The objective of the project is the following: we are given a Javacard (a card with a chip that can run Java programs) with its associated reader, and we have to build two things:
- a program running on the card that waits for the computer to send a PIN code and that, when the correct PIN code has been sent, generates a 512 bytes RSA key pair. It then waits for the computer to send a string, which will be encoded with the generated key. Finally, it waits for the computer to ask for the public key information, and sends that information to the computer.
- a terminal running on the computer where the javacard reader is plugged, that will be a user-friendly command-line program to use the encrypter on the card. Any language can be used for this part.
Writing a Javacard program and making it run on the card is not that easy. The steps to follow are:
- Write a Java class extending the Applet class (an applet is a program that can run on a Javacard)
- Compile this program with the help of the javacard JDK (the javacard SDK repository is included as a git submodule)
- Transform the obtained .class file into a .cap file thanks to an existing tool included in the SDK
- Delete the previous version of the applet that is on the card (if you've never sent the program to the card, this step is thus not required)
- Send the program to the card
Once done with these steps, we can start communicating with the card by sending it APDUs, which are the messages exchanged between a computer and a card. The applet you've written will receive each APDU and process it the way you've coded it.
To use the toolchain, I've made a bunch of scripts usable for each step previously explained:
- The Java applet is defined in `project/Encrypter.java`. Feel free to edit the code to see how the Javacard ecosystem works.
- To compile the applet and transform the obtained .class into a .cap file, use the `scripts/compile.sh` script. It performs both these operations.
- To delete the previous version of the applet on the card, use `scripts/delete_applet.sh`.
- To send your applet to the card, use `scripts/send_applet.sh`.
- Finally, to test your applet, use `scripts/test_applet.sh`. It will activate the right applet and send the card an APDU with operation code 0x40, which we define to be a sort of ping that the card should answer with a certain special message, to make sure the applet is running and working just fine.
WARNING: to run these scripts, be sure to be in the project's root folder! I'm not a bash specialist, and the bash scripts will not work if run from somewhere else.
The following programs must be installed for the toolchain to work:
- The following `apt` packages: `sudo apt update && sudo apt install libusb-dev libusb-1.0-0-dev libccid pcscd libpcsclite1 libpcsclite-dev libpcsc-perl pcsc-tools`
- The `pcscd` service must run: use the `sudo service pcscd status` command to check if it is running, and if not, use the `sudo service pcscd start` command
- Java 7 or 8, NOT NEWER; the Javacard toolchain is sadly legacy, and a Java version more recent than Java 8 is not supported
- The `gpshell` program, installable in brew with `brew install kaoh/globalplatform/globalplatform`. Make sure `brew` is installed on your computer
- JC_HOME_TOOLS: must be the path to the javacard 2.1.1 SDK (provided in the repository as a submodule)
- JAVA_HOME: your java (7 or 8) installation path
- PATH: add $JC_HOME_TOOLS/bin and $JAVA_HOME/bin to your $PATH
We provide two files:
- the applet Encryptions.java, which is loaded on the card.
- terminal.py, which is used by the client to interact with the card.
What we implemented:
- The card is protected with a PIN code that has to be provided by the end-user. No more than three failures.
- The other actions are not possible if the PIN code is not validated.
- An RSA 512-bit key pair is generated by the card when the PIN code is validated.
- The end-user is able to see information about the public key: exponent and modulus.
- The end-user is able to send data to be encrypted to the card.
Unfortunately, we didn't manage to achieve every goal of this work. Indeed, we ran many times into the 6f 00 error, for which no diagnosis is possible: we lost a lot of time trying to understand where the mistakes were. So the encryption on the card is not implemented yet. We tried to use Cipher from javacardx.crypto, but errors killed this idea. But we know how to send data from the end-user to the card (like we did for the PIN code) and how to send data from the card to the end-user (like we did for the public key information), so the problem is just to find something to bypass Cipher.
To run the terminal side, go to the root of the project and run `python projet/terminal.py`. Instructions will appear. First the end-user has to enter a PIN code. Then he is able to see some information about the public key, and then he can enter some data to be encrypted. If the end-user makes a mistake, an error message will appear.
The main part of the applet is a switch statement that dispatches on the instruction byte of the APDU:
- 0x00, was for resetting the card, but we didn't manage to do it properly
- 0x01, for the PIN instruction and so the key pair
- 0x02, for the encryption of some data
- 0x03, for information about the modulus of the public key
- 0x04, for information about the exponent of the public key
The terminal side is a set of functions. Each function sends a different APDU to the card, depending on what the function is used for.
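The instruction dispatch and the PIN rules listed under "What we implemented" can be modelled on the host to exercise the terminal without a card. This is an added example, not the project's applet or terminal code. The class byte 0x80, the status words (standard ISO 7816-4 values chosen for the model), the sample PIN and the placeholder modulus are all assumptions.

```python
# Added example: a host-side model of the INS dispatch, not the project's applet code.
import hmac

CLA = 0x80  # assumption: the page does not state the applet's class byte
INS_PIN, INS_ENCRYPT, INS_MODULUS, INS_EXPONENT = 0x01, 0x02, 0x03, 0x04
SW_OK, SW_SECURITY, SW_BLOCKED = 0x9000, 0x6982, 0x6983
SW_NOT_SUPPORTED, SW_BAD_INS, SW_UNKNOWN = 0x6A81, 0x6D00, 0x6F00

def build_apdu(ins, data=b""):
    """Short command APDU: CLA INS P1 P2, then Lc and data if any."""
    return bytes([CLA, ins, 0, 0]) + (bytes([len(data)]) + data if data else b"")

def parse_response(raw):
    """Split a response APDU into (data, status word)."""
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def describe(sw):
    """Human-readable text for the terminal's error messages."""
    if (sw & 0xFFF0) == 0x63C0:
        return f"wrong PIN, {sw & 0x0F} tries left"
    names = {SW_OK: "ok", SW_SECURITY: "PIN not validated", SW_BLOCKED: "PIN blocked",
             SW_NOT_SUPPORTED: "function not supported", SW_BAD_INS: "unknown instruction",
             SW_UNKNOWN: "no precise diagnosis"}
    return names.get(sw, f"status {sw:04X}")

class CardModel:
    def __init__(self, pin):
        self.pin, self.tries, self.validated = pin, 3, False
        self.exponent, self.modulus = bytes.fromhex("010001"), None

    def process(self, apdu):
        ins = apdu[1]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 4 else b""
        if ins == INS_PIN:
            if self.tries == 0:
                return SW_BLOCKED.to_bytes(2, "big")
            self.tries -= 1  # spend the try before comparing
            if not hmac.compare_digest(data, self.pin):
                return (0x63C0 | self.tries).to_bytes(2, "big")
            self.tries, self.validated = 3, True
            # Constructed 64-byte placeholder, not a real RSA modulus.
            self.modulus = b"\xc3" + bytes(62) + b"\x01"
            return SW_OK.to_bytes(2, "big")
        if ins not in (INS_ENCRYPT, INS_MODULUS, INS_EXPONENT):
            return SW_BAD_INS.to_bytes(2, "big")
        if not self.validated:  # every other action is gated on the PIN
            return SW_SECURITY.to_bytes(2, "big")
        if ins == INS_ENCRYPT:  # model choice: the page's applet has no encryption yet
            return SW_NOT_SUPPORTED.to_bytes(2, "big")
        body = self.modulus if ins == INS_MODULUS else self.exponent
        return body + SW_OK.to_bytes(2, "big")
```

Passing each status word through `describe` gives the terminal a specific message for a wrong PIN, a blocked PIN or a gated command instead of a bare hex code.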