Questions about the JavaCard kit 2.2.2
Hi,
I've been working on JavaCard development for about two weeks now. Initially I used IBM's JCOP tools for eclipse, but I quickly realized that it doesn't use the JavaCard 2.2.2 (AES and ECC not supported). So, developing for JCOP21 and JCOP41 and wishing to utilize both aforementioned algorithms, I'm now trying to use the JavaCard kit 2.2.2. However, this is turning out to be rather troublesome. I've been trying to sort out issues myself, but I'm rather stuck with the following two now:
1. When trying to use the converter tool I get the following error message
Verifier Error: Ill-formed export file E:\tools\src\javacard\src.exp: Class or interface src.CryptoTest:
Library package cannot have non-abstract classes that extend javacard.framework.Applet. Please convert package src again with -applet option.
I guess this means that the converter wants me to use the -applet option to give the installer applet. From what I've been able to figure out, the installer applet is sort of a default thing (0xa0:0x0:0x0:0x0:0x62:0x3:0x1:0x8:0x1?), but this input is not accepted.
The other question is somewhat similar:
2. When using the apdutool, I have to submit my own install APDUs. How do I figure out these? I've tried looking at examples, but I'm not able to figure out how to determine all the bytes in the data field.
If anyone would be able to shed some light on either of these topics, I would be very grateful.
Best regards,
J鴕an Lillesand
[1537 byte] By [
Lillesanda] at [2007-11-27 8:06:15]
# 1
At the moment the latest JCOP products support Java Card 2.2.1, with AES and ECC support. How did you realize AES and ECC is not supported? What JCOP and Tools version are you using?
# 2
The current version of tools I have installed is 3.1.2.
However, I might have reached the conclusion of AES not being supported prematurely. I assumed that was the problem when the line
key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, (short) 128, false);
returns "Unexpected error; aborting execution", but does not when replaced with the line
key = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, (short) 64, false);
Can I set the version of JCOP being used in the simulator myself? I've been looking for a way to do that, but haven't been able to find anything yet.
Message edit:
Turns out you are right, I am using the latest version which should be supporting AES and ECC. Then the problem probably is that I have some unknown programming error. If anyone is able to shed some light on what that might be, it would be greatly appreciated.
# 3
All JCOP products, but JCOP31 support AES. Can you identify your JCOP product (in JCShell: /identify)Where do you get this error? During compilation or during download? Could you please paste your applet source and APDU trace?
# 4
Okay, as mentioned I have JCOP21 and JCOP41, so that should be fine.
I'm currently using the embedded simulator in eclipse, and I get it during the installation. The relevant source code is
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacardx.crypto.Cipher;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.framework.Util;
import javacard.security.AESKey;
public class AESApplet extends Applet {
/* Variable Definitions */
//CLAss definition
private final static byte AESApplet_CLA = (byte)0xB0;
//INStructions
// Encrypt data
private final static byte ENCRYPT_DATA = 0x01;
// Decrypt data
private final static byte DECRYPT_DATA = 0x02;
// Set PIN for administrator access
private final static byte SET_PIN = 0x03;
// Set key
private final static byte SET_KEY = 0x05;
//Custom Exceptions
// Unauthorized user attempts to perform operation that requires authorization
private final static short USER_NOT_AUTHORIZED = 0x6601;
// Wrong PIN given
private final static short ERRORNEOUS_PIN = 0x6301;
// Maximum number of PIN attempts performed. Should result in a locking of the card or the admin privileges.
private final static short MAX_PIN_ATTEMPTS_REACHED = 0x6302;
// Function disabled
private final static short FUNCTION_DISABLED = 0x6303;
// Key submitted has wrong length
private final static short INVALID_KEY_LENGTH = 0x6304;
//Constants
// Maximum number of guesses at the PIN (should be relatively low for this key, as all security is compromised if the key is)
private final static byte MAX_PIN_ATTEMPTS = 0x01;
// Maximum length of the PIN
private final static byte MAX_PIN_LENGTH = 0x06;
// Offset to PIN in install message. TODO: Depending on the format of the INSTALL APDU used, this might very well be a source of errors.
private final static short INIT_PIN_OFFSET = 9;
// Set default key to use untill a new one is set.
