July 14th, 2015
We have been asked several times: how come Fidesmo Cards are personalized with secret ISD keys? If you want to be developer-friendly, why don’t you distribute them with the default ISD keys, so developers are able to install whatever they want?
There are several reasons for that:
It would decrease the system’s overall security
Our platform promises that your applet or MIFARE Classic “virtual card” can coexist in a Fidesmo Card with any other applets your user installs. To ensure that an applet cannot attack other applets on the card, we first run an off-card verifier on the applet CAP files that are uploaded onto our servers. If we leave a side channel open, we break the Java Card security model.
It would reduce the support for commercial services
Fidesmo wants to provide a system that allows FOSS applications to co-exist on the same card/device with already deployed smart card based services used in for instance ticketing and access control scenarios. The security of such commercial smart card-based services is in some cases based on initial secrets supplied during the personalisation process, and/or depends on licensed software that should be kept confidential from a commercial perspective. In order to have an attractive solution for such services, we need to be able to provide a secure channel to the card/device.
It would reduce functionality
One of our main design requirements is to increase usability of (previously opaque) smart card-based services, by means of our smartphone app. Maintaining its ability to access the card is thus crucial. If we shipped our cards with default ISD keys, anyone would be able to change them. Then, we would not be able to perform any more operations on the card, thus removing it from the system.
That could be fine for a developer that knows what’s going on, but what about non technical users? A simple script running on a contactless reader could do a lot of harm…
It is unnecessary
We provide the necessary tools and APIs to load JavaCard applets, execute management operations and communicate with them. The same applies to MIFARE Classic “virtual cards”. A developer might want even more flexibility, but
Our platform is up and running and ready for you to upload your applet. Our cards are ready for users to install your applet. The ideas above are open for discussion and if you have any questions or feel like something isn’t clear please do ask us in any channel. We want and care about your thoughts about our model.