TheGoodUser

Reputation: 1198

Do smart card readers perform any cryptographic functions?

As far as we know, smart cards use a Mutual-Authentication method to clarify security between the card and the reader.

I want to know where the cryptographic operations are done (other than in the card): in the reader or in the computer?

I mean, does the reader do any cryptographic operations, or is it only a translator from the USB / COM protocol to the protocol that the card uses to transfer data?

In other words, can I retrieve the [encrypted] data that is transferred between the card and the reader, using a sniffer on the USB port of my computer that my reader is connected to? (Indeed, I need to delete some bytes from the head and tail of what I see in sniffing, but do I also need to do any cryptographic function?)

Note that I need the same data that is transferred between the card and the card reader, and I don't want to have decrypted data.

Upvotes: 0

Views: 389

Answers (3)

Daniel Heldt

Reputation: 417

In fact, there are smart card readers doing cryptography. For example, the Reiner SCT comfort is able to create some secure messaging (PACE, used for ID cards and some passports) between smart card and smart card reader, using its own PIN pad to collect the credential (the value of some PIN) from the card holder. So... there are PIN-pad smart card readers doing some crypto.

Upvotes: 0

guidot

Reputation: 5333

I have not yet encountered a reader doing cryptography (besides Mifare and similar), even if there may be specialized devices doing some. I also don't see this as a disadvantage for two reasons:

  • as you mention, doing the cryptography in your application ensures that the vulnerable device communication is still protected (apart from man-in-the-middle attack types)
  • quite often Mutual Authenticate not only performs an authentication, but also negotiates a session key derived from exchanged random numbers. For that, quite a number of different methods exist, and I would not rely on the manufacturer incorporating the correct variant in firmware while holding my breath.

Upvotes: 2

Maarten Bodewes

Reputation: 93948

That depends. For memory-based cards and such, a lot of things can be done within the readers. If, however, the card is accessed through PCSC / ISO 7816-4 compatible APDUs, then all the crypto is normally performed by the application (this is likely to be true for your situation).

If you want to catch that stuff without messing with the USB itself, I would propose to connect your application to a virtual smart card reader and then forward the APDUs again to a real reader. You can have a hint on how to do this here.

Upvotes: 3
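
Added example, not part of the question or of any answer above: a sketch of what stripping the framing bytes from a USB capture looks like when the reader only relays APDUs. It assumes the reader is a USB CCID-class device and that the bulk-transfer payloads have already been exported as hex; the function names and the sample frames are constructed for illustration.

```python
import struct

# CCID bulk message types; every CCID message starts with a 10-byte header.
PC_TO_RDR_XFRBLOCK = 0x6F    # host -> reader: carries a command APDU
RDR_TO_PC_DATABLOCK = 0x80   # reader -> host: carries a response APDU
CCID_HEADER_LEN = 10


def parse_ccid(frame: bytes):
    """Strip the CCID header from one bulk transfer; None if it carries no APDU."""
    if len(frame) < CCID_HEADER_LEN:
        raise ValueError("frame shorter than a CCID header")
    # bMessageType, dwLength (little endian), bSlot, bSeq; 3 type-specific bytes follow
    msg_type, length, slot, seq = struct.unpack_from("<BIBB", frame)
    if len(frame) < CCID_HEADER_LEN + length:
        raise ValueError("dwLength exceeds the captured data")
    apdu = frame[CCID_HEADER_LEN:CCID_HEADER_LEN + length]
    if msg_type == PC_TO_RDR_XFRBLOCK:
        return {"dir": "command", "slot": slot, "seq": seq, "apdu": apdu}
    if msg_type == RDR_TO_PC_DATABLOCK:
        return {"dir": "response", "slot": slot, "seq": seq, "apdu": apdu}
    return None  # power on/off, slot status, ...: reader control, no APDU


def uses_secure_messaging(command_apdu: bytes) -> bool:
    """ISO 7816-4 first interindustry class (CLA 0x00-0x1F): bits 0x0C flag SM."""
    if not command_apdu:
        return False
    cla = command_apdu[0]
    return cla < 0x20 and (cla & 0x0C) != 0


# Constructed sample capture (hex of three bulk transfers), not real traffic.
SAMPLE = [
    "6f0c0000000001000000" "00a4040007a0000002471001",   # plain SELECT
    "80020000000001000000" "9000",                       # status word only
    "6f130000000002000000" "0cb000000d9701048e08112233445566778800",  # SM-wrapped
]


def extract_apdus(hex_frames):
    """Return the APDU-carrying messages from a list of hex-encoded frames."""
    parsed = (parse_ccid(bytes.fromhex(h)) for h in hex_frames)
    return [m for m in parsed if m is not None]


if __name__ == "__main__":
    for m in extract_apdus(SAMPLE):
        sm = m["dir"] == "command" and uses_secure_messaging(m["apdu"])
        print(m["dir"], m["seq"], m["apdu"].hex(), "SM" if sm else "")
```

The extracted bytes are exactly what the application sent or received; a command flagged as secure messaging stays in its protected form, since no key material is involved in removing the header.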
