Differences between SDA and DDA in JavaCard?


Problem description


I have an applet (you can take a look at it here: JavaCard applet is not working with RSA encryption). The applet generates RSA public and private keys in its constructor and, with an APDU command, encrypts some byte array.

The applet generates public and private keys with KeyBuilder.LENGTH_RSA_2048; the docs provided with the cards say that the JavaCard supports a 2048-bit key length only in DDA.

So the question is: what are DDA and SDA, and what are the differences between them? And the main question is: how do I install (or run?) the applet in this mode?

What I found out:

Update 1:

SDA -- Static Data Authentication

DDA -- Dynamic Data Authentication

Solution

So the question is:

what are DDA and SDA? Differences between them?

SDA - SDA ensures the authenticity of ICC data. After SDA it is certain that the data from the ICC is real and hasn't been changed by anyone. But SDA doesn't assure the uniqueness of ICC data. You can see the diagram of SDA, which looks like this:

Here you can see that two RSA pairs are used during SDA:
(1) - IssuerRSA

(2) - CA_RSA

This diagram is very descriptive and makes the flow of SDA clear to understand. You can also check EMV Book 2 for more description of SDA. The DDA flow looks like this:

Here you can see that 3 RSA pairs are used in DDA:

1 - IssuerRSA

2- CA_RSA

3 - ICC RSA (a new RSA key which is unique to each card; each card generates this RSA pair during personalization of the card, so this RSA pair will be different for each card)

SDA guarantees that the data on cards is valid because we trust a high-level certification authority which signs the data. But an attacker can record a card session and build, for example, a new virtual card, because the same data is used here for all sessions.

But in the DDA flow - we can say it is checking SDA + the terminal giving random data to the card to sign, and this part makes cloning of the card impossible, because each session uses a different random number, so recording a card session will not work in the next card session.

Hope it helps; you can read more from SDA and DDA, Gemalto.
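The answer above describes the key hierarchy and the challenge step in words only. The Go program below is an added example, not code from the original question or answer, that models both checks end to end: a CA certifies an issuer key, the issuer signs the card's static data (SDA), and for DDA the issuer additionally certifies a card-unique ICC key whose private half signs the terminal's Unpredictable Number. It then shows the answer's two claims: a clone that copies everything readable from the card still passes SDA, but cannot answer a DDA challenge, and an SDAD recorded in one session does not verify against the next session's number. Everything not in the page is an assumption of mine: PKCS#1 v1.5 over SHA-256 stands in for EMV's ISO/IEC 9796-2 signature scheme, the static data string is constructed, and the names Card, Personalize, VerifySDA, SignDynamic, VerifyDDA, Clone and must are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Card is what a terminal reads from the ICC, plus the ICC private key it cannot read (nil for an SDA-only card and a clone).
type Card struct {
	StaticData []byte          // static application data (constructed sample: PAN, expiry, AIP)
	IssuerPub  *rsa.PublicKey  // issuer public key, carried in the issuer certificate
	IssuerCert []byte          // CA signature over IssuerPub (issuer PK certificate)
	SSAD       []byte          // Signed Static Application Data: issuer signature over StaticData
	ICCPub     *rsa.PublicKey  // DDA only: card-unique ICC public key
	ICCCert    []byte          // DDA only: issuer signature over ICCPub and StaticData
	iccPriv    *rsa.PrivateKey // DDA only: generated at personalization, never leaves the card
}

func must[T any](v T, err error) T { // panic on error: acceptable in a model, not in production
	if err != nil {
		panic(err)
	}
	return v
}

// sign/verify use PKCS#1 v1.5 over SHA-256 for brevity; EMV itself uses ISO/IEC 9796-2 signatures.
func sign(priv *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}
func verify(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
func pubBytes(pub *rsa.PublicKey) []byte { return x509.MarshalPKCS1PublicKey(pub) }

// Personalize plays the CA and the issuer: the CA certifies the issuer key, the issuer signs
// the static data and, for a DDA card, certifies a fresh card-unique ICC key pair.
func Personalize(dda bool) (*rsa.PublicKey, *Card) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	issuerKey := must(rsa.GenerateKey(rand.Reader, 2048))
	c := &Card{
		StaticData: []byte("PAN=4111111111111111;EXP=2612;AIP=5C00"), // constructed, not real card data
		IssuerPub:  &issuerKey.PublicKey,
	}
	c.IssuerCert = sign(caKey, pubBytes(c.IssuerPub))
	c.SSAD = sign(issuerKey, c.StaticData)
	if dda {
		iccKey := must(rsa.GenerateKey(rand.Reader, 2048))
		c.iccPriv, c.ICCPub = iccKey, &iccKey.PublicKey
		// The ICC certificate also covers the static data, so a certified ICC key cannot be paired with another card's data.
		c.ICCCert = sign(issuerKey, append(pubBytes(c.ICCPub), c.StaticData...))
	}
	return &caKey.PublicKey, c
}

// VerifySDA is the terminal's static check: CA -> issuer certificate, then the issuer's signature over the static data.
func VerifySDA(caPub *rsa.PublicKey, c *Card) bool {
	return verify(caPub, pubBytes(c.IssuerPub), c.IssuerCert) &&
		verify(c.IssuerPub, c.StaticData, c.SSAD)
}

// SignDynamic is the card's side of INTERNAL AUTHENTICATE: the ICC private key signs the
// terminal's Unpredictable Number, giving the SDAD. A clone has no ICC private key.
func (c *Card) SignDynamic(un []byte) ([]byte, bool) {
	if c.iccPriv == nil {
		return nil, false
	}
	return sign(c.iccPriv, un), true
}

// VerifyDDA is SDA plus the ICC certificate plus the SDAD over the number this terminal chose,
// so an SDAD recorded in an earlier session does not verify.
func VerifyDDA(caPub *rsa.PublicKey, c *Card, un, sdad []byte) bool {
	return c.ICCPub != nil && VerifySDA(caPub, c) &&
		verify(c.IssuerPub, append(pubBytes(c.ICCPub), c.StaticData...), c.ICCCert) &&
		verify(c.ICCPub, un, sdad)
}

// Clone copies everything a terminal (or a skimmer) can read; the private key is not among it.
func Clone(c *Card) *Card {
	return &Card{StaticData: append([]byte(nil), c.StaticData...), IssuerPub: c.IssuerPub,
		IssuerCert: c.IssuerCert, SSAD: c.SSAD, ICCPub: c.ICCPub, ICCCert: c.ICCCert}
}

func main() {
	caPub, card := Personalize(true)
	clone, un := Clone(card), make([]byte, 4) // un: the terminal's Unpredictable Number (4 bytes in EMV)
	must(rand.Read(un))
	sdad, _ := card.SignDynamic(un)
	_, cloneSigns := clone.SignDynamic(un)
	fmt.Println("SDA genuine, clone:", VerifySDA(caPub, card), VerifySDA(caPub, clone))   // true true
	fmt.Println("DDA genuine, clone signs:", VerifyDDA(caPub, card, un, sdad), cloneSigns) // true false
	un[0] ^= 1 // next session, different Unpredictable Number
	fmt.Println("replayed SDAD verifies:", VerifyDDA(caPub, clone, un, sdad)) // false
}
```

The SDA line prints true twice because the terminal's static check sees exactly the same signed bytes from the clone as from the genuine card; only the DDA challenge, which needs the private key that never left the card, separates them.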
