UICC: How to change ARA?


I have a UICC (by Gemalto), which has some very strict APDU Access Rules. I would like to access an applet on the UICC from an Android app, but these rules do not allow me to send any APDUs.

So I need to change these rules.

I tried the following:

  1. Sending "Store Data - Store AR-DO" command directly to ARA applet => I get status word "security status not satisfied"

  2. Authenticating to Issuer Security Domain, sending Install For Personalization command to Issuer Security Domain and then sending Store Data through ISD. => The same result, "security status not satisfied".

Am I doing something wrong? Any idea? Do I need any extra authentication, passwords or keys to be able to change Access Rules? Is it even possible to change Access Rules once they are already set up?


There are 2 answers

0
Bhanu On BEST ANSWER
  • The Security Status Not Satisfied error code occurs only when some prerequisite authentication conditions are not satisfied before sending the APDU command.

  • Updating APDU access rules (i.e. access rules stored in the ARA) requires proper authentication. Without proper authentication you cannot update the AR in the ARA applet, so only selecting the applet and sending the Store Data command is not enough. You need to do proper authentication, because in this case once the command routes to the UICC (or an application existing on the UICC) from any terminal or server, authentication and integrity are checked first to verify that the command comes from an authenticated server or terminal. If authentication fails then the APDU command will fail with the Security Status Not Satisfied error, which is what is happening in your case.

  • The Access Rule (AR) is stored in the ARA and can be updated over the air with standardized Global Platform Secure Messaging or Remote Applet Management functionality, i.e. you need to send the APDU command (i.e. Store Data) under the security of Secure Channel Protocol (SCP02) or SCP80. Please refer to the Global Platform and ETSI specifications for details of these protocols.

  • After proper authentication, send the Install[For Personalisation] command to the Security Domain (generally the AR applet is associated with the ISD, so here the Security Domain may be the ISD), then send the Store Data command to change the ARA entry. As the preceding command is Install[For Personalisation], the next Store Data command will route to the ARA applet.

  • Please make sure that all these APDU commands are transferred after establishment of a proper secure channel (in case of SCP02) or within a proper secure envelope (in case of SCP80).

Thanks, Happy to help.

0
Anurag Sharma On

It is possible to change the access rule. You can...

1. Select the ARA applet and then authenticate via SCP02. For this you should know the associated security domain of the ARA applet and of course the keys.

2. Via the install for personalization command. What you are doing in this case is right, but first check whether the ARA is associated with the ISD or some other SD.

It is possible to change ARA rules at any time.
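
As an added illustration (not part of either answer, and not Gemalto's or GlobalPlatform's code): the plaintext Install [for personalization] and Store Data pair that both answers describe, built for one rule. The tag values and the ARA-M AID are assumptions recalled from the GlobalPlatform Secure Element Access Control and Card specifications and should be checked against them; the applet AID and certificate hash used with it are constructed samples. SCP02/SCP80 wrapping with the security domain keys is not shown, and without it the card answers "security status not satisfied" as in the question.

```python
# Added example: plaintext APDUs for one ARA-M access rule update.
# Tag values and ARA_M_AID are assumptions from the GlobalPlatform specs.
ARA_M_AID = bytes.fromhex("A00000015141434C00")  # assumed standard ARA-M AID

def tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV with a one-byte tag and short or long (0x81/0x82) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n <= 0xFF:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value

def ref_ar_do(applet_aid: bytes, cert_hash: bytes,
              apdu_allowed: bool, nfc_allowed: bool) -> bytes:
    """REF-AR-DO (E2) = REF-DO (E1: AID 4F + app hash C1) + AR-DO (E3)."""
    if not 5 <= len(applet_aid) <= 16:
        raise ValueError("applet AID must be 5..16 bytes")
    # Hash of the Android signing certificate: empty (any app), SHA-1 or SHA-256.
    if len(cert_hash) not in (0, 20, 32):
        raise ValueError("certificate hash must be 0, 20 or 32 bytes")
    ref_do = tlv(0xE1, tlv(0x4F, applet_aid) + tlv(0xC1, cert_hash))
    apdu_ar = tlv(0xD0, bytes([1 if apdu_allowed else 0]))  # 01 always, 00 never
    nfc_ar = tlv(0xD1, bytes([1 if nfc_allowed else 0]))
    return tlv(0xE2, ref_do + tlv(0xE3, apdu_ar + nfc_ar))

def install_for_personalization(target_aid: bytes = ARA_M_AID) -> bytes:
    """80 E6 20 00: tells the security domain to route Store Data to target_aid."""
    data = b"\x00\x00" + bytes([len(target_aid)]) + target_aid + b"\x00\x00\x00"
    return bytes([0x80, 0xE6, 0x20, 0x00, len(data)]) + data

def store_ref_ar_do(rule: bytes) -> bytes:
    """80 E2 90 00: single-block Store Data carrying Command-Store-REF-AR-DO (F0)."""
    data = tlv(0xF0, rule)
    if len(data) > 255:
        raise ValueError("rule needs multi-block Store Data (not handled here)")
    return bytes([0x80, 0xE2, 0x90, 0x00, len(data)]) + data

if __name__ == "__main__":
    sample_aid = bytes.fromhex("F0010203040501")  # constructed applet AID
    sample_hash = bytes([0xAB]) * 20              # constructed SHA-1 value
    rule = ref_ar_do(sample_aid, sample_hash, apdu_allowed=True, nfc_allowed=False)
    print(install_for_personalization().hex().upper())
    print(store_ref_ar_do(rule).hex().upper())
```
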