//private final static byte[] tempKey = {(byte) 0xAB, (byte) 0xCD, (byte) 0xEE, (byte) 0x0E, (byte) 0x12, (byte) 0x35,
//(byte) 0x87, (byte) 0xFA };
//Instance variable declaration
// Administrator PIN
OwnerPIN adminPIN;
// Cipher to be used
Cipher cipher;
// Reference to the key in use
AESKey key;
/*
* Class constructor. Should only be called from install()
*/
private AESApplet(byte[] bArray, short bOffset, byte bLength){
// Instanciate PIN
adminPIN = new OwnerPIN(MAX_PIN_ATTEMPTS, MAX_PIN_LENGTH);
// Set PIN from installation parameters
adminPIN.update(bArray, (byte)(bOffset+INIT_PIN_OFFSET), (byte)(bLength-INIT_PIN_OFFSET));
// Instanciate the cipher. For now, assume AES.
cipher = Cipher.getInstance(javacardx.crypto.Cipher.ALG_AES_BLOCK_128_CBC_NOPAD, false);
// Generate key
key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
// Set key value.
//key.setKey(tempKey,(short)0);
// Register the applet in the JCRE.
register();
}
public static void install(byte[] bArray, short bOffset, byte bLength) {
// Create the object, which will later do the registration
new AESApplet(bArray, bOffset, bLength);
}
The applet is really alot bigger, but this is the relevant part. Using the JCOP debug functionality I know the error occurs on the key building line:
key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
And the trace:
Load report:
875 bytes loaded in 0.0 seconds
effective code size on card:
+ package AID5
+ applet AIDs20
+ classes29
+ methods480
+ statics0
+ exports0
overall534 bytes
cm> install -i a1a1a1a1a1 -q C9#(ff01ff) f2f2f2f2f2 a1a1a1a1a1
=> 80 E6 0C 00 1B 05 F2 F2 F2 F2 F2 05 A1 A1 A1 A1................
A1 05 A1 A1 A1 A1 A1 01 00 05 C9 03 FF 01 FF 00................
00 .
(5441 usec)
<= 6A 80 j.
Status: Wrong data
jcshell: Error code: 6a80 (Wrong data)
jcshell: Wrong response APDU: 6A80
Unexpected error; aborting execution
Note that I omitted some irrelevant code and trace data, but if this is needed as well, please let me know.
Thanks for being so helpful :).
# 5
I tried to install your applet on a JCOP41/72 v2.2 card. It worked:Load report:
1638 bytes loaded in 1.2 seconds
effective code size on card:
+ package AID5
+ applet AIDs12
+ classes17
+ methods118
+ statics0
+ exports0
overall152 bytes
cm> install -i a1a1a1a1a1 -q C9#(ff01ff) f2f2f2f2f2 a1a1a1a1a1
=> 80 E6 0C 00 1B 05 F2 F2 F2 F2 F2 05 A1 A1 A1 A1................
A1 05 A1 A1 A1 A1 A1 01 00 05 C9 03 FF 01 FF 00................
00 .
(207553 usec)
<= 90 00 ..
Status: No Error
cm> card-info
=> 80 F2 80 00 02 4F 00 00.....O..
(4980 usec)
<= 08 A0 00 00 00 03 00 00 00 01 9E 90 00 .............
Status: No Error
=> 80 F2 40 00 02 4F 00 00..@..O..
(5494 usec)
<= 05 A1 A1 A1 A1 A1 07 00 90 00 ..........
Status: No Error
=> 80 F2 10 00 02 4F 00 00.....O..
