Date: Thu Nov 24 09:49:54 2005
From: Patrick.Smith at centrica.co.uk (Scott, Patrick)
Subject: SmartCards programming...

Hi,
 
From memory the goldcard uses a Microchip PIC device (16F84 I think); there
is also a small serial EEPROM on board. You can pick up a full IDE for the
controller from www.microchip.com but be a bit prepared to have to code
down to the assembler level if you want total control.
You can use this IDE to compile the .hex file you require.
 
IMHO the goldcard is probably not the most ideal choice for this type of
project, the controller used on the card is lacking in some of the nice
hardware features of other cards, as already mentioned, if you look around
you can find other card types with hardware RSA and a full iso card io
implementation, with the goldcard you're pretty much looking at coding these
from scratch.
 
From a security point of view the goldcard is less than ideal, the pic can
be programmed with a fuse to prevent code being read out - see the
datasheets on the above site, but I'm sure I've seen exploits for this
around the net. Also the onboard eeprom on the goldcards is a potential
weakness. In order to program the eeprom you will need to use a loader -
essentially a bit of code that runs on the cards processor and writes data
received by the card to the eeprom. In order to read the data back all the
attacker need do is reload a loader to the card and read the eeprom contents
back out, so if you're using the eeprom to hold keys etc, be a bit careful.
 
Goldcards have been the friend of the satellite tv hacking crowd for a long
time, have a google around for the old seca hacks (start with secanix) for
some examples of source code used to emulate official paytv smart cards
which should give you some good pointers on how to implement a card io layer
and access the eeprom etc.
 
Cheers, Pat.
 

-----Original Message-----
From: khaalel [mailto:khaalel@...il.com]
Sent: 23 November 2005 15:17
To: adityad2005@...rs.sourceforge.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] SmartCards programming...


HI (again),

I found nothing about the language to use with Infinity USB, it asks me to
provide it a .hex file... but what is that? And how can I compile code and
convert it into a .hex file???

Can I use the BasicCard Kit Setup
<http://209.68.36.204/downloads/BasicCardKit.zip> to program something and
compile it... then use the Infinity USB writer to place the compiled file
into my GoldCard?

khaalel


On 11/23/05, khaalel <khaalel@...il.com> wrote:


Thank you for all your information... this morning, I attended a
conference given by AXALTO (I found a contact that accepted to help me) and
I learned a lot of things...

I bought 2 Goldcards (one of my teachers advised me to buy such a card to do
what I want... but I think a physical attack can allow someone to copy the
content of the card or the stored key when the authentication is being done,
but to begin it's perhaps the simplest card I can find...)

If you have more information, please give it to me... for the moment I read
the manual of the Infinity USB and there is no information about the
language I can use to program the cards, I will search again with Google and
perhaps on the usenet...


khaalel 



On 11/23/05, Aditya Deshmukh <aditya.deshmukh@...ine.gateway.strangled.net>
wrote:


Sorry for the top post

If you are going to do something like this then RSA cards are the best,
especially SecurID.
It can be implemented almost out of the box and it has great lib support
also.

________________________________

        From: full-disclosure-bounces@...ts.grok.org.uk
        [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of khaalel
        Sent: Wednesday, November 23, 2005 2:12 PM
        To: full-disclosure@...ts.grok.org.uk
        Subject: [Full-disclosure] SmartCards programming...


        Hello,

        I have to achieve a technical project for my French high school...
        And the subject is about cryptography and smart cards...
        The goal is to write the programs and all the associated stuff... in
        order to create a DRM-like system: when a user enters his card,
        software checks his key (or certificate or...) and if the
        authentication succeeds, the wanted file (document, video, audio...)
        is opened by the software...
        Yesterday I bought a programmer/writer: the Infinity USB, but I
        wanna know if someone could give me some interesting links about
        smart card programming (java, basic, .....). I already know some
        things about cryptography but I am a newbie in smart card
        programming. Which language do I have to learn? Which type of smart
        cards do I have to buy? Which algorithms can I use (DES, RSA,
        Elliptic Curves, AES...)??

        thanks...
        khaalel




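An added example, not part of the thread: a small Python check that parses the Intel HEX image produced by the PIC toolchain and reports whether the code-protect fuse mentioned in the reply above is set before the card is written. It assumes the PIC16F84A configuration layout (config word at word address 0x2007, code-protect bits 13:4, all zero meaning protected); the sample images are constructed for illustration.

```python
# Added example: Intel HEX parser plus a code-protect fuse check.
# Assumption: PIC16F84A layout (the thread only says "16F84 I think").
CONFIG_WORD_ADDR = 0x2007   # configuration word, as a 14-bit word address
CP_MASK = 0x3FF0            # bits 13:4 are the code-protect bits; 0 = protected

def parse_intel_hex(text):
    """Return {byte_address: value} from Intel HEX text, verifying checksums."""
    mem, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {n}: length mismatch")
        if sum(raw) & 0xFF:                     # all bytes must sum to 0 mod 256
            raise ValueError(f"line {n}: bad checksum")
        count, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        data = raw[4:4 + count]
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                mem[base + addr + i] = b
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x01:                     # end of file
            break
    return mem

def config_word(mem):
    """14-bit config word; the HEX file stores each PIC word low byte first."""
    lo = mem.get(CONFIG_WORD_ADDR * 2)
    hi = mem.get(CONFIG_WORD_ADDR * 2 + 1)
    if lo is None or hi is None:
        return None                             # image sets no config word
    return ((hi << 8) | lo) & 0x3FFF

def code_protected(mem):
    """True only if the image explicitly clears every code-protect bit."""
    word = config_word(mem)
    return word is not None and (word & CP_MASK) == 0

# Constructed sample images (not from the thread): one instruction word plus
# a config word of 0x3FF1 (protection off) or 0x0001 (protection on).
UNPROTECTED = ":020000040000FA\n:020000000030CE\n:02400E00F13F80\n:00000001FF\n"
PROTECTED = UNPROTECTED.replace(":02400E00F13F80", ":02400E000100AF")

if __name__ == "__main__":
    for name, image in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, code_protected(parse_intel_hex(image)))
```

The check covers only the PIC's own fuse; it says nothing about the separate serial EEPROM on the card, which the reply above describes as readable through a reloaded loader.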