Here are some default transport keys for empty (factory issued) Mifare Classic tags.
ffffffffffff
a0b0c0d0e0f0
a1b1c1d1e1f1
a0a1a2a3a4a5
b0b1b2b3b4b5
4d3a99c351dd
1a982c7e459a
000000000000
d3f7d3f7d3f7
aabbccddeeff
Since MIFARE Classic has been hacked time and again, it should be used for prototyping and experimenting only. Roel Verdult of Radboud Uni. has a good lecture on "classic mistakes" :)
Wednesday 8 December 2010
RFID Sniffer
Keep your key cards close and wrapped in tin foil, hackers are out and about armed with RFID Sniffers ;)
More on the sonMicro 13.56MHz reader module here and here.
More on the sonMicro 13.56MHz reader module here and here.
Wednesday 1 December 2010
G&D microSD cryptocontroller
A new microSD card containing a secure element and cryptocontroller has been released by G&D. It supports ECC up to 521 bits (F_p, I assume, and not F_2m), AES-256 and SHA-512. The main functionality is strong authentication to allow secure phone calls.
Note: authentication is all well and good, but the security chain is only as strong as its weakest link.The main problem with open systems and mobile/ad hoc clients is key management, and I have yet to come across a practical, secure and dynamic solution in the Secure Voice market.
Note: authentication is all well and good, but the security chain is only as strong as its weakest link.The main problem with open systems and mobile/ad hoc clients is key management, and I have yet to come across a practical, secure and dynamic solution in the Secure Voice market.
Tuesday 30 November 2010
New developments
The contactless sector has now reached the start of the snowball phase, with several NFC pilot projects being announced weekly, new NFC devices being released (Inside Contactless, Infineon and G&D partnership) bi-weekly, and new TSM service providers and brokers (Ericsson IPX: TSM) going public once a month.
Huge multinational customers are finally getting in on the action (Coca-Cola, Disney, Barclays, and many more).
If the current trend continues, I predict (based on my impressions, for what they're worth) further linear growth in R&D and market size until end Q2 2011. In the next two years we'll see most of the innovation taking place; market penetration rate should reach its peak at the end of 2012. I look forward to revisiting this prediction :)
Huge multinational customers are finally getting in on the action (Coca-Cola, Disney, Barclays, and many more).
If the current trend continues, I predict (based on my impressions, for what they're worth) further linear growth in R&D and market size until end Q2 2011. In the next two years we'll see most of the innovation taking place; market penetration rate should reach its peak at the end of 2012. I look forward to revisiting this prediction :)
Monday 29 November 2010
SWP-enabled SIM cards
SWP support is slowly becoming more widespread among mobile phone vendors, but there are almost no NFC-enabled SWP UICCs to be found. Gemalto has come up with their own SWP&NFC UICC prototype for a pilot study in Singapore. Note that WatchData (SIMPass) and Bladox (Waver) have been doing similar product development but without the SWP functionality. In fact, WatchData argues that SWP is overrated and unattractive for handset vendors.
I think Bladox will be - for the near future - a better choice than Gemalto from the viewpoint of small startups who are looking to source NFC-enabled SIM cards.
Edit 2011-01-05:
On Track Innovations now also offers an NFC-enabled SIM+antenna. No other information e.g. SWP support.
I think Bladox will be - for the near future - a better choice than Gemalto from the viewpoint of small startups who are looking to source NFC-enabled SIM cards.
Edit 2011-01-05:
On Track Innovations now also offers an NFC-enabled SIM+antenna. No other information e.g. SWP support.
Saturday 27 November 2010
Java Card applets access via web page, JavaScript and javax.smartcardio
Springcard blog describes an interesting way to access smart cards: via web browser, JavaScript and javax.smartcardio (PC/SC reader).
I'm in some doubt as to the usefulness of this... after all, a smart card is a trusted portable device and tying it down (leaving it in the reader connected to a PC) and making it directly accessible to the whole world via the internet (even if the webpage requires authentication) makes no sense.
Certainly, you could use this way for a mockup or demo where you need to authenticate directly to some TPM or HSM. But I don't see any commercial use-cases for this yet.
I'm in some doubt as to the usefulness of this... after all, a smart card is a trusted portable device and tying it down (leaving it in the reader connected to a PC) and making it directly accessible to the whole world via the internet (even if the webpage requires authentication) makes no sense.