(8534 usec)
<= 07 A0 00 00 00 03 53 50 01 00 01 08 A0 00 00 00......SP........
03 53 50 41 05 F2 F2 F2 F2 F2 01 00 01 05 A1 A1.SPA............
A1 A1 A1 90 00 .....
Status: No Error
Card Manager AID: A000000003000000
Card Manager state : OP_READY
Application: SELECTABLE (--) A1A1A1A1A1
Load File :LOADED (--) A0000000035350(Security Domain)
Module:A000000003535041
Load File :LOADED (--) F2F2F2F2F2
Module:A1A1A1A1A1
Then I tried to install it on a JCOP31/72 v2.2 card and it failed as you described:Load report:
1638 bytes loaded in 1.0 seconds
effective code size on card:
+ package AID5
+ applet AIDs12
+ classes17
+ methods118
+ statics0
+ exports0
overall152 bytes
cm> install -i a1a1a1a1a1 -q C9#(ff01ff) f2f2f2f2f2 a1a1a1a1a1
=> 80 E6 0C 00 1B 05 F2 F2 F2 F2 F2 05 A1 A1 A1 A1................
A1 05 A1 A1 A1 A1 A1 01 00 05 C9 03 FF 01 FF 00................
00 .
(2922634 usec)
<= 6A 80 j.
Status: Wrong data
jcshell: Error code: 6a80 (Wrong data)
jcshell: Wrong response APDU: 6A80
Unexpected error; aborting execution
Can you send an /identify ? Maybe I have the same JCOP version.
# 6
All right, thank you very much!
At the moment I'm still using the JCOP simulator in Eclipse, so I don't know if the identify actually gives any real information:
cm> /identify
=> 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0..
(10997 usec)
<= 00 00 01 00 00 00 00 00 74 6F 6F 6C 73 20 00 00........tools ..
6A 82 j.
Status: File not found
FABKEY ID:0x00
PATCH ID:0x00
TARGET ID:0x01 (generic)
MASK ID:0x00 (0)
CUSTOM MASK: 00000000
MASK NAME:tools
FUSE STATE: not fused
ROM INFO:-
COMBO NAME: generic-m00-tool
The cards I currently have available is JCOP21/18K and a JCOP41/72K, but I haven't tried to download CAPs to them yet (I have some problems making the card reader work in Eclipse).
# 7
Ah, you tested only with the simulator. The simulator does not support ECC. I think due to some patent issues, but the card does. With AES I just discovered the same problem. Looks like a bug in the simulator to me. Email your findings to scard@de.ibm.com .
# 8
Okay, that's interesting! I'll do some more testing both in the simulator and on the card once I get the cards up and running (have to get my hands on the keys first) and then report it.
Just a quick question - I need to get the keys to the card from the manufacturer, right?
Thanks alot for your help, it is greatly appreciated!
# 9
If you have JCOP/NXP Engineering samples the cardmanager keys are 0x404142..4F . Otherwise you need to obtain the CM keys from the manufacturer and change them to your needs.Can you post the /identify for the cards you have? This command works always, you do not need
# 10
Ok, I have engineering samples so that sounds great!
The first card (JCOP41/72K V2.2):
cm> /identify
=> 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0..
(28637 usec)
<= 19 13 01 27 00 00 00 00 50 48 36 32 30 42 01 03...'....PH620B..
02 6B 93 6A 82 .k.j.
Status: File not found
FABKEY ID:0x19
PATCH ID:0x13
TARGET ID:0x01 (smartmx)
MASK ID:0x27 (39)
CUSTOM MASK: 00000000
MASK NAME:PH620B
FUSE STATE: fused
ROM INFO:026B93
COMBO NAME: smartmx-m27.19.13-PH620B
The other (PHILIPS JCOP21/18K):
cm> /identify
=> 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0..
(61166 usec)
<= F2 04 01 24 4B 4C 38 33 50 48 35 32 32 44 01 03...$KL83PH522D..
