
I have an ACR38 smart-card reader and a number of JavaCard [2.1.1] cards compliant with GP Spec [02].

As far as I know, there are two kinds of APDU: Short-APDU [APDU with Lc and/or Le shorter than 255] and Extended-APDU [APDU with Lc and/or Le greater than 255].

Is that right?

We send Short-APDUs in the T=0 protocol and Extended-APDUs in the T=1 protocol.

Is that right?


I sent Short-APDUs to my card successfully [via GPJ, GPShell, OpenSC-Tool].

And now, I want to know:

1: If I want to use Extended APDUs, must my card support them? Or must my reader support them? Or both!? Or do all cards and all readers support both Short-APDUs and Extended-APDUs?

2: If they must support EXTENDED-APDU, how can I check whether they are compliant or not?

3: Do I need another tool, or can I use the same GPJ, GPShell and opensc-tool to send Extended-APDUs? How?


Update: I found the data below here, but I'll be thankful if someone gives me more detailed information:

To be able to use an extended APDU you need to have:

  • A T=1 card
  • A smart card reader working in TPDU or Extended APDU

A smart card reader can work using 4 different exchange levels:

  • Character
  • TPDU
  • Short APDU
  • Short and extended APDU

Character level: Only very few readers work using this method. I don't know if/how they support extended APDU.

TPDU level: With this exchange level a lot of the work is done in the driver. In particular, support of extended APDU is managed by the driver, and the CCID driver implements it.

Short APDU: These readers are easy to use from a driver point of view but are then limited to short APDUs only. Support of extended APDU is then not possible.

Some readers claim they support short APDU only but can use extended APDU when used with the manufacturer Windows driver. Maybe the Windows driver switches the reader in TPDU mode or something similar. That is not a documented CCID feature and so is not used in my CCID driver. If you can get information on this from the reader manufacturer I may include support of extended APDU for the reader in my driver.

Short and extended APDU: Support of extended APDU is offered by the reader.

I think, based on the above update section, I conclude that the card and the reader must both support EXTENDED-APDU, and to check whether they are compliant with extended APDU I must search the product documents and also the sites that give us a list of readers that support extended APDU. Is that right?

TheGoodUser
  • You have reached the answer to your question by yourself. Is there something more that you want to ask? – Anurag Sharma Jun 16 '14 at 11:51
  • FYI... you can send Extended APDUs in T=0 as well, but for that your card must support "javacardx.apdu". Please refer to the javadoc [link](http://www.win.tue.nl/pinpasjc/docs/apis/jc222/) – Anurag Sharma Jun 16 '14 at 12:31
  • Dear @AnuragSharma, I don't know the answer to section **3** of my question yet. Do I need any other tools, or are GPJ and opensc-tool enough? And how can I tell whether my card supports "javacardx.apdu" or not? Thanks – TheGoodUser Jun 16 '14 at 12:56
  • To know whether your card supports javacardx.apdu, you can code an applet which implements this interface, then load that CAP file on your card; if that succeeds then your card supports this. I don't have deeper knowledge about these tools (so leaving that for someone else to answer). – Anurag Sharma Jun 16 '14 at 15:35

1 Answer

You can send Extended APDUs in T=0 as well, but for that your card must support "javacardx.apdu". Please refer to the javadoc [link](http://www.win.tue.nl/pinpasjc/docs/apis/jc222/).

Here is a method to know what is supported by your card.

`00 A4 04 00 <length of Card Manager AID> <AID>` [select Card Manager]

`00 20 00 00 08 <Card Manager PIN>` [verify Card Manager PIN]

`00 80 F2 20 00 02 4F 00` [get status command with P1 20] and [Executable Load Files and Executable Modules 4F00]

You will get all the package AIDs in the response to this command; then search for the AID "A0000000620209".

If it is available then javacardx.apdu is supported. For more info about the "Get status" command please refer to GP 2.2.1.

Anurag Sharma
  • Thank you, dear Anurag. What about the tools? As far as I know, **GPJ**, **GPShell** and **opensc-tool** work in T=0 by default. Is that right? If yes, how can I change it? Is it possible, or must I use another tool? And what is the `Card manager PIN`?! Is it something different from those 3 KEYs (`40414243...4F`)? What is this verification for?! I have used this command before, but for memory cards such as SLE4432/42, not for JavaCard! – TheGoodUser Jun 17 '14 at 18:59
  • @user3739919 The Card Manager is the central administrator of the card, and the Card Manager key verifies that you are the authentic user. This is valid for all cards which follow the GlobalPlatform specification. And yes, for sending extended APDUs I would suggest you make your own program in Java using "SmartcardIO" and send extended APDUs via this program... so there will be no dependencies on tools any more :) – Anurag Sharma Jun 18 '14 at 06:07
  • Doesn't having the **S_ENC**, **S_MAC** and **DEK** keys prove that I am the authentic user?! What is the Card Manager default key? And when do I use this `Verify Card Manager PIN` command? After the `Initial Update` and `External Authentication` commands, or before? What capabilities of the card will be activated for use after this verification? Thank you. – TheGoodUser Jun 18 '14 at 07:03
  • @user3739919 If you are using ext auth then forget about the Card Manager; you are already in a secure channel. Now send the "Get status" command after ext auth. – Anurag Sharma Jun 18 '14 at 08:07
  • Do you mean I can prove to the Card Manager that I am the authentic user by either the `External-Authenticate` command or the `Verify-PIN` command? Do all JavaCards support both, or does each card use one of these methods? I think a PIN is usually for **SIM cards**, **Mifare** and **memory cards**, and authentication is for **Java Cards**. What is the default value of the 8-byte Card-Manager-PIN? – TheGoodUser Jun 18 '14 at 08:58
  • @user3739919 The Card Manager is the owner of the card, and the Card Manager can be viewed as three entities: • The GlobalPlatform Environment (OPEN); • The Issuer Security Domain; and • Cardholder Verification Method Services. So to run any GP command you have to verify yourself to the Card Manager... using init update and external auth you are opening a secure channel to perform admin tasks with the card, which are again GP commands. The Card Manager PIN depends on the vendor. To learn more about GlobalPlatform see [link](http://www.win.tue.nl/pinpasjc/docs/GPCardSpec_v2.2.pdf) and read page no. 18 to learn more about the card architecture. – Anurag Sharma Jun 18 '14 at 10:17
  • @user3739919 FYI... Mifare cards don't follow GP specifications. – Anurag Sharma Jun 18 '14 at 10:25
  • Dear Sharma, I have a JavaCard and I use all the GP functions (install applets, delete them, send APDUs and receive the SWs of its applets) without verifying! I can do anything after External Authentication! What's wrong? I don't feel that I need to verify! – TheGoodUser Jun 18 '14 at 10:41
  • @user3739919 That's what I am saying: there are 2 methods to reach the Card Manager. One is to select the Card Manager and verify the Card Manager PIN, then send GP commands... the other is the init update and ext auth commands, by which you open a secure channel to run admin-related commands. – Anurag Sharma Jun 18 '14 at 10:48
  • OK! God bless you! [If you believe him :) ] – TheGoodUser Jun 18 '14 at 10:50
  • @user3739919 Thanks a lot... yes, I do believe :) – Anurag Sharma Jun 18 '14 at 11:04
  • Actually, as per GlobalPlatform, various types of authentication security are provided according to the usage: 1- Verify CARD MANAGER PIN security (i.e. CVM PIN, Cardholder Verification PIN): basically this PIN is used to check whether the card is being used by the verified cardholder to whom the card was issued. This means that after successfully verifying this global PIN, you can send commands to the Card Manager (ISD). 2- SCP security: SCP02 basically provides better security than just Verify PIN; SCP02 (Initialize Update + External Authenticate) provides mutual authentication, integrity and confidentiality all together. – Bhanu Nov 30 '14 at 11:13
  • For security reasons, nowadays Verify PIN security is disabled in the post-production card state (i.e. when the card is in the market). Post-production state means the card life cycle state after Secured, and at this point SCP (maybe SCP02, SCP03 or SCP80) security is used, as SCP provides more security and also takes care of mutual authentication, integrity and confidentiality, which Verify PIN does not provide. For more details please refer to the GlobalPlatform GPC_Specification 2.2.1. Happy to help -> Ankit – Bhanu Nov 30 '14 at 11:17
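As an added example (not code from the question, the answer or any commenter), the two technical points of this thread in Python: `encode_apdu` builds a C-APDU and picks the ISO 7816-4 extended form only when Lc or Le no longer fits one byte (the short/extended distinction asked about in the question), and `parse_get_status_p1_20` scans a GET STATUS (P1=20) response for the javacardx.apdu package AID A0000000620209, as the answer suggests. The response bytes are constructed, the P1=20 entry layout is assumed from GP 2.1.1, and on a real card the APDUs would be sent through a PC/SC library after opening the secure channel.

```python
from typing import Optional

# Package AID the answer says to look for in the GET STATUS response (javacardx.apdu).
JAVACARDX_APDU_AID = bytes.fromhex("A0000000620209")


def encode_apdu(cla: int, ins: int, p1: int, p2: int,
                data: bytes = b"", le: Optional[int] = None) -> bytes:
    """ISO 7816-4 C-APDU: short form if Lc <= 255 and Le <= 256, else extended form."""
    extended = len(data) > 255 or (le is not None and le > 256)
    apdu = bytes([cla, ins, p1, p2])
    if extended:
        if data:                      # extended Lc = 00 Lc1 Lc2
            apdu += b"\x00" + len(data).to_bytes(2, "big") + data
        if le is not None:            # extended Le = Le1 Le2 (65536 encodes as 00 00)
            le_field = (le % 65536).to_bytes(2, "big")
            apdu += le_field if data else b"\x00" + le_field   # case 2E needs its own 00
    else:
        if data:                      # short Lc = one byte
            apdu += bytes([len(data)]) + data
        if le is not None:            # short Le = one byte (256 encodes as 00)
            apdu += bytes([le % 256])
    return apdu


def parse_get_status_p1_20(body: bytes) -> list:
    """Parse a GP 2.1.1 GET STATUS (P1=20) data field: [AID len][AID][LCS][privileges]*."""
    entries, i = [], 0
    while i < len(body):
        n = body[i]
        if i + 1 + n + 2 > len(body):
            raise ValueError("truncated GET STATUS entry at offset %d" % i)
        aid = body[i + 1:i + 1 + n]
        entries.append({"aid": aid, "lcs": body[i + 1 + n], "priv": body[i + 2 + n]})
        i += 1 + n + 2
    return entries


def supports_javacardx_apdu(body: bytes) -> bool:
    """True if the javacardx.apdu package AID is among the listed Executable Load Files."""
    return any(e["aid"] == JAVACARDX_APDU_AID for e in parse_get_status_p1_20(body))


# Constructed sample response body (no real card involved): two load files, one of
# them the javacardx.apdu package in life cycle state LOADED (01), no privileges.
SAMPLE_RESPONSE = bytes.fromhex(
    "07 A0000000620209 01 00"      # javacardx.apdu package
    "05 0102030405 01 00"          # made-up second package AID
)
```

A reader working at TPDU or extended-APDU level will pass the extended form through unchanged; a short-APDU-only reader or driver will reject or truncate it, which is the quickest practical check of the reader side.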