How to validate a Smart/CAC card using input from Precise Biometrics Tactivo


I am able to read a smart card from PB's Tactivo smart card reader on Android, however I am not familiar with the validation process. Here is an example of what I have for reading the input:

```java
...
channel = card.getBasicChannel();

// See www.globalplatform.org for more information about this command.
// CLA = 0x80
// INS = 0xCA
// P1 = 0x9F
// P2 = 0x7F
// Le = 0x00
CommandAPDU GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, 0x00);

ResponseAPDU cardResponse;

// Send the command to the card
cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);

// Check SW1 if we provided wrong Le
if (cardResponse.getSW1() == 0x6C) {
    // Modify the command with correct Le reported by the card in SW2.
    GET_DATA_CardProductionLifeCycle = new CommandAPDU(0x80, 0xCA, 0x9F, 0x7F, cardResponse.getSW2());
    // Re-send the command but now with correct Le
    cardResponse = channel.transmit(GET_DATA_CardProductionLifeCycle);
}

// Check if the card has data for us to collect
if (cardResponse.getSW1() == 0x61) {
    // Issue a GET RESPONSE command using SW2 as Le
    CommandAPDU GET_RESPONSE = new CommandAPDU(0x00, 0xC0, 0x00, 0x00, cardResponse.getSW2());
    cardResponse = channel.transmit(GET_RESPONSE);
}

// Check the final result of the GET DATA CPLC command
if (cardResponse.getSW() != 0x9000) {
    // The card does not support Global Platform
    // some sort of SW from the card here... read as "SW: 6a82"
    System.out.println(String.format("Card responded with SW:%04x", cardResponse.getSW()));
    System.out.println("This card does not support the Global Platform GET CPLC command");

    return;
}

// we do not validate the data in this example - we assume that it is
// correct...
...
```

If anyone has experience with smart card/CAC card validation/authentication, please give me some guidance, an example, or something to work off of, because there is very little documentation of this out there.

UPDATE: I have an Android App that I want to secure with a smart card. I am able to read any smart card's input using a Precise Biometrics Tactivo Smart Card reader. How can I validate/authenticate this input to allow only certain users to access the App?

There is 1 answer

guidot (best answer):

The ATR is inappropriate for validation of any kind, since it is typically shared by thousands of cards.

While cards have a unique identifier (manufacturer specific), this can be easily faked after a valid one has been found out.

The typical means of requiring a certain card (as a component of a two-factor authorization, adding something you have to the something you know, e.g. PIN, password) is execution of an external authentication. Since for that you need to store a key of your own on the card, it will not be an option for a card which you just happen to possess.
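As an added example (not code from the question, the answer, or the Tactivo SDK), the 6C/61 status-word handling that the posted Java does inline for one command, written once as a reusable function over any `transmit(bytes) -> bytes` callable, so it applies to any case-2 APDU and loops on repeated `61 xx` chaining; the CPLC parser makes the answer's point concrete, since what comes back is a static chip identifier. `FakeCard` is a constructed stand-in so the code runs offline.

```python
GET_DATA_CPLC = bytes([0x80, 0xCA, 0x9F, 0x7F, 0x00])  # CLA INS P1 P2 Le, as in the question
GET_RESPONSE = bytes([0x00, 0xC0, 0x00, 0x00])         # ISO 7816-4 GET RESPONSE, Le appended

def transmit_with_recovery(transmit, apdu, max_rounds=8):
    # transmit(bytes) -> bytes must return data || SW1 SW2. Case-2 APDUs only (no Lc/data):
    # 6C xx -> re-send same header with Le = xx; 61 xx -> GET RESPONSE (Le = xx), append data.
    data, cmd = bytearray(), bytes(apdu)
    for _ in range(max_rounds):
        resp = transmit(cmd)
        if len(resp) < 2:
            raise ValueError("response shorter than SW1 SW2")
        sw1, sw2 = resp[-2], resp[-1]
        data += resp[:-2]
        if sw1 == 0x6C:
            cmd = cmd[:4] + bytes([sw2])
        elif sw1 == 0x61:
            cmd = GET_RESPONSE + bytes([sw2])
        else:
            return bytes(data), (sw1 << 8) | sw2
    raise RuntimeError("too many 6C/61 rounds; card or reader misbehaving")

def read_cplc(transmit):
    # Returns the 42-byte CPLC value, or None when the card has no GP CPLC (the 6A82 the
    # poster saw). CPLC identifies the chip; it is not a credential for authenticating a user.
    data, sw = transmit_with_recovery(transmit, GET_DATA_CPLC)
    if sw != 0x9000:
        return None
    if len(data) < 3 or data[:2] != b"\x9F\x7F" or data[2] != len(data) - 3:
        raise ValueError("malformed CPLC TLV")
    return data[3:]

# Constructed stand-in card: answers GET DATA 9F7F with 6C (true Le) first, then 20 bytes
# plus 61 xx, then the remainder via GET RESPONSE. Not a real card's behaviour.
CPLC_OBJECT = bytes([0x9F, 0x7F, 0x2A]) + bytes(range(1, 43))

class FakeCard:
    def __init__(self):
        self.pending = b""
    def transmit(self, apdu):
        cla, ins, p1, p2 = apdu[:4]
        le = apdu[4] if len(apdu) > 4 else 0
        if (cla, ins, p1, p2) == (0x80, 0xCA, 0x9F, 0x7F):
            if le != len(CPLC_OBJECT):
                return bytes([0x6C, len(CPLC_OBJECT)])
            self.pending = CPLC_OBJECT[20:]
            return CPLC_OBJECT[:20] + bytes([0x61, len(self.pending)])
        if (cla, ins) == (0x00, 0xC0) and self.pending:
            out, self.pending = self.pending[:le], self.pending[le:]
            return out + (bytes([0x61, len(self.pending)]) if self.pending else b"\x90\x00")
        return b"\x6A\x82"  # not found: not a GlobalPlatform card
```

On a real reader, pass a wrapper that calls `CardChannel.transmit` and returns the raw response bytes; the 6C/61 logic stays the same.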