
new A40CR & digital signature

JavaCard Applet Development Related Questions and Answers.

Re: new A40CR & digital signature

Post by fishsoup » Thu Jul 07, 2016 6:06 am

BR sorry for being incomprehensible,

Normally (I don't know what the A40 cards do), when a key is generated, it is done on the secure element or coprocessor of the platform. The platform handles loading and storing of the key from the coprocessor to NVRAM (usually by wrapping it with some transport key). In this model, the PrivateKey object doesn't contain the private key, only a reference to a key that is stored elsewhere. Some vendors choose to implement this functionality in a separate package which can be instantiated multiple times so that different applets have different transport keys.

One such card that works this way is the NXP J3A081 (there are many others). They ship from the factory with ISD A000000003000000, a package A0000000035350, with an applet A000000003535041. The applet A000000003535041 implements the default secure storage for keys.

If you delete the A000000003535041 applet from the card, the card behaves in exactly the same way as these A40 cards do:

1) attempts to use RSA keys throw ILLEGAL_USE.
2) using the workaround above, RSA keys then work.

The work-around reads the secret P and Q values of the key from the coprocessor and places them back into the PrivateKey. Now the PrivateKey object, instead of holding an opaque reference to the key, actually contains the secret key data. [Some platforms claim that they will write the key back into the secure element and replace it with an opaque object at this point, I can't find any statements about what the A40 cards do] Nevertheless the private key is exposed as a byte array in the applet and thus the JVM, rather than only ever being handled encrypted.

Given that I can reproduce the exact same problem with the J3A081 card by deleting the applet that implements the secure key storage, I wondered if the problem with the Feitian A40 cards was that they were missing the applet that implemented secure key storage.

James.
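The workaround James describes, as an added JavaCard applet sketch (not code from this thread, from Feitian or from NXP): it assumes a 1024-bit RSA CRT key pair, the ALG_RSA_SHA_PKCS1 signature algorithm, and hypothetical INS codes 0x01/0x02 for generate and sign. Reading each CRT component out and writing it straight back is exactly the step that turns the opaque key reference into plain key bytes held by the applet.

```java
import javacard.framework.*;
import javacard.security.*;

// Constructed illustration of the workaround described in the post: the CRT components of a freshly
// generated RSA key are read out of the key object and written straight back, after which the
// PrivateKey holds raw key bytes instead of an opaque reference into the secure element.
public class CrtReimportDemo extends Applet {
    private static final byte  INS_GENERATE = (byte) 0x01;  // hypothetical INS codes for this demo
    private static final byte  INS_SIGN     = (byte) 0x02;
    private static final short COMP_LEN     = 64;           // one CRT component of a 1024-bit key
    private final KeyPair   keyPair;
    private final Signature sig;
    private final byte[]    scratch;  // transient, so the plain components at least do not persist in NVRAM

    private CrtReimportDemo() {
        keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_1024);
        sig     = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        scratch = JCSystem.makeTransientByteArray((short) (5 * COMP_LEN), JCSystem.CLEAR_ON_DESELECT);
        register();
    }
    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new CrtReimportDemo();
    }

    // The workaround itself: each getX() copies a secret component into applet RAM in the clear,
    // and each setX() stores it back into the key object as plain data rather than as a reference.
    private void reimportCrtComponents(RSAPrivateCrtKey priv) {
        priv.setP  (scratch, (short) 0,              priv.getP  (scratch, (short) 0));
        priv.setQ  (scratch, COMP_LEN,               priv.getQ  (scratch, COMP_LEN));
        priv.setDP1(scratch, (short) (2 * COMP_LEN), priv.getDP1(scratch, (short) (2 * COMP_LEN)));
        priv.setDQ1(scratch, (short) (3 * COMP_LEN), priv.getDQ1(scratch, (short) (3 * COMP_LEN)));
        priv.setPQ (scratch, (short) (4 * COMP_LEN), priv.getPQ (scratch, (short) (4 * COMP_LEN)));
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_GENERATE:
            keyPair.genKeyPair();
            reimportCrtComponents((RSAPrivateCrtKey) keyPair.getPrivate());
            Util.arrayFillNonAtomic(scratch, (short) 0, (short) scratch.length, (byte) 0);  // wipe the copies
            break;
        case INS_SIGN:
            short inLen = apdu.setIncomingAndReceive();
            sig.init(keyPair.getPrivate(), Signature.MODE_SIGN);
            apdu.setOutgoingAndSend((short) 0, sig.sign(buf, ISO7816.OFFSET_CDATA, inLen, buf, (short) 0));
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
}
```

On a card with the secure key storage applet present the re-import is unnecessary; where it is needed, the wipe of the transient copy limits how long the bytes linger, but the key object itself now carries the secret data, which is the exposure the post warns about.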


Re: new A40CR & digital signature

Post by JavaCardOS » Fri Jul 08, 2016 8:08 am

Hi @fishsoup,

Thank you very much for your thorough explanation! It gives us a brand new idea about secure key storage.

We have contacted our card provider FEITIAN; they think that the content you mentioned and the problem vletoux experienced are not the same.

And they also much appreciate your reply and opinion. Thanks again!
