Thanks Karsten. So you are saying that I could use JCOP21id with the CardEdge applet loaded, avoiding BlueZ and secure messaging? Please clarify for me: what did you mean by extending OpenSC to support Open Platform, and what is that free library that is available?

I am very curious...

regards, dejan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
Sent: Wednesday, August 24, 2005 3:44 PM
To: MUSCLE
Subject: Re: [Muscle] JCOP21id with secure messaging support

Gambin Dejan wrote:
> Thanks Karsten, I really appreciate your detailed explanations. Now let me inform you:
>
> The JCOP21id cards that we have are 32kB EEPROM. They fully support garbage collection. The card has a FIPS 140-2 certified version of the BlueZ PKCS#15 application included in the ROM mask (so the complete EEPROM space remains free for application use). For this PKCS#15 version some restrictions apply, but I won't write all of this to you now because it is all well described in http://www.zurich.ibm.com/jcop/download/specs/BlueZ-PKCS15.pdf. I shall only mention that the main restriction is that any read, update and erase operations on secret or private key files are only allowed if secure messaging is used. The complete secure messaging protocol is explained in chapter 12 of this pdf, and all the cryptographic operations for secure messaging are as defined in Open Platform.

Does IBM offer a PKCS#11 library implementing the connection to BlueZ?

The PKCS#11 solution uses the CardEdge applet. So you would not use BlueZ. So you must decide on a design. The advantage of the CardEdge applet is that it is more flexible.

> During my OpenSC testing, I have successfully sent some of the SM-required commands thanks to the help of Chaskiel Grundman. The main reason I went to OpenSC is the CSP11 open source project that is using the OpenSC PKCS#11 library (but it could use some other PKCS#11 library, such as the Muscle one for example). I know there is a CSP for Muscle but this is not open source so I can not use it...

Yes, this seems to be a reason to use OpenSC. A free solution is missing here for MuscleCard. Would it be a solution to extend OpenSC to support OpenPlatform? For OpenPlatform there is a free library available, which should simplify the integration.

Karsten

> regards, dejan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
> Sent: Tuesday, August 23, 2005 6:43 PM
> To: MUSCLE
> Subject: Re: [Muscle] JCOP21id with secure messaging support
>
> Gambin Dejan wrote:
>> Thanks Karsten,
>>
>> The thing is, I am not too familiar with MUSCLE. We were using OpenSC in a project to test smartcard-enabled PKI applications, so we need to hold the certificates with the keypair on the card. Also, we were using Java Card based cards because of future needs of building Java Card applications on them. Before the test we bought a number of JCOP21id cards, but they are not fully supported because of the secure messaging requirement.
>
> Read this:
> http://www.inf.tu-dresden.de/~ko189283/MuscleCard/MuscleCardArticle.html
>
>> So I just wanted to know if maybe this is supported in Muscle, to help me implement it in OpenSC or maybe to make me go to Muscle. What are the main differences between Muscle and OpenSC? I have heard Muscle has some limitations regarding my "cryptographic needs"? Sorry to bother you...
>
> http://www.inf.tu-dresden.de/~ko189283/MuscleCard/MCardAppletChanges.html
>
> I don't know how fast you need a solution, but this will be ready in some time. (The garbage collection does not work at the moment; aside from this everything is functional.)
> Look in the section ComputeCrypt to see the supported cipher and signature algorithms. Also the rest should give an insight into what the applet can do.
> Look in the section TODO, where I propose another solution instead of the OpenPlatform Secure Channel protocol.
> Elliptic Curves are also still missing. With some time I will include the code, but I know of no card which supports EC.
>
> But, obey, how much memory does the JCOP21id card have? Does it support garbage collection? Because of the memory limitation it will not be possible to allow all algorithms.
>
> Karsten
>
>> thanks very much
>>
>> regards
>>
>> dejan gambin
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
>> Sent: Monday, August 22, 2005 11:14 PM
>> To: MUSCLE
>> Subject: Re: [Muscle] JCOP21id with secure messaging support
>>
>> Gambin Dejan wrote:
>>> Hi,
>>>
>>> I would like to know if JCOP21id is fully supported by Muscle regarding the secure messaging/channel requirement? Is this protocol implemented in Muscle? If it is, where in the code?
>>
>> No.
>>
>>> I have a number of JCOP21id cards that I need to fully support.
>>
>> What is your task?
>>
>> You want to use the secure channels? What does "need" mean? Is the integrity and confidentiality really important? Is the card user the same as the card issuer? (Else this does not work, because the user has access to the secret keys of the card issuer and can install untrusted applications. Aside from this, this means that the user has to enter these secret keys every time, or at least a pass phrase for the encryption of the keys (if these keys are stored encrypted on a medium) (storing these keys in plain text would violate any idea of this system), at each computer system, at the keyboard. In an untrusted environment the system knows the keys and the whole secure channel system is broken ...)
>>
>> If you are adept with this technology then you certainly know all the above things and an adaptation of MuscleCard is possible.
>>
>> Karsten
>>
>>> thanks very much
>>>
>>> regards, dejan
>>>
>>> _______________________________________________
>>> Muscle mailing list
>>> [email protected]
>>> http://lists.drizzle.com/mailman/listinfo/muscle
