Why doesn’t Fidesmo use default ISD keys?

July 14th, 2015

We have been asked several times: how come Fidesmo Cards are personalized with secret ISD keys? If you want to be developer-friendly, why don’t you distribute them with the default ISD keys, so developers are able to install whatever they want?

There are several reasons for that:

It would decrease the system’s overall security

Our platform promises that your applet or MIFARE Classic “virtual card” can coexist in a Fidesmo Card with any other applets your user installs. To ensure that an applet cannot attack other applets on the card, we first run an off-card verifier on the applet CAP files that are uploaded onto our servers. If we left open a loading path that bypasses this verifier, we would break the Java Card security model.

It would reduce the support for commercial services

Fidesmo wants to provide a system that allows FOSS applications to co-exist on the same card/device with already deployed smart card-based services used in, for instance, ticketing and access control scenarios. The security of such commercial smart card-based services is in some cases based on initial secrets supplied during the personalisation process, and/or depends on licensed software that should be kept confidential from a commercial perspective. In order to have an attractive solution for such services, we need to be able to provide a secure channel to the card/device.

It would reduce functionality

One of our main design requirements is to increase the usability of (previously opaque) smart card-based services by means of our smartphone app. Maintaining its ability to access the card is thus crucial. If we shipped our cards with default ISD keys, anyone would be able to change them. Then we would no longer be able to perform any operations on the card, which effectively removes it from the system.

That could be fine for a developer who knows what’s going on, but what about non-technical users? A simple script running on a contactless reader could do a lot of harm…
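To make the point about per-card secret keys concrete, here is an added example (not Fidesmo’s code, and not a description of how Fidesmo actually personalises its cards): an issuer-side routine that derives a distinct ISD key set for every card from a master key and a card identifier, plus an inventory check that flags any key slot still holding the publicly known GlobalPlatform default key value. The KDF construction (HMAC-SHA256 in counter mode, in the style of NIST SP 800-108), the master key, the card identifiers and the key labels are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Well-known GlobalPlatform development key (a public value, not a secret).
# Cards still authenticating with this key are the "blank" cards the post
# refers to: anyone with a reader can rotate the keys and lock the issuer out.
DEFAULT_GP_KEY = bytes.fromhex("404142434445464748494A4B4C4D4E4F")

# Key slots of a GlobalPlatform secure channel key set (assumed labels).
KEY_LABELS = (b"ENC", b"MAC", b"DEK")


def derive_card_keys(master_key: bytes, card_id: bytes, key_len: int = 16) -> dict:
    """Derive a per-card {ENC, MAC, DEK} key set from an issuer master key.

    Counter-mode KDF with HMAC-SHA256 as the PRF (illustrative, assumed):
        K_i = HMAC(master, [i]_32 || label || 0x00 || card_id || [L]_32)
    Compromise of one card's keys reveals nothing about another card's,
    which is the property a fleet of default-keyed cards lacks.
    """
    if len(master_key) < 16:
        raise ValueError("master key too short")
    if not card_id:
        raise ValueError("card identifier required")
    length_bits = (key_len * 8).to_bytes(4, "big")
    keys = {}
    for label in KEY_LABELS:
        out = b""
        counter = 1
        while len(out) < key_len:
            msg = counter.to_bytes(4, "big") + label + b"\x00" + card_id + length_bits
            out += hmac.new(master_key, msg, hashlib.sha256).digest()
            counter += 1
        keys[label.decode()] = out[:key_len]
    return keys


def is_default_key(key: bytes) -> bool:
    """True if a key slot still holds the public GlobalPlatform default value."""
    return hmac.compare_digest(key, DEFAULT_GP_KEY)


def audit_key_set(keys: dict) -> list:
    """Return the names of key slots that were never personalised."""
    return [name for name, k in keys.items() if is_default_key(k)]


if __name__ == "__main__":
    # Constructed sample values: a throwaway master key and two card UIDs.
    master = hashlib.sha256(b"example issuer master key").digest()
    for uid in (bytes.fromhex("04A1B2C3D4E5F6"), bytes.fromhex("04112233445566")):
        ks = derive_card_keys(master, uid)
        print(uid.hex(), {n: k.hex() for n, k in ks.items()}, "unpersonalised:", audit_key_set(ks))
```

The audit function is the part a practitioner would run over a card inventory: any slot it reports is a card that still has the public default key and can be taken over by whoever reaches it first.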

It is unnecessary

We provide the necessary tools and APIs to load Java Card applets, execute management operations and communicate with them. The same applies to MIFARE Classic “virtual cards”. A developer might want even more flexibility, but

  • our service is ready for “production”: developers can upload their services and make them available to anybody with a Fidesmo Card. No need to have two different development processes.
  • we are not in the business of providing ‘blank’ cards with default keys. Such cards can be easily obtained as development samples from many suppliers, and we don’t think we would add any value there.

We are ready for your applet

Our platform is up and running and ready for you to upload your applet. Our cards are ready for users to install your applet. The ideas above are open for discussion, and if you have any questions or feel like something isn’t clear, please do ask us on any channel. We want to hear your thoughts about our model, and we care about them.