I want to read data from a smartcard, but at the same time I need to make sure that the card is valid. The idea is that I want to receive on my server the card id and a signature of the card which I can check if it is valid or not. I do not have access to any private keys the card provides.

I noticed some efs like card_certificate, but I'm not sure what structure that binary has.

Daniel

1 Answer

I don't see significant chances to succeed with the approach (as I understand it) due to these reasons:

  • Card ids are not necessarily unique.
  • The standard solution to prove validity of a smart card is by applying a secret key contained in the card to a random number previously queried, to thwart a simple replay attack. No static data exchange will achieve this.
  • Cards get lost; without 2 factor authorization the lost card becomes a security risk.
  • On the server side you have nothing to rely on but the arriving byte stream (which may originate from a card or not); if this does not comply with a water-tight security scheme, the whole system is easily compromised. X.509 certificates are complicated, but they need to be to fill their purpose.
  • Inside knowledge may be necessary to read something from the card.

My expectation: without substantial know-how the most likely result is a system employing smart (?) cards but only achieving a quite low security level.

guidot
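The second bullet of the answer (a fresh random challenge answered with a key held in the card) contrasted with the static "card id plus signature" idea from the question, as an added example that is not part of the original post or answer. It assumes a hypothetical symmetric key per card shared with the server and simulates the card in software; the class and function names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

class Card:
    """Simulated card: holds a secret key that never leaves it and only ever
    answers a challenge by keying it (constructed stand-in for a real card)."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def answer(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, self.card_id.encode() + nonce, hashlib.sha256).digest()

class Server:
    """Verifier: issues a fresh single-use nonce per card and checks the reply."""
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys      # card_id -> shared key (hypothetical registry)
        self.outstanding = {}           # card_id -> nonce awaiting an answer

    def challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable, so old answers cannot be reused
        self.outstanding[card_id] = nonce
        return nonce

    def verify(self, card_id: str, nonce: bytes, response: bytes) -> bool:
        key = self.card_keys.get(card_id)
        if key is None or self.outstanding.get(card_id) != nonce:
            return False                # unknown card, or nonce not issued / already consumed
        del self.outstanding[card_id]   # each nonce is accepted once, so a replay fails
        expected = hmac.new(key, card_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def run_scenarios() -> dict:
    """Legitimate exchange, a replay of it, and a static signature offered without a challenge."""
    key = secrets.token_bytes(32)
    card = Card("card-0001", key)
    server = Server({"card-0001": key})
    nonce = server.challenge(card.card_id)
    reply = card.answer(nonce)
    fresh = server.verify(card.card_id, nonce, reply)         # True
    replay = server.verify(card.card_id, nonce, reply)        # False: nonce already consumed
    static_sig = card.answer(b"\x00" * 16)                    # the "signature of the card" idea
    static = server.verify(card.card_id, b"\x00" * 16, static_sig)  # False: never challenged
    return {"fresh": fresh, "replay": replay, "static": static}
```

The static reply is rejected not because it is malformed but because the server never issued that value; a captured byte stream carries no proof that a card is present now.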