JCOP Security Domain

Hi all
I've personalized a0000000035350 SD in a JCOP31 card according to:
http://forum.java.sun.com/thread.jspa?forumID=23&threadID=646157
but I'm not able to upload an applet in the installed SD. Here is what I did after personalizing the SD:
-  /term "winscard:4|OMNIKEY CardMan 5121 0"
--Opening terminal
/card -a a000000003000000 -c com.ibm.jc.CardManager
--Waiting for card...
ATR=3B 69 00 FF 4A 43 4F 50 33 31 56 32 32             ;i..JCOP31V22
ATR: T=0, N=-1, Hist="JCOP31V22"
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00          ..............
(101408 usec)
<= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65    o..............e
    01 FF 90 00                                        ....
Status: No Error
cm>  /select a000000003535041
=> 00 A4 04 00 08 A0 00 00 00 03 53 50 41 00          ..........SPA.
(87460 usec)
<= 6F 10 84 08 A0 00 00 00 03 53 50 41 A5 04 9F 65    o........SPA...e
    01 FF 90 00                                        ....
Status: No Error
cm>  set-key 3/1/DES-ECB/707172737475767778797A7B7C7D7E7F
cm>  set-key 3/2/DES-ECB/606162636465666768696A6B6C6D6E6F
cm>  set-key 3/3/DES-ECB/808182838485868788898A8B8C8D8E8F
cm>  init-update
=> 80 50 00 00 08 D4 43 31 62 E5 5F 58 5E 00          .P....C1b._X^.
(125923 usec)
<= 50 41 00 00 00 00 00 00 00 00 03 02 00 01 49 D5    PA............I.
    47 9E D4 FB 50 A5 55 E0 DC 14 C9 58 90 00          G...P.U....X..
Status: No Error
cm>  ext-auth
=> 84 82 00 00 10 F1 7A 09 48 26 18 E0 10 11 E1 82    ......z.H&......
    D6 42 AB 3A D5                                     .B.:.
(85201 usec)
<= 90 00                                              ..
Status: No Error
cm>  card-info
=> 80 F2 80 00 02 4F 00 00                            .....O..
(35727 usec)
<= 6D 00                                              m.
Status: INS value not supported
jcshell: Error code: 6d00 (INS value not supported)
jcshell: Wrong response APDU: 6D00
cm>  upload "D:\myhelloworld.cap"
=> 80 E6 02 00 1D 10 6D 79 68 65 6C 6C 6F 77 6F 72    ......myhellowor
    6C 64 50 61 63 6B 08 A0 00 00 00 03 00 00 00 00    ldPack..........
    00 00 00                                           ...
(61074 usec)
<= 6D 00                                              m.
Status: INS value not supported
jcshell: Error code: 6d00 (INS value not supported)
jcshell: Wrong response APDU: 6D00
Could anyone explain to me what I can do now? Thanks
PS: now CardManager works normally when I don't select a0000000035350

You may want to try selecting the Card Manager after the ext-auth command.

Similar Messages

  • Provider Security Domain applet on JCOP

    Hi all,
    I use the Eclipse plugin JCOP 3.0 tools and am trying to install my own Security Domain applet to OP.
    Does the JCOP card simulator support the Provider Security Domain?
    If not, which real JCOP card can I use to upload and install my Security Domain?
    Thanks in advance!
    Andy Hua.

    MatiGdoc wrote:
    > Hi,
    > I'm a newbie in JCOP programming, so I need help from "masters" ...
    > I'm using JCOP 10 v2.2 GP2.1.1 compliant with SCP02 support. I can successfully compute all necessary session keys / cryptograms needed by the initialize update / external authenticate commands.
    > The original JCOP tools use security mode "NO_SECURITY_LEVEL" in external authenticate - 84 82 00 00, so the load command contains the plain Header, Directory, Import etc. of the .cap file.
    > But I want to load the .cap in a more secure way, using C_DECRYPTION mode. So, my questions are:
    > - Is C_MAC mode mandatory with C_DECRYPTION? In other words, can I use p1=0x02 instead of 0x03 in the External Authenticate command?
    C_DECRYPTION also mandates C_MAC. You can use for P1: 00, 01 and 03.
    > - Which key must be used for data field encryption? I suppose the S_ENC key generated for the secure channel, right?
    Correct.
    > - Should the data field for the Install_for_load command (80 E6 02) also be encrypted with S_ENC?
    Yes. Starting with C_MAC your class byte needs to be 84 though.
    > - Should the data field also be padded before calculating the C_MAC?
    You pad for C_MAC as first step, and then pad the data field as a second step, excluding C_MAC. Check out GP 2.1.1 card spec, figure E-6.

  • Applet's associated security domain

    Hi All.
    I have a mobile device with an embedded secure element:
    Global Platform version : 2.1.1
    Global Platform Secure Channel Protocol: 02 option 15
    Java Card version : 2.2
    There is the content of it:
    Card Manager AID : A000000003000000
    Card Manager state : SECURED
    Application: SELECTABLE (--------) "2PAY.SYS.DDF01"
    Application: SELECTABLE (--------) A0000000041010
    Application: SELECTABLE (--------) A0000000041010BB5449435301
    Sec. Domain:PERSONALIZED (S-------) A00000000353504101
    Load File : LOADED (--------) A0000000035350 (Security Domain)
    Module : A000000003535041
    Load File : LOADED (--------) 4D66344D0002
    Module : A0000003964D66344D0002
    Load File : LOADED (--------) "2PAY."
    Module : "2PAY.SYS.DDF01"
    Load File : LOADED (--------) A000000004
    Module : A00000000410100001
    Module : A0000000041010
    Applet with AID A0000000041010BB5449435301 has been extradited to supplementary security domain with AID A00000000353504101.
    Other applets belong to the ISD.
    Is there any possibility to discover these relations?
    GP GET STATUS command does not have such options in GP Card Spec v2.1.1.
    In v2.2.1 I found optional tag CC (Associated Security Domain's AID) in GET STATUS command description and tag 2F00 (List of Applications belonging to the Security Domain) in GET DATA description.
    But I need to get this info from card 2.1.1.
    Thanks in advance.
    Vasiliy.
    Edited by: 1010453 on Jun 7, 2013 7:00 PM

    I have the same problem in GP2.1.1.
    I thought that if Applet A is associated with SD A, then when I select the ISD, I cannot delete Applet A. But I was wrong. JCOP also deleted it.

  • Security Domain privileges

    I'm trying to install a security domain using the JCOP simulator with Token Management privileges.
    I've installed the security domain with the available privileges by the INSTALL [for install] command provided by JCOP shell:
    cm>  install -s -e -b -m -q C90145 -i A000000151535041 A0000001515350 A000000151535041
    => 80 E6 0C 00 21 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 01
        E1 03 C9 01 45 00 00
    (12088 usec)
    <= 00 90 00         
    Status: No Error
    then tried to update the privileges using INSTALL [for registry update] command:
    cm>  send 80E6400011000008A00000015153504103E12000000000
    => 80 E6 40 00 11 00 00 08 A0 00 00 01 51 53 50 41
        03 E1 20 00 00 00 00
    (5642 usec)
    <= 6A 80              
    Status: Wrong data
    Also, I tried to set the privilege bytes while installing the Security domain but failed too
    cm>  send 80E60C002307A000000151535008A00000015153504108A00000015153504103E1200003C901450000
    => 80 E6 0C 00 23 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 03 
        E1 20 00 03 C9 01 45 00 00
    (7888 usec)
    <= 6A 80             
    Status: Wrong data
    Can anyone help?
    Thanks in advance,
    Khadrawy

    Hi,
    It seems you are trying to install a Security Domain with the Delegated Management privilege (Privilege Byte 1 - 0xE1) and the Token Verification privilege (Privilege Byte 2 - 0x20).
    According to GP Specification 2.2.1, Token Verification and Receipt generation privilege can not be assigned to Security Domain with Delegated Management privilege.
    Token Verification and Receipt generation privilege may be assigned to security domain with Authorized Management privilege.
    Hope this helps you.
    regards,
    Karthik
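The privilege conflict described in this reply can be checked before a command is sent. The following is an added example, not code from the thread or from the JCOP tools: it splits the INSTALL commands quoted in the post into their length-prefixed fields and flags the combination the reply names. The privilege bit names follow the GP 2.2.x privilege coding, and single-byte length fields are an assumption.

```python
# Added example: decode a GlobalPlatform INSTALL command and its privilege bytes.

# (byte index, bit mask) -> privilege name, GP Card Specification 2.2.x coding.
PRIVILEGES = {
    (0, 0x80): "Security Domain",
    (0, 0x40): "DAP Verification",
    (0, 0x20): "Delegated Management",
    (0, 0x10): "Card Lock",
    (0, 0x08): "Card Terminate",
    (0, 0x04): "Card Reset",  # "Default Selected" in GP 2.1.1
    (0, 0x02): "CVM Management",
    (0, 0x01): "Mandated DAP Verification",
    (1, 0x80): "Trusted Path",
    (1, 0x40): "Authorized Management",
    (1, 0x20): "Token Verification",
    (2, 0x80): "Receipt Generation",
}

# Order of the length-prefixed fields in the INSTALL data field. For
# INSTALL [for registry update] (P1 = 0x40) the first field is the target
# Security Domain AID and the second is empty.
FIELDS = ("load_file_aid", "module_aid", "application_aid",
          "privileges", "install_params", "token")


def parse_install(apdu_hex):
    """Split an INSTALL APDU (hex string) into its length-prefixed fields."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5 or apdu[1] != 0xE6:
        raise ValueError("not an INSTALL command (INS must be E6)")
    lc = apdu[4]
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("data field shorter than Lc")
    out, pos = {"p1": apdu[2]}, 0
    for name in FIELDS:
        if pos >= len(data) or pos + 1 + data[pos] > len(data):
            raise ValueError("field missing or overruns data: " + name)
        end = pos + 1 + data[pos]
        out[name] = data[pos + 1:end]
        pos = end
    if pos != len(data):
        raise ValueError("unexpected bytes after the token field")
    return out


def decode_privileges(priv):
    """Return the names of all privilege bits set in 1 to 3 privilege bytes."""
    return [name for (idx, mask), name in PRIVILEGES.items()
            if idx < len(priv) and priv[idx] & mask]


def conflicts(priv):
    """Privileges the reply says cannot accompany Delegated Management."""
    names = decode_privileges(priv)
    if "Delegated Management" not in names:
        return []
    return [n for n in names if n in ("Token Verification", "Receipt Generation")]


# The two INSTALL [for install and make selectable] commands from the post:
# the first returned 9000, the second 6A80.
ACCEPTED = "80E60C002107A000000151535008A00000015153504108A00000015153504101E103C901450000"
REJECTED = "80E60C002307A000000151535008A00000015153504108A00000015153504103E1200003C901450000"

if __name__ == "__main__":
    for apdu in (ACCEPTED, REJECTED):
        priv = parse_install(apdu)["privileges"]
        print(priv.hex().upper(), decode_privileges(priv), conflicts(priv))
```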

  • Security domain with mandated dap privilege

    Can I delete a security domain having the mandated DAP privilege, as per GlobalPlatform?

    Hi,
    I have the same problem. I created a SSD with mandated DAP, now I can not delete it. I have a JCOP card and the following so far:
    Card Manager AID   :  A0000001510000
    Card Manager state :  OP_READY
        Sec. Domain:PERSONALIZED (SVE----M) A000000004000001
        Sec. Domain:PERSONALIZED  (SV-----M) A000000004000002
        Load File  :                    LOADED (--------) A0000000035350   (Security Domain)
         Module    :                                             A0000001510000
         Module    :                                             A000000003535041
         Module    :                                             A0000000030000
    As you can see both A000000004000001 and A000000004000002 have mandated DAP privilege. Now I can not delete them.
    cm>  delete A000000004000001
    => 80 E4 00 00 0A 4F 08 A0 00 00 00 04 00 00 01 00    .....O..........
    (195345 usec)
    <= 69 85                                              i.
    Status: Conditions of use not satisfied
    jcshell: Error code: 6985 (Conditions of use not satisfied)
    Sadly I can not Load to them either. First I created the SSD with A000000004000001. Then I tried to LOAD a CAP with the appropriate load token and DAP(A000000004000001). It failed with 6985.
    After that I instantiated a second SSD (because I realized that I can not delete the first one). I Tried to LOAD a CAP with the necessary DAP(A000000004000002) but it failed with 6985 as well. Now I'm stuck.
    Please tell me if there is any way to get rid of these SSDs. And besides, what am I missing with the LOAD? Mandated DAP only means that if I try to load a CAP into a Security Domain with mDAP the CAP file has to have an appropriate DAP block, right? DAP meant if it exists it will be checked but if there is no DAP provided it will pass.
    Many Thanks!
    -András

  • In RSA Authentication Manager 7.1, how create multiple security domains

    Hi,
    RSA Authentication Manager 7.1 is configured with LDAP (Sun Java System Directory Server); how do I create multiple security domains in 7.1? Are these security domains related to LDAP?
    Thanks

    I think what you need to do is create an identity sequence with RSA as the selection in Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service.

  • How can I create a new Security Domain ?

    Hi everyone,
    I would like to know how I can create a Security Domain other than the ISD (if my card supports multiple SDs and delegated management).
    I read Global Platform v2.1.1, but I don't know how to create a new SD in practice (how to write its code, how to install it, how to associate an applet with it, ...).
    If there is any document or link that can help me, please let me know.
    I would appreciate it if anyone could explain it to me step by step.
    Yours sincerely,
    Orchid.

    You're right, it is not visible looking at your script, but at the APDU log. /card is an internal JCShell script to do the following:
    cm>  /card
    resetCard with timeout: 0 (ms)
    First the card is reset. This is analogous with /atr
    --Waiting for card...
    ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
        32 33 31 97                                        231.
    ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
    Then an /identify command is issued.
    => 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF          .........gA0..
    (163429 nsec)
    <= 09 01 01 29 00 00 00 00 50 48 36 35 30 41 00 00    ...)....PH650A..
        6A 82                                              j.
    Status: File not found
    Now the Issuer Security Domain (ISD) is selected. You can do the same sending the JCShell 'select' command.
    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00             .............
    (650082 nsec)
    <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65    oe...........Y.e
        01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A    ...n.@Qp.).sJ..*
        86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B    .H..k.`...*.H..k
        02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64    ....c...*.H..k.d
        0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09    ...*.H..k...e...
        2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01    +...Hd...f...+..
        04 01 2A 02 6E 01 02 90 00                         ..*.n....
    Status: No Error
    The answer is the File Control Information (FCI) returned by the ISD. The format is also described in GP.

  • INSTALL[for load] command without Security Domain AID

    Hello all,
    I have a question for the INSTALL[for load] command.
    The Security Domain AID is optional field, so I'm wondering if I didn't specify the AID, then which Security Domain performs the INSTALL[for load] command?
    Thanks,
    Julie.

    Whichever one you are sending your APDU commands to. Which SD did you select? Usually, the default applet is the ISD, so the commands are going to that applet.

  • Who shall create a specific Security Domain compliant to GP 2.1?

    Particularly, in the case of delegated management, the GP card specification 2.1.1 describes it as follows:
    "Security Domains authorized by the Card Issuer to perform Card Content changes shall request the OPEN to load, install, extradite, and delete applications."
    I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    My questions are:
    1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? Only as a provider of his own security policy for the GP compliant JCVM provider? Can't an Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    I am grateful to you for a kind assistance.

    > I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    Typically and due to the fact that the GP specification is missing the API that would allow a Security Domain to be loaded on the card, Security Domains are developed by the card vendor and present on the card at production. The vendor can decide which features are implemented in the Security Domain e.g. Secure Channel services, DAP Verification, Delegated Management. If, as an Application Provider, you wish to develop your own Security Domain, your vendor may be willing to provide you with details of their proprietary API but this would be specific to this vendor's product.
    > My questions are:
    > 1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    Yes.
    > 2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    No.
    > I am grateful to you for a kind assistance.

  • Use of robots.txt to disallow system/secure domain names?

    I've got a client whose system and secure domains are ranking very high on Google. My SEO advisor has mentioned that a key way to eliminate these URLs from Google is through the use of disallowing content through robots.txt. Given BC's unique nature of dealing with system and secure domains I'm not too sure if this is even possible as any disallowances I've seen or used before have been directories and not absolute URLs, nor have I seen any mention of this possibility around. Any help or advice would be great!

    Hi Mike
    Under Site Manager > Pages, when accessing a specific page, you can open the SEO Metadata section and tick “Hide this page for search engines”
    Aside from this, using the robots.txt file is indeed an efficient way of instructing search engine robots which pages are not to be indexed.

  • Session cookie not setting for secure domain in Chrome

    I've been fighting with a login issue for the past few hours thinking it was my fault. I'm tired, so my IQ is cut in half right now. Makes for a very plausible scenario. However, I finally tried it in Firefox without issue.
    It's just a simple login form, where the action is supposed to log me into both the secure and insecure domains. Here's the action:
    action="{module_secureurl}/ZoneProcess.aspx?ZoneID=51&Referrer={module_siteurl,true,true}&OID={module_oid}&OTYPE={module_otype}"
    That looks right to me. I also checked on my own site's login and had the same issue. I had just never noticed before because I don't use my secure domain.
    Looks like either a bug in BC, or a bug in Chrome. Either way, I think it's worth having BC look into.

  • Redirect subdomain to a secure domain

    Is there any way to redirect a subdomain to a secure domain without getting certificate errors?
    I have my subdomain CNAME (campus.unikemia.com) redirecting to another domain which is secure (unikemia.blackboard.com)

  • Extradition of an AID to a security domain that is in "selectable" state

    Following this post: http://forum.java.sun.com/thread.jspa?messageID=10227711
    In following this example (I've found it very helpful), I want to know if it is a requirement that the SSD be personalized instead of in "Selectable" state? If so, that would explain the errors I get when I try to extradite an AID to it from the ISD.
    Your example:
    GP 2.1.1, SSD section (concept) and APDU commands Install [for load], [install] and [extradition].
    Example:
    - select ISD
    - open a secure channel
    - Install [for install & make selectable] on a pre-loaded SD package/module --> optionally you need to specify in the install parameters that this SD accepts extradition
    - select SSD
    - open a secure channel (using the default keys)
    - personalize (put secure channel keys)
    - install [for load] an application, specify the SSD to be associated

    Clemson wrote:
    ... errors i get when i try to extradite an AID to it from the ISD.
    GlobalPlatform Card Specification 2.1.1, 03/25/2003, p. 70
    6.4.3 Content Extradition
    The GlobalPlatform Card Content extradition process is designed to allow the association, to a different Security Domain, of a previously installed Application. The Issuer Security Domain shall verify the extradition request before the OPEN will allow the extradition.
    Runtime Behavior
    The following runtime behavior requirements apply to the OPEN during the Card Content extradition process.
    The OPEN shall:
    ...
    Check that this Security Domain is in a valid Life Cycle State (i.e. PERSONALIZED),
    ...
    Therefore, the SD which should accept the applet has to be in state PERSONALIZED.

  • Security Domain

    Hello, I'm a newbie to Java Card and have loads of questions, but I'll start with the Security Domain. Could the experts please help me on this topic?? Main question :
    1) What is a Security Domain?? GP spec. says it is an application.
    2) If it is an application, is it implemented in Java???
    3) Are the methods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
    3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
    Any pseudo code for implementing a SD would be highly appreciated. Thanks.

    >1) What is a Security Domain?? GP spec. says it is an application.
    correct. it's an app with special privileges, such as interaction with the OS.
    >2) If it is an application, is it implemented in Java???
    no, or maybe some parts only.
    >3) Are the methods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
    no, called within the applet using native tricks to use the sec dom keys, this is unspecified and vendor dependent.
    >3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
    google
    >Any pseudo code for implementing a SD would be highly appreciated. Thanks.
    my turn:
    1) why would you want to implement a SD?
    2) good luck. no. wake up instead, and lurk moar about GlobalPlatform, young padawan. if you want to play with security domains, you'd better work within a company that builds javacard/GP OSes.
    regards

  • Loadfile to install a Supplementary Security Domain in GP 2.2?

    Hi all,
    I have Secure Elements with GP 2.2 and would like to install Supplementary Security Domains there.
    On my previous chips with GP 2.1 that was not a problem; there was a preloaded Loadfile with AID:A0000000035350 (Security Domain).
    For my Supplementary Security Domains I just made an instance of this Loadfile AID:A0000000035350, and I had a Security Domain instance.
    Now, in the new version I have no such Loadfile for a Security Domain. So how can I install Supplementary Security Domain instances in GP 2.2?
    Attached a GET STATUS Response with all Loadfiles and Modules in the new chip.
    Anybody any idea? It would be really helpful.
    br Markus
    GET STATUS:
    e3 42
    4f 09 a00000001884010102 9f70 02 0100 ce 02 01 00
    84 0a a0000000188401010201
    84 0a a0000000188401010202
    84 0a a0000000188401010203
    cc 08 a000000151000000
    e3 1e
    4f 09 a00000001884010101
    9f 70 02 0100
    ce 02 01 00
    cc 08 a000000151000000
    e3 36
    4f 09 a00000001820010108
    9f 70 02 01 00
    ce 02 01 00
    84 0a a0000000182001010801
    84 0a a0000000182001010802
    cc 08 a000000151000000
    e3 42
    4f 09 a00000001820010106
    9f 70 02 01 00
    ce 020100
    84 0a a0000000182001010302
    84 0a a0000000182001010300
    84 0a a0000000182001010301
    cc 08 a0000001510000006310

    You will either need to tell us what card you are using or contact the manufacturer/vendor to get the developer documentation for it.
    - Shane
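The GET STATUS dump in the question is BER-TLV, so the Load Files, their Modules and the associated Security Domain (tag CC, the same tag mentioned in the "Applet's associated security domain" thread above) can be read mechanically. The following is an added example, not code from the thread: a small parser run over the second and fourth `E3` entries of the dump, treating the final two bytes `63 10` as the status word because they fall outside the last template's declared length. Tag meanings follow the GP 2.2.x GET STATUS response coding.

```python
# Added example: parse a GlobalPlatform 2.2 GET STATUS response (TLV format)
# listing Executable Load Files and their Executable Modules.

# Second and fourth E3 entries copied from the dump in the post, followed by
# the trailing two bytes (63 10) that end the dump.
SAMPLE = (
    "e31e" "4f09a00000001884010101" "9f70020100" "ce020100"
    "cc08a000000151000000"
    "e342" "4f09a00000001820010106" "9f70020100" "ce020100"
    "840aa0000000182001010302" "840aa0000000182001010300"
    "840aa0000000182001010301" "cc08a000000151000000"
    "6310"
)

# Tags inside an E3 template that this example extracts.
TAG_NAMES = {0x4F: "aid", 0x9F70: "life_cycle", 0xCE: "version",
             0xCC: "associated_sd"}


def read_tlv(buf, pos):
    """Read one BER-TLV object at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:            # multi-byte tag such as 9F70
        while True:
            b = buf[pos]
            pos += 1
            tag = (tag << 8) | b
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                 # long form: 81 xx or 82 xx xx
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def parse_get_status(resp_hex):
    """Return (entries, status_word) for a TLV-format GET STATUS response."""
    resp = bytes.fromhex(resp_hex)
    body, sw = resp[:-2], resp[-2:].hex().upper()
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0xE3:
            raise ValueError("expected E3 template, got %X" % tag)
        entry, inner = {"modules": []}, 0
        while inner < len(value):
            t, v, inner = read_tlv(value, inner)
            if t == 0x84:             # Executable Module AID, may repeat
                entry["modules"].append(v.hex().upper())
            elif t in TAG_NAMES:
                entry[TAG_NAMES[t]] = v.hex().upper()
        entries.append(entry)
    return entries, sw


if __name__ == "__main__":
    entries, sw = parse_get_status(SAMPLE)
    for e in entries:
        print(e["aid"], "SD:", e.get("associated_sd"), "modules:", e["modules"])
    # 6310 is the GET STATUS warning that more data is available.
    print("SW", sw, "(more data available)" if sw == "6310" else "")
```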