Just scratching the surface
- Posts: 2
- Joined: Thu May 18, 2017 10:36 am
- Points :24
Hello
I'm a student in applied computer science. We learned a little about encryption/SSL/certificate/hashing etc. I am really interested in this subject and want to research it further. In Belgium (where I'm from) everybody carries an electronic ID card (which is a JavaCard). As I study Computer and Cyber crime (a sub course within applied computer science), I would like to know how I could play with these things or let them do unexpected things.
A few questions:
I have a Belgian ID card and managed to find out some details: It's a Cryptoflex JavaCard 32K, equipped with a 16-bit microcontroller (Infineon SLE66CX322P) and an additional crypto processor (for RSA and DES computations). The card has ROM, EEPROM and RAM. The Belpic Java Applet is handling all communications with the outside world.
Every Belgian has some middleware software installed on his/her computer. As I understand, the middleware sends commands to the JavaCard, and the JavaCard responds with data (like the name of the citizen, photo file, birthdate, etc.).
What I am interested in: could I write a JavaCard applet that mimics a Belgian ID card? I'm not talking about logging in to online taxes via a mimicked ID, but the most simple thing the middleware does, which is extracting data that is also printed physically on the card.
Could I trick the middleware into thinking it is talking to a genuine JavaCard (the Belpic Java Applet), while it is instead communicating with a self-created Java Applet that just writes back self-chosen data?
Also: how do I find out the JavaCard version? And what is good hardware to 'upload' java applets to a blank card?
Thanks for your time/knowledge
Sorry if I'm asking too many questions, I'm just really intrigued by how this stuff works and how it could be 'exploited', as a lot of Belgian services just rely on identification (and not on authorisation by PIN), which looks like a major design flaw to me.
- UNKNwYSHSA
- Posts: 630
- Joined: Thu May 21, 2015 4:05 am
- Points :3055
Re: Just scratching the surface
1 You can't pass the authentication and the communication MAC verification. They are all based on secure keys; the most important thing is how to get the secure key.
2 You can only clone other people's cards, because his (her) card is registered in the server system. If you create your own card with your private data, the server cannot know you.
3 If the card is only one ID card, just like this card in the store, you can look for a cloneable ID card, and clone another's ID to your ID card. But it is not so simple to use the ID card.
4 There will be many troubles if you do that: law, technique, ...
sense and simplicity