Tomcat
Professional
- Messages
- 2,689
- Reaction score
- 963
- Points
- 113
For a long time working with smart cards, I myself did not have a very clear idea of their insides. Having received a document describing the structure and operation of a smart card, I share this information.
A smart card with a USB controller, or a USB dongle, can be represented as a diagram (by and large, a USB dongle differs from a smart card only in the presence / absence of a USB bus controller):
As you can see from the figure, there are 3 memory sections in the smart card:
Accordingly, the processor works with these three memory areas, it is possible to read and write to all of the above memory areas.
To work with the processor at a low level, APDU (Application Protocol Data Unit) commands are used. Using APDU commands, it is even possible to access the file system of a smart card, although this is strongly discouraged.
The most interesting component is the smart card chip, which provides:
The capabilities of smart card chips vary from manufacturer to manufacturer, but the differences are minor. The differences are related to algorithms, hardware implementation of encryption and hashing algorithms, different manufacturers implement different algorithms. But such algorithms as RSA (asymmetric encryption), DES (symmetric encryption) and SHA-1 (hashing), I think, are implemented in almost all smart card chips.
Since the main purpose of a smart card is to work with digital certificates, this work can be represented as follows:
P.S. This topic was written based on materials from Aladdin. If someone has a technical description of the hardware component of dongles from other manufacturers, please share, I will be very grateful.
A smart card with a USB controller, or a USB dongle, can be represented as a diagram (by and large, a USB dongle differs from a smart card only in the presence / absence of a USB bus controller):
As you can see from the figure, there are 3 memory sections in the smart card:
- System memory - contains the file system and the operating system. It stores the data necessary to check the correctness of the entered PIN-codes and administrator passwords.
- Open memory - contains data that can be read without a PIN code. Smart card name, smart card ID, and others.
- Closed memory - contains data that can be accessed only by PIN-code.
Accordingly, the processor works with these three memory areas, it is possible to read and write to all of the above memory areas.
To work with the processor at a low level, APDU (Application Protocol Data Unit) commands are used. Using APDU commands, it is even possible to access the file system of a smart card, although this is strongly discouraged.
The most interesting component is the smart card chip, which provides:
- Storing information in the internal storage of the smart card chip. Moreover, it should be noted that it is impossible to extract information from this storage. The smart card chip does not contain a command to retrieve data from storage. This store contains the private keys of digital certificates (a somewhat illiterate phrase, but the essence is clear).
- Key pair generation. The chip of a smart card contains a random number generator (I don’t know why it is called a “sensor” in the domestic literature, I used to call it a random number generator from school). After the key pair is generated, the private key enters the storage of the smart card chip and never leaves the smart card chip, the public key is transferred to the processor, which generates a certificate request and sends it outside the smart card (to the digital certificate issuing center).
- Hardware implementation of symmetric encryption algorithms. However, due to limited resources, symmetric encryption in a smart card chip is a very long process. In this regard, it is not recommended to perform symmetric encryption of large amounts of information by means of a smart card chip.
- Hardware implementation of hashing algorithms.
- Hardware implementation of asymmetric algorithms.
The capabilities of smart card chips vary from manufacturer to manufacturer, but the differences are minor. The differences are related to algorithms, hardware implementation of encryption and hashing algorithms, different manufacturers implement different algorithms. But such algorithms as RSA (asymmetric encryption), DES (symmetric encryption) and SHA-1 (hashing), I think, are implemented in almost all smart card chips.
Since the main purpose of a smart card is to work with digital certificates, this work can be represented as follows:
- The processor receives a key pair generation command from the external environment.
- The processor translates this command to the smart card chip.
- In a smart card chip, a random number generator generates a key pair, the private key of which is placed in the storage of the smart card chip, and the public key is transmitted to the processor.
- The processor generates a certificate request (in PKCS # 10 format) that contains the public key of the generated key pair.
- The processor passes the generated request to the external environment. This request goes to the certificate issuing center and, based on this request, issues a certificate, which is returned to the smart card.
- After receiving the certificate, the processor writes it to a private memory area.
P.S. This topic was written based on materials from Aladdin. If someone has a technical description of the hardware component of dongles from other manufacturers, please share, I will be very grateful.
