On Thu, Oct 11, 2001 at 03:27:49PM +0200, Adrian Muscalu wrote:
> Hi,
> Please excuse my ignorance, I am not very familiar with smartcard
> programming stuff; I'm not even sure that this list is the right place to
> post my questions... but I'll do it anyway.
> Here are the facts: my boss gave me a smartcard reader (CardMan 2011), a
> card (probably a memory card) and told me to make an application using
> CT-API that should first verify an user input pin with the one stored on the
> card.
> At a glance seems very tricky for me because I just managed to play with
> with CT_init, CT_close and CT_data methods.
> To het to the point:
> 1) How can I perform a pin validation?
There are cards functions (Verify) to validate the PIN.
> 2) Can I retrieve the PIN and make a comparison by myself with the user
> enetered one or is the card that makes it?
You probably can't. If you can, then the card has been improperly
setup / configured / programmed and should not be trusted.
> 3) The card seems to have stored in it three cryptographic keys. How can I
> get them?
See answer to #2. The whole point of using smart cards is to be
able to store and use data on them with no chance of compromise from having
the data copied off the card.
Both the PIN and the keys should be writeable under proper
circumstances but never readable. Both should also be verifiable
using appropriate card functions.
I don't know what card you have so I'll tell you what I have with
my cyberflex cards.
By default, the card comes with a PIN file and a key file and the
key file has space for three keys. The first key (Key 0) is the factory
key and nobody has that outside of the factory. The second key (Key 1)
is the "transport key". You normally get a slip of paper with your
cards, when you order blank cards, containing that key. The third key
(Key 2) is empty. As initially defined, three failed AUTH attempts
against a given key will lock that key out and disable it. The only
way to reenable it is to pass that AUTH check using one of the other
keys and then re-enable that key. Once you have passed an AUTH check,
you can overwrite any of the three keys. The AUTH check can be either
a DES challenge response using the key or can be a simple (and less
secure) key comparison by providing the key to the card (but you can
never get the key from the card) for the card to compare with the
value it holds. If you lock out Key 1 (the transport key) and haven't
assigned new alternate values for Key 0 or Key 2, then the card is
probably toast.
Similar lock-outs occur on the PIN file. But you can reset a
lockout on the PIN file if you pass the AUTH check against the key file.
But not the other way around.
Access to other files on the card may depend on whether you have
passed a PIN check or an AUTH check.
> If if has any relevance, I'll use Windows NT and Java/JNI/C++
It has relevance in a negative sort of way. This is the list
for Linux smart card development (hence the sclinux name).
Sounds like you need a lot of the basics...
Smart Card Developer's Kit
Scott B. Guthery & Timothy M. Jurgensen
MacMillan Technical Publishing
ISBN: 1-57870-027-2
Comes with software and a smart card.
> Thank you in advance for your help,
> Adrian
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
***************************************************************
Unix Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/
To unsubscribe send an email to [EMAIL PROTECTED] with
unsubscribe sclinux
***************************************************************
