How To: Prevent communication over ISO14443 on a dual-interface card

[tay00000]

This is a HOW-TO on preventing communication over ISO14443 interface on a dual-interface card in an event you do not want to receive APDUs over ISO14443. Security issues might arise if anyone is given free access to ISO14443 contactless interface. In the event where you absolutely do not want someone to probe your applet over ISO14443 interface, this code snippet would prevent it from happening before any further APDUs can be issued over ISO14443 interface. There are encryption and authentication channels (i.e. SCP Secure Messaging) but it is better to simply deny access to your precious applet in the first place.

How the code snippet works is during the applet selection phase, the applet will go through a condition to check for ISO14443A/B interface and if it detects an ISO14443A/B interface, it will simply call it's own deselect() to deselect itself and prevent further access into it's APDU processing. This simply stops all attacks against the particular applet (save for deleting the applet via default GP keys over ISO14443) by not allowing applet selection over an "unwelcomed" interface (ISO14443).

Do note that you have to carefully use this code snippet by ensuring that your card has a contact interface to use otherwise blocking a contactless interface when your card only has a single access method via contactless (i.e. JC10M24R - only contactless interface) can be a nuisance.

The code snippet presented below have been tried and tested over an NXP JCOP dual interface card and works very quickly and well.

Code: Select all

public void process(APDU apdu) {
    if (selectingApplet()) {
        // Checks if APDU protocol is over ISO14443A/B contactless interface
        if (((byte) (APDU.getProtocol() & APDU.PROTOCOL_MEDIA_MASK) == APDU.PROTOCOL_MEDIA_CONTACTLESS_TYPE_A)
                    || ((byte) (APDU.getProtocol() & APDU.PROTOCOL_MEDIA_MASK) == APDU.PROTOCOL_MEDIA_CONTACTLESS_TYPE_B)) {
            // Deselects itself to prevent connection from ISO14443A/B contactless interface for security reasons
            deselect();
        } else {
            // Allows connection since it's not ISO14443A/B interface
            return;
        }
    }
}

[tay00000]

A sample use case for this method:
- Dual-interface card for office door access applet with email and document signing applet in same card.
- Door access via ISO14443 but email and document signing should not be conducted over ISO14443 due to the sensitive nature of email and document security.
- Door access applet allows ISO14443 while email and document signing applet denies ISO14443 using the above code snippet.
- Prevents Denial-of-Service over ISO14443 against email and document signing applet (i.e. proximity sending of fake PINs to block the email and document signing applet)
- Prevents leaking of sensitive email and document information over ISO14443 that can be sniffed from proximity while using email and document signing applet.

[Thelogan]

Very useful method! Thanks!

[Joevictor]

Thx for your article as I am right in need of the similar method.

[marjkbadboy]

It is a nice topic. Thanks

[marjkbadboy]

It is a nice topic. Thanks