Christmas is coming!

To celebrate the new year and thank for the support from all our dear customers, Christmas promotional activity is being held in JavaCardOS online store.

During the event, you can enjoy many promotional activities - High Discount on JavaCardOS products,Lucky Draw,Double forum Points.

Come to choose your own Christmas gift and try your luck now!

Enhancing security and authenticity on JavaCardOS offered products

Card Products

Moderator: horse dream

tay00000
Posts: 112
Joined: Tue Sep 27, 2016 10:58 am
Points: 1458
Contact:

Enhancing security and authenticity on JavaCardOS offered products

Postby tay00000 » Fri Jul 14, 2017 9:13 pm

I would like to recommend a value-add for all JavaCard manufacturers to consider implementation on all it's cards to enhance security and authenticity of applets deployed on the cards.

Attesting to whether a symmetric or asymmetric key is generated on a particular card is difficult as there is no mechanism that can be used to identify as needed that a key is created from a particular card when such attestation is needed. The Trusted Platform Module (TPM) has a mechanism that does that which is called the Direct Anonymous Attestation protocol where the TPM's EK embedded into the TPM is used to attest for keys generated by the TPM when required to proof that keys are minted by a particular TPM as described in a very generic sense.

Similarly, there is no way to proof that a particular key is created from a particular smart card in the public offering and this enhancement can be done by a Card Authenticity Applet (CAA) that can be called by RMI methods between applets.

The CAA applet will hold a single uniquely generated ECDSA P256 keypair as it's identity called it's Card Identity Key (CIK). The private part of the CIK must be generated randomly with the card's own Secure Random RNG and only the public part of the CIK is to be extract for endorsement and verification. The card's unique P-256 public key will be signed by a JavaCard manufacturer or card issuer own's P-256 keypair (inside a HSM) and the card manufacturer or issuer will host a Certificate Authority with their own P-256 key. The issuer/manufacturer's key is the Endorsement Key (EK) to endorse cards manufacturer by them by using their EK to sign the CIK.

Any card applet installed inside the card requiring a certification will call the CAA applet and ask for the CIK to sign their public keys or keyhashes and generate a CIK Attestation Certificate which can be used to proof that the key is minted from a unique card. The entire certificate attestation chain can be traced from the EK to the CIK to the CIK Attestation Certificate and thus ensuring that keys are unique and trusted.

Return to “Card Products”

Who is online

Users browsing this forum: No registered users and 1 guest

JavaCard OS : Disclaimer