Application Security in GlobalPlatform

Hi,

I'm trying to develop two applications on a jcop31 card. I did it and now those two work well. But I install both of them in the Issuer Security Domain, and then access to both of them is the same. I need to set up different security roles for each of them. Now I have two questions:

1. If I want to put them in the same security domain (like now), is there any way to restrict access to them in the GlobalPlatform or JCOP specification? The security domain keys are the same for both applets. Is it possible to define separate roles for each of them with these keys (I am talking about roles outside the applet, not methods like PIN)? If not, is there any other method to do this in GlobalPlatform?

2. Am I restricted to using different Security Domains for each of them?

Thanks

Message was edited by:

Bam_Zam

[832 byte] By [Bam_Zama] at [2007-10-3 5:08:52]
# 1

You touch here two different GlobalPlatform processes.

First is the concept of logical channels. For this the OS needs to ensure that the logical channels can run secure channel protocols simultaneously.

The second concept is delegated management. It means that you could have an SSD with its own key set. By sharing the keys with one application provider, you could ensure a clear separation between your own applets (e.g. under the ISD) and a different provider (own applets under SSD). This goes both ways: The other provider does not know your secret keys and you do not know the SSD keys since the provider can change them knowing the initial key set provided by you.

Now in your case you want to use different SDs for each applet from inside and hand over the security management. GlobalPlatform offers methods to do so and if you look at the list of packages on a JCOP card (JCOP41/31/21) you will find the CardManager and an SSD package. From this SSD package you can derive an instance and populate it with your keys.

I never saw a need from customers to have multiple security domains. "One card --> One application" is the standard way.

You have to be aware that JCOP does not support multiple logical channels and delegated management.

lexdabeara at 2007-7-14 23:15:05 > top of Java-index,Java Mobility Forums,Consumer and Commerce...
# 2
Thanks lexdabear. Your comments were very useful. Now I have another question. You talked about deriving an instance from the SSD. How can I do that? How can I derive some instances of the SSD? Can I do it several times?
Bam_Zama at 2007-7-14 23:15:05
# 3
Think of a SSD as a "special" Applet. The package is already on-card. Now you have to use the command Install[for install and make selectable] for a SSD. You can choose any AID. For details look into the GlobalPlatform specification. Do not forget to set the install parameter:
lexdabeara at 2007-7-14 23:15:05
# 4

Dear lexdabear, your answers were really informative. I tried to derive a new instance from the SSD. I did it according to http://forum.java.sun.com/thread.jspa?forumID=23&threadID=646157 in this way:

cm> install -s a0000000035350 a000000003535043

Status: No Error

cm> /select a000000003535043

Status: No Error

cm> init-update

Status: No Error

cm> ext-auth enc

Status: No Error

cm> set-key 5/1/DES-ECB/504142434445464748494a4b4c4d4e4f 5/2/DES-ECB/504142434445464748494a4b4c4d4e4f 5/3/DES-ECB/504142434445464748494a4b4c4d4e4f

cm> put-keyset 5

Status: No Error

Everything seems OK until this point. Now when I send the Card-Info command:

cm> select

Status: No Error

cm> init-update 3

Status: No Error

cm> ext-auth

Status: No Error

cm> card-info

...

Card Manager AID: A000000003000000

Card Manager state : OP_READY

Sec. Domain:PERSONALIZED (S-) A000000003535043

...

But I can't upload anything to this SD:

cm> upload -s a000000003535043 "D:\javacard\myhelloworld.cap"

=> 80 E6 02 00 1D 10 6D 79 68 65 6C 6C 6F 77 6F 72    ......myhellowor
   6C 64 50 61 63 6B 08 A0 00 00 00 03 53 50 43 00    ldPack......SPC.
   00 00 00                                           ...
(68534 usec)
<= 69 85                                              i.

Status: Conditions of use not satisfied

jcshell: Error code: 6985 (Conditions of use not satisfied)

jcshell: Wrong response APDU: 6985

Let me know, is my approach OK? What is wrong in my code?

Thanks

Bam_Zama at 2007-7-14 23:15:05
# 5

As mentioned in http://forum.java.sun.com/thread.jspa?threadID=768932&messageID=9386944#9386944 Delegated Management is not supported by JCOP. It means you cannot give content management rights to a SD. The limitation comes from a specification mentioned on the JCOP Tools page: http://www-306.ibm.com/software/wireless/wecos/tools.html .

So why do we have a SSD in JCOP? You can use the INSTALL[for load] and DELETE command only through the Card Manager. You can delegate the security management for an Applet to a Supplementary Security Domain: INSTALL[for install and make selectable] with the SSD as the responsible SD for security management.

So upload with the CM and INSTALL[for install and make selectable] with the CM, setting the SSD as the responsible SD.

lexdabeara at 2007-7-14 23:15:05
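
Added example, not part of the original thread: a Python decoder for the INSTALL [for load] APDU captured in the failed upload of post #4, using the length-prefixed field order of the GlobalPlatform Card Specification. It extracts the Security Domain AID that the load request named and maps the returned status word; the function and table names are illustrative assumptions.

```python
# Added example: decode the INSTALL [for load] APDU from the failed upload.
# Bytes are copied from the JCShell trace in post #4; names are illustrative.
APDU_HEX = (
    "80 E6 02 00 1D 10 6D 79 68 65 6C 6C 6F 77 6F 72 "
    "6C 64 50 61 63 6B 08 A0 00 00 00 03 53 50 43 00 "
    "00 00 00"
)
# Length-prefixed fields of the command data, in specification order.
FIELDS = ("load_file_aid", "security_domain_aid", "load_file_hash",
          "load_parameters", "load_token")
# Only the status word that appears in the thread is listed.
STATUS_WORDS = {0x6985: "Conditions of use not satisfied"}


def parse_install_for_load(apdu: bytes) -> dict:
    """Split an INSTALL [for load] command APDU into its fields."""
    if len(apdu) < 5:
        raise ValueError("APDU shorter than its 5-byte header")
    _cla, ins, p1, _p2, lc = apdu[:5]
    if ins != 0xE6 or p1 != 0x02:
        raise ValueError("not an INSTALL [for load] command")
    body = apdu[5:5 + lc]
    if len(body) != lc:
        raise ValueError("Lc is larger than the data present")
    fields, pos = {}, 0
    for name in FIELDS:
        if pos >= len(body):
            raise ValueError(f"field {name} is missing")
        length = body[pos]
        value = body[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError(f"field {name} is truncated")
        fields[name] = value
        pos += 1 + length
    if pos != len(body):
        raise ValueError("unexpected bytes after the load token")
    return fields


def describe_status(sw: int) -> str:
    """Return the text for a status word, if the thread shows it."""
    return STATUS_WORDS.get(sw, f"unlisted status word {sw:04X}")


if __name__ == "__main__":
    parsed = parse_install_for_load(bytes.fromhex(APDU_HEX))
    print("load file AID  :", parsed["load_file_aid"].decode("ascii"))
    print("security domain:", parsed["security_domain_aid"].hex().upper())
    print("card answered  :", describe_status(0x6985))
```

The decoded Security Domain AID is A000000003535043, the SSD instance created earlier in post #4, so the load request asked the card to place the load file under that SSD.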
# 6
You said that we can't do applet installation and deletion via anything other than the CM in JCOP. Is that true? OK. Now I have a basic question: after uploading and installing an applet with the CM, how can I set the SSD as the SD responsible for security management?
Bam_Zama at 2007-7-14 23:15:05