Security Domain
Hello , Im a newbie to Java Card and have loads of questions, but ill start with the Security Domain. Could the experts please help me on this topic?? Main question :
1) What is a Security Domaain?? GP spec. says it is an application.
2) If it is an application, is it implemented in Java???
3) Are the metods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
Any pseudo code for implementing a SD would be highly appreciated. Thanks.
1) What is a Security Domaain?? GP spec. says it is an application.correect. it's an app with special privileges, such as interaction with the OS.
>2) If it is an application, is it implemented in Java???
no, or maybe some parts only.
>3) Are the metods unwrap(), decrypt() etc specified in GP spec. called within the Security Domain??
no, called within the applet using native tricks to use the sec dom keys, this is unspecified and vendor dependent.
>3) Any reference to Security Domain [ doc/implementation] apart from GP spec ?
google
>Any pseudo code for implementing a SD would be highly appreciated. Thanks.
my turn:
1) why would you want to implement a SD?
2) good luck. no. wake up instead, and lurk moar about GlobalPlatform, young padawan. if you want to play with security domains, you'd better work within a company that builds javacard/GP OSes.
regards
Similar Messages
-
In RSA Authentication Manager 7.1, how create multiple security domains
Hi,
RSA Authentication Manager 7.1 in configured with LDAP(Sun java system directory server); how create multiple security domains 7.1, is this security domains is releted to LDAP?
thanksI think what you need to do is create an identity sequence with RSA as the selection in
Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service -
How can I create a new Security Domain ?
Hi everyone,
I would like to know how can I create an Security Domain other than ISD ?(If my card support multi SD and delegated management)
I read Global Platform v2.1.1 ,but I don't know how can I create new SD practically(how can I write it's code ,how can I install it and how can I associate an applet to it,...).
if there is any document or link can help me ,please inform me.
I'll appreciate for any one if explain it to me step by step.
yours sincerely.
Orchid.You're right, it is not visible looking at your script, but at the APDU log. /card is an internal JCShell script to do the following:
cm> /card
resetCard with timeout: 0 (ms)First the card is reset. This is analogous with /atr
--Waiting for card...
ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56 ;.....1.EJCOP41V
32 33 31 97 231.
ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"Then an /identify command is issued.
=> 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0..
(163429 nsec)
<= 09 01 01 29 00 00 00 00 50 48 36 35 30 41 00 00 ...)....PH650A..
6A 82 j.
Status: File not foundNow the Issuer Security Domain (ISD) is selected. You can do the same sending the JCShell 'select' command.
=> 00 A4 04 00 07 A0 00 00 00 03 00 00 00 .............
(650082 nsec)
<= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65 oe...........Y.e
01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A ...n.@Qp.).sJ..*
86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B .H..k.`...*.H..k
02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64 ....c...*.H..k.d
0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09 ...*.H..k...e...
2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01 +...Hd...f...+..
04 01 2A 02 6E 01 02 90 00 ..*.n....
Status: No ErrorThe answer is the File Control Information (FCI) returned by the ISD. The format is also described in GP. -
INSTALL[for load] command without Security Domain AID
Hello all,
I have a question for the INSTALL[for load] command.
The Security Domain AID is optional field, so I'm wondering if I didn't specify the AID, then which Security Domain performs the INSTALL[for load] command?
Thanks,
Julie.Which ever one you are sending your APDU commands to. Which SD did you select ? Usually, the default applet is the ISD, so the commands are going to that applet.
-
Who shall create a specific Security Domain compliant to GP 2.1?
Particularly, in case of the delegated management, the GP card specification 2.1.1 decribes as follows:
"Security Domains authorized by the Card Issuer to perform Card Content changes shall request the OPEN to load, install, extradite, and delete applications."
I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is ,however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
My questions are:
1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
I am grateful to you for a kind assistance.I think that the Security Domain is implemented by theApplication Provider using GP API. The OPEN is
,however, the component of the Card Manager which
should be implemented by a GP compliant JCVM provider
or a GP component provider. Typically and due to the fact that the GP specification is missing the API that would allow a Security Domain to be loaded on the card, Security Domains are developed by the card vendor and present on the card at production. The vendor can decide which features are implemented in the Security Domain e.g. Secure Channel services, DAP Verification, Delegated Management. If, as an Application Provider, you wish to develop your own Security Domain, your vendor may be willing to provide you with details of their proprietary API but this would be specific to this vendors product.
>
My questions are:
1. How does a Security Domain request the OPEN to
load, install.. ? How do they interface with each
other? Does the GP compliant JCVM provider have to
provide the specific interfaces used to change Card
Contents for the Application Providers who implement
their own Security Domain?Yes.
>
2. If the GP compliant JCVM provider is also
responsible for implementing a specific Security
Domain, what is the role of the Application Provider?
only as a provider of his own security policy for the
GP compliant JCVM provider? Can't a Application
Provider implement his own Security Domain himself
(using only GP2.1 public API)?No.
