Use of card applications

Posted By:   Adam_Southall
Posted On:   Monday, September 24, 2001 11:55 AM

Am I missing something really obvious, but why would someone put an application on a card instead of just using it to store data?
A terminal, CAD, whatever, still needs to house application / business logic in order to tell the card what to do. All functionality is "off-card" (which also makes upgrade distribution easier).
An oft-quoted example is a loyalty application - but the terminal / CAD still has to tell the card, via APDU messages, to "add points", "retrieve balance" etc. So, what have I missed?

Re: Use of card applications

Posted By:   Clement_SIMON  
Posted On:   Tuesday, September 25, 2001 04:32 AM

When it comes to security services (cryptography, PIN management), a strong degree of confidentiality is required.


For example, a secure applet will almost never allow an RSA private key to be extracted, except under very specific circumstances and with very strong security measures.


In other words, an applet will internally generate an RSA key pair, make the public key available to the outside world, and keep the private key to itself.


When a digital signature is requested, the applet will not divulge the private key. Rather, the CAD will send the data to sign, and the applet will internally compute the digital signature and return it.

That way, the sensitive data (private key) is always kept secret and never revealed to the outside world.


It was just an example for an RSA digital signature, but there are many more applications. In each case, the common denominator is SECURITY.

When it comes to confidential data (PINs & cryptographic keys), the data won't be readable, but the applet will provide the necessary commands to use it without revealing it.
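
The on-card key generation and signing described in the reply above, as an added Java Card example that is not part of the original posts. The package, class name and instruction bytes are hypothetical, and the card is assumed to support RSA-2048 with SHA-256 signatures (Java Card 3.0.1 or later).

```java
package example.signer; // hypothetical package name

import javacard.framework.*;
import javacard.security.*;

public class SignerApplet extends Applet {
    private static final byte INS_GET_MODULUS = (byte) 0x10;  // constructed INS values
    private static final byte INS_GET_EXPONENT = (byte) 0x12;
    private static final byte INS_SIGN = (byte) 0x20;
    private final KeyPair keyPair;
    private final Signature signer;
    private final byte[] scratch; // transient output buffer, wiped on deselect

    private SignerApplet() {
        keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_2048);
        keyPair.genKeyPair(); // the private key is created on the card
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        scratch = JCSystem.makeTransientByteArray((short) 256, JCSystem.CLEAR_ON_DESELECT);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new SignerApplet();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        short outLen;
        switch (buf[ISO7816.OFFSET_INS]) {
        case INS_GET_MODULUS:   // public half: safe to hand to the CAD
            outLen = pub.getModulus(scratch, (short) 0);
            break;
        case INS_GET_EXPONENT:
            outLen = pub.getExponent(scratch, (short) 0);
            break;
        case INS_SIGN:          // a real applet would require PIN verification first
            short inLen = apdu.setIncomingAndReceive();
            outLen = signer.sign(buf, ISO7816.OFFSET_CDATA, inLen, scratch, (short) 0);
            break;
        default:                // no instruction reads the private key back
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
            return;
        }
        apdu.setOutgoing();
        apdu.setOutgoingLength(outLen);
        apdu.sendBytesLong(scratch, (short) 0, outLen);
    }
}
```

The CAD only ever sees the public key components and finished signatures; the command set simply has no APDU that returns the private key.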
