Dejan Gambin wrote:
Thanks Karsten. So you are saying that I could use JCOP21id with the CardEdge applet loaded, avoiding BlueZ and secure messaging?

Yes. You could use this applet. Maybe you first must test it for stability. I think the IBM applet is a mature application and you can use it without concern, if you have software which supports it. For CardEdge I'm not sure how stable the applet is; I have no bad experiences, but one week in daily use should show if it is stable. I just received a JCOP card from IBM and there is a CSP and PKCS#11 library included, but not free.

Please clarify for me: what did you mean by extending OpenSC to support Open Platform, and what is that free library available?

I have no further knowledge of OpenSC. Is the only reason why you cannot use it the missing support for secure channels? Then you could contribute to OpenSC and extend it to support it.

I am very curious...

I developed a free library for C/C++ and Java for OpenPlatform cards. Maybe you can use it for this purpose.

https://sourceforge.net/projects/globalplatform

Karsten


regards, dejan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
Sent: Wednesday, August 24, 2005 3:44 PM
To: MUSCLE
Subject: Re: [Muscle] JCOP21id with secure messaging support


Gambin Dejan wrote:

Thanks Karsten, I really appreciate your detailed explanations. Now let me inform you:

JCOP21id cards that we have are 32kB EEPROM. They fully support garbage collection. The card has a FIPS 140-2 certified version of the BlueZ PKCS#15 application included in the ROM mask (so the complete EEPROM space remains free for application use). For this PKCS#15 version, some restrictions apply but I won't write all of this to you now because it is all well described in http://www.zurich.ibm.com/jcop/download/specs/BlueZ-PKCS15.pdf. I shall only mention that the main restriction is that any read, update and erase operations on secret or private key files are only allowed if secure messaging is used. The complete secure messaging protocol is explained in chapter 12 of this pdf and all the cryptographic operations for secure messaging are as defined in Open Platform.


Does IBM offer a PKCS#11 library implementing the connection to BlueZ?
The PKCS#11 solution uses the CardEdge applet. So you would not use BlueZ. So you must decide on a design. The advantage of the CardEdge applet is that it is more flexible.


During my OpenSC testing, I have successfully sent some of the SM-required commands thanks to the help of Chaskiel Grundman. The main reason I went to OpenSC is the CSP11 open source project that is using the OpenSC PKCS#11 library (but it could use some other PKCS#11 library, such as the Muscle one for example). I know there is a CSP for Muscle but this is not open source so I cannot use it...


Yes, this seems to be a reason to use OpenSC. A free solution is missing here for MuscleCard. Would it be a solution to extend OpenSC to support OpenPlatform? For OpenPlatform there is a free library available, which should simplify the integration.

Karsten


regards, dejan





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
Sent: Tuesday, August 23, 2005 6:43 PM
To: MUSCLE
Subject: Re: [Muscle] JCOP21id with secure messaging support


Gambin Dejan wrote:


Thanks Karsten,

The thing is, I am not very familiar with MUSCLE. We were using OpenSC in a project to test smartcard-enabled PKI applications, so we need to hold the certificates with the key pair on the card. Also, we were using Java Card based cards because of future needs of building Java Card applications on them. Before the test we bought a number of JCOP21id cards but they are not fully supported because of the secure messaging requirement.


Read this:


http://www.inf.tu-dresden.de/~ko189283/MuscleCard/MuscleCardArticle.html


So I just wanted to know if maybe this is supported in Muscle, to help me implement it in OpenSC or maybe to make me go to Muscle. What are the main differences between Muscle and OpenSC? I have heard Muscle has some limitations regarding my "cryptographic needs"? Sorry to bother you...


http://www.inf.tu-dresden.de/~ko189283/MuscleCard/MCardAppletChanges.html

I don't know how fast you need a solution, but this will be ready in some time. (The garbage collection does not work at the moment; aside from this everything is functional.) Look in the section ComputeCrypt to see the supported cipher and signature algorithms. Also the rest should give an insight into what the applet can do.
Look in the section TODO, where I propose another solution instead of the OpenPlatform Secure Channel protocol.
Elliptic curves are also still missing. With some time I will include the code, but I know of no card which supports EC.

But note: how much memory does the JCOP21id card have? Does it support garbage collection? Because of the memory limitation it will not be possible to allow all algorithms.

Karsten



thanks very much

regards

dejan gambin

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karsten Ohme
Sent: Monday, August 22, 2005 11:14 PM
To: MUSCLE
Subject: Re: [Muscle] JCOP21id with secure messaging support


Gambin Dejan wrote:



Hi,

I would like to know if JCOP21id is fully supported by Muscle regarding the secure messaging/channel requirement. Is this protocol implemented in Muscle? If it is, where in the code?


No.




I have a number of JCOP21id cards that I need to fully support.


What is your task?

You want to use the secure channels? What does "need" mean? Are the integrity and confidentiality really important? Is the card user the same as the card issuer? (Otherwise this does not work, because the user has access to the secret keys of the card issuer and can install untrusted applications. Aside from this, this means that the user has to enter these secret keys every time, or at least a pass phrase for the encryption of the keys (if these keys are stored encrypted on a medium) (storing these keys in plain text would violate any idea of this system), at each computer system, at the keyboard. In an untrusted environment the system knows the keys and the whole secure channel system is broken ...)

If you are adept with this technology then you certainly know all the above things and an adaptation of MuscleCard is possible.

Karsten




thanks very much

regards, dejan

_______________________________________________
Muscle mailing list
[email protected] http://lists.drizzle.com/mailman/listinfo/muscle

