5

I have a JavaCard applet working on Gemalto SIM card in a smartphone. I would like to create an electronic wallet with validity to a specifed date and time.

I know this is impossible using a classic smartcard, which has no clock inside because of absence of the battery. However, with a SIM card it might be possible: a SIM card must have some access to network time (not the local system time, which can be changed by the user) when connected to the network and the last known network time value could be probably stored somewhere on the SIM card.

Is there any way to access the last known network time from my applet in a secure way? (I do not trust any application installed in the phone, because it could be easily hacked)

Do you think there is any other solution of my problem?

EDIT

I did not mention the reason why I think about this: I need to solve this problem without the Internet connection, because my customers are supposed to use my electronic wallet without the Internet connection in their phones. They need to use it in subway where there is no signal and some of them do not pay for the Internet connection at all. So my application must be able to find out the time offline.

EDIT 2

On Android phones, there is an option:

Android network time settings

That means there is some user-independent source of time. The question is, if it can be accessed somehow in a secure way from a JavaCard applet on the SIM card. (or if the last known value can be accessed in the case of no connection)

Ebrahim Ghasemi
  • 5,850
  • 10
  • 52
  • 113
vojta
  • 5,591
  • 2
  • 24
  • 64
  • Seems interesting. Shouldn't you write the mobile application yourself also? Can't you write your mobile application in a way that to receive an encrypted code every time from a server and send it to SIM card. The SIM can verify if it is a valid code or not? in cases of wrong code it deny executing you applet. – Ebrahim Ghasemi Mar 30 '15 at 12:25
  • @Abraham The problem is your solution needs internet connection. With internet connection it is easy - server can easily send signed timestamps. Please, see Edit... – vojta Mar 30 '15 at 13:38
  • OK. You can send and receive SMS with your phone application, right? So you can simply send an empty SMS to the same phone (you can require the user to enter his number in installation procedure). By default, operators sends the network time with incoming SMS-s to your phone. So you can synchronize the SIM applet time. Assume that each person normally use your applet 2 time per day, so if you do the synchronize process 1 time per 10 session, you synchronize the time every about 5 day. Note that new phones hide this network times (they replace it with the phone time) ...... – Ebrahim Ghasemi Mar 30 '15 at 14:11
  • ...... But you can see it in old mobile phone, in the end of received SMS-s. Simply change the time of your phone and send an SMS to yourself and take a look at the end of it. (I tried with Nokia 1100) – Ebrahim Ghasemi Mar 30 '15 at 14:12
  • Another solution is focusing on number of days instead of an expiration date. you can write the phone application in a way that it works for 30 days for example. you can also write it in a way that if the user changed the phone time, the difference added to the used time. BTW, we can wait for better answers :) – Ebrahim Ghasemi Mar 30 '15 at 14:16
  • You can take time from phone it self by issuing proactive command "provide local information" for more info read [link](http://www.etsi.org/deliver/etsi_ts/102200_102299/102223/09.04.00_60/ts_102223v090400p.pdf) page 44 hope this helps if not then i am still here :) – Anurag Sharma Mar 31 '15 at 05:06
  • @AnuragSharma Thank you for your replies! The link is interesting, but it says: "The terminal shall return the current date and time as set by the user". That is a problem. I need to access the "real" time, otherwise the user could cheat and change the date and time in order to make my electronic wallet valid again. I somehow need to access the "network time", that cannot be changed by the user... – vojta Mar 31 '15 at 05:40
  • Sim acts like a slave and mobile is master in this case you have to be dependent on mobile only.There is another workaround if the network service provider sent an Envelope which has the current time in it then it will be useful for you...but in this case you should contact your service provider to request this envelope. – Anurag Sharma Mar 31 '15 at 06:40
  • @AnuragSharma I guess that all SMS packets enveloped concatenated with current time of server. Can't he use this feature? – TheGoodUser Mar 31 '15 at 09:34
  • @TheGoodUser Sounds interesting... How could I access SMS packets from JavaCard applet without collaboration of (potentially hacked) Android application? – vojta Mar 31 '15 at 09:41
  • 1
    @TheGoodUser you can not get that value by using any API and also that envelope meant for your applet only which is specified by TAR.So this is mandatory that any proprietary envelope must be prepared by network and sent to the specified applet with time information.Java Applet can use ussd to trigger network to send envelope. – Anurag Sharma Mar 31 '15 at 09:51
  • Anurag is right. As far as I know, you have two option : 1- request your network operator to send a time envelope to your applet every day automatically. (Using this method you don't need to do anything in your phone application anymore) 2- Using the network-time section of SMS-s. (Using this method you need to require the SMS sending/receiving privilege from the phone in your phone app installation and you don't need to ask the operator to doing anything special for you!) – TheGoodUser Mar 31 '15 at 10:47
  • Just to be more clear : Normally, the operator sends its packets to a special applet on the card. i.e. the packets has a header that indicate the AID of their applet in the card. This packet data decrypt on the SIM and the body of it sends to the phone.In this procedure the data(encrypted and decrypted) are not shared on the SIM. so if you install an applet on the SIM, there is no way to gain those data and you must follow one of the above mechanism. – TheGoodUser Mar 31 '15 at 10:53
  • BTW, does the operator shared the SIM card keys with you?! typically they don't. So hoe did you installed your applet? – TheGoodUser Mar 31 '15 at 10:55
  • @TheGoodUser This could be a solution... Yes, we have a private security domain for our applet... – vojta Mar 31 '15 at 11:28
  • btw I added my solution to Abraham's answer below. – TheGoodUser Mar 31 '15 at 14:22