>
I am grateful to you for a kind assistance. -
Use of robots.txt to disallow system/secure domain names?
I've got a client who's system and secure domains are ranking very high on google. My SEO advisor has mentioned that a key way to eliminate these URLs from google is through the use of disallowing content through robots.txt. Given BC's unique nature of dealing with system and secure domains I'm not too sure if this is even possible as any disallowances I've seen or used before have been directories and not absolute URL's, nor have I seen any mention of this possibility around. Any help or advice would be great!
Hi Mike
Under Site Manager > Pages, when accessing a specific page, you can open the SEO Metadata section and tick “Hide this page for search engines”
Aside from this, using the robots.txt file is indeed an efficient way of instructing search engine robots which pages are not to be indexed. -
Session cookie not setting for secure domain in Chrome
I've been fighting with a login issue for the past few hours thinking it was my fault. I'm tired, so my IQ is cut in half right now. Makes for a very plausible scenario. However, I finally tried it in Firefox without issue.
It's just a simple login form, where the action is supposed to log me into both the secure and insecure domains. Here's the action:
action="{module_secureurl}/ZoneProcess.aspx?ZoneID=51&Referrer={module_siteurl,true,true}&OID={module_oid}&OTYPE={module_otype}"
That looks right to me. I also checked on my own site's login and had the same issue. I had just never noticed before because I don't use my secure domain.
Looks like either a bug in BC, or a bug in Chrome. Either way, I think it's worth having BC look into.I've been fighting with a login issue for the past few hours thinking it was my fault. I'm tired, so my IQ is cut in half right now. Makes for a very plausible scenario. However, I finally tried it in Firefox without issue.
It's just a simple login form, where the action is supposed to log me into both the secure and insecure domains. Here's the action:
action="{module_secureurl}/ZoneProcess.aspx?ZoneID=51&Referrer={module_siteurl,true,true}&OID={module_oid}&OTYPE={module_otype}"
That looks right to me. I also checked on my own site's login and had the same issue. I had just never noticed before because I don't use my secure domain.
Looks like either a bug in BC, or a bug in Chrome. Either way, I think it's worth having BC look into. -
Redirect subdomain to a secure domain
Is there any way to redirect a subdomain to a secure domain without getting certificate errors?
I have my subdomain CNAME (campus.unikemia.com) redirecting to another domain which is secure (unikemia.blackboard.com)Is there any way to redirect a subdomain to a secure domain without getting certificate errors?
I have my subdomain CNAME (campus.unikemia.com) redirecting to another domain which is secure (unikemia.blackboard.com) -
Extradition of an AID to a security domain that is in "selectable" state
following this post: http://forum.java.sun.com/thread.jspa?messageID=10227711
in following this example (i've found it very helpful), i want to know if it is a requirement that the SSD be personalized instead of in "Selectable" state? if so, that would explain the errors i get when i try to extradite an AID to it from the ISD.
your example:
GP 2.1.1, SSD section (concept) and APDU commands Install [for load], [install] and [extradition].
Example:
- select ISD
- open a secure channel
- Install [for install & make selectable] on a pre-loaded SD package/module --> optionally you need to specify in the install parameters that this SD accepts extradition
- select SSD
- open a secure channel (using the default keys)
- personalize (put secure channel keys)
- install [for load] an application, specify the SSD to be associatedClemson wrote:
... errors i get when i try to extradite an AID to it from the ISD.
GlobalPlatform Card Specification 2.1.1, 03/25/2003, p. 70
+6.4.3 Content Extradition+
The GlobalPlatform Card Content extradition process is designed to allow the association, to a different Security Domain, of a previously installed Application. The Issuer Security Domain shall verify the extradition request before the OPEN will allow the extradition.
Runtime Behavior
The following runtime behavior requirements apply to the OPEN during the Card Content extradition process.
The OPEN shall:
+...+
Check that this Security Domain is in a valid Life Cycle State (i.e. PERSONALIZED)+,
+...+
Therefore, the SD which should accept the applet has to be in state PERSONALIZED. -
Loadfile to install a Supplementary Security Domain in GP 2.2?
Hi all,
I have Secure Elements with GP 2.2 and would like install Supplementary Security Domains there.
In my previously chips GP 2.1 that was not a problem, there was a preloaded Loadfile with AID:A0000000035350 (Security Domain)
For my Supplementary Security Domains I just made an instance of this Loadfile AID:A0000000035350, and I had an Security domain Instance.
Now, in the new version I have no such a Loadfile for a Security Domain. So How I can install Supplementary Security Domains instances in GP 2.2?
Attached a GET STATUS Response with all Loadfiles and Modules in the new chip.