Certainly, you could use this way for a mockup or demo where you need to authenticate directly to some TPM or HSM. But I don't see any commercial use-cases for this yet.
Tuesday 26 October 2010
Contactless card + GUI = killer app.
This device from Toppan is a smart card with a built-in GUI: screen and buttons. It's not clear whether the card has on-board battery or whether the GUI is active only when the card is in the reader field. (Image used without permission.)
Tuesday 31 August 2010
Nokia 6131/6212 - Crypto Capabilities
It looks like the secure chip in the Nokia NFC phones does not support Elliptic Curve Cryptography - RSA works fine though. I've tried to create ECC keypairs using NIST curve specifications SECP160K1 and SECT163K1 but the response is 0x6F03 (no such algorithm). However the latter curve does work (signature generation and verification OK) on my single and dual interface smart cards (JCOP20/JCOP30).
In my previous post I saw that the COS for the Nokia 6131 NFC is G&D SmartCafe Expert 3.1 In G&D's sparse public documentation and SmartCafe Expert 3.1 flyer only RSA is mentioned so I conclude ECC is definitely not supported. As an interesting side note, the flyer says the COS is JavaCard 2.2.1 compliant - which confirms a conclusion in an earlier post.
Since there are so few other mobiles with NFC I guess we'll have to wait for microSD cards with embedded NFC and secure elements which support ECC.
In my previous post I saw that the COS for the Nokia 6131 NFC is G&D SmartCafe Expert 3.1 In G&D's sparse public documentation and SmartCafe Expert 3.1 flyer only RSA is mentioned so I conclude ECC is definitely not supported. As an interesting side note, the flyer says the COS is JavaCard 2.2.1 compliant - which confirms a conclusion in an earlier post.
Since there are so few other mobiles with NFC I guess we'll have to wait for microSD cards with embedded NFC and secure elements which support ECC.
Secure Chip Identifier List
Useful resource: a list of ATR/ATS for secure chip ICs and their COSs. Mirror here.
From the list:
Edit: Rousseau also hosts a free Python ATR parsing service based on the list above.
I also found "Visa Approved Visa GlobalPlatform Card Products as of December 2007" which indicates the COS and IC vendor on VISA certified secure chips.
More (albeit slightly off-topic): "Visa Approved, Visa Smart Debit Credit (VSDC) Chip Cards as of December 2007"
A list of VISA-related documents can be found here (thanks to TwinTech and Google Translate).
From the list:
3B 88 80 01 00 73 C8 40 13 00 90 00 71 Nokia 6131 NFC phone http://wiki.forum.nokia.com/index.php/Nokia_6131_NFC_-_FAQs Giesecke & Devrient’s (G&D) Sm@rtCafé Expert 3.1
3B 8D 80 01 0D 78 80 84 02 00 73 C8 40 13 00 90 FF F8 Nokia 6212 phone seen as NFC device
Edit: Rousseau also hosts a free Python ATR parsing service based on the list above.
I also found "Visa Approved Visa GlobalPlatform Card Products as of December 2007" which indicates the COS and IC vendor on VISA certified secure chips.
More (albeit slightly off-topic): "Visa Approved, Visa Smart Debit Credit (VSDC) Chip Cards as of December 2007"
A list of VISA-related documents can be found here (thanks to TwinTech and Google Translate).
Wednesday 4 August 2010
Updated: JCOP feature info
Tracking back to a previous post where I listed features of NXP JCOP: NXP's linecard for PKI processors has been updated to document 75016728, including a new section about JCOP J2A and J3A (page 10).
Tuesday 3 August 2010
Machine Readable Travel Documents
While hunting for info about file systems on Java Card I came across this very useful reference implementation of the ICAO MRTD standard by Radboud Uni. It demonstrates (among other things) how to wrap and unwrap SCP02 protected APDUs and how to chain object and byte arrays into a very rudimentary file system (see FileSystem.java).
Wednesday 30 June 2010
PC/SC and contactless card ATS
I was recently puzzled by the different ATS values returned by my Omnikey Cardman 5321 (connected to PC) and my NXP PN531 (connected to embedded system). I tried with both the Nokia 6131 NFC and an NXP JCOP31 smart card; here's what the output looked like (all hex):
Nokia 6131 ...
