet from its Security Domain via the Global Platform API. The
> applet does not need to have access to the keys.
No. This seems not to be correct. To support SC a applet must support
this. It is not transparently.
I quote something form the Programmers guide:
2.2.1. Retrieving a Security Channel Handle
In order to use the Secure Channel, the application must first obtain a
handle
to its associated Security Domain. As it is possible for an Application
to be
extradited from one Security Domain to another, the handle to the Security
Domain should be retrieved each time the Application is selected.
The Sample Application extract below shows the getSecureChannel() method
(getSecurityDomain() method in the deprecated API) being invoked during the
selection process of the application.
2.1 API:
private SecureChannel MySecureChannel;
...
public boolean select() {
MySecureChannel = GPSystem.getSecureChannel();
...
Deprecated API:
private ProviderSecurityDomain SecurityDomain;
...
public boolean select() {
SecurityDomain = OPSystem.getSecurityDomain();
This is not much, but an applet is not implicilty SC enabled. Maybe this
is a weakness in the design.
> (2) SCP is always used for package loading and applet installation, it
> can optionally be used for applet personalization and by the applet
> during runtime.
> (3) Global Platform offers a compliance package for vendors who claim
> proper implementation of the GP card specification.
>
> All of this can be found on the Global Platform website:
> http://www.globalplatform.org
>
> Klaus.
Karsten
>
> *Karsten Ohme <[EMAIL PROTECTED]>*
> Sent by: [EMAIL PROTECTED]
>
> 10.08.2005 02:22
> Please respond to
> MUSCLE
>
>
>
> To
> MUSCLE <[email protected]>
> cc
>
> Subject
> Re: [Muscle] GPShell 1.0.0 release
>
>
>
>
>
>
>
>
> Peter Williams wrote:
> > a nice featue would be this:
> >
> > use the SCP01 support to establish a confidentiality channel, and use
> > the GP kek in the keyset to load a DES key into the _muscle_ key store.
>
> Thanks. But this would mean that the applet must support secure channels
> and the user of
> the applet must also have access to the keys of the security domain.
> With this much more is possible. Due to the fact that a secure channel
> is established everything can be transmitted secretly, also without the
> double encryption with the KEK. Both is possible. But I believe the goal
> of GPShell is only to have a free platform for GlobalPlatform management
> tasks. Ask the author.
>
> Another problem, I know at least one card which has broken API support
> within the card for this. GlobalPlatform is not a very well verified
> standard on cards ...
>
> Karsten
>
> >
> >
> >> From: Snit Mo <[EMAIL PROTECTED]>
> >> Reply-To: Snit Mo <[EMAIL PROTECTED]>, MUSCLE
> >> <[email protected]>
> >> To: [email protected]
> >> Subject: [Muscle] GPShell 1.0.0 release
> >> Date: Thu, 4 Aug 2005 22:58:18 -0700
> >>
> >> Hi,
> >>
> >> We have just released GPShell 1.0.0. From the README:
> >>
> >> GPShell is a script interpreter which talks to a smart card. It is
> >> written on top of the OpenPlatform library, which was developed by
> >> Karsten Ohme. It uses smart card communication protocols ISO-7816-4
> >> and Open Platform (which later became Global Platform) 2.0.1. It can
> >> establish a secure channel with a smart card, load, instantiate,
> >> delete, list applets on a smart card.
> >>
> >> GPShell and OpenPlatform Library (which GPShell depends on) can be
> >> found at:
> >> http://sourceforge.net/projects/globalplatform/
> >>
> >> Enjoy,
> >>
> >> _______________________________________________
> >> Muscle mailing list
> >> [email protected]
> >> http://lists.drizzle.com/mailman/listinfo/muscle
> >
> >
> >
> > _______________________________________________
> > Muscle mailing list
> > [email protected]
> > http://lists.drizzle.com/mailman/listinfo/muscle
>
>
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