1 Answers1

2

It depends on your project. You have 3 solutions. one is for cases that you have access to Internet on the phone and two for cases you don't.

If you have Internet access :

  1. In the phone application installation step, it sends the IMSI of the SIM card to a server that you established already via a https channel(Optional!).
  2. Your server records that IMSI and the date of installation in a database table in the server.
  3. Henceforth, each time that the phone application want to start a session with the SIM applet, it must send a request to your server and the server respond that request with an encrypted(its current date+IMSI_counter).
  4. If the phone application receive the answer successfully sends it and the time of phone (in plain) to the SIM applet.
  5. The SIM applet encrypt the "plain phone date+IMSI+counter" itself with the same secret key that we used in server and then it compare the result with the value that its server sent to mobile phone.
  6. If both are equal, that means that the time of the phone is the same time of your server.

Using the above procedure, in cases that you don't want the SIM applet to work anymore, you can send an invalid encrypted value in the respond of phone application requests.

If you don't have Internet access :

All SMS packets enveloped concatenated with current time of server but normally, the operator sends its packets to a special applet on the card. I mean the packets has a header that indicate the AID of its applet in the card. The SIM card analyze and decrypt this packet data and the body of it return to phone (For calls and SMS-s, and not for OTA envelopes).In this procedure the data (both encrypted and decrypted) are not shared on the SIM. So if you install an applet on the SIM, there is no way to gain those data (Including the network current time) and you must use one of the following options :

  1. Request your network operator to send a time envelope to your applet (i.e. the header of the packet indicate your applet AID) every day and automatically. (Using this method you don't need to do anything in your phone application anymore)

or:

  1. Using the network-time section of other SMS-s on the phone using your phone application. (Using this method you need to require the SMS sending/receiving reading/writing privilege from the phone in your phone app installation and you don't need to ask the operator to do anything special for you!)
TheGoodUser
  • 1,188
  • 4
  • 26
  • 52
Ebrahim Ghasemi
  • 5,850
  • 10
  • 52
  • 113
  • Thank you! Could I use proactive commands to request the signed timestamp instead of sending a time envelope periodically? Could I response to my wallet APDU with a proactive command "send SMS" and wait for an SMS reply from the network operator? Can I intermix classic APDUs and proactive commands? – vojta Apr 07 '15 at 06:17
  • @vojta Sorry, unfortunately no Idea. for the second and third question I think the answer is "Yes"(I'm sure about 90%). but I don't know how! – Ebrahim Ghasemi Apr 07 '15 at 06:55