Just scratching the surface

JavaCard Applet Development Related Questions and Answers.

Post by carharttguy » Thu May 18, 2017 10:53 am

Hello

I'm a student in applied computer science. We learned a little about encryption/SSL/certificate/hashing etc. I am really interested in this subject and want to research it further. In Belgium (where I'm from) everybody carries an electronic ID card (which is a JavaCard). As I study Computer and Cyber crime (a sub course within applied computer science), I would like to know how I could play with these things or let them do unexpected things.

A few questions:
I have a Belgian ID card and managed to find out some details: It's a Cryptoflex JavaCard 32K, equipped with a 16 bit microcontroller (Infineon SLE66CX322P) and an additional crypto processor (for RSA and DES computations). The card has ROM, EEPROM and RAM. The Belpic Java Applet is handling all communications with the outside world.

Every Belgian has some middleware software installed on his/her computer. As I understand, the middleware sends commands to the JavaCard, and the JavaCard responds with data (like the name of the citizen, photo file, birthdate, etc.).

What I am interested in: could I write a JavaCard applet that mimics a Belgian ID card? I'm not talking about logging in to online taxes via a mimicked ID, but about the most simple thing the middleware does, which is extracting data that is also printed physically on the card.

Could I trick the middleware into thinking it is talking to a genuine JavaCard (the Belpic Java Applet), while it is instead communicating with a self-created Java applet that just writes back self-chosen data?

Also: how do I find out the JavaCard version? And what is good hardware to 'upload' java applets to a blank card?

Thanks for your time/knowledge

Sorry if I'm asking too many questions, I'm just really intrigued by how this stuff works and how it could be 'exploited', as a lot of Belgian services just rely on identification (and not on authorisation by PIN), which looks like a major design flaw to me.

Re: Just scratching the surface

Post by UNKNwYSHSA » Thu May 18, 2017 11:22 pm

1. You can't pass the authentication and the communication MAC verification. They are all based on secure keys; the most important thing is how to get the secure key.
2. You can only clone another person's card, because his (her) card is registered in the server system. If you create your own card with your private data, the server cannot know you.
3. If the card is only an ID card, just like this card in the store, you can look for a cloneable ID card and clone another's ID to your ID card. But it is not so simple to use the ID card.
4. There will be many troubles if you do that: law, technique, ...
sense and simplicity
