XeeChaun

Reputation: 57

Read Citizen Data from JavaCard

Our government has started issuing Smart National ID Cards (SNIC).

I have a Smart Card Reader (ACR38-IPC).

When I inserted my SNIC into the reader, Windows detected it and installed the driver; now it appears in Device Manager as: ActivIdentity Mini Driver (Oberthur ID-One Cosmo V7.0 128K)

I have found out that it is a JavaCard v2.2.2.

I want to read my National ID Card Number from the SNIC using the reader in a C# application.

I have searched on the internet but didn't find an appropriate answer. I don't want to build an applet and load it onto the card; I just want to read the Citizen Information stored on the card.

I have also installed the software provided by other countries to their citizens for reading their cards, but those can't read my card.

My main problem is that the SNIC issuing authorities don't tell me anything about the card (totally ridiculous); they are not even giving me my PIN (isn't it amazing???) (maybe they don't want the general public to develop applications using this card; they will let their own people do this and get the benefits: nepotism).

All I know is the type of card, and I want to extract my information from the card (I think it should not be protected by a PIN and can be read even if I don't know the PIN).

Please help me with how to start.

This is the ATR parsing for my card: ATR Parsing

Upvotes: 3

Views: 1600

Answers (2)

Maarten Bodewes

Reputation: 93948

Taking a look at the ATR, it seems that the card claims to have an EF.DIR. This probably means that the APDU interface is ISO 7816-4 compliant. It also means that the card is likely to be ISO 7816-15 compliant, and that standard is based on the publicly available PKCS#15 standard (warning, ftp link to version 1.1 of the standard in PDF format). Java Cards themselves only contain very basic support for ISO 7816-4 APDUs, even though the communication layer (ISO 7816-3) is (more or less) adhered to. The rest is up to the Java Card developer.

The way to start reading this card is getting access to a copy of ISO 7816-4. Furthermore, you need to read into BER and DER structures, as understanding ASN.1 structures is very likely to be required. After that you should be able to read data using the SELECT and READ BINARY APDUs. After reading EF.DIR, take a look at what is inside that file.

If you are lucky, the card is ISO 7816-15 compliant. ISO 7816-15 describes a way to discover all the files and objects on the card. The only issue is that parsing ISO 7816-15 is not something that can be done in an afternoon. To get an idea, take a look at the PKCS#15 standard which the ISO standard is based upon.

Unfortunately the smart card business is one of exceptions. Having some kind of official documentation would be very helpful indeed. A claim that a card is ISO 7816-4 compliant means next to nothing (ISO 7816-4 is more of an umbrella standard, useful for people that are creating their own standards, and it is a terrible standard even for that purpose).

Unfortunately ISO/IEC standards are strictly payware. You might want to find libraries and such that implement it though. Googling for ISO/IEC 7816-4 should return plenty of information (probably including illegal downloads of the standard).

Upvotes: 2
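
The SELECT and READ BINARY steps from the answer above, as an added example that is not part of the original answer: it builds the two ISO 7816-4 command APDUs for EF.DIR (file identifier 2F00) and walks the BER-TLV application templates in the returned data. The sample response, its proprietary-range AID and its label are constructed, and sending the commands through a reader is left to whatever PC/SC binding the application uses.

```python
# Added example; SAMPLE is constructed, not read from a real card.
SW_TEXT = {0x9000: "ok", 0x6982: "security status not satisfied",
           0x6A82: "file not found"}

def select_ef_dir() -> bytes:
    # SELECT by file identifier (P1=00), no response data (P2=0C), FID 2F00 = EF.DIR
    return bytes([0x00, 0xA4, 0x00, 0x0C, 0x02, 0x2F, 0x00])

def read_binary(offset: int, le: int = 0) -> bytes:
    # READ BINARY with a 15-bit offset in P1-P2; Le=00 requests up to 256 bytes
    if not 0 <= offset <= 0x7FFF:
        raise ValueError("offset does not fit in 15 bits")
    return bytes([0x00, 0xB0, offset >> 8, offset & 0xFF, le])

def split_response(rapdu: bytes):
    # A response APDU is the data field followed by the status bytes SW1 SW2
    sw = int.from_bytes(rapdu[-2:], "big")
    return rapdu[:-2], sw, SW_TEXT.get(sw, "see ISO 7816-4 status word table")

def parse_tlv(data: bytes):
    """Yield (tag, value) for each BER-TLV object in data."""
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # filler bytes between or after objects
            i += 1
            continue
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:             # low five bits all set: tag continues
            while True:
                tag, i = (tag << 8) | data[i], i + 1
                if not tag & 0x80:         # high bit clear marks the last tag byte
                    break
        length, i = data[i], i + 1
        if length & 0x80:                  # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("TLV object runs past end of data")
        yield tag, data[i:i + length]
        i += length

def list_applications(ef_dir: bytes):
    # EF.DIR holds application templates (tag 61) carrying AID (4F) and label (50)
    apps = []
    for tag, value in parse_tlv(ef_dir):
        if tag == 0x61:
            f = dict(parse_tlv(value))
            apps.append((f.get(0x4F, b"").hex().upper(),
                         f.get(0x50, b"").decode("ascii", "replace")))
    return apps

SAMPLE = bytes.fromhex("61114F06F00102030405500744454D4F204944FFFF9000")
```

A status word of 6982 on READ BINARY means the file is access-controlled, which is the case the second answer describes.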

guidot

Reputation: 5333

Without any useful input data (like the issuing country, or obviously the SNIC specification) it's hard to come up with a meaningful answer.

Some hints:

  • Java cards have only one fixed instruction, SELECT, which definitely can't read the desired information and is unlikely to be needed here, since the default application is presumably the one you are interested in.
  • A PIN may be present or not; it's not obvious that it is your PIN, it might be foreseen for a future application which is not yet on the card (e.g. digital signature application) or never be needed at all.
  • Even if no PIN is needed for reading out the data, an authentication from the background system may be required; it is perfectly possible that nothing can be read without that. Without substantial additional information this is not going to change. Possession of the card alone will not help to progress.
  • If the card is ICAO compliant and/or has a contactless interface, it's in your interest that no eavesdropper can read the information from your pocket. Typically one has to perform an action that shows agreement with reading, like Basic Access Control, which needs information printed on the card.

Upvotes: 1
