I am trying to learn the details of using a PIV / smartcard to sign an executable like a jar. Employing this is easy, but I'm curious about what information gets exchanged between my computer and the smartcard. I have searched around but I haven't found what I was hoping to find - some kind of flow or sequence diagram. The thing I'm most curious about is how much data gets sent to the device. It seems too fast to be sending the entire jar. Does it work something like how Debian repository signatures work, where the computer generates a file of HMACs and only THAT is signed?
According to [this](https://docs.oracle.com/javase/tutorial/deployment/jar/intro.html) it is not an HMAC, but a full-blown cryptographic hash like SHA-1, which gets signed. (Hash can be done outside the card, since no confidentiality is required there, and as you note, it is much faster. For this reason many cards do not bother to offer on-card hashing at all). – guidot Mar 07 '19 at 22:33
1 Answer
1
According to the JAR file format specification, a message digest of the JAR file is signed, not the whole content of the JAR. Therefore, only the digest is sent to the card. For instance, with a digest like SHA-256, only 32 bytes must be sent to the smartcard.

Alexandre Fenyo
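The host-side hashing chain described in the answer and the comment, as an added example (not code from the answer, the JAR tooling, or any card middleware). It goes a step beyond the answer by showing the intermediate files of the JAR format: per-entry digests go into the manifest, the manifest digest goes into the signature file, and the digest of that file is what reaches the signing key. The layout is simplified (no 72-byte line wrapping, no per-entry sections in the signature file, no algorithm-specific padding before the card operation), and `make_jar`, `build_manifest`, `build_signature_file` and `digest_for_card` are hypothetical names.

```python
import base64
import hashlib
import io
import zipfile


def b64_sha256(data: bytes) -> str:
    """Base64 of the SHA-256 digest, the encoding used in JAR manifests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def make_jar(payload_size: int) -> bytes:
    """Constructed sample JAR holding one fake class file of the given size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe" + bytes(payload_size))
    return buf.getvalue()


def build_manifest(jar_bytes: bytes) -> bytes:
    """Simplified MANIFEST.MF: one SHA-256-Digest entry per archived file."""
    lines = ["Manifest-Version: 1.0", ""]
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue  # directories and signature metadata are not digested
            lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(jar.read(name))}", ""]
    return "\r\n".join(lines).encode()


def build_signature_file(manifest: bytes) -> bytes:
    """Simplified .SF file: carries the digest of the whole manifest."""
    lines = ["Signature-Version: 1.0",
             f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}", ""]
    return "\r\n".join(lines).encode()


def digest_for_card(jar_bytes: bytes) -> bytes:
    """Hash computed on the host; only this value is handed to the signing key."""
    return hashlib.sha256(build_signature_file(build_manifest(jar_bytes))).digest()


if __name__ == "__main__":
    for size in (1_000, 5_000_000):
        jar = make_jar(size)
        print(f"jar: {len(jar):>9} bytes -> to be signed: {len(digest_for_card(jar))} bytes")
```
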