FE 90 F2 6A 82 ...j.
Status: File not found
FABKEY ID:0xF2
PATCH ID:0x04
TARGET ID:0x01 (smartmx)
MASK ID:0x24 (36)
CUSTOM MASK: 4B4C3833
MASK NAME:PH522D
FUSE STATE: fused
ROM INFO:FE90F2
COMBO NAME: smartmx-m24.F2.04.4B4C3833-PH522D
# 11
I tested on my cards now, and it fails on both. This is the trace from my JCOP41/72K:
Load report:
1421 bytes loaded in 2.5 seconds
effective code size on card:
+ package AID5
+ applet AIDs28
+ classes41
+ methods866
+ statics0
+ exports0
overall940 bytes
cm> install -i a1a1a1a1a1 -q C9#(ff01ff) f2f2f2f2f2 a1a1a1a1a1
=> 80 E6 0C 00 1B 05 F2 F2 F2 F2 F2 05 A1 A1 A1 A1................
A1 05 A1 A1 A1 A1 A1 01 00 05 C9 03 FF 01 FF 00................
00 .
(3393 msec)
<= 6A 80 j.
Status: Wrong data
jcshell: Error code: 6a80 (Wrong data)
jcshell: Wrong response APDU: 6A80
I've tried to remove the offending line and repeating the process - and then it uploads and installs just fine. Is it possible that the cards doesn't support JC2.2.1 after all? If so, I guess I seriously need to get some better cards :-).
By the way, is it sufficient to do
cm> delete f2f2f2f2f2
to delete the uploaded applets from the card? I just want to make sure I don't leave a lot of garbage on the cards after having installed failed applets :-): Also, is there any way to list contents of a card (i.e. to verify that everything is indeed removed)?
Message was edited by:
Lillesand
Removed some and added some text after doing some more testing.
# 12
The fact that the IDENTIFY command works is not an indication that you have a JCOP engineering sample. All JCOP products support it (>= v2.2).
Try to authenticate with the default CM keys (0x404142..4F). To do this, open in JCOP Tools the JCOP Debug perspective, connect to a reader (JCOP Shell view, on top the button 'Connect to terminal' --> choose the connected reader), and press in the JCOP Shell view the 'Reset, select, and authenticate to the CardManager' button. If this works, you have the default CM keys.
# 13
If you got this far, you must have the default CM keys.
For a listing use the 'ls' or the 'card-info' command in the JCOP shell. For a list of all commands see the Eclipse help --> JCOP Tools user guide.
To delete an applet the 'delete 1122334455' is sufficient. To delete the package with the corresponding references use 'delete -r 1122334455'. For help about the delete command type 'help delete'.
To check if the update method throws the exception surround the suspicious methods with try/catch (mark the line(s), right mouse button, Surround with, Try/Catch block), set a breakpoint at this line and start the simulator.
# 14
I have a mask39 card here. You're right, AES is switched off, but ECC works. Now with the mask36 card I have a different fabkey, but a CD036 (dual interface, 36k EEPROM) and AES is switched off as well.
So we can summarize that only JCOP41/72 v2.2 (mask36) and JCOP21/72 v2.2 (mask36) have AES enabled.
# 15
Out of the ones we have tested, so it appears!Looks like I will have to get some more cards, then. Do you know any relatively easy way to obtain information about different cards and what they support?
# 16
I just checked, and one of my cards (the Philips JCOP21 18K) is supposed to support AES (according to http://www.usasmartcard.com/component/page,shop.browse/category_id,20/option,com_virtuemart/Itemid,26/index.php?page=shop.browse&category_id=20&option=com_virtuemart&Itemid=26&vmcchk=1).
