I am working on understanding Secure Access Modules (SAM). Why are they needed? What is the difference between a SAM-based and SAM-less approach when used along with RFID card readers?
1 Answer
A secure access module (SAM) is a safe place to store sensitive key material used to access content/applications on smartcards. Typically a SAM is a smartcard itself. The idea behind using a SAM is that you store the keys to access some smartcard application, etc. on it and the keys can never leave the SAM again (i.e. an attacker would not be able to extract the raw key material from it). Instead, whenever the reader application accesses the smartcard application, it actually lets the SAM communicate with the smartcard. This could be done by having the SAM as a proxy between the reader application and the smartcard application, so that unencrypted/unauthenticated reader-side communication would be wrapped into encrypted/authenticated communication that is then forwarded to the smartcard application:
```
                     unencrypted/              encrypted/
                     unauthenticated           authenticated/
READER APPLICATION <-----------------> SAM <=================> SMARTCARD APPLICATION
```
Note that, in fact, the actual APDUs will probably be routed in a slightly different way:
```
+--------------------+                    +--------+                    +-----+
| READER APPLICATION | <----------------> |        | <----------------> |     |
+--------------------+                    |  SAM   |                    |     |
                                          | READER |                    | SAM |
       +-------------+                    |        |                    |     |
       |             | <================> |        | <================> |     |
       |    PROXY    |                    +--------+                    +-----+
       | APPLICATION |
       |             |               +------------------+               +-----------------------+
       |             | <===========> | SMARTCARD READER | <===========> | SMARTCARD APPLICATION |
       +-------------+               +------------------+               +-----------------------+
```
Alternatively, the SAM could only be used to compute ephemeral challenges, responses, session keys, etc. for authentication and encryption that are then integrated into the actual communication protocol by the reader application.
In a SAM-less approach, the key material to access the smartcard application would need to be available to the reader application itself. Since that application would typically run on a platform that is incapable of sufficiently protecting the secret key material, this would result in a security risk.

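An added illustration of the second mode the answer describes (the SAM computing ephemeral challenge responses and session keys that the reader application integrates into the protocol); this is not code from the answer or from any SAM product. HMAC-SHA256, the message layout and the `Sam`/`Card` class names are constructed assumptions standing in for a real card cipher and protocol:

```python
"""Constructed model: the SAM computes responses and session keys, the reader
application only relays them. HMAC-SHA256 stands in for the card's cipher."""
import hashlib
import hmac
import secrets

def _mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class Sam:
    """Secure Access Module: the key goes in and is never handed back out."""
    def __init__(self, master_key: bytes):
        self._key = master_key  # no accessor: mirrors a non-exportable key slot

    def reader_response(self, rnd_a: bytes, rnd_b: bytes) -> bytes:
        return _mac(self._key, b"reader", rnd_a, rnd_b)

    def verify_card(self, rnd_a: bytes, rnd_b: bytes, card_resp: bytes) -> bool:
        return hmac.compare_digest(card_resp, _mac(self._key, b"card", rnd_b, rnd_a))

    def session_key(self, rnd_a: bytes, rnd_b: bytes) -> bytes:
        return _mac(self._key, b"session", rnd_a, rnd_b)

class Card:
    """Smartcard application sharing the symmetric key with the SAM."""
    def __init__(self, key: bytes):
        self._key, self._rnd_a, self._rnd_b = key, b"", b""

    def get_challenge(self) -> bytes:
        self._rnd_b = secrets.token_bytes(16)
        return self._rnd_b

    def authenticate(self, rnd_a: bytes, reader_resp: bytes):
        # Verify the reader's MAC; on success, answer the reader's challenge.
        if not hmac.compare_digest(reader_resp, _mac(self._key, b"reader", rnd_a, self._rnd_b)):
            return None
        self._rnd_a = rnd_a
        return _mac(self._key, b"card", self._rnd_b, rnd_a)

    def session_key(self) -> bytes:
        return _mac(self._key, b"session", self._rnd_a, self._rnd_b)

def reader_authenticate(sam: Sam, card: Card):
    """Reader app: relays RndA/RndB and MACs, never sees the key. None on failure."""
    rnd_b = card.get_challenge()
    rnd_a = secrets.token_bytes(16)
    card_resp = card.authenticate(rnd_a, sam.reader_response(rnd_a, rnd_b))
    if card_resp is None or not sam.verify_card(rnd_a, rnd_b, card_resp):
        return None
    return sam.session_key(rnd_a, rnd_b)
```

The reader process only ever holds nonces, MACs and the resulting session key; in the SAM-less variant the `_key` value would have to live in `reader_authenticate` itself.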