Help choosing EMV + ID cards

Logi Ragnarsson
Hello,

I'm working for an institution which is about to start issuing EMV-based
payment cards and we are also planning to include private keys and x.509
certificates for authentication and non-repudiation on the same cards.

Obviously we'd like to be as compatible as possible and I'm trying to
work out what's required for OpenSC-based software to use the
authentication/signature functions on the card. I would, for example,
really like to be able to use my card for authentication in firefox
and/or konqueror on the linux machine at home.

It seems that OpenSC uses PKCS#15, more specifically ISO-7816-15 for the
card layout. The ISO-7816-15 merely recommends support for ISO-7816-8,
but is that an implicit requirement of OpenSC as well? I can't quite see
how actual crypto operations would otherwise be performed on-card.

It then seems that there is additional support for selected cards
through other means. Is this merely knowledge of the card structure,
i.e. bypassing ISO-7816-15, or is there also support for proprietary,
non-ISO-7816-8 cryptographic operations? Is there an up-to-date and
reasonably complete list of these cards anywhere?

We've been presented by a potential supplier with a card which has
on-board crypto hardware, but supports neither an ISO-7816-4 file system
(can be added via applet and then the structure could of course be
ISO-7816-15 compliant) nor the ISO-7816-8 crypto operations. Am I
correct that getting OpenSC to support such cards is well nigh impossible?

Assuming that an EMV + ISO-7816-8 + ISO-7816-15 card is automatically
supported, do we know about any such cards out there? We're just
beginning the procurement process and if the perfect card exists out
there, we'd really like to hear about it!

Regards,
Logi

Fyrirvari/Disclaimer: http://www.landsbanki.is/index.aspx?GroupId=275
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: Help choosing EMV + ID cards

Nils Larsch
Logi Ragnarsson wrote:

> Hello,
>
> I'm working for an institution which is about to start issuing EMV-based
> payment cards and we are also planning to include private keys and x.509
> certificates for authentication and non-repudiation on the same cards.
>
> Obviously we'd like to be as compatible as possible and I'm trying to
> work out what's required for OpenSC-based software to use the
> authentication/signature functions on the card. I would, for example,
> really like to be able to use my card for authentication in firefox
> and/or konqueror on the linux machine at home.

since when does konqueror support pkcs11 ?

>
> It seems that OpenSC uses PKCS#15, more specifically ISO-7816-15 for the

pkcs15 is specific enough (and I prefer open standards anyway)

> card layout. The ISO-7816-15 merely recommends support for ISO-7816-8,
> but is that an implicit requirement of OpenSC as well? I can't quite see
> how actual crypto operations would otherwise be performed on-card.

only the card driver needs to know how the crypto operation is performed

>
> It then seems that there is additional support for selected cards
> through other means.

you mean the pkcs15 emulations (pkcs15-netkey.c etc.) ? Yep, some
non-pkcs15 cards are supported by the pkcs15 emulation.

> Is this merely knowledge of the card structure, i.e. bypassing ISO-7816-15,

yep, s/bypassing/ignoring/

> or is there also support for proprietary, non-ISO-7816-8 cryptographic operations?

how to create a signature (or how to decrypt some data) is implemented
in the card driver, hence it doesn't need to be iso7816-8 compliant.

> Is there an up-to-date and reasonably complete list of these cards anywhere?

the source code ;-) or somewhere in the wiki ...

>
> We've been presented by a potential supplier with a card which has
> on-board crypto hardware, but supports neither an ISO-7816-4 file system
> (can be added via applet

in other words: a java card

> and then the structure could of course be
> ISO-7816-15 compliant) nor the ISO-7816-8 crypto operations. Am I
> correct that getting OpenSC to support such cards is well nigh impossible?

OpenSC doesn't supply an applet, so it's impossible to answer this
question until you know what applet you want to use (and something
like a generic applet support is impossible). Actually if you want
to use a java card you should already know which applet to use.
Btw: in case you are interested in open source support for your card
use a card supplier which gives card manuals etc. freely (without a
NDA etc.) to opensc source developers.

>
> Assuming that an EMV + ISO-7816-8 + ISO-7816-15 card is automatically
> supported,

I wouldn't assume this (I haven't heard of anyone successfully using the
opensc emv support yet, but it should be possible to make it work).

> do we know about any such cards out there? We're just
> beginning the procurement process and if the perfect card exists out
> there, we'd really like to hear about it!

never used an emv card so far

Nils

Re: Help choosing EMV + ID cards

Logi Ragnarsson
Nils Larsch wrote:

> Logi Ragnarsson wrote:
>
>> Hello,
>>
>> I'm working for an institution which is about to start issuing
>> EMV-based payment cards and we are also planning to include private
>> keys and x.509 certificates for authentication and non-repudiation on
>> the same cards.
>>
>> Obviously we'd like to be as compatible as possible and I'm trying to
>> work out what's required for OpenSC-based software to use the
>> authentication/signature functions on the card. I would, for example,
>> really like to be able to use my card for authentication in firefox
>> and/or konqueror on the linux machine at home.
>
> since when does konqueror support pkcs11 ?

So it'll be "or" then. I haven't looked exactly how KDE's support for
smart cards works, but I'm pretty sure it is there in some form.

>> It seems that OpenSC uses PKCS#15, more specifically ISO-7816-15 for the
>
> pkcs15 is specific enough (and I prefer open standards anyway)

Are you implying that ISO's slight adaption and adoption of PKCS#15 is
somehow closed? I've not compared the two standards in detail, but as I
understand it ISO simply adopted the PKCS standard (as they often do),
but made the language more specific to smart cards and references other
7816 standards as appropriate.

>> card layout. The ISO-7816-15 merely recommends support for
>> ISO-7816-8, but is that an implicit requirement of OpenSC as well? I
>> can't quite see how actual crypto operations would otherwise be
>> performed on-card.
>
> only the card driver needs to know how the crypto operation is performed

Right. But 7816-8 is a standard set of commands for performing crypto
operations. Is that standard supported well enough that I can be
relatively confident that a compliant card with an ISO-7816-15 card
structure will work? Perhaps through a generic ISO-7816-8 card driver?

>> It then seems that there is additional support for selected cards
>> through other means.
>
> you mean the pkcs15 emulations (pkcs15-netkey.c etc.) ? Yep, some
> non-pkcs15 cards are supported by the pkcs15 emulation.

Yes, and apparently there is support for some proprietary APDUs for
performing crypto operations.

>> Is there an up-to-date and reasonably complete list of these cards
>> anywhere?
>
> the source code ;-) or somewhere in the wiki ...

Yes, the wiki was somewhat helpful, but if that's a complete list then
we're in trouble. Also, the listed cards tend to be slightly older
models and not the EMV capable ones. Of course they could be perfectly
compatible, but it's a bit difficult to see from where I'm sitting.

>> We've been presented by a potential supplier with a card which has
>> on-board crypto hardware, but supports neither an ISO-7816-4 file
>> system (can be added via applet
>
> in other words: a java card


>> and then the structure could of course be ISO-7816-15 compliant) nor
>> the ISO-7816-8 crypto operations. Am I correct that getting OpenSC to
>> support such cards is well nigh impossible?
>
> OpenSC doesn't supply an applet, so it's impossible to answer this
> question until you know what applet you want to use (and something
> like a generic applet support is impossible). Actually if you want
> to use a java card you should already know which applet to use.
> Btw: in case you are interested in open source support for your card
> use a card supplier which gives card manuals etc. freely (without a
> NDA etc.) to opensc source developers.

Or even better, use one which simply implements the standard command
sets and structures and there is no work to be done? Am I being too
optimistic?

>> Assuming that an EMV + ISO-7816-8 + ISO-7816-15 card is automatically
>> supported,
>
> I wouldn't assume this (I haven't heard of anyone successfully using the
> opensc emv support yet, but it should be possible to make it work).

Sorry, I wasn't very clear. We only need the EMV support to work with
our in-house proprietary systems and with the actual EMV terminals. We
also only need card initialization and personalization to work with our
in-house proprietary systems. We'd then like the same cards to be as
easy as possible to use for authentication and signatures in an
arbitrary system.

Regards,
Logi

Re: Help choosing EMV + ID cards [u]

Andreas Jellinghaus-2
In reply to this post by Logi Ragnarsson
Hi Logi,

> It seems that OpenSC uses PKCS#15, more specifically ISO-7816-15 for the
> card layout. The ISO-7816-15 merely recommends support for ISO-7816-8,
> but is that an implicit requirement of OpenSC as well? I can't quite see
> how actual crypto operations would otherwise be performed on-card.

I guess most cards are older than ISO-7816-8 so they have non-standard
commands. So we have a driver for each card implementing the crypto
APDU that card needs. see src/libopensc/card-*.c

> i.e. bypassing ISO-7816-15, or is there also support for proprietary,
> non-ISO-7816-8 cryptographic operations? Is there an up-to-date and
> reasonably complete list of these cards anywhere?

http://www.opensc.org/opensc/wiki/CardsAndTokens
but some have not been tested for a long time, and some
code is broken now, and some drivers, e.g. cyberflex, work only
with specific versions of the card (e.g. only older cyberflex which
still had a filesystem).

> We've been presented by a potential supplier with a card which has
> on-board crypto hardware, but supports neither an ISO-7816-4 file system

in that case you need to write a card driver and an emulation layer for
your card. opensc supports ibm jcop and oberthur authentIC, if I remember
correctly both are javacards. opensc also supports a number of non pkcs#15
compatible formats using emulation layers.

> (can be added via applet and then the structure could of course be
> ISO-7816-15 compliant) nor the ISO-7816-8 crypto operations. Am I
> correct that getting OpenSC to support such cards is well nigh impossible?

opensc does not support that, but you need to write a driver.
so if you know which APDU you need to send and how the data structures
need to look if you want for example generate a key or sign some data,
then it is not hard to write those functions for your card.

the big design decision is: do you want to initialize blank cards
with opensc? or do you only want to use already initialized cards
with opensc, but not be able to change them (except pin changes
and pin unblocking). the former is much more functionality and thus
much work. but both has been done for other cards.

> Assuming that an EMV + ISO-7816-8 + ISO-7816-15 card is automatically
> supported

I don't know of any two cards from different vendors that are compatible
so they work without their own driver. so far we have generic code, and
some cards need more special code, some need less, but as far as I know
each card needs some special code.

but depending on where you buy your card, some code might already be
in opensc.

also note: it is a very good thing, if all manuals for your smart card
are publicly available. no one can help you, if that is not the case.

personal note: stay away from any vendor that does not have public
documentation. that could be a sign of bad quality, shameless copying
from the competition or not having any useful documentation.

personal note2: look at schlumberger/axalto cards. millions of cards
sold, working well, cheap, fast, latest technology, 2048 bit keys,
and of course: open documentation. for each alternative ask yourself:
what are they doing better than schlumberger/axalto? is that something
you really need? is it worth the price, is it worth to divert from something
known and stable to an unknown and uncharted path? why not stay with
some standard component?

Regards, Andreas
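
An added example, not part of the post above and not OpenSC's own code: the "crypto APDU" a driver has to produce, shown here for the standard ISO 7816-8 signing sequence (MANAGE SECURITY ENVIRONMENT: SET followed by PERFORM SECURITY OPERATION: COMPUTE DIGITAL SIGNATURE). The function names are hypothetical, and the algorithm and key reference bytes in any call are constructed sample values; each card defines its own, which is why a per-card driver is needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assemble a short-form command APDU: CLA INS P1 P2 [Lc data] [Le].
 * Returns the total length, or 0 if the data or buffer size is invalid. */
static size_t apdu_build(uint8_t *out, size_t cap, uint8_t ins, uint8_t p1,
                         uint8_t p2, const uint8_t *data, size_t lc, int le)
{
    size_t n = 4 + (lc ? 1 + lc : 0) + (le ? 1 : 0);
    if (lc > 255 || n > cap)
        return 0;
    out[0] = 0x00;              /* CLA: interindustry, no secure messaging */
    out[1] = ins;
    out[2] = p1;
    out[3] = p2;
    if (lc) {
        out[4] = (uint8_t)lc;
        memcpy(out + 5, data, lc);
    }
    if (le)
        out[n - 1] = 0x00;      /* Le = 00: up to 256 response bytes */
    return n;
}

/* MANAGE SECURITY ENVIRONMENT: SET, digital signature template (P2 = B6).
 * Tag 80 = algorithm reference, tag 84 = private key reference. */
size_t mse_set_sign(uint8_t *out, size_t cap, uint8_t alg_ref, uint8_t key_ref)
{
    const uint8_t crt[6] = { 0x80, 0x01, alg_ref, 0x84, 0x01, key_ref };
    return apdu_build(out, cap, 0x22, 0x41, 0xB6, crt, sizeof crt, 0);
}

/* PERFORM SECURITY OPERATION: COMPUTE DIGITAL SIGNATURE (P1 = 9E, P2 = 9A). */
size_t pso_compute_signature(uint8_t *out, size_t cap,
                             const uint8_t *digest, size_t digest_len)
{
    return digest_len ? apdu_build(out, cap, 0x2A, 0x9E, 0x9A,
                                   digest, digest_len, 1) : 0;
}

/* Classify a response APDU by its trailing status word SW1 SW2.
 * Returns the payload length on 90 00, -1 if more data is waiting (61 xx,
 * fetch it with GET RESPONSE), -2 on any other status or a short response. */
long response_payload_len(const uint8_t *resp, size_t len)
{
    if (len < 2)
        return -2;
    if (resp[len - 2] == 0x90 && resp[len - 1] == 0x00)
        return (long)(len - 2);
    return resp[len - 2] == 0x61 ? -1 : -2;
}

int main(void)
{
    uint8_t apdu[64], digest[20] = { 0 };   /* constructed all-zero digest */
    size_t n = pso_compute_signature(apdu, sizeof apdu, digest, sizeof digest);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", apdu[i]);
    printf("\n");
    return 0;
}
```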

Re: Help choosing EMV + ID cards

Nils Larsch
In reply to this post by Logi Ragnarsson
Logi Ragnarsson wrote:
...
> Are you implying that ISO's slight adaption and adoption of PKCS#15 is
> somehow closed?

are the iso working groups open for everyone ? are the standards freely
available ?

...

>>> card layout. The ISO-7816-15 merely recommends support for
>>> ISO-7816-8, but is that an implicit requirement of OpenSC as well? I
>>> can't quite see how actual crypto operations would otherwise be
>>> performed on-card.
>>
>>
>> only the card driver needs to know how the crypto operation is performed
>
>
> Right. But 7816-8 is a standard set of commands for performing crypto
> operations. Is that standard supported well enough that I can be
> relatively confident that a compliant card with an ISO-7816-15 card
> structure will work? Perhaps through a generic ISO-7816-8 card driver?

I haven't seen such a card so far but this of course doesn't mean
it doesn't exist.

...
> Yes, the wiki was somewhat helpful, but if that's a complete list then
> we're in trouble. Also, the listed cards tend to be slightly older
> models and not the EMV capable ones.

We support cards for which there's a demand from users and which
we can actually test (this is important: implementing a driver you
can't test is more or less a waste of time and time is precious).

> Of course they could be perfectly
> compatible, but it's a bit difficult to see from where I'm sitting.

you never know unless you have a card to test.

...
> Or even better, use one which simply implements the standard command
> sets and structures and there is no work to be done? Am I being too
> optimistic?

so far I haven't seen a card that works "out of the box" with
the opensc iso7816 driver (as every card producer seems to have
their own interpretation of what iso7816-* compliance means).

...
> Sorry, I wasn't very clear. We only need the EMV support to work with
> our in-house proprietary systems and with the actual EMV terminals. We
> also only need card initialization and personalization to work with our
> in-house proprietary systems. We'd then like the same cards to be as
> easy as possible to use for authentication and signatures in an
> arbitrary system.

ok you want an EMV capable card on which you could put some
(additional ?) keys and x509 certificates (and/or public keys) and
you want a pkcs11 lib and/or a csp for various platforms (which ?).
In case you want to use opensc for the pkcs11 part we need a card
driver and optionally a pkcs15 emulation lib. If the card works with
the default iso driver fine, if it uses pkcs15 even better but
that's not really necessary (writing [emulation] driver isn't really
difficult if the card has a somewhat reasonable os and the docu is
publicly available).

Nils

Re: Help choosing EMV + ID cards [u]

Logi Ragnarsson
In reply to this post by Andreas Jellinghaus-2
Andreas Jellinghaus [c] wrote:

>> Assuming that an EMV + ISO-7816-8 + ISO-7816-15 card is automatically
>> supported
>
> I don't know of any two cards from different vendors that are compatible
> so they work without their own driver. so far we have generic code, and
> some cards need more special code, some need less, but as far as I know
> each card needs some special code.
>
> but depending on where you buy your card, some code might already be
> in opensc.
>
> also note: it is a very good thing, if all manuals for your smart card
> are publicly available. no one can help you, if that is not the case.
>
> personal note: stay away from any vendor that does not have public
> documentation. that could be a sign of bad quality, shameless copying
> from the competition or not having any useful documentation.
>
> personal note2: look at schlumberger/axalto cards. millions of cards
> sold, working well, cheap, fast, latest technology, 2048 bit keys,
> and of course: open documentation. for each alternative ask yourself:
> what are they doing better than schlumberger/axalto? is that something
> you really need? is it worth the price, is it worth to divert from something
> known and stable to an unknown and uncharted path? why not stay with
> some standard component?

OK, thanks Nils, Jan and Andreas for the information.

I did a bit of interfacing with smart cards in java in 2000 and I had
hoped the state of standardization would have improved somewhat in the
meantime. I remember cursing my then employer for not going with
Schlumberger back then, but forcing me to chase down documentation
for a year. Eventually I cornered a techie in a small town in Austria
and didn't let her go until I had the APDU and card structure
documentation -- under NDA of course.

We'll have proprietary Windows software available for clients to use and
that may be the only officially supported setup. However, I'd very much
like to have other options open, especially for non-Windows users and to
insulate ourselves a bit from the software provider.

I'll mention OpenSC compatibility as a plus when contacting the vendors.
If nothing else, it may be counted as a vote for them making
documentation available or even implementing drivers.

Thanks again,
Logi
