views: 20

answers: 1

I have tried for the last 2 months without success and I think it's time I ask here.

I have a smart card and got a CSP from my client. I have documents that describe APDU commands that I can (and know how to) run.

I need to save small files (data) to the card like name, address, photo etc. And later on save certificates.

In the documentation I read that you have to do external authentication to later use secure messaging to access the files on the card. I have an error somewhere in the mutual authentication algorithm (it requires calculating a MAC, DES, TRIPLE DES etc., and I have tried for weeks to get it working...). I know how to do everything on the card except for functions that require mutual authentication.

I looked at the functions provided by the CSP and don't see any external authentication there. The only place I saw non-APDU-level external auth was in the "Windows Smart Card Minidriver Specification", where I see functions like CardAuthenticateEx. But I don't know how to call them (which DLL they are in). Should these functions be in the CSP?

Is it a wrong approach to go low level with APDU commands when I have the CSP? Should I instead use CryptoAPI or CAPICOM? If so, then how can I external authenticate and use files if there are no (or I can't find) functions that would write to a file? (Again, all these functions are in the "Windows Smart Card Minidriver Specification".)

+1  A: 

Many smartcards follow the Global Platform specification, which (depending on the installed applets on the card and how they are configured) may require a security handshake before communicating with the card.

If you need to write files to the card, you will NOT be using the CSP. The CSP supports OS level cryptographic interactions by re-routing certain crypto calls to the card's processor. To write to a file on the card, you'll be sending APDUs to the card that perform the following functions:

  • Authenticate with the card
  • (optionally) Select an applet/cardlet using the AID (applet ID)
  • Select a directory
  • Select a file
  • Write data to the file

My company makes a plugin for IE and Firefox browsers that helps with this; it includes handshake functions for Global Platform, and we have a "sandbox" form on our site that lets you test your scripts for card interactions.

Check out https://cardboss.cometway.com for more information.

Damien
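The APDU frames behind the steps Damien lists (select applet by AID, select directory/file, write data) follow ISO 7816-4, so the byte layout can be shown without any particular card. The block below is an added example, not code from the question, the answer, or the cardboss product. It builds SELECT, UPDATE BINARY and EXTERNAL AUTHENTICATE commands and decodes the status words a card returns; the AID, file identifiers and cryptogram are constructed placeholders (the real values, and the key-dependent cryptogram calculation, come from your card's documentation). The status-word decoder is the piece most useful while debugging a failing authentication: `6982` is the card's way of saying the security status is not yet satisfied.

```python
"""ISO 7816-4 command APDU construction and response decoding.

Added example (not the original poster's or answerer's code). AIDs, file
identifiers and the authentication cryptogram are constructed placeholders.
"""

# Instruction bytes defined by ISO 7816-4
INS_SELECT = 0xA4
INS_UPDATE_BINARY = 0xD6
INS_GET_CHALLENGE = 0x84
INS_EXTERNAL_AUTHENTICATE = 0x82


def build_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Short-form command APDU: CLA INS P1 P2 [Lc data] [Le] (cases 1-4)."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("Le must be in 0..256")
        apdu += bytes([le % 256])  # Le=256 is encoded as 0x00
    return apdu


def select_by_aid(aid):
    """SELECT by DF name (P1=0x04): choose an applet by its AID, ask for FCI."""
    return build_apdu(0x00, INS_SELECT, 0x04, 0x00, aid, le=0)


def select_file(fid):
    """SELECT by 2-byte file identifier (P1=0x00): a DF or EF under the current DF."""
    return build_apdu(0x00, INS_SELECT, 0x00, 0x00, fid.to_bytes(2, "big"))


def get_challenge(length=8):
    """GET CHALLENGE: card returns `length` random bytes for the host to MAC."""
    return build_apdu(0x00, INS_GET_CHALLENGE, 0x00, 0x00, le=length)


def external_authenticate(cryptogram, key_ref=0x00):
    """EXTERNAL AUTHENTICATE: cryptogram is caller-supplied (card-specific algorithm)."""
    return build_apdu(0x00, INS_EXTERNAL_AUTHENTICATE, 0x00, key_ref, cryptogram)


def update_binary_chunks(payload, chunk=255):
    """Split a payload into UPDATE BINARY commands; P1P2 carry the 15-bit offset."""
    cmds = []
    for off in range(0, len(payload), chunk):
        if off >= 0x8000:
            raise ValueError("offset exceeds the 15-bit UPDATE BINARY range")
        cmds.append(build_apdu(0x00, INS_UPDATE_BINARY, off >> 8, off & 0xFF,
                               payload[off:off + chunk]))
    return cmds


# Common status words (SW1 SW2) and what they mean for the flow above
SW_MEANING = {
    0x9000: "OK",
    0x6982: "security status not satisfied (authenticate first)",
    0x6985: "conditions of use not satisfied",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1/P2",
    0x6D00: "instruction not supported",
    0x6E00: "class not supported",
}


def parse_response(resp):
    """Split a response APDU into (data, status word, human-readable meaning)."""
    if len(resp) < 2:
        raise ValueError("response must end with SW1 SW2")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    if sw >> 8 == 0x6C:
        desc = "wrong Le, card expects %d" % (sw & 0xFF)
    elif sw >> 8 == 0x61:
        desc = "%d more response bytes available (GET RESPONSE)" % (sw & 0xFF)
    elif sw >> 8 == 0x63 and (sw & 0xF0) == 0xC0:
        desc = "verification failed, %d tries left" % (sw & 0x0F)
    else:
        desc = SW_MEANING.get(sw, "unknown status 0x%04X" % sw)
    return data, sw, desc


if __name__ == "__main__":
    # Constructed placeholder AID and file ids; a real card needs its documented values
    for frame in [select_by_aid(bytes.fromhex("A000000003000000")),
                  select_file(0x3F00), select_file(0x0101),
                  *update_binary_chunks(b"name=Example;city=Nowhere")]:
        print(frame.hex().upper())
    print(parse_response(bytes.fromhex("6982")))
```

Send each frame with whatever transport you already use for your other APDUs (PC/SC via pyscard, or the Win32 SCard API); the frames are plain bytes. If the card answers `69 82` to the SELECT or UPDATE BINARY, the file is protected by the access rule the question describes and the EXTERNAL AUTHENTICATE step (or secure messaging) has to succeed first.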