Bringing Smart Cards into 2015, whether they like it or not!

KTH Wireless Seminar

13th February 2015


© Fidesmo AB 2015 | Page 2

Overview

› Fidesmo is doing to Smart Cards what Apple and Google have done to Smartphones

– Connectivity

– App store

– Usability for consumers

– Simple SDK for developers

› We want to achieve this while keeping all the original strong points of Smart Cards

– Secure

– Cheap

– Durable

– Passive (no internal power source)


Agenda

Part One: Background

– What is a Smart Card?

– Communication through APDUs

– MIFARE Classic

– JavaCard

– GlobalPlatform

– Mobile NFC

Part Two: Enter Fidesmo

– The Fidesmo Card

– Architecture

– Fidesmo App Store

– Fidesmo Cardapp concept

– Service Example

– Service Delivery concept

– SDK

Part One

Background


What is a Smart Card?

› A Smart Card is a low power CPU connected to a small amount of RAM and a slightly larger amount of EEPROM. An example:

– 3.5 KB RAM

– 40 KB EEPROM

– 200 KB ROM

› The hardware architecture is secured against external tampering

› Communication with the outside world is done via a so-called chip contact (ISO 7816) and/or an induction antenna (ISO 14443).

– The second method is often referred to as “contactless” and it is part of what is called NFC or RFID

[Figures: 68K-based microcontroller; smart card with randomized glue logic obfuscating layout]


Smart Card Communication: APDU

› Application Protocol Data Unit

› Communication unit between a Smart Card and the outside world

› Request-Response protocol, like HTTP

Request APDU: CLA | INS | P1, P2 | Lc | Data | Le

– CLA: Command Class

– INS: Instruction

– P1, P2: Parameters

– Lc: Length of data

– Le: Expected length of response

Response APDU: Response Data | SW1, SW2

– SW1, SW2: Status Bytes


MIFARE Classic

› MIFARE Classic was one of the first “secure” RFID cards

– It was later shown to be fairly easy to hack due to a predictable random number generator

› MIFARE Classic is one of the most widespread Smart Cards in use

Memory layout of each sector (Sectors #1 - #31):

– Block #0: 16 bytes of user data

– Block #1: 16 bytes of user data

– Block #2: 16 bytes of user data

– Trailer: Key A (6 bytes), Access bits (4 bytes), Key B (6 bytes)
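The trailer layout above, decoded in an added example that is not part of the original slides. It assumes the standard MIFARE Classic access-bit encoding, in which three condition nibbles are stored together with inverted copies in the first three access bytes; the sample trailer is constructed and the function names are hypothetical.

```python
DEFAULT_KEY = bytes.fromhex("FFFFFFFFFFFF")   # widely known factory default key

# Constructed sample: a sector trailer in the factory transport configuration.
SAMPLE_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF078069" "FFFFFFFFFFFF")


def parse_sector_trailer(trailer: bytes) -> dict:
    """Split a 16-byte sector trailer and decode its access bits."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is exactly 16 bytes")
    key_a, access, key_b = trailer[:6], trailer[6:10], trailer[10:]
    # The fourth access byte is a general-purpose byte, not checked here.
    b6, b7, b8 = access[0], access[1], access[2]
    # Each condition nibble (C1..C3) is stored once plainly and once inverted.
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_c1, inv_c2, inv_c3 = b6 & 0x0F, b6 >> 4, b7 & 0x0F
    consistent = all(
        plain ^ inverted == 0x0F
        for plain, inverted in ((c1, inv_c1), (c2, inv_c2), (c3, inv_c3))
    )
    # Bit n of each nibble belongs to block n (block 3 is the trailer itself).
    per_block = [((c1 >> n) & 1, (c2 >> n) & 1, (c3 >> n) & 1) for n in range(4)]
    return {
        "key_a": key_a,
        "key_b": key_b,
        "access_bits_consistent": consistent,
        "conditions": per_block,
    }


def audit_trailer(trailer: bytes) -> list:
    """Return findings a card issuer would want fixed before deployment."""
    info = parse_sector_trailer(trailer)
    findings = []
    for name in ("key_a", "key_b"):
        if info[name] == DEFAULT_KEY:
            findings.append(f"{name} is the factory default key")
    if not info["access_bits_consistent"]:
        findings.append("access bits fail the inverted-copy check")
    return findings
```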


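JavaCard

[Diagram: applet space and system space. Applet space holds context 1 (Package A: applet A, applet B) and context 2 (Package B: applet A, applet B); system space holds the JavaCard RE Context; the applet firewall separates the contexts.]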


GlobalPlatform

› Started out as OpenPlatform, driven by the payments industry (VISA and MasterCard)

› It is a set of standardized commands to install, manage and delete applications

› It is also a set of security protocols for issuing these commands in an authenticated and confidential manner

– SCP02 based on 3DES

– SCP03 based on AES


Wrapping Up Part One

› State of the art

– JavaCard

  › Java based application development tools (in theory)

  › Multi-application execution environment

– GlobalPlatform

› Current pain points

– Application management after card issuance

– Card connectivity

– Development tools

Part Two

Enter Fidesmo


The Fidesmo Card

› JavaCard capable Smart Card bundled with MIFARE Classic

– 7.5 KB RAM

– 144 KB EEPROM

› One of the most advanced Smart Cards on the market (the most advanced having MIFARE Classic)

› 100% off-the-shelf certified components

– Common Criteria EAL 5+


Architecture

[Diagram components: Service Provider; Fidesmo Backend Server; Fidesmo APIs; Smartphone; Fidesmo App; Mobile App; Fidesmo Card]


Fidesmo App Store


Fidesmo Cardapp Concept

[Diagram labels: Cardapp; JavaCard Applet#1; JavaCard Applet#2; JavaCard Applet#N; MIFARE Classic]


Service Delivery Concept

› Service Delivery enables the App developer to bundle up several API operations into a single service, for example:

– Install several JavaCard applets

– Upload content, e.g. a ticket

› Service Delivery is tightly coupled to service payment

– During Service Delivery, payment is reserved

– When the service is successfully delivered, the service provider effectuates the payment

– Solves business logic problems, such as the user trying to buy a service, let's say a monthly pass, that cannot be purchased because the user already has an active monthly pass


Service Example

{
  "title": "Top up",
  "price": {
    "total": 99.00
  }
}


Service Delivery Flow

[Sequence diagram. Participants: Service Provider; Fidesmo Backend Server; Fidesmo App. Messages, in the order shown: ServiceDelivery Request; See service description, approve payment; ServiceOperation Request; ServiceOperation Result (repeat as needed); ServiceDelivery Completed; Show new status. The ServiceOperation Request and ServiceOperation Result labels appear twice in the diagram.]


JavaCard SDK

› Our Software Development Kit is based on the popular Java build tool Gradle

– Also used by Google for their Android SDK

› It is open source and can also be used for generic JavaCard development

[Diagram labels: Local development environment; Java bytecode; gradle with Fidesmo gradle-javacard plugin; Java Card bytecode: CAP file; gradle with Fidesmo gradle-fidesmo plugin; Fidesmo Backend; CAP file; Fidesmo Card; Cardapp; Contactless Reader]


Conclusions

[Diagram components: Service Provider; Fidesmo Backend Server; Fidesmo APIs; Smartphone; Fidesmo App; Fidesmo Card]

› Advanced chip

› SDK

› Application management after card issuance via Service Delivery SaaS

› Consumer-friendly packaging of card applications via App Store

› Card connected via smartphone


Learn More

› Sign up at our developer portal where you will find a lot of documentation, tutorials and examples to get you started: https://developer.fidesmo.com

– We will send you a free Fidesmo Card!

› Our APIs are available at https://developer.fidesmo.com/api

› SDK can be found at https://github.com/fidesmo/gradle-fidesmo