Card specific keys

My card implements mutual authentication. For that purpose the external application and the card must share a set of secret keys: the first key is used for encryption and the other for the MAC calculation. At this point I am putting these keys on the card during personalization, and these keys are the same for all cards. Now I am wondering whether this is secure enough. I read that it is recommended to use derived (card-specific) keys so that only one card is affected if a key is compromised. How can I calculate the card-specific keys? And if I have this, then if someone finds out the initial secret keys and the algorithm by which the card-specific keys are made, the card is again compromised. Right?

You said that a random key is the more secure way. You mean that during personalization I can generate a random key on the card; the operating system takes care of the security of such an object. But this random key has to be shared with the external party which is communicating with the card: both of them need it in order to establish the secure channel, so at some point it has to be extracted and given to the terminal side. Right? Or the random key has to be generated in the perso DLL during personalization. Then the outside world has to have some kind of lookup table in which the relation (token serial number, random key) is stored, and before executing the mutual authenticate method the external party has to extract the random key for the particular token serial number. What if the secure channel has to be made from the middleware API that is installed on the user's PC? If the lookup table is stored somewhere like an HSM, it is an impossible use case because the user's PC is located in his home.

With random keys, each key would be generated at perso time and injected into the card manager with PUT KEY over a secure channel. You could use the unique card identifier as the label for the key in the HSM, so there is no lookup table. You could use the same data you would use to diversify a key, since it should also be unique. I am assuming you have some way of having a connection back to an HSM from the middleware? If not, this model sounds worrying to me. If you have your keys exposed to every client then you are opening up a security risk. You can assume the client machine is secure.

You said:
It is easier to secure a single set of master keys (and rotate as required) that are used like this than a master key that is shared

I did not understand how this will work in the case of the mutual authenticate method. The external party is using one master secret key from the set of secret keys. When the command comes to the card, the card has to verify it. But how does the card know with which key the message is encrypted?

If you have keys in an HSM you need some way of knowing what key to use. You could map cards to a master key. Some security organisations have recommendations on key rotation and usage policies which are designed to limit the exposure of sensitive keys. It adds overhead but you gain additional security (if a key is compromised only a limited number of your cards are compromised).

Cheers,
Shane
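The following is an added example, not code from this thread or from any GlobalPlatform specification, showing the key-diversification model the replies describe: a versioned master key set that never leaves the host (ideally an HSM), per-card ENC and MAC keys derived from it using the card's unique identifier, and host-side re-derivation at authentication time driven by the identifier and key version the card reports, so no per-card lookup table exists. Assumptions: HMAC-SHA256 is used as the key derivation function (GlobalPlatform's own diversification schemes are built on the block cipher instead; the principle is the same), and the master keys, card identifiers and function names are all constructed for this example.

```python
import hashlib
import hmac

KEY_LEN = 16  # bytes: the size of a 2-key 3DES or AES-128 key

# Constructed sample master key sets, indexed by key version. In production
# these stay inside an HSM; only per-card derived keys ever leave it, and
# only into the card at personalization (PUT KEY over a secure channel).
MASTER_KEY_SETS = {
    1: {"ENC": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
        "MAC": bytes.fromhex("101112131415161718191a1b1c1d1e1f")},
    2: {"ENC": bytes.fromhex("202122232425262728292a2b2c2d2e2f"),
        "MAC": bytes.fromhex("303132333435363738393a3b3c3d3e3f")},
}


def diversify(master_key: bytes, card_id: bytes, purpose: bytes, key_version: int) -> bytes:
    """Derive one card-specific key from a master key (assumed KDF: HMAC-SHA256).

    The KDF input binds the key's purpose (ENC or MAC), the master key version
    and the card's unique identifier, so the ENC and MAC keys differ from each
    other and from every other card's keys. HMAC is one-way: a derived key
    extracted from one card reveals neither the master key nor another card's key.
    """
    info = purpose + bytes([key_version]) + card_id
    return hmac.new(master_key, info, hashlib.sha256).digest()[:KEY_LEN]


def card_key_set(card_id: bytes, key_version: int) -> dict:
    """The key set injected into one card at personalization."""
    if key_version not in MASTER_KEY_SETS:
        raise KeyError(f"no master key set with version {key_version}")
    masters = MASTER_KEY_SETS[key_version]
    return {purpose: diversify(masters[purpose], card_id, purpose.encode(), key_version)
            for purpose in ("ENC", "MAC")}


def host_keys_for(card_id: bytes, key_version: int) -> dict:
    """Host side of mutual authentication.

    The card reports its unique identifier and the version of the key set it
    holds (a GlobalPlatform card returns both in the INITIALIZE UPDATE
    response). The host picks the master set by version and re-derives the
    card's keys on the fly, so no per-card lookup table is needed and the
    terminal never stores card keys.
    """
    return card_key_set(card_id, key_version)


def affected_cards(compromised_version: int, fleet) -> list:
    """Cards whose keys an attacker can recompute after stealing one master set.

    fleet is an iterable of (card_id, key_version) pairs. Rotating master key
    versions bounds this set: cards personalized under other versions keep
    keys the stolen set cannot reproduce.
    """
    return [card_id for card_id, version in fleet if version == compromised_version]


if __name__ == "__main__":
    # Constructed sample fleet: card ids are whatever unique data perso has,
    # e.g. the card's key diversification data or its serial number.
    fleet = [(b"CARD-0001", 1), (b"CARD-0002", 1), (b"CARD-0003", 2)]
    for card_id, version in fleet:
        keys = card_key_set(card_id, version)
        print(card_id.decode(), "v%d" % version,
              "ENC", keys["ENC"].hex(), "MAC", keys["MAC"].hex())
    print("compromise of master set v1 exposes:", affected_cards(1, fleet))
```

This also answers the asker's last worry: an attacker who obtains both a master set and the derivation algorithm does recover every card under that version, which is why the master set must stay in the HSM and why rotating versions limits the damage to the cards personalized under the stolen version; learning a single card's derived keys, by contrast, gives nothing about the master key or any other card.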

Similar Messages

  • Customer-Specific Key Figure and MCI3 analysis report

    Hi,
    We have created a "Customer-Specific Key Figures" in customizing and mapped the key with value category. But this new defined key figure is not available in the report MCI3.
    How do I get this figure into the analysis report MCI3 etc., i.e. how do I update the information structure S115?
    Regards

    Hello,
    You have to develop a new program using that info structure and update that new value field in your customizing logic program.
    Regards,
    Rakesh

  • Assigning instruments to specific keys on a USB keyboard

    Is there a way to assign certain instruments to specific keys on a USB keyboard?
    I use an M-Audio Keystation 49e USB keyboard. It works fine, but I have no experience with MIDI and don't know what the "advanced functions" button on the keyboard allows me to do, although I'm sure with some pointers I can figure it out.
    (Some weeks back xs4ls recommended the JamPack 3 with the Studio Toolkit. Thanks for that recommendation. The stuff really improves upon the stock drumkit software instruments. But in the Studio Toolkit, certain instruments I might like to use together are often located more octaves apart than I can play at one time. The regular kits are generally organized on the keyboard such that I can play them "live" just like I do my actual drumset. This is how I prefer to lay down my drum parts. I'm also interested in assigning drum sounds from a various software kits to save as my own custom kit, if possible.)

    GB3 has a "programmable keyboard" feature that isn't as slick as the stock instruments, but it's better than nothing! (one of the good features of GB3)
    I found a bunch of old Qbert (the video game) noises on line, and created my own instrument with those. Pretty sweet.
    X
    p.s.
    Happy you liked the suggestion. I wish I could take credit for making the Jam Pack......

  • Application specific key-value pairs in jndi.properties

    Hello,
    Can I specify my application-specific key-value pair in jndi.properties?
    I tried something like this
    java.naming.factory.initial=.jndi.WLInitialContextFactory
    java.naming.provider.url=t3://localhost:7001
    myVar=myVal
    When I tried looking up "myVar" from my client program, I got an error.
    The other parameters like weblogic.jndi.WLInitialContextFactory are picked up.
    Any help will be appreciated
    Vasim

    We have a similar problem.
    We would like to configure our PROVIDER_URL for a specific web application - not for the entire server. Since the URL should be different in development, test and production environments, we would prefer to just set it in the deployment descriptor. And we have a lot of code that just uses
    ctx = new InitialContext();
    when looking up EJBs, queues etc.
    Actually, to take the problem one step further, it should be expected that later we will have EJBs deployed on different machines/clusters - so we will actually need specific URLs for each EJB.
    Is there a good way to do this? Or will we have to custom-develop our own JNDI configuration standard using application parameters to set which JNDI provider each EJB should be looked up with?
    Alternatively, can we "import" the JNDI trees of the app server in the JNDI tree of the web servers?
    So, how should we go about this?
    Robert Patrick <[email protected]> wrote:
    Vasim wrote:
    Hi Robert,
    You are right. But the object "myVar" which I am trying to look up is not in the JNDI tree, nor am I interested in binding it. But my requirement is that I have one application-specific variable which I am trying to look up and I don't want to have a separate config file for this, and hence the question.

    So, put the properties you want in the jndi.properties file and load the properties file from your code by doing something like this:
    Properties props = new Properties();
    ClassLoader cl = Thread.currentThread().getContextClassLoader();
    if (cl == null)
        cl = ClassLoader.getSystemClassLoader();
    InputStream is = cl.getResourceAsStream("jndi.properties");
    props.load(is);
    Personally, I would not use this file and would create an application-specific file or, as Daniel suggested, define your properties as a System property and use System.getProperty("myVar").

    btw, is jndi.properties only for those objects which are bound to the JNDI tree?

    jndi.properties is only used for creating the JNDI InitialContext. The whole idea of this file is that in remote client code (without the jndi.properties file), you need to do something like this to tell the JNDI classes how to connect to the JNDI provider:
    Properties props = new Properties();
    props.put(Context.PROVIDER_URL, "t3://myservername:7001");
    props.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    InitialContext ctx = new InitialContext(props);
    but inside the server, you only need to do this because the server is the provider and already knows how to connect to itself:
    InitialContext ctx = new InitialContext();
    Therefore, the jndi.properties file allows you to externalize this property-setting code that sets up the properties to be passed to the InitialContext constructor so that the remote client code can now look exactly like the code inside the server. The InitialContext constructor will look for this jndi.properties file in your classpath and load it to get the necessary configuration information to determine how to connect to the JNDI provider.
    Hope this helps,
    Robert

  • WAD question: fix each chart series to a specific key figure

    Hi All,
    I hope you can help.
    In WAD is it possible to fix each series in a chart to a specific key figure from the data provider (query)?
    We need to be able to do this because the opening position of our query has a number of hidden key figures, that are displayed later in navigation.
    Without being able to fix the series to key figures, in the opening view some key figures are appearing as columns rather than lines and vice versa.
    Thanks and regards
    IM

    Thanks for your help, Pcrao.
    My scenario is:
    I have 15 key figures in the columns of my query (data provider).
    The first 12 of these KFs are to be displayed as bars (columns) and the last 3 as lines in the chart of my web query.
    I can set this no problem in WAD.
    But my problem is that because a number of my key figures are set as hide in the query designer (to be unhidden later in navigation) the last three KF's are displaying (incorrectly) as bars until I unhide all KF's in the navigation.
    In other words, it seems to me that I need to fix each series in the chart editing to a specific key figure. But I don't know how.
    Thanks again and regards
    IM

  • About CVM in GP Card Specification

    Dear all, while I read the GP Card Specification, I found the methods to init and verify a PIN in "org.globalplatform" in the GP211 APIs.
    But I also found similar methods to init and verify a PIN in "javacard.framework" in the JC221 APIs.
    So I want to know what the difference is.
    Thanks so much.

    hello
    The javacard PIN is standalone. You can use it as you wish in your app. You can even have more than one.
    The GP PIN is global to the card: if you update it in app A, the change is reflected in app B. Which is a neat idea, but is probably less secure than intended, since I can design an app that will change the PIN of other apps behind their back.
    Anyways, I don't know a lot of applications that use this, because there is no way to know how securely this is implemented in practice.
    The PIN will almost always be reimplemented in a "more secure way" to suit the application requirements. Usually this involves redundancy and tampering protection (checksum, CRC, etc.), as well as secure update methods (ciphered, etc.). The provided PIN APIs also prevent any readback, which is not always insecure, and not always desirable. It depends.

  • Suppress specific key being processed

    Hi,
    does anybody know an elegant way of suppressing a specific key? In my case I don't want the CAPS LOCK key being processed in such a way that it is switched on or off. Pressing the key should be completely ignored and this should work application-wide, not only for one component.
    Any Ideas?
    Thanks.

    If your key is not registered to generate an event I don't see the problem.
    However if what you want is that the key should be completely disabled ie. the caps lock light on your keyboard doesn't turn on then this should probably be done in native code (if it is possible that is without breaking your keyboard :-) ) because I don't think Java can handle such low level tasks...
    By the way, are you using java.awt.event.KeyListener or javax.swing.KeyStroke?
    The latter avoids switch case statements to determine what key has been pressed (if I remember correctly).
    Thanks,
    Nikolas.

  • Open RegEdit to a Specific Key

    I have searched and tried various solutions (vbs, bat), but none seem to work properly. I am simply looking for a script (or technique) that will enable me to open RegEdit on a specific key. It will be used on WinXP and Win7 machines (x86 and x64).
    Any help is appreciated.

    use reg.exe to set the LastKey value, then open regedit.
    reg add hkcu\software\microsoft\windows\currentversion\applets\regedit /v lastkey /d "My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /f
    start regedit.exe
    Change the bit after the /d to whichever key you want to open to.
    If you're not sure how to format the string, then open regedit, go to the key you want to open to, then close regedit. Run the reg query below to get the exact string.
    reg query hkcu\software\microsoft\windows\currentversion\applets\regedit /v lastkey

  • How to study GlobalPlatform Card Specification 2.1.1?

    I'm a learner of GlobalPlatform Card Specification 2.1.1. Now I have studied this document. I may not have grasped the important information, so can you give me some advice or some questions about it?
    Thanks. Waiting for your replies.

    For what purpose did you study GlobalPlatform? All depends on that for me

  • Getting a Behavior class to respond to specific key presses

    Hello,
    My Problem is this:
    I have a keyboard behavior class which extends the Behavior class; I want the behavior to wakeupOn a specific key press, i.e. KeyEvent.VK_UP. However, the class will only seem to respond to the KEY_PRESSED, KEY_RELEASED and KEY_TYPED variables.
    Any help on how to get the behavior to wake up on specific key presses would be gratefully received.
    Paul

    The normal event model, as far as I can tell, is to wake up on keypressed and then check which key it was that has been pressed and respond accordingly.

  • Wild Card as key field value in Content Conversion

    Hi,
    Can anyone please tell me whether a wild card such as '*' can be used as a key field value.
    Thnx,
    Pravesh Puria.

    Hi Pravesh
    For the file name in the sender file adapter you can use the '*' or '?'(as a placeholder for exactly one character)
    You can also enable the "Advanced Selection for Source File" in the sender file adapter, where you can do two things:
    a) you can specify an exclusion mask for the file name specified above.
    b) you can specify/list multiple directories with a file name and an associated exclusion mask, e.g. in file name you put ".txt" and in the associated exclusion mask "a". Then every file with ".txt" except "a" will be fetched from that directory.
    Try it out.
    Regards,
    Goekhan

  • Re: Video Card specifications

    Good Day to everyone!
    My search goes on for my ultimate video editing computer and my quest has led me to the specifications of my video card.
    I was wondering if the ATI HD4670 DDR3 1GB 128 bit is enough for my video editing needs?
    Also, since my motherboard is equipped with Crossfire, I'm planning to add another HD4670.
    My question is, would that be good enough? Because I've been reading about GPU cards lately and maybe I should just save for one instead of buying another ATI HD4670.
    Hope you guys can help me out.
    Thanks
    curlyman26

    Thanks for the feedback. I'm still wondering though why I still get problems importing my clips into CS4. My computer specs, I believe, are more than enough for the minimum requirements of the program (i7-930, 4GB DDR3 RAM, (1) 320GB and (1) TB 7200RPM SATA drives, ATI 4670 VC), and I already converted my Xacti1010 clips to HD avi/mov/mp4, even AVCHD, as suggested by Mr. Milaard on my previous post http://forums.adobe.com/thread/682651?tstart=0.
    Side question though, does the proper sequence selection affect the importing of files to cs4?
    Thank you and hope to learn more from you guys.

  • Re: I've lost Flash Card Function Keys

    I've lost the flash cards that used to drop down at the top of the screen. I tried a few different things including updating the drivers from the website.
    At the minute, some of the function keys will work ok, ie brightness,lock - but the energy saving key and the wireless key no longer work.

    Hi Mafustokes,
    Which drivers you have updated exactly?
    The Flash Cards are controlled by the Value Added Package and you should update this tool. I don't know what notebook you have but you can get it here for example:
    http://eu.computers.toshiba-europe.com => Support & Downloads => Download Drivers

  • GP Card Manager key does not change..

    hi all..
    I have a JCOP card and I want to change the GP Card Manager key from the static 40~4F to 30~3F.
    Now the key version is 01.
    Like below.. the PUT KEY command succeeded, but the key did not change..
    What is the problem???
    [Power On - Gemplus USB Smart Card Reader 0]
    ATR : 3B 69 00 00 4A 43 4F 50 33 31 56 32 32
    [APDU - Gemplus USB Smart Card Reader 0]
    00 A4 04 00 08 A0 00 00 00 03 00 00 00 << 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65
    01 FF 9F 6E 06 47 91 73 51 2E 00 73 4A 06 07 2A
    86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B
    02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64
    0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09
    2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01
    04 01 2A 02 6E 01 02 90 00
    172ms
    [APDU - Gemplus USB Smart Card Reader 0]
    80 50 00 00 08 00 00 00 00 00 00 00 00 << 00 00 93 02 04 37 90 91 54 50 01 02 00 2C BE 39
    5E A5 07 55 D3 74 FF 65 DA B6 1C 0E 90 00
    125ms
    [APDU - Gemplus USB Smart Card Reader 0]
    84 82 00 00 10 78 E9 4A 72 8C 8A 58 C2 9C 60 70 A3 C9 F2 93 48
    << 90 00
    78ms
    [APDU - Gemplus USB Smart Card Reader 0]
    80 D8 01 81 43 00 80 10 D3 DD 37 F4 45 C0 EB C8 20 A9 7F 43 FB D6 61 A8 03 B7 3D 56 80 10 D3 DD
    37 F4 45 C0 EB C8 20 A9 7F 43 FB D6 61 A8 03 B7
    3D 56 80 10 D3 DD 37 F4 45 C0 EB C8 20 A9 7F 43
    FB D6 61 A8 03 B7 3D 56
    << 01 B7 3D 56 B7 3D 56 B7 3D 56 90 00
    203ms
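    The key version byte the card returns in its INITIALIZE UPDATE response is how a host learns which key set to authenticate with, the point raised in the main thread above. The following is an added example, not code from this post or from GlobalPlatform: it parses the response shown in the trace (the reply to 80 50 00 00 08 ...) into its SCP02 fields and selects the host key set by the announced version. The field layout follows GlobalPlatform 2.1.1 for SCP01/SCP02; the sample bytes are copied from the trace, and the host_key_sets contents and function names are placeholders constructed for the example.

```python
# Constructed from the trace in the post above: the card's answer to
# INITIALIZE UPDATE (80 50 00 00 08 <host challenge>), status word included.
SAMPLE_RESPONSE = bytes.fromhex(
    "00009302043790915450"   # key diversification data (10 bytes)
    "0102"                   # key version number 01, SCP identifier 02
    "002cbe395ea50755"       # SCP02: 2-byte sequence counter + 6-byte card challenge
    "d374ff65dab61c0e"       # card cryptogram (8 bytes)
    "9000"                   # status word: success
)


def parse_initialize_update(response: bytes) -> dict:
    """Split an SCP01/SCP02 INITIALIZE UPDATE response into its fields.

    Layout (GlobalPlatform 2.1.1): 10 bytes key diversification data,
    1 byte key version number, 1 byte SCP identifier, 8 bytes card
    challenge (for SCP02 its first two bytes are the sequence counter),
    8 bytes card cryptogram, then the 2-byte status word.
    """
    if len(response) < 2:
        raise ValueError("response too short for a status word")
    data, sw = response[:-2], response[-2:]
    if sw != b"\x90\x00":
        raise ValueError(f"INITIALIZE UPDATE failed, SW={sw.hex()}")
    if len(data) != 28:
        raise ValueError(f"expected 28 data bytes for SCP01/SCP02, got {len(data)}")
    fields = {
        "key_diversification_data": data[0:10],
        "key_version": data[10],
        "scp": data[11],
        "card_challenge": data[12:20],
        "card_cryptogram": data[20:28],
    }
    if fields["scp"] == 0x02:
        fields["sequence_counter"] = int.from_bytes(data[12:14], "big")
    return fields


def select_key_set(fields: dict, host_key_sets: dict) -> tuple:
    """Pick the host-side key set matching the version the card announced.

    host_key_sets maps key version -> key set; the contents are the host's
    business (an HSM handle, a master set to diversify from), only the
    selection matters here. A version the host does not know means the card
    holds keys this host cannot authenticate, which should be logged as such
    rather than retried with other versions.
    """
    version = fields["key_version"]
    if version not in host_key_sets:
        raise LookupError(f"card reports key version {version:#04x}, host has no such set")
    return version, host_key_sets[version]


if __name__ == "__main__":
    f = parse_initialize_update(SAMPLE_RESPONSE)
    print("key diversification data:", f["key_diversification_data"].hex())
    print("key version: %#04x  SCP: %#04x  sequence counter: %s"
          % (f["key_version"], f["scp"], f.get("sequence_counter")))
    version, _ = select_key_set(f, {1: "host key set v1 (placeholder)"})
    print("host will authenticate with key set version", version)
```

    The key diversification data is also the per-card value a host would feed into its key derivation, so the same response tells the host both which master set to use and which card-specific keys to derive from it.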

    The only way that OneKey would be restored in your situation is by having Lenovo reimage your hard drive. Assuming they will do it under warranty. Once you repartition drive "C", you lose all functionality of OneKey partition. I was going to suggest that you extract the recovery image from the hidden partition but even that will be useless because the image was set up for the original partition setup.
    An alternative, is to use an OEM Windows XP [Greek] to install with the COA on the netbook, install the drivers and software that was preinstalled [from Lenovo] and create a recovery cd/dvd using OneKey 6.0 and VirtualCD.
    ***VirtualCD is a program that allows you to burn CDs and DVDs using a virtual CD/DVD writer.
    Message Edited by ortegaluis on 01-15-2009 09:13 AM
    \\ I do not respond to PM regarding individual tech support. Keep discussions in the forum for the benefit of others //