However, using the following code I get a 0x6A80 (Wrong data) when installing the applet. Is this an error on the Smart Card USA webpage or is there some bug in my code? I've tried debugging it, but I can't see that the error is anything else than the line building the key.
import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacardx.crypto.Cipher;
import javacard.framework.OwnerPIN;
import javacard.security.KeyBuilder;
import javacard.framework.Util;
import javacard.security.AESKey;
import javacard.security.CryptoException;
import javacard.framework.JCSystem;
public class AESApplet extends Applet {
/* Constant and variable definitions */
//CLAss definition
private final static byte AESApplet_CLA = (byte)0xB0;
//INStructions
// Encrypt data
private final static byte ENCRYPT_DATA = 0x01;
// Decrypt data
private final static byte DECRYPT_DATA = 0x02;
// Set PIN for administrator access
private final static byte CHK_PIN = 0x03;
// Return key in use (should be very protected indeed - preferrably even removed before final version :-))
private final static byte GET_KEY = 0x04;
// Set key
private final static byte SET_KEY = 0x05;
//Custom Exceptions
// Unauthorized user attempts to perform operation that requires authorization
private final static short USER_NOT_AUTHORIZED = 0x6601;
// Wrong PIN given
private final static short ERRORNOUS_PIN = 0x6602;
// Maximum number of PIN attempts performed. Should result in a locking of the card or the admin privileges.
private final static short MAX_PIN_ATTEMPTS_REACHED = 0x6603;
// Function disabled
private final static short FUNCTION_DISABLED = 0x6303;
// Key submitted has wrong length
private final static short INVALID_KEY_LENGTH = 0x6701;
// Unsupported algorithm
private final static short ALGORITHM_NOT_SUPPORTED = 0x6604;
//Constants
// Maximum number of guesses at the PIN (should be relatively low for this key, as all security is compromized if the key is)
private final static byte MAX_PIN_ATTEMPTS = 0x01;
// Maxmimum length of the PIN
private final static byte MAX_PIN_LENGTH = 0x06;
// Offset to PIN in install message. TODO: Depending on the format of the INSTALL APDU used, this might very well be a source of errors.
private final static short INIT_PIN_OFFSET = 9;
//Set default key to use untill a new one is set.
private final static byte[] tempKey = {(byte) 0xAB, (byte) 0xCD, (byte) 0xEE, (byte) 0x0E, (byte) 0x12, (byte) 0x35, (byte) 0x87, (byte) 0xFA,
(byte) 0xCC, (byte) 0xA1, (byte) 0x6F, (byte) 0xE7, (byte) 0xAB, (byte) 0xCD, (byte) 0xEE, (byte) 0x0E };
//Instance variable declaration
// Administrator PIN
OwnerPIN adminPIN;
// Cipher to be used
Cipher cipher;
// Reference to the key in use
AESKey key;
/*
* Class constructor. Should only be called from install()
*/
private AESApplet(byte[] bArray, short bOffset, byte bLength){
// Instanciate PIN
adminPIN = new OwnerPIN(MAX_PIN_ATTEMPTS, MAX_PIN_LENGTH);
// Set PIN from installation parameters
adminPIN.update(bArray, (byte)(bOffset+INIT_PIN_OFFSET), (byte)(bLength-INIT_PIN_OFFSET));
// Instanciate the cipher. For now, assume AES.
cipher = Cipher.getInstance(javacardx.crypto.Cipher.ALG_AES_BLOCK_128_CBC_NOPAD, false);
// Generate key
key = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, KeyBuilder.LENGTH_AES_128, false);
// Set key value.
//key.setKey(tempKey,(short)0);
// Register the applet in the JCRE.
register();
}
public static void install(byte[] bArray, short bOffset, byte bLength) {
// Create the object, which will later do the registration
new AESApplet(bArray, bOffset, bLength);
}
}
PS: There is more code in the applet, but for convenience reasons I omitted the processing (as the crash occurs during install, thus either in install or in the constructor.
Message was edited by:
Lillesand
Forgot to include the URL reference
# 17
As stated above only JCOP41/72 and JCOP21/72 have AES enabled.
