Government Smart Card Interoperability Spec

Hi all,
I have recently been reading up on standards in smart card systems and specifically Java Card and Global Platform. I was beginning to think that these two standards were enough to create a secure smart card system, but now I have come across the Government Smart Card Interoperability Specification from NIST... Can anyone briefly tell me what role this spec would play in a multi-app, post-issuance smart card system?
Thanks in advance,
Ann

The GSCIS is a separate specification that is geared for Government. It's written to use file-based cards or Java Cards. There are two portions of the GSCIS spec, card edge and off card. The off card APIs borrow from PCSC. It's not necessary to use PCSC and you can use proprietary libraries.
The card edge defines APDUs that the off card would use.
Using GSCIS doesn't replace Global Platform. The de facto standard for government deployment is Java Cards/Global Platform and GSCIS applets.
To deploy to the government, the middleware must be conformant in the sense that it must know how to read a GSCIS applet. This can be done by calling the card edge APDUs or the off card interface, known as the Basic Service Interface.
Need more info ?

Similar Messages

  • Government CAC (Smart Cards) interface to Oracle 10g Forms and Reports

    I am working on Oracle Forms and Oracle Reports (10g) web applications for an Air Force customer. They want to use Smart Cards (CAC) to log onto their PCs and do not want to have to enter a login and password to enter my Oracle web application.
    Does anyone know of a government customer that has an Oracle Forms and Reports application that does not require a login and password, but uses the CAC card information to connect? If so, can you please provide the name of the organization and contact information. Thanks, [email protected]

    Hi,
    I have been researching a CAC card solution for a DOD customer.
    We plan (hope) to authenticate users against their Active Directory accounts using Oracle Internet Directory and Single Sign-on Server. Active directory reads the CAC card, and Oracle verifies they are authenticated in Active Directory.
    Oracle Windows Native Authentication (WNA) may be what you're looking for.
    Here's an OBE on enabling WNA:
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    Chapter 43 of the Oracle Internet Directory (9.0.4) guide discusses integration with Windows Active Directory:
    http://download-east.oracle.com/docs/cd/B10464_05/manage.904/b12118/odip_act.htm#127412
    If you haven't already done it, search these forums for "CAC". You'll find other posts from people who have implemented CAC authentication in their Oracle products.
    Good luck!
    Jim

  • Safari can use my CAC (Smart) Card to login to government websites but Firefox cannot.

    Safari and even Google Chrome can access my CAC Card and login to government websites, however Firefox just doesn't seem to even try. OSX Lion, Apple Macbook Pro, Firefox 5.0.1.

    Try:
    * [/questions/808161] Trying to use a CAC smart card reader with Mac version of Firefox
    * https://militarycac.com/firefox.htm

  • Controlling Access to OS with Smart Card

    Does anyone know if there is a program built into OS X (Tiger) or a third-party program that will allow a machine running Tiger to be set up to only be accessed when using a "Smart Card" (similar to the system used on a lot of government machines)?
    Also, where would a person obtain the Smart Card to use with the program? Thanks!!!

    You might look into a hardware product called "SecuriKey":
    http://www.securikey.com/mac_security.html
    There was a MacWorld review a few years ago of what might have been an earlier version:
    http://www.macworld.com/article/42927/2005/02/securikey.html

  • Default applets on brand new java card and spec support

    Hi,
    I have got a brand new Java Card reader and a real Java Card.
    I want to just access it using Java and see if I can access stuff on the Java Card before I go ahead with the next things.
    I was thinking of just doing a select on some applet which is present on a brand new Java Card by default.
    1. Does anyone know if any default applet is present on a Java Card?
    2. If yes, the AID of that?
    3. Is there any APDU by which I can find out which Java Card spec that card supports?
    Btw, I am using Java Card 2.2.2 and the card I have should also have the same support.
    Edited by: unic.man on Jul 12, 2008 2:11 AM

    > 1. I know that any smart-card has a universally unique ID which can be retrieved programmatically. Can you please tell me the APDU/API to retrieve it on the host app side? If not, card side at least?

    I don't know much about unique IDs but basically you've got the ATR which is given to you every time the card is powered on. The ATR identifies a particular family of cards. If you want to identify each card you need to have a look at the GET DATA command (in Global Platform) and especially the CPLC (Card Production Life Cycle). Apparently you can get a unique ID by combining the IC batch identifier and the IC serial number.

    > 2. I'm also struggling with deploying the app. It is not detecting the default installer applet via apdutool. I found some articles and a NetBeans plug-in talking about keys to download an applet on the card. Do you know standard keys/derived keys to start a secured channel?

    I don't think you can use the JCDK to install an applet on a real card. If you have a JCOP card I advise you to get the JCOP tools. And yes you will need the keys to establish a secure channel but I don't know what the default keys are on a JCOP card.
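    Worked example added here (not code from the thread): parsing the response to GET DATA with tag 9F7F, the CPLC record the reply above points to, and building the identifier it suggests from the IC batch identifier and IC serial number. The response bytes are constructed for the example, not captured from a card; the field layout is the standard 42-byte CPLC structure.

```python
# Added example, not from the thread: parse the CPLC (Card Production Life
# Cycle) record that GET DATA with tag 9F7F returns and build the identifier
# the reply suggests (IC batch identifier + IC serial number).
# SAMPLE_RESPONSE below is constructed, not captured from a real card.

# Layout of the 42-byte CPLC value: (field, offset, length).
CPLC_FIELDS = [
    ("ic_fabricator", 0, 2),
    ("ic_type", 2, 2),
    ("os_id", 4, 2),
    ("os_release_date", 6, 2),
    ("os_release_level", 8, 2),
    ("ic_fabrication_date", 10, 2),
    ("ic_serial_number", 12, 4),
    ("ic_batch_identifier", 16, 2),
    ("ic_module_fabricator", 18, 2),
    ("ic_module_packaging_date", 20, 2),
    ("icc_manufacturer", 22, 2),
    ("ic_embedding_date", 24, 2),
    ("ic_pre_personalizer", 26, 2),
    ("ic_pre_perso_equipment_date", 28, 2),
    ("ic_pre_perso_equipment_id", 30, 4),
    ("ic_personalizer", 34, 2),
    ("ic_personalization_date", 36, 2),
    ("ic_personalization_equipment_id", 38, 4),
]
CPLC_LENGTH = 42

# Constructed response to 80 CA 9F 7F 00: tag 9F7F, length 2A, 42 value
# bytes, then the status word 9000.
SAMPLE_RESPONSE = bytes.fromhex(
    "9F7F2A"
    "4790" "5168" "1291" "1234" "0002" "1045"   # fabricator .. fabrication date
    "01020304"                                  # IC serial number
    "ABCD"                                      # IC batch identifier
    "4790" "1050" "0000" "0000" "0000" "0000"   # module fabricator .. pre-perso date
    "00000000" "0000" "0000" "00000000"         # remaining personalisation fields
    "9000"
)

def split_response(resp):
    """Split a raw card response into (data, status word)."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]

def parse_cplc(data):
    """Check the 9F7F TLV wrapper and return every CPLC field as upper-case hex."""
    if data[:2] != b"\x9f\x7f":
        raise ValueError("expected tag 9F7F, got %s" % data[:2].hex().upper())
    length = data[2]
    value = data[3:3 + length]
    if length != CPLC_LENGTH or len(value) != CPLC_LENGTH:
        raise ValueError("CPLC length %d, expected %d" % (len(value), CPLC_LENGTH))
    return {name: value[off:off + ln].hex().upper() for name, off, ln in CPLC_FIELDS}

def card_unique_id(cplc):
    """Identifier the reply describes: batch identifier followed by serial number."""
    return cplc["ic_batch_identifier"] + cplc["ic_serial_number"]

def read_card_id(resp):
    """Full path: response bytes -> unique id; raises on a non-9000 status."""
    data, sw = split_response(resp)
    if sw != 0x9000:
        raise ValueError("card returned SW %04X" % sw)
    return card_unique_id(parse_cplc(data))

if __name__ == "__main__":
    for name, _, _ in CPLC_FIELDS:
        print("%-32s %s" % (name, parse_cplc(SAMPLE_RESPONSE[:-2])[name]))
    print("unique id:", read_card_id(SAMPLE_RESPONSE))
```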

  • Commands in smart cards

    Hello!
    I'm a student and I'm trying to get information about the meaning of this command used in smart cards:
    80 B8 00 00 12
    I have discovered that this command could identify smart cards but I don't know how it works.
    Could you help me?

    First learn what APDUs are.
    Then check which spec your card implements.
    Then search for the command ...

  • Upload an applet into smart card

    Hello,
    I worked with Eclipse and the JCOP plugin. I compiled the applet so I have the .cap file,
    but I can't upload it into the smart card,
    and I want to know what's the difference between the AID of the applet and the AID of the package.
    Thanks

    Check out GP 2.1.1 card spec. Package has the same definition as in Java SE. Applet is the class within the package. It shall have another AID than the package.
    Paste your APDU log.

  • Problem with CertificateRequest when using a smart card

    Hello,
    I have used the ssl debug statement to determine that the ssl server is sending a CertificateRequest and a list of CAs. The smart card is opened via a password and I think X509KeyManagerImpl compares the Issuer of the smart card certificates with the server-sent CAs. However, since the issuer is an intermediate CA and only the root CA is in this list, the smart card certificates are rejected. I CAN'T have the intermediate CA placed in the ssl server list.
    Using SSLConnect (KeyManager, X509TrustManager, null). The KeyManager is using NSS and the TrustManager is using opensc-pkcs11 via SunPKCS11. The OS is Linux, kernel 2.6.35.10-74.fc14.i686.
    The intermediate CA is in the local cert store.
    The application being used is DavMail.
    Am I correct in stating that the smart card certificates are checked against the server-sent CAs?
    Does anyone know how to get Java to use the local cert store to find the intermediate CA and then verify it against the Root CA in the server-sent list?

    Placed in wrong forum. Moved it to Security Java Secure Socket Extension (JSSE)

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com
    using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine. The only thing I can think of is that being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue, but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
    [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer to use NLA.

  • How to include the user as a recipient of the email generated when a smart card certificate is issued by an Enrollment Agent on behalf of a user.

    How can I add the requester name in the To: field of the email generated when a Smart Card certificate is issued on his behalf.
    I want to address the possibility of someone (Enrollment Agent) issuing a Smart Card certificate on behalf of a user, assign a PIN and use it without the user's knowledge.
    There doesn't seem to be a way in the registry to define a variable to be used in a manner similar to the TitleArg & TitleFormat way of using %1.
    Jamal Saket OSFI Canada

    Hi,
    Thank you for your question.  
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. 
    Thank you for your understanding and support.
    TechNet Subscriber Support

  • How to use Smart Card API's (OCF) in Web Application

    Hi friends,
    For our new smart card based project, I have a few queries:
    1. Can we choose a web based application for smart card based projects?
    2. How will a servlet communicate with the OpenCard CTListener class?
    3. On card insertion and removal, how will the event be reflected in the servlet?
    4. For that, is it needed to design the client UI using Swing?
    5. Without Swing, will a servlet give the whole solution for smart card connection and events?
    Regards,
    dhaya.

    I am also looking for smart card Authentication using web. Any info really appreciated

  • How to load the .cap file in a Smart Card?

    Dear All,
    Hello..!!
    I am using JCDK 2.2 and have used Eclipse JCDK.
    I have written a simple read/write applet and created a .cap file using Eclipse's Converter Java Card tool.
    What is the next step to be done?
    I have a smart card device and have installed its drivers.
    When do the APDU commands come into picture?
    Expecting help.
    Thanks a lot.
    Regards,
    Suril

    Suril Sarvaiya wrote:
    > Hi Shane....
    > Thanks a lot....
    > I have downloaded GP-Shell 1.4.4
    > When I open its application and write any command and press enter, the app window closes immediately.
    > Can you please help me on this?
    > One more thing Shane......
    > I'm writing a Java class using javax.smartcardio
    > I have installed drivers of Omnikey 3021
    > but the TerminalFactory is not detecting it?
    > Any idea on that?
    > Thanks again...
    > Regards,
    > Suril

    Hi all,
    Has the thread starter solved his problem?
    I am taking advantage of this thread to post my question. I'm working with a new environment and I have a problem loading a cap file into my smart card.
    Specification comes first :-)
    - My smart card is said to be JC2.2.1 and GP2.1.1 compatible
    - My code (for testing) is written in Java under Eclipse Helios service 2 with the JavaCard plugin (for JC2.2.2)
    I compile my code with JDK 1.3 (for a compatible version) and use the JC plugin to generate the cap file (along with exp and jca).
    My problem is exactly the same as one that was posted in this forum about 2 years ago but was not answered :-)
    [Problem Loading Application to Card |http://forums.oracle.com/forums/thread.jspa?threadID=1749334&tstart=420]
    + I successfully authenticate with the smart card
    + The APDU command INSTALL for load is executed successfully
    + BUT the APDU command LOAD fails with returned status word 6424
    For details, I post here my Java Card applet code and the APDU commands executed with my tool:
    package mksAuthSys;
    import javacard.framework.APDU;
    import javacard.framework.Applet;
    import javacard.framework.ISO7816;
    import javacard.framework.ISOException;
    import javacard.framework.OwnerPIN;
    public class Jcardlet extends Applet {
        private final static byte[] myPIN = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04 };
        final static byte Jcardlet_CLA = (byte) 0xB0;
        final static byte VERIFY = (byte) 0x20;
        final static byte PIN_TRY_LIMIT = (byte) 0x03;
        final static byte MAX_PIN_SIZE = (byte) 0x08;
        final static short SW_VERIFICATION_FAILED = 0x6300;
        OwnerPIN pin;
        private Jcardlet() {
            pin = new OwnerPIN(PIN_TRY_LIMIT, MAX_PIN_SIZE);
            pin.update(myPIN, (short) 0, (byte) 4);
            // register() is called once, from install(); calling it here as well
            // would register the applet twice
        }
        public static void install(byte[] bArray, short bOffset, byte bLength)
                throws ISOException {
            new Jcardlet().register();
        }
        public boolean select() {
            // refuse selection once the PIN is blocked
            if (pin.getTriesRemaining() == 0) return false;
            return true;
        }
        public void deselect() {
            pin.reset();
        }
        public void process(APDU apdu) throws ISOException {
            byte[] buffer = apdu.getBuffer();
            // ignore the SELECT APDU that handed control to this applet
            if ((buffer[ISO7816.OFFSET_CLA] == 0) &&
                    (buffer[ISO7816.OFFSET_INS] == (byte) 0xA4)) return;
            if (buffer[ISO7816.OFFSET_CLA] != Jcardlet_CLA)
                ISOException.throwIt(ISO7816.SW_CLA_NOT_SUPPORTED);
            switch (buffer[ISO7816.OFFSET_INS]) {
                case VERIFY:
                    verify(apdu);
                    return;
                default:
                    ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            }
        }
        private void verify(APDU apdu) {
            byte[] buffer = apdu.getBuffer();
            // receive the PIN data; it lands in the APDU buffer at
            // ISO7816.OFFSET_CDATA and byteRead is its length
            byte byteRead = (byte) (apdu.setIncomingAndReceive());
            if (pin.check(buffer, ISO7816.OFFSET_CDATA, byteRead) == false)
                ISOException.throwIt(SW_VERIFICATION_FAILED);
        }
    }
    And my APDU commands:
    Loading "D:\mksAuthSys.cap" ...
    T - 80F28000024F00
    C - 08A000000003000000079E9000
    ISD AID : A000000003000000
    T - 80E602001508F23412345610000008A00000000300000000000000
    C - 009000
    T - 80E80000C8C482018B010012DECAFFED010204000108F23412345610000002001F0012001F000C001500420012009D0011001C0000009F00020001000402010004001502030107A0000000620101000107A000000062000103000C0108F234123456100001002306001200800301000104040000003DFFFF0030004507009D000510188C0003188F00013D0610088C00028700AD007B000403078B0005188B00067A02308F00073D8C00088B00067A0110AD008B00096104037804780110AD008B000A7A0221198B000B2D1A0300
    C - 6424
    Stopped loading due to unexpected status words.
    Urgently looking forward to hearing from you.
    Thanks a bunch in advance
    Best Regards,
    JDL
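    Worked example added here (not code from the thread or from GP-Shell): a decoder for an APDU trace in the "T - " / "C - " form shown above, which names each GlobalPlatform command, unpacks the INSTALL [for load] data field and reports the first exchange whose status word is not 9000, such as the 6424 above. The trace it embeds copies the thread's GET STATUS and INSTALL [for load] lines; its LOAD block is constructed and shortened, not the thread's real CAP data, and the 64xx text is the ISO 7816-4 class meaning, not a card-specific diagnosis.

```python
# Added example, not from the thread: decode a GP-Shell style APDU trace
# ("T - " host to card, "C - " card to host), name each GlobalPlatform command
# and find the first non-9000 status word. SAMPLE_TRACE copies the thread's
# GET STATUS and INSTALL [for load] lines; the LOAD block is constructed.
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA", 0xE6: "INSTALL", 0xE8: "LOAD", 0xF2: "GET STATUS"}
INSTALL_P1 = {0x02: "for load", 0x04: "for install", 0x08: "for make selectable",
              0x0C: "for install and make selectable"}
SW_TEXT = {0x9000: "OK", 0x6A80: "wrong data", 0x6A88: "referenced data not found",
           0x6982: "security status not satisfied", 0x6985: "conditions not satisfied"}
SAMPLE_TRACE = [
    "T - 80F28000024F00",
    "C - 08A000000003000000079E9000",
    "T - 80E602001508F23412345610000008A00000000300000000000000",
    "C - 009000",
    "T - 80E8800006C404DECAFFED",  # constructed LOAD: last block, block number 0
    "C - 6424",
]

def sw_text(sw):
    """Status word text; 64xx/65xx are the ISO 7816-4 execution-error classes."""
    if sw in SW_TEXT:
        return SW_TEXT[sw]
    if sw >> 8 == 0x64:
        return "execution error, non-volatile memory unchanged"
    if sw >> 8 == 0x65:
        return "execution error, non-volatile memory changed"
    return "error" if sw >> 12 == 0x6 else "unknown"

def parse_install_for_load(data):
    """INSTALL [for load] data: five length-prefixed items in fixed order."""
    keys = ("load_file_aid", "security_domain_aid", "load_file_hash", "load_params", "load_token")
    out, off = {}, 0
    for key in keys:
        ln = data[off]
        out[key] = data[off + 1:off + 1 + ln].hex().upper()
        off += 1 + ln
    return out

def parse_command(hexstr):
    """Split CLA INS P1 P2 [Lc data]; a 4- or 5-byte APDU carries no data."""
    b = bytes.fromhex(hexstr)
    ins, p1, p2 = b[1], b[2], b[3]
    data = b[5:5 + b[4]] if len(b) > 5 else b""
    name, detail = INS_NAMES.get(ins, "INS %02X" % ins), {}
    if ins == 0xE6:
        name += " [%s]" % INSTALL_P1.get(p1, "P1=%02X" % p1)
        if p1 == 0x02:
            detail = parse_install_for_load(data)
    elif ins == 0xE8:  # LOAD: P1 bit 8 marks the last block, P2 is the block number
        detail = {"last_block": bool(p1 & 0x80), "block_number": p2}
    return {"name": name, "data": data.hex().upper(), "detail": detail}

def parse_response(hexstr):
    """Split response data from the trailing two-byte status word."""
    b = bytes.fromhex(hexstr)
    sw = (b[-2] << 8) | b[-1]
    return {"data": b[:-2].hex().upper(), "sw": sw, "sw_text": sw_text(sw)}

def decode_trace(lines):
    """Pair every T line with the C line that follows it."""
    exchanges, pending = [], None
    for line in lines:
        tag, _, hexstr = line.strip().partition(" - ")
        if tag == "T":
            pending = parse_command(hexstr)
        elif tag == "C" and pending is not None:
            pending["response"] = parse_response(hexstr)
            exchanges.append(pending)
            pending = None
    return exchanges

def first_failure(exchanges):
    """First exchange whose status word is not 9000, or None when all succeeded."""
    return next((e for e in exchanges if e["response"]["sw"] != 0x9000), None)
```

    Running first_failure(decode_trace(SAMPLE_TRACE)) points at the LOAD exchange, so the failure can be tied to the block and command that triggered it rather than read off the raw hex.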

  • Remote desktop and smart cards

    I frequently work from home using my Mac to access my Windows based desktop at the office. I use Microsoft Remote Desktop v. 1.0.3 for Mac. Now that my agency is moving to smart card identification requirements for access, I need to be able to use the smart card at home to sign onto the office desktop.
    The RDC for Mac does not have an option for smart card readers (as opposed to the RDC for Windows version). Is there alternative software that would be simple to install on my Mac (I am not an IT sophisticate) that will give me smart card access?

    Microsoft Remote Desktop Connection (RDC) for Mac and Apple Remote Desktop (ARD) are two completely different tools with marginally similar capabilities. Unfortunately, as you've already discovered, neither offers Smart Card capabilities to allow you to authenticate to your Windows computer at work.
    If your Mac is an Intel Mac then you could probably run Windows using Parallels or Boot Camp on your home computer and use the Windows RDC client to make your connection. I don't suggest trying to use VirtualPC if you have a PowerPC Mac simply because your Smart Card reader will most likely be USB and VirtualPC has a bad track record with USB devices.
    Hope this helps!
    bill
      Mac OS X (10.4.10)   1 GHz Powerbook G4

  • MS Remote Desktop and smart card reader

    I have installed MS Remote Desktop Conn. on my iMac and connected a smart card reader via the USB. Although my reader energizes when the computer is on, the computer doesn't seem to recognize the reader. When I insert a CAC card into the reader and try to log in remotely, I continue to get a "username/password" box instead of the CAC PIN number. Do I need to install some kind of smart card driver or does Apple already have it? I'm at a loss as to how to fix this.

    I was able to get rdesktop 1.6.0 to install on my Mac and I was able to get CAC log-in to work.
    However, the installation is a little tricky. I downloaded rdesktop 1.6.0 from this link:
    <<http://www.rdesktop.org>>
    My instructions for installation:
    1. Make sure Xcode Tools is installed on your computer. It should be on your OS X install disk.
    2. Find out where your X11 libraries are located:
    -From the Finder menu, select "Go" >> "Go to Folder..."
    -Type (without the quotes) "/usr/X11", and click "Go"
    You should see a bunch of folders. Make sure the "include" and "lib" folders are there. Otherwise you need to find out where the X11 "include" and "lib" folders are located on your computer.
    3. Download rdesktop and place the (unarchived) rdesktop-1.6.0 folder on your Desktop
    4. Open the X11 application (should be in your Utilities folder)
    5. In the X11 window type the following (without the quotes):
    "cd Desktop/rdesktop-1.6.0 && ./configure --enable-smartcard -x-includes=/usr/X11/include -x-libraries=/usr/X11/lib && make && sudo make install"
    6. Hit enter. When prompted, enter your administrator password and hit enter.
    rdesktop should now be installed in the following folder:
    /usr/local/bin
    So, to launch rdesktop with smartcard log in enabled, open the X11 application (or Terminal application) and type the following (without the quotes, and replace your.server.address with the server address):
    "cd /usr/local/bin && ./rdesktop -r scard your.server.address"
    Hit enter and it should launch a new X11 window that will try to access the remote server where you should be prompted for your PIN.
    To explore more options with rdesktop, open X11 and type the following (without quotes):
    "cd /usr/local/bin && ./rdesktop"
    Hit enter and you should get a list of options available to rdesktop.

  • Remote desktop and smart card

    Hi.
    I need to use a smart card while working with remote desktop.
    My office PC runs Win XP and has a smart card connected. I cannot use that card when working remotely, it's not found. Like it's disconnected.
    I also have a smart card connected to my Mac at home. The smart card works fine when the VPN connection asks for my code.
    The problem is that it does not get forwarded. I have tried to use MS Remote Desktop for Mac and CoRD.
    But none of them supports the smart card.
    It works fine with Parallels/Win7 on my Mac, I can then use my smart card.
    However I would like to not use the win/ on my Mac.
    Does anybody have a solution to this? Are there any Remote Desktop applications that support forwarding of smart cards for Mac OS?
    Thanks for any tips

    You can install rdesktop with Smart Card support.
    It is fairly easy if you use something like MacPorts, Fink, or Homebrew.
    I know MacPorts has a port for it that I used in the past.
