Just scratching the surface
Posted: Thu May 18, 2017 10:53 am
Hello
I'm a student in applied computer science. We learned a little about encryption/SSL/certificates/hashing etc. I am really interested in this subject and want to research it further. In Belgium (where I'm from) everybody carries an electronic ID card (which is a JavaCard). As I study Computer and Cyber Crime (a sub-course within applied computer science), I would like to know how I could play with these things or let them do unexpected things.
A few questions:
I have a Belgian ID card and managed to find out some details: It's a Cryptoflex JavaCard 32K, equipped with a 16 bit microcontroller (Infineon SLE66CX322P) and an additional crypto processor (for RSA and DES computations). The card has ROM, EEPROM and RAM. The Belpic Java Applet is handling all communications with the outside world.
Every Belgian has some middleware software installed on his/her computer. As I understand it, the middleware sends commands to the JavaCard, and the JavaCard responds with data (like the name of the citizen, photo file, birthdate, etc.).
What I am interested in: could I write a JavaCard applet that mimics a Belgian ID card? I'm not talking about logging in to online taxes via a mimicked ID, but the most simple thing the middleware does is extracting data that is also printed physically on the card.
Could I trick the middleware into thinking it is talking to a genuine JavaCard (the Belpic Java Applet), when it is instead communicating with a self-created Java applet that just writes back self-chosen data?
Also: how do I find out the JavaCard version? And what is good hardware to 'upload' java applets to a blank card?
Thanks for your time/knowledge
Sorry if I'm asking too many questions, I'm just really intrigued by how this stuff works and how it could be 'exploited', as a lot of Belgian services just rely on identification (and not on authorisation by PIN), which looks like a major design flaw to me.