0

I am new to Java Card development. I want to know how we can store secure key values in a Java Card applet, because I want to use PKI (public key infrastructure) for authentication. Is it possible? If yes, how can we store a key in a Java Card applet?

Sajith Vijesekara

2 Answers

2

Yes, it is possible because Java Card supports asymmetric cryptography, i.e. RSA.

You can instantiate your keys during creation of the applet using either predefined arrays, applet-specific installation parameters, or proprietary APDUs. The private keys should then be stored in `RSAPrivateKey`.

If your card supports GlobalPlatform, please take a look at the card specification. It provides a variety of ways of loading keys and content.

David
  • Thanks for your response. Can you tell me whether it is possible to use the PACE protocol for authentication in Java Card? – Sajith Vijesekara Jun 11 '13 at 09:14
  • I haven't used the PACE protocol before. I found an explanation at http://de.wikipedia.org/wiki/PACE-Protokoll but it is very generic. You need to get the standard specification and check for the APDUs and algorithm(s) that need to be supported by the card. – David Jun 11 '13 at 09:42
  • @YouKnows unfortunately PACE requires a few specific tricks that are hard to implement in Java Card to say the least. You may need some proprietary Java Card extensions to get around those. And you need to know every little trick in the book to create PACE on a smart card anyway. – Maarten Bodewes Jun 12 '13 at 21:40
  • Note that although this answer is basically correct, there are a few things that need some clarification. First of all, Java Card does not specify which cryptographic operations need to be present, nor the maximum key sizes supported. Furthermore, you should *never ever* store keys in byte arrays on Java Card. Instead you need to store the keys in the appropriate objects like `RSAPrivateKey`, and you should make sure you don't leave any key material in the persistent memory. – Maarten Bodewes Jun 12 '13 at 22:11
2

It is certainly possible, and you should do the following things:

  1. generate a key pair on card; try to go for the maximum key size (2048 bits). Note that this may take a long time, and if the card or reader does not handle connection time-outs gracefully, you may be in trouble;
  2. create a PKCS#10 certificate request, on card or on the terminal - this is a data structure which utilizes ASN.1 DER encoding;
  3. sign the PKCS#10 request with the private key of the key pair;
  4. send the PKCS#10 request to a Certification Authority (CA);
  5. import the returned certificate;

Your Java Card should support RSA or EC key pair generation and signature/verification operations. Most cards nowadays do, but there may be a few that don't have an asymmetric co-processor.

This answer assumes that you create a new key pair, as using an older private key is less safe. If you want to load an existing private key you can simply call all the setters of the `RSAPrivateKey`, or the faster `RSAPrivateCrtKey`. Both objects need to be created using a Java Card `KeyBuilder` instance.

Note that this may require a lot of knowledge. You might be better off using an open source solution like MuscleCard.

Maarten Bodewes
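Steps 1 and 3 of the answer above, as an added example that is not part of the original answers: an applet that generates the RSA key pair on card, exports only the public half, and signs the PKCS#10 request body that the terminal streams to it in chunks. The package, class name and INS byte values are hypothetical, and it assumes a card that supports 2048-bit RSA CRT keys and that caller authentication (PIN or a GlobalPlatform secure channel) is enforced before these commands.

```java
package example.pki; // hypothetical package name
import javacard.framework.*;
import javacard.security.*;

public class CsrKeyApplet extends Applet {
    // Constructed instruction bytes for this example, not from any standard.
    private static final byte INS_GENERATE = 0x10, INS_GET_MODULUS = 0x12,
            INS_GET_EXPONENT = 0x14, INS_SIGN_INIT = 0x20,
            INS_SIGN_UPDATE = 0x22, INS_SIGN_FINAL = 0x24;

    private final KeyPair keyPair;  // private half lives only in its key object
    private final Signature signer;
    private final byte[] scratch;   // transient RAM, cleared on deselect

    private CsrKeyApplet() {
        // Allocate all objects once, at install time.
        keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_2048);
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_PKCS1, false);
        scratch = JCSystem.makeTransientByteArray((short) 256, JCSystem.CLEAR_ON_DESELECT);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new CsrKeyApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        short len;
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_GENERATE: keyPair.genKeyPair(); return;   // step 1, slow at 2048 bits
        case INS_SIGN_INIT: signer.init(keyPair.getPrivate(), Signature.MODE_SIGN); return;
        case INS_GET_MODULUS: len = pub.getModulus(scratch, (short) 0); break;
        case INS_GET_EXPONENT: len = pub.getExponent(scratch, (short) 0); break;
        case INS_SIGN_UPDATE:   // intermediate chunk of the request body
            len = apdu.setIncomingAndReceive();
            signer.update(buf, ISO7816.OFFSET_CDATA, len);
            return;
        case INS_SIGN_FINAL:    // step 3: last chunk in, signature out
            len = apdu.setIncomingAndReceive();
            len = signer.sign(buf, ISO7816.OFFSET_CDATA, len, scratch, (short) 0);
            break;
        default:
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            return;
        }
        apdu.setOutgoing();
        apdu.setOutgoingLength(len);
        apdu.sendBytesLong(scratch, (short) 0, len);
    }
}
```

There is deliberately no command that reads the private key: the terminal only ever receives the modulus, the public exponent and signatures.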