Open Platform on Java Card
Introduction by Ingeborg Sandow

Content
• Specifications
• Overview
• Card Architecture
• Card Manager Tasks
• Security Domain Tasks
• Functionality of Provider Security Domains
• Life Cycle Models
• APDU-Interface Card Manager
• OP API

Specifications
• Open Platform Card Specification Version 2.0.1’
• GlobalPlatform Card Specification Version 2.1
available at:
• www.visa.com
• www.globalplatform.org

Card Manager Tasks
• Loading, installation and deletion of applications
• Realization of the Card Issuer's security with the support of a security domain
• Performing access checks on card global data
• Check of application privileges
• Administration of life cycles

Security Domain Tasks
• Realization of the cryptographic functionality
• Key administration: methods for the personalization of the Card Manager, i.e. loading of keys
• Cryptographic support for Load File DAPs, for Secure Messaging, and for the loading of keys

Functionality of Provider Security Domains
Standard Provider Security Domain
• Methods supporting the loading of keys
• Implementation of the Secure Messaging
Provider Security Domain with DAP verification privilege
• Performing the verification of the Load File Data Block Data Authentication Pattern(s)
Provider Security Domains with Delegated Management privilege
• Security domains with the privilege to load, install and delete applications

Life Cycle Models (1): Card Manager Life Cycle
• OP_READY
• INITIALIZED
• SECURED
• CM_LOCKED
• TERMINATED

Life Cycle Models (2): Load File Life Cycle
• LOADED
• DELETED (logically or physically)

Life Cycle Models (3): Application Life Cycle
• INSTALLED
• SELECTABLE
• PERSONALIZED
• DELETED (logically or physically)
• BLOCKED
• LOCKED

APDU-Interface Card Manager
• Administrative: SELECT
• Secure Channel: INITIALIZE UPDATE, EXTERNAL AUTHENTICATE
• Card Content Management: DELETE, GET DATA, PUT DATA, GET STATUS, INSTALL, LOAD, PUT KEY
• PIN: PIN CHANGE/UNBLOCK
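
The command groups above can be used to audit a recorded APDU trace. The following is an added example, not part of the original slides or of the Open Platform specifications: it classifies commands by INS byte and reports content-management commands that arrive without a completed INITIALIZE UPDATE / EXTERNAL AUTHENTICATE pair. The audit policy, the names `audit_trace`, `SENSITIVE` and `SAMPLE_TRACE`, and all trace bytes are assumptions constructed for illustration.

```python
# Added example: audit an APDU trace against the Card Manager command groups.
# INS values are those defined by the Open Platform / GlobalPlatform card specs.
INS_NAMES = {
    0xA4: "SELECT", 0x50: "INITIALIZE UPDATE", 0x82: "EXTERNAL AUTHENTICATE",
    0xE4: "DELETE", 0xCA: "GET DATA", 0xDA: "PUT DATA", 0xF2: "GET STATUS",
    0xE6: "INSTALL", 0xE8: "LOAD", 0xD8: "PUT KEY", 0x24: "PIN CHANGE/UNBLOCK",
}
# Assumed audit policy (not stated on the slides): these commands change card
# content, keys or the PIN and are expected only inside an authenticated session.
SENSITIVE = {"DELETE", "PUT DATA", "INSTALL", "LOAD", "PUT KEY", "PIN CHANGE/UNBLOCK"}

def audit_trace(trace):
    """trace: list of (command_apdu_hex, status_word_hex); returns findings."""
    findings = []
    state = "NONE"  # NONE -> INIT_DONE -> AUTHENTICATED
    for index, (cmd_hex, sw_hex) in enumerate(trace):
        cmd = bytes.fromhex(cmd_hex)
        if len(cmd) < 4:  # CLA INS P1 P2 is the minimum header
            findings.append((index, "MALFORMED", "header shorter than 4 bytes"))
            continue
        name = INS_NAMES.get(cmd[1], "UNKNOWN INS %02X" % cmd[1])
        ok = sw_hex.upper() == "9000"
        if name == "SELECT":
            state = "NONE"  # assumption: a new selection ends any open session
        elif name == "INITIALIZE UPDATE":
            state = "INIT_DONE" if ok else "NONE"
        elif name == "EXTERNAL AUTHENTICATE":
            if state == "INIT_DONE" and ok:
                state = "AUTHENTICATED"
            else:
                findings.append((index, name, "failed or out of sequence"))
                state = "NONE"
        elif name in SENSITIVE and state != "AUTHENTICATED":
            findings.append((index, name, "sent outside a secure channel"))
    return findings

# Constructed sample trace; the AIDs, challenge and cryptogram bytes are made up.
SAMPLE_TRACE = [
    ("00A4040007F0010203040506", "9000"),        # SELECT
    ("80E400000A4F08F001020304050607", "6982"),  # DELETE before authentication
    ("80500000081122334455667788", "9000"),      # INITIALIZE UPDATE
    ("8482000010" + "00" * 16, "6300"),          # EXTERNAL AUTHENTICATE rejected
    ("80500000081122334455667788", "9000"),      # INITIALIZE UPDATE (retry)
    ("8482000010" + "AB" * 16, "9000"),          # EXTERNAL AUTHENTICATE accepted
    ("80D8000103010203", "9000"),                # PUT KEY inside the session
]

if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_TRACE):
        print(finding)
```

Classification uses the INS byte only; the CLA byte and secure messaging MACs are not checked.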

OP API OPSystem (1)
• Life Cycle administration
The Card Manager Life Cycle can be accessed by applications with special privileges. Such an application can use the methods getCardManagerState(), lockCardManager() and terminateCardManager(). The application can get/modify its own state via getCardContentState() and setCardContentState().
• ATR
The historical bytes of the Answer To Reset (ATR) can be changed with setATRHistBytes().

OP API OPSystem (2)
• PIN check
The card global PIN inside the Card Manager is addressed by getTriesRemaining(), setPin() and verifyPin().
• Access a ProviderSecurityDomain
An application can obtain access to its (Provider) SecurityDomain using the method getSecurityDomain().

OP API ProviderSecurityDomain (1)
• Authentication
An external authentication can be verified with the method verifyExternalAuthenticate(), which uses the APDU buffer for the input parameters.
• Key management
Key loading is supported by the method decryptVerifyKey(). The key(s) contained in a PUT_KEY APDU is/are decrypted and the key verification value is checked. If the check was successful, true is returned.

OP API ProviderSecurityDomain (2)
• Secure Messaging
1. The secure session starts by setting up a secure channel via openSecureChannel().
2. Encrypted APDUs are decrypted by the method unwrap().
3. At the end, the derived secure messaging keys are discarded inside the method closeSecureChannel().