arekinath / PivApplet

PIV applet for JavaCard 2.2.2 and 3.0.4+ with full ECDSA/ECDH support
111 stars 37 forks source link

Want support for GP Secure Channel (SCP03) #57

Open arekinath opened 3 years ago

arekinath commented 3 years ago

Since Yubico have added support for sending their admin commands over GP secure channel (SCP03) in the latest firmware, we should probably support it as well in some way, to keep feature parity.

Note that this is not the same as PIV Secure Messaging or VCI (#32)

mistial-dev commented 2 years ago

Would this fall under FIPS 201 2.9.2?

A PIV Card post issuance update may be done locally (performed with the issuer in physical custody of the PIV Card) or remotely (performed with the PIV Card at a remote location). Post issuance updates shall be performed with issuer security controls equivalent to those applied during PIV Card reissuance. For remote post issuance updates, the following shall apply:

  • Communication between the PIV Card issuer and the PIV Card shall occur only over mutually authenticated secure sessions between tested and validated cryptographic modules (one being the PIV Card).
  • Data transmitted between the PIV Card issuer and PIV Card shall be encrypted and contain data integrity checks.
  • The PIV Card Application will communicate with no end point entity other than the PIV Card issuer during the remote post issuance update.

This seems consistent with SP-800-85A-4:

AS05.03: The PIV Card Application shall return the status word of '6A 81' (Function not supported) when it receives a card command on the contactless interface marked “No” in the Contactless Interface column in Table 2, Part 2 of SP 800-73-4.

The PIV Card Application may return a different status word (e.g., '69 82') if the card command can be performed over the contactless interface in support of card management. The PIV Card Application will only perform the command in support of card management if the requirements specified in Section 2.9.2 of FIPS 201-2 are satisfied.

That would seem to indicate that card management functionality could be performed over a GP channel without violating the spec, as long as the security level was sufficient.

mistial-dev commented 1 year ago

Reading through the comments of SP 800-73-4, https://csrc.nist.gov/CSRC/media/Publications/sp/800-73/4/archive/2015-05-29/documents/sp800_73-4_2013_draft_comments_and_dispositions.pdf , NIST seems to make it clear that card management itself is out of scope (so is fine to use SCP03 or whatever).

They also make it clear that they don't want PIV operations being done over alternate mechanisms.

Specifically:

"Declined. While other secure messaging protocols (e.g., GlobalPlatform SCP03) may be used for CMS to PIV Card communication, only the protocol specified in SP 800-73-4, for interoperability reasons, may be used to perform non-card-management operations within the PIV Card Application."