[Muscle] Implementing Secure Messaging

Andreas Schwier andreas.schwier at cardcontact.de
Mon Jul 13 12:26:26 PDT 2009


Hi Pedro,

there are several different ways to implement secure messaging. One path
is the JavaCard SCP01, SCP02 and SCP03 suite of protocols, the other
path is the ISO 7816-4 based secure messaging implementations. The
latter are mainly used in native card operating systems, signature cards
and machine readable travel documents (Basic Access Control).

A good explanation of ISO secure messaging can be found in the CWA 18490
[1]. We've done an implementation for the OpenCard Framework (OCF) which
can be found at [2]. Look at the IsoSecureChannel class.

Andreas

[1] ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14890-01-2004-Mar.pdf
[2] http://www.openscdp.org/ocf/api/index.html

Joao Pedro schrieb:
> Hi all,
>
> I hope these are the correct mailing lists to discuss this matter.
> (opensc-devel and muscle).
>
> I would like to implement secure messaging in the Muscle applet (and
> OpenSC) when I have a little available time.
>
> Are there any good resources (books, documents, etc.) that explain how
> to implement it?
>
> I understand that there are three modes of "operation": MAC;
> Encryption; MAC + Encryption.
>
> Apparently there are also two methods of establishing the secure channel:
>
> 1. Using pre-shared symmetric keys (3DES);
> 2. Using Diffie-Hellman to establish the keys and certificates to
> authenticate both parties (I suppose in order to defeat possible
> man-in-the-middle attacks).
>
> By the way, is there any way to establish a secure session without
> mutual authentication? Could I just talk to the applet and use
> Diffie-Hellman and a certificate present on the card to establish the
> keys and the applet's authenticity? I.e.: "applet authentication".
>
> Thank you,
> Joao


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 171 8334920
    ---------    http://www.cardcontact.de



