: Interface SecureCredential

OpenCard

OCF, the OpenCard Framework is a standard Java framework for working with Smart Cards.

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: INNER | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.ibm.opencard.access
Interface SecureCredential

All Known Implementing Classes:: DESSecureCredential

public abstract interface SecureCredential
extends SignCredential

A credential that supports functions needed for secure messaging (MAC and encryption). Credentials can be thought of as cryptographic algorithms that are parameterized by a fixed key. Instead of providing just the key and relying on a card service to implement the cryptographic algorithms, the application provides both.
The advantage of this concept is that the card services do not have to include cryptographic code which is subject to US export restrictions. Additionally, applications may implement the algorithm in a way appropriate for them, for example by mapping invocations to Java security classes, or by using special hardware support.
MFC smartcards use the DES and triple DES algorithms with symmetric keys for authentication and secure messaging. MFC smartcards with signature functionality also use RSA signatures for authentication.

Note: this class needs to be generalized (made card service neutral) and should then be moved to opencard.opt.security

Version:: $Id: SecureCredential.java,v 1.1 1999/12/02 16:06:02 damke Exp $

Method Summary
`void`	`decryptChained(byte[] data, int offset, int length)` Decrypts a series of data blocks.
`void`	`encryptChained(byte[] data, int offset, int length)` Encrypt a series of data blocks.
`byte[]`	`finishMAC(byte[] data)` Finishes a MAC computation and returns the message authentication code.
`byte[]`	`getStrongRandom()` Returns a cryptographically strong random number.
`void`	`setICV(byte[] icv)` Sets an initial chaining value (ICV).
`void`	`updateMAC(byte[] data)` Passes one data block of a multi-block message to compute a MAC for.

Methods inherited from interface opencard.opt.security.SignCredential

getInputLength, 
sign

Method Detail

getStrongRandom

public byte[] getStrongRandom()

Returns a cryptographically strong random number. For some of the protocols for secure communication with a smartcard, random numbers are needed. For DES and triple DES algorithms, each random number is a block of 8 bytes. The actual randomness of these numbers is crucial for the security of the protocols, so the application providing a credential should not have to rely on an appropriate implementation by a card service provider. Instead, it has to implement this method for each credential.
The byte array returned will not be modified by the credential until the next invocation of this method. Thus, it is possible to implement this method without creating new byte arrays for each invocation. The caller, however, cannot rely on this kind of implementation, the array returned may be a different one each time, or sometimes.

Returns:: a byte array holding an 8 byte random number

setICV

public void setICV(byte[] icv)

Sets an initial chaining value (ICV). Encryption of multi-block messages as well as their decryption and the computation of message authentication codes (MACs) requires to process several blocks of data. Processing of these blocks is chained by using the output of one step as part of the input to the next one. The output of one step is therefore called the chaining value.
Before the first block of a multi-block message can be processed, the initial chaining value must be defined, which is done by invoking this method. For DES and triple DES, the chaining value will be 8 byte long. The credential must leave the block passed as argument unchanged.
An invocation resets the internal state of the credential, so the encryption, decryption or MAC computation for a new series of data blocks can begin. While one of these operations is in progress, none of the others can be performed. To finish one operation and start a new one, this method must be invoked.

Parameters:: icv - the initial chaining value to use for subsequent processing
See Also:: encryptChained(byte[], int, int), decryptChained(byte[], int, int), updateMAC(byte[]), finishMAC(byte[])

encryptChained

public void encryptChained(byte[] data, int offset, int length)

Encrypt a series of data blocks. MFC smartcards use DES or triple DES in CBC mode to encrypt data that exceeds one block. On an invocation of this method, an array is passed in which one or more blocks have to be encrypted. Before encrypting, setICV must have been called.
Encryption is done in place, the plain data is replaced by the encrypted data. The length of the data to encrypt must be a multiple of the block size, which is 8 byte. Other parts of the array will not be changed.

Parameters:
data - the array holding the data to encrypt
offset - the index of the first byte to encrypt
length - the number of bytes to encrypt
See Also:
setICV(byte[]), decryptChained(byte[], int, int)

decryptChained

public void decryptChained(byte[] data, int offset, int length)

Decrypts a series of data blocks. MFC smartcards use DES or triple DES in CBC mode to encrypt data that exceeds one block. On an invocation of this method, an array is passed in which one or more blocks have to be decrypted. Before decrypting, setICV must have been called.
Decryption is done in place, the encrypted data is replaced by the plain data. The length of the data to decrypt must be a multiple of the block size, which is 8 byte. Other parts of the array will not be changed.

Parameters:
data - the array holding the data to decrypt
offset - the index of the first byte to decrypt
length - the number of bytes to decrypt
See Also:
setICV(byte[]), encryptChained(byte[], int, int)

updateMAC

public void updateMAC(byte[] data)

Passes one data block of a multi-block message to compute a MAC for. For single DES, message authentication code (MAC) computation and CBC encryption are basically the same. The MAC will be the last block of the CBC encrypted message. For triple DES, intermediate MACs have to be computed using single DES with a part of the triple DES key. Only for the last data block, triple DES is used.
This method is used to process every but the last block in the message. The last block will be processed by an invocation of finishMAC, which will return the MAC for the complete message. Every data block passed for MAC processing must have the standard block size of 8 bytes. Before MAC computation, setICV must have been called.

Parameters:
data - the next data block in the message to compute a MAC for
See Also:
setICV(byte[]), finishMAC(byte[])

finishMAC

public byte[] finishMAC(byte[] data)

Finishes a MAC computation and returns the message authentication code. As argument, the last block of the message to compute the MAc for has to be passed. The preceeding blocks must have been passed before by invoking updateMAC. If there is only one block, only setICV has to be invoked before. Every block, including the last one, must have the standard block size for DES algorithms, which is 8 bytes. For more details, see the description of updateMAC.

Parameters:
data - the last block of the message to compute the MAC for
Returns:
the MAC for the complete message
See Also:
updateMAC(byte[]), setICV(byte[])

Overview Package Class Tree Deprecated Index Help

PREV CLASS NEXT CLASS FRAMES NO FRAMES

SUMMARY: INNER | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

The world leader

in digital security

com.ibm.opencard.access
Interface SecureCredential

getStrongRandom

setICV

encryptChained

decryptChained

updateMAC

finishMAC

The world leader

in digital security

com.ibm.opencard.access Interface SecureCredential

getStrongRandom

setICV

encryptChained

decryptChained

updateMAC

finishMAC

com.ibm.opencard.access
Interface SecureCredential