Anybody any idea? It would be really helpful.
br Markus
GET STATUS:
e3 42
4f 09 a00000001884010102 9f70 02 0100 ce 02 01 00
84 0a a0000000188401010201
84 0a a0000000188401010202
84 0a a0000000188401010203
cc 08 a000000151000000
e3 1e
4f 09 a00000001884010101
9f 70 02 0100
ce 02 01 00
cc 08 a000000151000000
e3 36
4f 09 a00000001820010108
9f 70 02 01 00
ce 02 01 00
84 0a a0000000182001010801
84 0a a0000000182001010802
cc 08 a000000151000000
e3 42
4f 09 a00000001820010106
9f 70 02 01 00
ce 020100
84 0a a0000000182001010302
84 0a a0000000182001010300
84 0a a0000000182001010301
cc 08 a0000001510000006310You will either need to tell us what card you are using or contact the manufacturer/vendor to get the developer documentation for it.
- Shane -
How to create a Supplementary security domain
Hi all, i am new to javaCard. i want to create a Supplementary security domain, but i have no idea.
is it that i need to create an applet implements SecureChannel, then install the applet with the privileges 0x80(security domain)?
is it right? Anybody any suggest? It would be really helpful.I've seen this if the database is down or in a funky state. Try shutting down BPEL, and restart the database, then bring BPEL back up. If you're using Oracle Lite just use the "Stop SOA Suite" GUI from the Start Menu.
-
Hi ,
According to the visa Open platform architecture, each Java card applet is associated with a Security domain.
I am using GemXpressoRAD211 toolkit for developing Java Card applets.
In the Gemxpresso211IS card, the default security domain is the Card Manager, whose AID is A0 00 00 00 03 00 00 . It is basically the card issuer security domain.
When I install an applet to the card , the Card Manager is assumed to be the associated security domain .
My questions are....
1.
How can I associate my applet to application provider security domain rather than the card issuer security domain? Form where Do I get this security domain ? Do I need to write my own security domain, or some body else provide it ?there's a card issuer, with its ISD
then there's another company who wants to have ability to install/remove some applets on this card
we create another SD for this company and "delegate" some limited capabilities to manage the contents of the card
read about the delegated managament in GP
regards
Kuba -
Understanding security domains and http vs https
I recently ran into an issue where my application swf would no longer load its modules. All were hosted in a single bucket on amazon's s3 service.
It turned out that the issue was that the application was being loaded at https, while the modules are being loaded at http, causing the security domain error.
I think I have two options.
1) Is it possible to set the security permissions in a way that a swf loaded at https can load a module at http? If so, how?
2) Is it possible for the application swf to know whether it was just loaded over ssl or not, without invoking javascript or passing a flashvar from the page?
Thanks!
AaronAs per option #1, neither Security.allowDomain nor Security.allowInsecureDomain worked, though it seems like it should have.
I ended up using option two, using Application.application.url in the main document. That gave me the swf's url, which I could then use to create a static variable that avoids the conflicting secure and non-secure loading problems.
I hope this helps someone else. -
Help: Fail to retrieve Security Domains. Please try again later.
Fail to retrieve Security Domains. Please try again later. - [DOM_10072] The master gateway node to the domain is currently not available.
Can anyone help with this error on the web admin informatica.Please post full details Informatica version, OS, is this first install, did you apply hot fixes like 8.6 and P4?
you could also look at this thread, but we need to understand you are trying to do, fully:
Re: BI AP - Informatica 8.6.0 config (linux)
Thanks -
Sharing between different Security Domains..
Hello!
there are two different security domains and i have two applets which are under different sD.
is it possible to communicate with each other by using classic shareable interface methods.
Thanks a lot in advance!Hi,
I have not tried this but I cannot see any reason it would not work. The applets are still in the same JCRE context. Your best best is to set up a simple SOI that works under one SD and then try it with two.
Cheers,
Shane
Maybe you are looking for
-
TS1424 Why is house season 8 only by episode only and not available in HD?
The option to buy the episodes on HD isn't available and I cant buy the season in its entirety. Please Help! Thanks
-
Standard report for budget allocated, actual consumed, amount capitalize
Hi, I need report for following condition: Is there any standard report for the same? Once the project is capitalized, the system should provide in one report the budget allocated, amount incurred, amount capitalized, Date of capitalization and remai
-
I signed in for I tunes Switzerland. How can I get english spoken movies?
I signed in for I tunes Switzerland, but I would like to download movies spoken in english. Is this possible? I tried to change my page to USA but I need then a new account. Do I have problems with two accounts when I use my I Pad?
-
Project plant is different and Plant in PO is different
Hi, I have a situation in production environment as: Project is created with plant TG01. No network/activity is in the project. Direct PO is made with 'Q'. But the user has put plant in PO as TD01. GR has been made. Quality inspection is through. Pro
-
After insall'g SAP can a backup be restored from another server?
I have installed SAP onto Server B, and would like to use a backup (third part vendor 'commvault') created by commvault on server A, to restore to Server B. The SIDs are the same, and the same CDs were used to install SAP, the ONLY differneces are th