# 18
True. But, just to clarify, my JCOP 41/72K V2.2 doesn't work because of the mask ID? Are there differences internally between different cards labeled JCOP41/72?Quite confusing :-).
# 19
Your JCOP41/72 has the 2.2.1 version. Looks like it does not support it neither. I verified on v2.2 JCOP41/72 and JCOP21/72. All other types I have do not support AES. Do you have a data sheet for the v2.2.1?
# 20
As of now I do not, except for the very simple description at http://www.usasmartcard.com/component/page,shop.browse/category_id,20/option,com_virtuemart/Itemid,26/index.php?page=shop.browse&category_id=20&option=com_virtuemart&Itemid=26&vmcchk=1. Of course, that page states that these cards does NOT support AES. Is this a JCOP thing or a card vendor/manufacturer implementation thing? Are the cards you are using engineering samples? If so, could you tell me where you ordered them? I'm very interested in getting a card with AES, ECC and 3DES-support for my current project :-).
I must admit, at the current point I am confused as to how to check and make sure that a given card supports some given functionality (as the JCOP 21 V2.2/18K cards I have according to the vendor are supposed to support AES, but seemingly doesn't). Also, when I try to use unsupported algorithms, shouldn't the implementation ideally throw some ALGORITHM_NOT_SUPPORTED error or something instead of just WRONG_DATA?
Lastly, is ECC encryption/decryption really not implemented in JavaCard? As far as I have been able to figure out, only signature is supported. I am considering (though doubtful about) implementing it manually in software. I have serious concerns over both the practicality of this in terms of security and performance - and as to whether or not I will actually be able to do this. Does anyone have any input on this?
# 21
> As of now I do not, except for the very simple
> description at
> http://www.usasmartcard.com/component/page,shop.browse
> /category_id,20/option,com_virtuemart/Itemid,26/index.
> php?page=shop.browse&category_id=20&option=com_virtuem
> art&Itemid=26&vmcchk=1. Of course, that page states
> that these cards does NOT support AES. Is this a JCOP
> thing or a card vendor/manufacturer implementation
> thing? Are the cards you are using engineering
> samples?
The smart card shops offer engineering samples from NXP. They have a fixed configuration (three differentiators; e.g. JCOP 1) 31 2) 36 3) v2.2). As you found out the only information is the one provided by the shop itself.
>If so, could you tell me where you ordered them? I'm very interested in getting a card with AES, ECC and 3DES-support for my current project :-).
You can also obtain the smart cards directly from NXP, where you fill out an order entry form where you can specify nearly every feature for your card: e.g. Crypto ECC, AES ..., dual interface, certain ATR, ... .
This requires your company to order a large volume of cards. My company is working on a project where we ordered cards with a variety of configurations.
> I must admit, at the current point I am confused as to how to check and make sure that a given card supports some given functionality (as the JCOP 21 V2.2/18K cards I have according to the vendor are supposed to support AES, but seemingly doesn't). Also, when I try to use unsupported algorithms,
shouldn't the implementation ideally throw some ALGORITHM_NOT_SUPPORTED error or something instead of
> just WRONG_DATA?
If you ran a debugger over your applet you would have seen that the implementation that does not support AES throws a CryptoException.ALGORITHM_NOT_SUPPORTED . The method was in the constructor --> You did not catch this exception --> install failed.
> Lastly, is ECC encryption/decryption really not
> implemented in JavaCard? As far as I have been able
> to figure out, only signature is supported. I am
> considering (though doubtful about) implementing it
> manually in software. I have serious concerns over
> both the practicality of this in terms of security
> and performance - and as to whether or not I will
> actually be able to do this. Does anyone have any
> input on this?
Your card support ECC, dont they?: JCOP41/72 v2.2.1 and JCOP21/18 v2.2 .
# 22
Once again, thank you so much for your response, lexdabear.
