Hi Karsten,
Well, I encourage you to participate in the public review of the current Version 2.2 (see the GP website) and provide feedback. Be aware, the GP community relies on people like YOU! So please provide feedback and it can be considered!
By the way: the JCOP 2.1.1 also contains the API 2.0.1'. I agree with you that it is rather unfortunate that the backwards compatibility of API 2.1.1 is not as perfect as it could be for the applets that have been written for 2.0.1. You are not the only one to face this issue... once again, I urge you to provide feedback to the GP card spec workgroup.
Greetings, Klaus.
Karsten Ohme <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11.08.2005 14:24

Klaus Peter Gungl wrote:
>
> Hi Karsten,
> your email below is correct. What I intended to refer to is that an
> applet does not have to code any of the cryptography - neither MAC nor
> encryption - if it wants to take advantage of SCP. So from the API you
> can see the support that is available, that's what I was referring to.
> And you are correct in saying that an applet needs to get a handle to
> its SCP and then invoke unwrap(). SCP in the Security Domain does the rest.
> The intention is to enable each applet to use with very little effort
> the capabilities of a GP card, but not to mandate the use of SCP.
Yes, after I read your mail a second time I also realized that you refer
to the API. Some time ago I thought about the realization of
GlobalPlatform support in the MuscleCard applet. The inconvenient thing
is that there are the older but much more used standard 2.0.1' and the
new standard 2.1.1. I only know the new JCOP card from IBM supporting
2.1.1, but to support all cards the applet must be conditionally
compiled to implement this or that standard. These are not so many lines
of code, maybe some day.
Thanks, Karsten
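To make the point of the exchange above concrete (the applet has to fetch the SecureChannel handle in select() and run incoming commands through unwrap(); the Security Domain keeps the keys and does the cryptography), here is a small Java Card applet written against the GP 2.1.1 API (org.globalplatform). This is an added example, not code from the thread, the programmer's guide or the MuscleCard applet. The class and package names, the INS_STORE_KEY instruction byte and the fixed 2-key 3DES key slot are assumptions made for the illustration; for a 2.0.1' card the two calls would be OPSystem.getSecurityDomain() and ProviderSecurityDomain.unwrap() as in the guide extract quoted further down.

```java
package muscle.example; // hypothetical package name

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.security.DESKey;
import javacard.security.KeyBuilder;
import org.globalplatform.GPSystem;
import org.globalplatform.SecureChannel;

/**
 * Example applet that delegates Secure Channel Protocol handling to its
 * Security Domain. The applet never sees the SCP keys; it only decides
 * which security level it requires before acting on a command.
 */
public class ScpAwareApplet extends Applet {

    // INS bytes of the SCP handshake commands (GP card specification 2.1.1)
    private static final byte INS_INITIALIZE_UPDATE     = (byte) 0x50;
    private static final byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;
    // Hypothetical application command that carries secret key material
    private static final byte INS_STORE_KEY = (byte) 0xD0;
    private static final short DES3_2KEY_BYTES = 16;

    // Security level demanded before INS_STORE_KEY is honoured:
    // host authenticated, command MAC verified, command body decrypted.
    private static final byte REQUIRED_LEVEL = (byte) (SecureChannel.AUTHENTICATED
            | SecureChannel.C_MAC | SecureChannel.C_DECRYPTION);

    private SecureChannel secureChannel;
    private final DESKey storedKey; // the applet's own key slot (constructed for the example)

    private ScpAwareApplet() {
        storedKey = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES,
                KeyBuilder.LENGTH_DES3_2KEY, false);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new ScpAwareApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    public boolean select() {
        // Re-fetch the handle on every selection: the applet may have been
        // extradited to another Security Domain since the last session.
        secureChannel = GPSystem.getSecureChannel();
        return true;
    }

    public void deselect() {
        // Discard the session state so a later selection cannot reuse it.
        secureChannel.resetSecurity();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_INITIALIZE_UPDATE:
        case INS_EXTERNAL_AUTHENTICATE:
            // The Security Domain runs the SCP protocol step and leaves its
            // response data in the APDU buffer at OFFSET_CDATA.
            short responseLength = secureChannel.processSecurity(apdu);
            apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, responseLength);
            break;
        case INS_STORE_KEY:
            handleStoreKey(apdu);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }

    /** Accept the command only inside an authenticated, MAC'ed, encrypted session. */
    private void handleStoreKey(APDU apdu) {
        byte[] buf = apdu.getBuffer();
        short lc = apdu.setIncomingAndReceive();

        // unwrap() verifies the C-MAC and decrypts the body in place; it throws
        // ISOException if the secure messaging is missing or invalid. The return
        // value is assumed per the 2.1.1 API (cleartext data-field length);
        // later API versions count the header bytes too, so check the card's API.
        short plainLength = secureChannel.unwrap(buf, (short) 0,
                (short) (ISO7816.OFFSET_CDATA + lc));

        // A command that merely unwraps is not enough: insist on the full level,
        // otherwise a MAC-only session could deliver the key in the clear.
        if ((secureChannel.getSecurityLevel() & REQUIRED_LEVEL) != REQUIRED_LEVEL) {
            ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
        }
        if (plainLength != DES3_2KEY_BYTES) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // Plaintext key material now sits at OFFSET_CDATA; load it into the key slot.
        storedKey.setKey(buf, ISO7816.OFFSET_CDATA);
    }
}
```

The security level check is the part easiest to forget: unwrap() succeeding only tells the applet that the Security Domain accepted the secure messaging that was present, and getSecurityLevel() is what says whether the body was actually encrypted. Java Card has no preprocessor, so the conditional compilation Karsten mentions means keeping two source variants of select() and the unwrap call, one per API generation.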
> Greetings,
> Klaus.
>
> *Karsten Ohme <[EMAIL PROTECTED]>*
> Sent by: [EMAIL PROTECTED]
> 10.08.2005 16:49
> Please respond to MUSCLE
> To: MUSCLE <[email protected]>
> Subject: Re: [Muscle] GPShell 1.0.0 release
>
> Klaus Peter Gungl wrote:
> >
> > Hello everyone,
> >
> > some comments about Secure Channel Protocol:
> > (1) The applet does not need to support SCP, this support is available
> > to the applet from its Security Domain via the Global Platform API. The
> > applet does not need to have access to the keys.
>
> No. This seems not to be correct. To support SC an applet must support
> this. It is not transparent.
>
> I quote something from the Programmer's guide:
>
> 2.2.1. Retrieving a Security Channel Handle
> In order to use the Secure Channel, the application must first obtain a
> handle to its associated Security Domain. As it is possible for an Application
> to be extradited from one Security Domain to another, the handle to the Security
> Domain should be retrieved each time the Application is selected.
> The Sample Application extract below shows the getSecureChannel() method
> (getSecurityDomain() method in the deprecated API) being invoked during the
> selection process of the application.
> 2.1 API:
> private SecureChannel MySecureChannel;
> ...
> public boolean select() {
> MySecureChannel = GPSystem.getSecureChannel();
> ...
> Deprecated API:
> private ProviderSecurityDomain SecurityDomain;
> ...
> public boolean select() {
> SecurityDomain = OPSystem.getSecurityDomain();
>
> This is not much, but an applet is not implicitly SC enabled. Maybe this
> is a weakness in the design.
>
> > (2) SCP is always used for package loading and applet installation, it
> > can optionally be used for applet personalization and by the applet
> > during runtime.
> > (3) Global Platform offers a compliance package for vendors who claim
> > proper implementation of the GP card specification.
> >
> > All of this can be found on the Global Platform website:
> > http://www.globalplatform.org
> >
> > Klaus.
>
> Karsten
>
> >
> > *Karsten Ohme <[EMAIL PROTECTED]>*
> > Sent by: [EMAIL PROTECTED]
> > 10.08.2005 02:22
> > Please respond to MUSCLE
> > To: MUSCLE <[email protected]>
> > Subject: Re: [Muscle] GPShell 1.0.0 release
> >
> > Peter Williams wrote:
> > > a nice feature would be this:
> > >
> > > use the SCP01 support to establish a confidentiality channel, and use
> > > the GP kek in the keyset to load a DES key into the _muscle_ key store.
> >
> > Thanks. But this would mean that the applet must support secure channels
> > and the user of the applet must also have access to the keys of the
> > security domain. With this much more is possible. Due to the fact that a
> > secure channel is established everything can be transmitted secretly, also
> > without the double encryption with the KEK. Both are possible. But I believe
> > the goal of GPShell is only to have a free platform for GlobalPlatform
> > management tasks. Ask the author.
> >
> > Another problem, I know at least one card which has broken API support
> > within the card for this. GlobalPlatform is not a very well verified
> > standard on cards ...
> >
> > Karsten
> >
> > >
> > >
> > >> From: Snit Mo <[EMAIL PROTECTED]>
> > >> Reply-To: Snit Mo <[EMAIL PROTECTED]>, MUSCLE
> > >> <[email protected]>
> > >> To: [email protected]
> > >> Subject: [Muscle] GPShell 1.0.0 release
> > >> Date: Thu, 4 Aug 2005 22:58:18 -0700
> > >>
> > >> Hi,
> > >>
> > >> We have just released GPShell 1.0.0. From the README:
> > >>
> > >> GPShell is a script interpreter which talks to a smart card. It is
> > >> written on top of the OpenPlatform library, which was developed by
> > >> Karsten Ohme. It uses smart card communication protocols ISO-7816-4
> > >> and Open Platform (which later became Global Platform) 2.0.1. It can
> > >> establish a secure channel with a smart card, load, instantiate,
> > >> delete, list applets on a smart card.
> > >>
> > >> GPShell and OpenPlatform Library (which GPShell depends on) can be
> > >> found at:
> > >> http://sourceforge.net/projects/globalplatform/
> > >>
> > >> Enjoy,
> > >>
> > >> _______________________________________________
> > >> Muscle mailing list
> > >> [email protected]
> > >> http://lists.drizzle.com/mailman/listinfo/muscle
