Our Online Store have the new products: RFID antenna board. Currently it can work with JC10M24R and JCOP4 card chips.
Compared with normal cards, the antenna board module has a smaller size and fixed holes, which is easy to integrate in the IOT(Internet Of Things) project.

Enhancing security and authenticity on JavaCardOS offered products

Card Products

Moderator: horse dream

tay00000
Posts: 161
Joined: Tue Sep 27, 2016 10:58 am
Points :2324
Contact:

Enhancing security and authenticity on JavaCardOS offered products

Post by tay00000 » Fri Jul 14, 2017 9:13 pm

I would like to recommend a value-add for all JavaCard manufacturers to consider implementation on all it's cards to enhance security and authenticity of applets deployed on the cards.

Attesting to whether a symmetric or asymmetric key is generated on a particular card is difficult as there is no mechanism that can be used to identify as needed that a key is created from a particular card when such attestation is needed. The Trusted Platform Module (TPM) has a mechanism that does that which is called the Direct Anonymous Attestation protocol where the TPM's EK embedded into the TPM is used to attest for keys generated by the TPM when required to proof that keys are minted by a particular TPM as described in a very generic sense.

Similarly, there is no way to proof that a particular key is created from a particular smart card in the public offering and this enhancement can be done by a Card Authenticity Applet (CAA) that can be called by RMI methods between applets.

The CAA applet will hold a single uniquely generated ECDSA P256 keypair as it's identity called it's Card Identity Key (CIK). The private part of the CIK must be generated randomly with the card's own Secure Random RNG and only the public part of the CIK is to be extract for endorsement and verification. The card's unique P-256 public key will be signed by a JavaCard manufacturer or card issuer own's P-256 keypair (inside a HSM) and the card manufacturer or issuer will host a Certificate Authority with their own P-256 key. The issuer/manufacturer's key is the Endorsement Key (EK) to endorse cards manufacturer by them by using their EK to sign the CIK.

Any card applet installed inside the card requiring a certification will call the CAA applet and ask for the CIK to sign their public keys or keyhashes and generate a CIK Attestation Certificate which can be used to proof that the key is minted from a unique card. The entire certificate attestation chain can be traced from the EK to the CIK to the CIK Attestation Certificate and thus ensuring that keys are unique and trusted.

Who is online

Users browsing this forum: No registered users and 16 guests

JavaCard OS : Disclaimer