Playing with Smart-Cards

Ever since reading the book “Kryptographie und IT-Sicherheit” where I first learned about how SmartCards work, I wanted to do some SmartCard programming. In the book it describes some inner workings of Smart Cards, and that some of them have a small Java VM inside. But it turned out that the entry was not as easy as in many other fields. First of all, you have many smart cards (SIM of your mobild phone, Credit Card, Debit Card, Health insurance card, …), but usually they are protected so you can’t install anything of your own. Technically, it would be possible to have many applications on the same card, like CreditCard, DebitCard, HealthInsurance, PublicTransport, and so on. But with very few exceptions, the issuers don’t feel confortable sharing a card with someone else. Then there seem to be many different standards, and the companies seem to bee keen to obscure as much as they can. And then you also need kind of specialized hardware, but that’s the easier part.

First I ordered a SIM Card Reader from Conrad. But then I learned that to do anything interesting on a SIM card, you would need the private key of your operator which you’ll never get from them.From china, one could order blank SIM cards, but I feel more like re using some cards that I already have, or something that’s easily available everywhere.

Then I thought about building a SmartCard reader myself, but instead ordered an argolis reader from ricardo.ch. I thought I’d experiment with expired credit and debit cards that I have before ordering a SmartCard SDK that might be pricy and less interesting. But the cards stayed quiet at my random tries, and yes of course you ‘ll never get the banks private key either. But maybe I can encrypt / decrypt some data with the cards private key. That way I could increase the security of some of my applications. So I looked for information on the internet. The first thing I found was http://www.postcard-sicherheit.ch where they say that “BC B0” is a standard command for bank cards. Too bad, I disposed my postcard when I cancelled the account last year. And my two test cards would still not respond. I found some list in the file /usr/share/pcsc/smartcard_list.txt of the package pcsc-tools which looks interesting, but I have yet to find out what to use it for. In general, it’s quite hard to find suitable informations. There are many sites that explain the basics such as this one, but no hands on to get you start doing something.

Somewhere I learned, that the ATR (Answer to Reset) gives information on how to communicate with the card. I had to insert the cards many times into the reader until I got something at 9600 baud that looks like a valid ATR sequence. For my expired credit card that’s “76 B4 01 01 60 71 D6 8C 61 1F” and for my expired debit card it’s “3B 67 00 00 00 31 80 71 86 90”.  Here is how to interpret these:

Character CreditCard DebitCard Description
TS 3B Indicates direct (3B) or inverse (3F) convention.
T0 67 TB1 and TC1 present, TA1 and TD1 absent; x indicates the number of historical bytes present.
TB1 00 VPP is not required.

For that I don’t always have to guess which FTDI device is the smart card reader, I finally learned how to write udev rules. In fact it’s really easy and well described on this page. For some reason that works for all other FTDI devices I tried except the smart card reader. It’s serial “1d6b” is only half as long as that of the others, though.

I got the impression, it’s going to be difficult to do anything interesting with these existing cards. Right at that time I learned, that it’s now possible to pay the crypto-stick from the German Privacy Foundation with BitCoins. What a nice coincidence…  It features a lot of documentation about smart cards in general and how to use them. Once it’s all worked out, my keys for ssh and email should be a lot more secure, and I might even finally set up a VPN or full disk encryption.

I hope smart cards will also be covered in the cryptography course that shall start today.

Leave a Reply

Your email address will not be published. Required fields are marked *