Digital signatures with inserted private key to smart card

1
votes

I'm totally new with smart card programming and have a specific application in mind I want to develop.

I want to use contact less smart cards and develop an application with the following functionality:

  1. I want to be able to write a private key to the contact less smart card, that should not be possible to extract.
  2. I want to be able to send input to the smart card, and then produce a digital signature using the private key stored on the smart card with the input sent to the smart card. The result of the digital signature should then be sent as output.
  3. For the digital signature algorithm (ECDSA), I would like to be able to define or write the elliptic curve to the smart card.

I have bought some basic hardware to start the project, but I am not completely sure if the hardware I have bought is compatible the application I have in mind.

For the reader/writer I have bought a: ACR1251

For the contact less smart cards I have bought this type of card: Fudan 08 M1S50 with a FM1108 chip

After reading documentation of smart card programming, I'm confused as to what can be supported by the smart cards or not. From my understanding the OS of the smart card is defined by the manufacturer and cannot be changed or extended. Another OS cannot be added either. The OS also defines exactly which APDU commands are supported by the card. My question is therefore if the functionality that I am requesting would be possible to achieve with my current hardware?

If not, I would very much appreciate tips of what type smart cards would be able to support the functionality I'm requesting. When trying to find the answer myself, I have found that JavaCards supports Elliptic Curve Cryptography. If my current smart cards do not support the functionality I'm requesting, is Java Cards a good alternative that would allow me to define the elliptic curve myself?

Any other tips I could find useful, such as specific APDU commands to look into or other useful development tips, would be highly appreciated!

Thank you in advance.

2
smartcardjavacardapducontactless-smartcard

2 Answers

2
votes

If you want to program the cards I would strongly recommend a Java Card compliant card. Make sure it has your required ECC compatibility. In general you'd have to use curves over F(p), but that's probably what you want anyway.

You may want to consider other smart card solutions if you require low level access to big integer or ECC operations; Java Card provides a relatively high level interface (possibly extended with implementation specific functionality). You'd need a smart card / processor card with ECC capable co-processor and sufficient memory and, of course, a runtime and API with sufficient documentation and a development environment.

You'd be better off generating the public / private key pair on the card and then exporting the public key. You or any receiver of the signatures must trust the public key as well of course.

The reader you have is fine for contactless smart cards. What you currently have though seems to be a so called memory card, and those cannot be programmed. You may just be able to store some bytes (more or less securely).

1
votes

The Fudan card you mentioned seems to be a 1 kByte MIFARE classic card. This is no smart card, but as Maarten points out, a sort of contactless memory card. It is definitely on the other end of the performance spectrum compared to elliptic curve cryptography, actually it only uses some weak and broken symmetric cryptography.

Thera are also non-Java smart cards, which can't be programmed, but are able to generate and apply RSA as well as elliptic curve keys.