0

I am able to read a smart card from PB's Tactivo smart card reader on Android, however am not familiar with the validation process. Here is an example of what I have to read the input: 

...
channel = card.getBasicChannel();

        // See www.globalplatform.org for more information about this command.
        // CLA = 0x80
        // INS = 0xCa
        // P1 = 0x9F
        // P2 = 0x7F
        // Le = 0x00
        CommandAPDU GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, 0x00);

        ResponseAPDU cardResponse;

        // Send the command to the card
        cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);

        // Check SW1 if we provided wrong Le
        if (cardResponse.getSW1() == 0x6C) {
            // Modify the command with correct Le reported by the card in SW2.
            GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, cardResponse.getSW2());
            // Re-send the command but now with correct Le
            cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);
        }

        // Check if the card has data for us to collect
        if (cardResponse.getSW1() == 0x61) {
            // Issue a GET RESPONSE command using SW2 as Le
            CommandAPDU GET_RESPONSE =  new CommandAPDU(0x00, 0xC0, 0x00, 0x00, cardResponse.getSW2());
            cardResponse = channel.transmit(GET_RESPONSE);
        }

        // Check the final result of the GET DATA CPLC command
        if (cardResponse.getSW() != 0x9000) {
            // The card does not support Global Platform
            System.out.println(String.format("8Card responded with SW:%04x", cardResponse.getSW()));// some sort of SW from the card here... Read as "SW: 6a82
            System.out.println("9This card does not support the Global Platform " + "GET CPLC command");

            return;
        }

        // we do not validate the data in this example - we assume that it is
        // correct...
...

If anyone has experience with smart card/CAC card valitaion/authentication please give me some guidance, example, or something to work off of. Because There is very little documentation of this out there.

UPDATE: I have an Android App that I want to secure with a smart card. I am able to read any smart card's input using a Precise Biometrics Tactivo Smart Card reader. How can I validate/authenticate this input to allow only certain users to access the App?

now_world
  • 940
  • 7
  • 21
  • 56
  • 1
    I don't understand the android tag. Please also try to get your question more specific to avoid down votes or close requests: is it the reader, the CAC application, smart cards in general? What input do you refer to (PIN, finger print)? And what do you mean by validation? – guidot Jun 12 '15 at 07:04
  • See update. The input I am referring to is the input that I get when I plug in the smart card to the card reader. I can get an input with: `String UID = card.getATR().toString();` How can I validate this? Or is this the incorrect variable to validate in the first place? – now_world Jun 15 '15 at 14:02

1 Answers1

1

The ATR is inappropriate for validation of any kind, since it is typically shared by thousands of cards.

While cards have a unique identifier (manufacturer specific), this can be easily faked after a valid one has been found out.

The typical means of requiring a certain card (as a component of a two-factor authorization, adding something you have to the something yo know e.g. PIN, password) is execution of an external authentication. Since for that you need to store a key of your own on the card, it will not be an option for a card, which you just happen to possess.

guidot
  • 5,095
  • 2
  • 25
  • 37
  • dear guidot, for god please change your avatar to a more friendly picture :( A rocky man that his face ruined because of acid rain? :( why? (Temporary comment) – Ebrahim Ghasemi Jun 17 '15 at 07:35