... with PN531:
... and with Cardman 5321:
Smart card:
... with PN531:
After scratching my head for a while I gave in and RTFM for the Cardman reader. And I was reminded again that glossing over details is never good, because in fact ATS != ATR. The PC/SC standard (PC/SC v2.01 “Interoperability Specification for ICCs and Personal Computer Systems”) requires that the driver convert the received ATS to an ATR.
The PC/SC specifications can be downloaded here.
Nokia 6131 ...
... with PN531:
SENS_RES 0200
SEL_RES 38
NFCIDLENGTH 4
NFCID1 5039F5A8
ATS 0D 78 80 84 02 00 73 C8 40 13 00 90 00 .x....s.@....
... and with Cardman 5321:
(same NFCID1)
ATR 3B 88 80 01 00 73 C8 40 13 00 90 00 71
Smart card:
... with PN531:
SENS_RES 0400... and with Cardman 5321:
SEL_RES 28
NFCIDLENGTH 4
NFCID1 E0742A86
ATS 0D 38 33 B1 4A 43 4F 50 33 31 56 32 32 .83.JCOP31V22
(again, NFCID1 is similar)
ATR 3B 89 80 01 4A 43 4F 50 33 31 56 32 32 4A
After scratching my head for a while I gave in and RTFM for the Cardman reader. And I was reminded again that glossing over details is never good, because in fact ATS != ATR. The PC/SC standard (PC/SC v2.01 “Interoperability Specification for ICCs and Personal Computer Systems”) requires that the driver convert the received ATS to an ATR.
The PC/SC specifications can be downloaded here.
Wednesday 26 May 2010
OpenSC Project
New resource found, OpenSC Project :
OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS#11 API so applications supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On the card OpenSC implements the PKCS#15 standard and aims to be compatible with every software/card that does so, too.In the Java section there are useful tips and links about JNI for PKCS#11, javax.smartcardio, PKCS#15 and GlobalPlatform.
Monday 19 April 2010
Smart cards: The commercial project perspective
I came across a website containing very useful information for smart card projects: http://www.smartcardbasics.com/
It is an excellent starting point and reference source for any project leader since it contains - among other things - overviews of standards (ISO7816, FIPS120, EMV etc), smart card system planning, and security (systems, infosec, cryptography, and more).
It is an excellent starting point and reference source for any project leader since it contains - among other things - overviews of standards (ISO7816, FIPS120, EMV etc), smart card system planning, and security (systems, infosec, cryptography, and more).
Friday 19 March 2010
OSS jcManager
I came across this useful open source tool for managing JCOP cards:
http://www.brokenmill.com/2010/03/java-secure-card-manager/
From the project homepage:
Motivation:
Some time ago there was a JCOP tools plugin for the eclipse IDE developed by IBM labs in Zurich but it is no longer available.
Features:
- low-level implementation according to GobalPlatform Card Specification
- supports both SCP01 and SCP02 card protocols
- open source
- cross-platform
- display detailed debug information to be able to understand the complex low-level operations – derivations, encryptions, padding, etc
- uses the musclecard pcsc java implementation for the low-level communication with readers/cards. Also, it is fully compatible with the IBM JCOP implementation - if you do have the offcard.jar library from IBM it will also seamlessly work with it.
- works with the majority of card readers (pcsc compatible). Tested with Schlumberger, Omnikey, etc
It's early days for this project but it looks very promising.
http://www.brokenmill.com/2010/03/java-secure-card-manager/
From the project homepage:
Motivation:
Some time ago there was a JCOP tools plugin for the eclipse IDE developed by IBM labs in Zurich but it is no longer available.
Features:
- low-level implementation according to GobalPlatform Card Specification
- supports both SCP01 and SCP02 card protocols
- open source
- cross-platform
- display detailed debug information to be able to understand the complex low-level operations – derivations, encryptions, padding, etc
- uses the musclecard pcsc java implementation for the low-level communication with readers/cards. Also, it is fully compatible with the IBM JCOP implementation - if you do have the offcard.jar library from IBM it will also seamlessly work with it.
- works with the majority of card readers (pcsc compatible). Tested with Schlumberger, Omnikey, etc
It's early days for this project but it looks very promising.
Subscribe to:
Posts (Atom)
