Differents between SDA and DDA in JavaCard?

瘦欲@ 提交于 2019-12-19 04:59:47

问题


I have an applet (you can take a look at it there JavaCard applet is not working with RSA encryption). Applet generates RSA public and private keys in constructor and with APDU command encrypt some byte array.

Applet generates public and private keys with KeyBuilder.LENGTH_RSA_2048 in docs provided with cards sad that JavaCard supports 2048 bits key length only in DDA.

So question is what is DDA and SDA. Differences between them? And main question is: how to install (or run?) applet in this mode?

What I found out: Update 1: SDA -- Static Data Authentication DDA -- Dynamic Data Authentication


回答1:


So question is:

what is DDA and SDA. Differences between them?

SDA - SDA ensures the authenticity of ICC data. After SDA it is sure that the data from the ICC is real and hasn't changed by anyone. But SDA doesn't assure the uniqueness of ICC data. You can see the diagram of SDA is like,

Here you can see two RSA Pair is using during SDA,
(1) - IssuerRSA

(2) - CA_RSA

this diagram is very descriptive and clear to understand the flow of SDA. Also you can check EMV BOOK 2 for more description about SDA. while DDA flow is like ,

here you can see 3 RSA Pair is using in DDA,

1 - IssuerRSA

2- CA_RSA

3 - ICC RSA ( new RSA key which is unique in all card, Each card generate this RSA pair during personalization of card so this RSA Pair will be different for each card)

SDA guarantees that data on cards is valid because we trust a high level certification authority which signs the data. But an attacker can record a card session and build for example a new virtuel card because same data is used here for all session.

But in DDA flow - we can say it is checking SDA + giving random data to card by Terminal to sign and here this part makes cloning of card impossible because each session use different random number so recording a card session will not work in next card session.

hope it helps and more can you read from SDA and DDA , Gemalto




回答2:


DDA implies Cipher.ALG_RSA_NOPAD algorithm (which is sometimes referred to as raw RSA or CKM_RSA_X_509) -- as @Hai-Binh LE noted, have a look into the EMV Book 2 (probably Annex B2).

You are instantiating a Cipher.ALG_RSA_PKCS1 which is not used for DDA, thus might be unsupported by the card.

You could verify this by inspecting the thrown CryptoException for CryptoException.NO_SUCH_ALGORITHM reason code.



来源:https://stackoverflow.com/questions/33015169/differents-between-sda-and-dda-in-javacard

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!