Differences between SDA and DDA in JavaCard?


Question



I have an applet (you can take a look at it there: JavaCard applet is not working with RSA encryption). The applet generates RSA public and private keys in its constructor and, with an APDU command, encrypts some byte array.

The applet generates public and private keys with KeyBuilder.LENGTH_RSA_2048; in the docs provided with the cards it is said that JavaCard supports a 2048-bit key length only in DDA.

So the question is: what are DDA and SDA, and what are the differences between them? And the main question is: how do I install (or run?) the applet in this mode?

What I found out (Update 1): SDA -- Static Data Authentication; DDA -- Dynamic Data Authentication.

Answer

So the question is:

what are DDA and SDA, and what are the differences between them?

SDA - SDA ensures the authenticity of ICC data. After SDA it is sure that the data from the ICC is real and hasn't been changed by anyone. But SDA doesn't assure the uniqueness of ICC data. You can see the diagram of SDA is like:

Here you can see two RSA pairs are used during SDA:

(1) - IssuerRSA

(2) - CA_RSA

This diagram is very descriptive and clear for understanding the flow of SDA. Also you can check EMV Book 2 for more description about SDA. The DDA flow is like:

[image: DDA FLOW]

Here you can see 3 RSA pairs are used in DDA:

1 - IssuerRSA

2 - CA_RSA

3 - ICC RSA (a new RSA key which is unique to each card; each card generates this RSA pair during personalization of the card, so this RSA pair will be different for each card)

SDA guarantees that the data on cards is valid because we trust a high-level certification authority which signs the data. But an attacker can record a card session and build, for example, a new virtual card, because the same data is used here for all sessions.

But in the DDA flow - we can say it is checking SDA + giving random data to the card by the terminal to sign, and here this part makes cloning of the card impossible, because each session uses a different random number, so recording a card session will not work in the next card session.

Hope it helps, and you can read more in SDA and DDA, Gemalto.
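A small end-to-end model of the two flows described in this answer, added here as an example; it is not code from the original post, from EMV Book 2 or from any JavaCard implementation. It uses textbook RSA over SHA-256 in place of EMV's ISO/IEC 9796-2 signature formats, collapses each certificate to a (public key, signature) pair, and the card record, the 512-bit key size and the 8-byte unpredictable number are constructed assumptions. Running demo() shows the point made above: a card "cloned" from one recorded session passes SDA, because the same issuer-signed static data is presented every time, but fails DDA, because the fresh unpredictable number must be signed with the ICC private key that the clone does not have.

```python
import hashlib
import random
import secrets

# Minimal textbook RSA over SHA-256 (toy: no padding, not for production use).
def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def gen_rsa(bits=512):
    """Return ((n, e), (n, d)); n > 2**256 so a SHA-256 digest fits in it."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def encode_pub(pub):
    n, e = pub
    return n.to_bytes(64, "big") + e.to_bytes(4, "big")

def issue_cert(signer_priv, subject_pub):
    """Toy certificate: (subject public key, signature over it by the signer)."""
    return subject_pub, sign(signer_priv, encode_pub(subject_pub))

def check_cert(signer_pub, cert):
    subject_pub, sig = cert
    return verify(signer_pub, encode_pub(subject_pub), sig)

class Card:
    """Genuine card: issuer-signed static data (SDA) and its own certified ICC key pair (DDA)."""
    def __init__(self, static_data, issuer_cert, issuer_priv):
        self.static_data, self.issuer_cert = static_data, issuer_cert
        self.ssad = sign(issuer_priv, static_data)   # Signed Static Application Data
        icc_pub, self.icc_priv = gen_rsa()            # unique per card, made at personalisation
        self.icc_cert = issue_cert(issuer_priv, icc_pub)
    def read_static(self):
        return self.issuer_cert, self.static_data, self.ssad
    def internal_authenticate(self, unpredictable_number):
        """INTERNAL AUTHENTICATE: sign the terminal's challenge with the ICC private key."""
        return self.icc_cert, sign(self.icc_priv, unpredictable_number)

class ClonedCard:
    """Attacker's card built from one recorded session; it has no ICC private key."""
    def __init__(self, recorded_static, recorded_response):
        self.recorded_static, self.recorded_response = recorded_static, recorded_response
    def read_static(self):
        return self.recorded_static
    def internal_authenticate(self, unpredictable_number):
        return self.recorded_response              # replays regardless of the challenge

def terminal_sda(card, ca_pub):
    issuer_cert, static_data, ssad = card.read_static()
    return check_cert(ca_pub, issuer_cert) and verify(issuer_cert[0], static_data, ssad)

def terminal_dda(card, ca_pub):
    if not terminal_sda(card, ca_pub):
        return False
    challenge = secrets.token_bytes(8)             # fresh unpredictable number per session
    icc_cert, sig = card.internal_authenticate(challenge)
    issuer_pub = card.read_static()[0][0]
    return check_cert(issuer_pub, icc_cert) and verify(icc_cert[0], challenge, sig)

def demo():
    """SDA and DDA results for a genuine card and for a replayed clone of it."""
    ca_pub, ca_priv = gen_rsa()
    issuer_pub, issuer_priv = gen_rsa()
    record = b"PAN=4111111111111111;EXP=2912"       # constructed sample static data
    genuine = Card(record, issue_cert(ca_priv, issuer_pub), issuer_priv)
    # attacker records one full session (static data + one signed challenge) and replays it
    clone = ClonedCard(genuine.read_static(), genuine.internal_authenticate(secrets.token_bytes(8)))
    return {"sda_genuine": terminal_sda(genuine, ca_pub), "sda_clone": terminal_sda(clone, ca_pub),
            "dda_genuine": terminal_dda(genuine, ca_pub), "dda_clone": terminal_dda(clone, ca_pub)}
```

The DDA check here deliberately runs the SDA check first, matching the "SDA + random data" description above; in a real terminal the certificate chain and data recovery follow the formats in EMV Book 2, and the ICC key is generated or injected at personalisation rather than in a constructor.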