Unfortunately I'm working on a relatively small project, where the anticipated order will only be in the magnitude of some hundred cards, so I assume tailor made cards will be too expensive.
My cards supports ECC, but only for signatures. And, as far as I am able to figure out, this is the case with every card following the Java Card specification, as even the JavaCard 2.2.2 API does not specify ECC as an algorithm in it's Cipher-class. To me this seems very strange as ECC would easily be preferable over RSA for smart cards (because of key length and performance)...
# 23
As far as I understood the cards do not to be tailored much. There are heaps of configuration flags which are set during production (also depend on the HW platform used). So even if you have "only" some hundred cards NXP still might be interested to produce the cards with the configuration you desire.
With ECC you're correct. Java Card does not support ciphering with ECC but only for signature purposes. I don't think you can implement it SW based neither. This would require a lots of processing in your applet since you cannot access the low level ECC crypto API. Is RSA cipher not sufficient? Even there are long key lengths, as long as the smart card OS does it's job correct and on-time ...
# 24
Sorry for kicking this dead horse once more, but I've been thinking about one thing for some time. About the (lack of) AES support on my cards, I wish to implement it as optional functionality in case we get cards with the support in place later. With that in mind, I choose between 3DES and AES as an installation parameter and try to catch CryptoException.ALGORITHM_NOT_SUPPORTED upon getting the Cipher instance:
try{
symmetricCipher = Cipher.getInstance(Cipher.ALG_DES_ECB_NOPAD, false);
}catch(CryptoException e){
parseCryptoException(e);
}
But strangely, the exception is not thrown untill I try to set the key:
try{
keys[buf[ISO7816.OFFSET_P1]] = (AESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_AES, (short) ((buf[ISO7816.OFFSET_P2] & 0x00ff)*8), false);
}catch(CryptoException e){
// Algorithm or key size not supported, throw general cryptoexception
ISOException.throwIt(StatusWords.SW_CRYPTO_ERROR);
}
(buf[ISO7816.OFFSET_P2] contains the key length in bytes, 16 bytes = 128 bits).
# 25
Good idea. But how does the terminal know what algorithm is used?> But strangely, the exception is not thrown untill I try to set the key:This is what the JC API specifies. Does Cipher.getInstance() throw an exception for AES?
# 26
The applet is actually part of a bigger system which also includes an XML file describing the contents of the card. In addition, one set of cards (meaning cards with similar or identical config) will usually be used in one context and the algorithm in use will be implicit for that context.
The JavaCard API states the following for Cipher.getInstance():
Throws:
CryptoException - with the following reason codes:
* CryptoException.NO_SUCH_ALGORITHM if the requested algorithm is not supported or shared access mode is not supported.
This leads me to think that there MIGHT be something wrong with the key I try to input, but I find it highly unlikely that any card would support AES with 192/256 bit key, but not 128...
Hopefully I will get my hands on a card with definite AES support sometime soon so I can test this fully (if Oberthur-sc could just check their mail...).
# 27
> This leads me to think that there MIGHT be something wrong with the key I try to input, but I find it highly unlikely that any card would support AES with 192/256 bit key, but not 128...
Don't be so sure on this. Carefully check what crypto algorithms and key lengths a Java Card product supports.
Did NXP reject yo send you samples with AES support?
# 28
I don't know what I'm doing wrong, but I'm getting the silent treatment from most SC manufacturers upon contacting them... I should probably just give them a call instead of mailing. Will have to get a phone installed in my office, then!
How are your experiences with getting answers from NXP and other manufacturers/vendors?
# 29
You're new to the smart card business. Generally speaking they are only interested in big numbers, so things like customer support or academic questions are 'silently ignored'. There are exceptions. Contacts to product management or development team are essential if you want to have an answer. Maybe you could try to align with your stakeholder to build up a contact to Oberthur/NXP/ .. .
I have pretty good experience with NXP and IBM. A colleague of mine had good experience with Oberthur.
