
The reason that this question was born is that I am totally lost, so please forgive the trivial and senseless parts.

I have an Android app, a web-service, a MicroSD smart card (mobile security card). I need to know how I can use the card with SSL to securely communicate with the web-service. Rebuilding and flashing the OS is not an option.

What I know:

  • The API used to communicate with the MSC
  • How to write/deploy applets to the MSC
  • How to call a web-service

What I don't know:

  • SSL
  • Too much about certificates and cryptography (only shady academic stuff from the university)
  • How things come together and what I should use to accomplish this

seek-for-android has an OpenSC tutorial and library, but the OS needs to be patched for that. Is there a way to avoid that and still use the solution?

I know I could be much further into this with a little research, but my deadline is quite close (a few days), so I need help, much help, and very soon. Thank you in advance!

EDIT:

More specifically:

I have a Smart Card SD card from Giesecke & Devrient, with Java Card OS and fine applets and dev tools. I also received an Android service to communicate with the card (the applets) with APDUs. This is quite low-level: it accepts byte codes as commands and data.

I need to call a web-service via SSL authentication. Now I know that SSL uses (can use) hardware tokens with PKCS#11 interfaces.

There is a project called seek-for-android with a guide to patch the OS and have a standard PKCS#11 interface over the smart card (I believe this would be OpenSC). I CAN'T patch the OS.

So the questions again:

  • Can the Android SSL implementation use (custom) PKCS#11 interfaces in some way, if yes, how? (e.g. possibly with some security providers)
  • Can I use OpenSC (and other stuff mentioned in the linked guide) without patching the OS (e.g. extract the libs and include it in my application)?
  • Overall, how should I link the gap between the low-level smart card and the high level SSL? I kindly ask you for any material regarding this.
Vincent

3 Answers

Use Bouncycastle (Spongycastle is the fork for Android) and implement your own Security Provider which uses the SmartCard instead of a file for stored certificates.

sweisgerber.dev

As this is a special form of a Smart-Card encapsulated inside a microSD card, I assume that the API is based on special SD-Card read and write operations. Such operations may or may not be usable on Android without root access.

That depends on the particular implementation of the API. Usually such a microSD card already comes with Android libraries (as it is the most open relevant mobile platform) from the vendor. You should ask there for more information.

Robert
  • I do have a library with which I can access the card, but it only provides a standard interface to access Java Card applets. I also have a Java Card applet that provides PKI functionality, but I somehow need to wire this into the android ssl implementation and finally some kind of https transport class. – Vincent Feb 17 '12 at 09:52
  • 1
    @Vincent: The common way would be to implement your own security provider for providing an own java.security.KeyStoreSpi implementation. That is the way J2SE uses for accessing PKCS#11 modules like smartcards and I don't see a problem using the same way on Android. – Robert Feb 17 '12 at 11:13
  • Thank you, this seems valuable. I will look into it and see if I have more questions. – Vincent Feb 17 '12 at 20:08

If you can access your card without patching the ROM, you can roll your own (requires knowledge of cryptography) SSL implementation on top of it.

If not, then AFAIK you need to patch Android to get access to the extra hardware. And the built-in SSL library has no support whatsoever for client-side "hardware tokens" AFAIK.

Martin Paljak
  • I can access the card, but I can't afford to implement the whole SSL layer. I need standard interfaces and cooperating libs to accomplish this fast. – Vincent Feb 17 '12 at 09:47
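Putting the answers together, here is a sketch of the plumbing they describe. It is an added example written for this page, not code from the question, the answers, G&D, seek-for-android or OpenSC. It registers a `java.security.Provider` whose `SignatureSpi` hashes in software and hands the PKCS#1 DigestInfo to the card, wraps the on-card key in an opaque `PrivateKey` that carries only a key reference, and feeds that key to JSSE through an `X509KeyManager`, so no PKCS#11 layer and no OS patch is involved. Everything card-specific is assumed: `CardApplet`, `CardPrivateKey`, `CardRsaSha256`, `CardProvider` and the `80 2A` command APDU are hypothetical names and must be replaced by the vendor's APDU service and your applet's actual command set. `main` exercises the chain offline against a software stand-in for the card and verifies the result with the stock provider.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

/* Added example, not code from the question or answers. CardApplet, CardPrivateKey, CardRsaSha256,
 * CardProvider and the APDU layout (CLA=80 INS=2A P1=keyRef) are hypothetical: substitute the
 * vendor's APDU service and the command set of your own PKI applet. */
public class CardTls {
    /** Hypothetical wrapper over the vendor's APDU service: one command in, one response out. */
    public interface CardApplet {
        byte[] transmit(byte[] apdu) throws IOException, GeneralSecurityException;
    }

    /** Opaque handle: the private key never leaves the card, only a key reference does. */
    public static final class CardPrivateKey implements PrivateKey {
        final CardApplet card; final byte keyRef;
        public CardPrivateKey(CardApplet card, byte keyRef) { this.card = card; this.keyRef = keyRef; }
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }   // non-extractable, so no encoding
        public byte[] getEncoded() { return null; }
    }

    /** DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 3447, section 9.2). */
    static final byte[] SHA256_DIGEST_INFO = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86,
        0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    /** SignatureSpi: hash in software, let the applet do the RSA private-key operation. */
    public static final class CardRsaSha256 extends SignatureSpi {
        private CardPrivateKey key; private MessageDigest md;
        @Override protected void engineInitSign(PrivateKey k) throws InvalidKeyException {
            // Rejecting foreign keys makes the JCA skip this provider and try the next one, so
            // registering it at position 1 does not break signing with ordinary software keys.
            if (!(k instanceof CardPrivateKey)) throw new InvalidKeyException("not a card key");
            try { md = MessageDigest.getInstance("SHA-256"); }
            catch (NoSuchAlgorithmException e) { throw new InvalidKeyException(e); }
            key = (CardPrivateKey) k;
        }
        @Override protected void engineInitVerify(PublicKey k) throws InvalidKeyException {
            throw new InvalidKeyException("verification is left to the software providers");
        }
        @Override protected void engineUpdate(byte b) { md.update(b); }
        @Override protected void engineUpdate(byte[] b, int off, int len) { md.update(b, off, len); }
        @Override protected byte[] engineSign() throws SignatureException {
            byte[] digest = md.digest();
            byte[] data = Arrays.copyOf(SHA256_DIGEST_INFO, SHA256_DIGEST_INFO.length + digest.length);
            System.arraycopy(digest, 0, data, SHA256_DIGEST_INFO.length, digest.length);
            // Hypothetical command: CLA=80 INS=2A P1=keyRef P2=00 Lc <DigestInfo> Le=00; the applet
            // is expected to apply PKCS#1 v1.5 padding and sign with the referenced key.
            byte[] apdu = new byte[6 + data.length];
            apdu[0] = (byte) 0x80; apdu[1] = 0x2A; apdu[2] = key.keyRef; apdu[4] = (byte) data.length;
            System.arraycopy(data, 0, apdu, 5, data.length);
            byte[] resp;
            try { resp = key.card.transmit(apdu); }
            catch (IOException | GeneralSecurityException e) { throw new SignatureException(e); }
            int sw = ((resp[resp.length - 2] & 0xff) << 8) | (resp[resp.length - 1] & 0xff);
            if (sw != 0x9000) throw new SignatureException("card returned SW=" + Integer.toHexString(sw));
            return Arrays.copyOf(resp, resp.length - 2);   // strip the status word
        }
        @Override protected boolean engineVerify(byte[] sig) throws SignatureException {
            throw new SignatureException("unsupported");
        }
        @Override protected void engineSetParameter(String p, Object v) { throw new InvalidParameterException(); }
        @Override protected Object engineGetParameter(String p) { throw new InvalidParameterException(); }
    }

    /** The security provider the answers mention; it only has to advertise the Signature engine. */
    public static final class CardProvider extends Provider {
        public CardProvider() {
            super("MicroSDCard", 1.0, "RSA signing delegated to a Java Card applet");
            put("Signature.SHA256withRSA", CardRsaSha256.class.getName());
        }
    }

    /** Bridge into JSSE: a key manager hands TLS the card-backed key and its certificate chain. */
    public static SSLContext cardSslContext(final CardPrivateKey key, final X509Certificate[] chain)
            throws GeneralSecurityException {
        Security.insertProviderAt(new CardProvider(), 1);
        X509KeyManager km = new X509KeyManager() {
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return "card"; }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
            public String[] getClientAliases(String t, Principal[] i) { return new String[] { "card" }; }
            public String[] getServerAliases(String t, Principal[] i) { return null; }
            public X509Certificate[] getCertificateChain(String a) { return chain; }
            public PrivateKey getPrivateKey(String a) { return key; }
        };
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(new KeyManager[] { km }, null, null);   // null trust managers = platform default CAs
        return ctx;   // then HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())
    }

    /** Offline check with a software "card": raw PKCS#1 v1.5 RSA over the DigestInfo it receives. */
    public static void main(String[] args) throws Exception {
        final KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        CardApplet fakeCard = apdu -> {
            Signature raw = Signature.getInstance("NONEwithRSA");   // pad and sign, no hashing
            raw.initSign(kp.getPrivate());
            raw.update(Arrays.copyOfRange(apdu, 5, 5 + (apdu[4] & 0xff)));
            byte[] sig = raw.sign();
            byte[] resp = Arrays.copyOf(sig, sig.length + 2);
            resp[sig.length] = (byte) 0x90;   // status word 90 00
            return resp;
        };
        Security.insertProviderAt(new CardProvider(), 1);
        byte[] msg = "client CertificateVerify input".getBytes("UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(new CardPrivateKey(fakeCard, (byte) 0x01));   // routed to CardRsaSha256
        s.update(msg);
        byte[] sig = s.sign();
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());   // CardRsaSha256 rejects it, the stock provider takes over
        v.update(msg);
        System.out.println("card signature verifies: " + v.verify(sig));
    }
}
```

Whether this works end to end depends on the TLS stack asking a JCA `Signature` engine to sign with the client key. The JDK's SunJSSE does, and the delayed provider selection in `Signature.initSign` is what routes the card key to `CardRsaSha256` and every other key to the stock providers. Newer Android releases (Conscrypt) instead hand a foreign private key to a raw `NONEwithRSA` engine with the DigestInfo already built, so check which algorithm name your platform requests and register that one as well. Recent JDKs also prefer RSA-PSS for RSA client keys, and TLS 1.3 requires it, so unless the applet can produce PSS signatures you either add an `RSASSA-PSS` engine or restrict the offered signature schemes. The `KeyStoreSpi` Robert suggests is the extra piece that lets the stock `KeyManagerFactory` find the key by alias; the hand-written key manager above sidesteps it, and the real card must also be told the user's PIN before the first signing command.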