29 May 2011

Nexus S Secure Element, Google Wallet

Nexus S does NFC but has no µSD Slot
Google & MasterCard want to control your wallet.


But:

DIY NFC using the Nexus S

Here's what we did next: Download the source (actually from CyanogenMod 7 to have the full build environment for the new Nexus S), make the appropriate changes to the code, recompile everything and put it back into the phone and it works — Nexus S supports card emulation and SWP!
Then we developed an Android app which we call "The Secure Element Manager" that gives the user full control over the secure elements in the phone as well as the NFC chip.
We are now able to fully control the PN65N from an Android app. Very nice, but not enough; we need more: an API for accessing the UICC (secure element) from an Android API.
nearfieldcommunicationsworld
Luckily Giesecke & Devrient already supports the development of a smartcard stack for Android, SEEK, the Secure Element Evaluation Kit. This one is available for Android 2.2 and requires some adaption to work in Gingerbread, but after these changes we have a fully featured NFC phone using the Nexus S Hardware. Nice, isn't it?

http://groups.google.com/group/android-developers/browse_thread/thread/418c9b370f08a9f7

__________________________________________________
Nokia C7 comes with a PN544 from NXP. .. ready for Single Wire Protocol support in order to use the UICC as the secure element.

.. Nokia only needs to provide firmware .. likely use NXP's FRI (Forum Reference Implementation), which is also used in the Google phone...

The FRI is a basic software stack for managing the NFC chip through HCI (Host Controller Interface). Android's core and Symbian^3 are both implemented in C, so the stack ..can be ported to both ..

P2P/LLCP and card emulation using SWP or an embedded secure element.

On top of the FRI, Nokia will provide JSR257 (Java layer) in order to manage reading/writing functionality or exchanging of NDEF data structures. Depending on the configuration of the FRI, the phone can support SWP to offer card emulation using a UICC.

Nokia's C7 already provides JSR177 for J2ME applications to communicate with the UICC...
.......................
The Nexus S comes with a PN65N from NXP. This chip is a combination of the PN544 NFC controller and an embedded SmartMX secure element.
__________________________________________________



1. Is this the birth of a new payments network, or an old network in mobile form?

.. Google will be partnering with MasterCard to bring mobile payments ... If that turns out to be true, it's a definite win for the old guard. The current payments infrastructure is built on principles that were defined in the 1970s when credit cards as we know them appeared on the market. It's ripe for disruption and Google has the perfect skillset for doing so. Both MasterCard and Visa have looked at risk of disintermediation.

"secure element" in the case of the Google Nexus S, .. a chip embedded in the mobile phone during manufacturing. (Nexus has NO slot)
With a microSD, it can be anyone. With an embedded secure element, it would usually be the manufacturer of the phone. This is expected to be the case with RIM's forthcoming Blackberry NFC phones and is almost certain to be the case with a future Apple iPhone.
..........
Will any business be able to get access to Google mobile wallets — even direct competitors like Microsoft and Apple — or will Google lock them out? How about the likes of Groupon, PayPal, Facebook and Visa? And who will these businesses go to instead to access the new generation of mobile wallet technology if they can't access a Google Wallet?
nearfieldcommunicationsworld
__________________________________________________


The NXP PN65 .. the NFC radio controller, the embedded secure element and NFC software ...
nxp

Google Wallet, Google Offers, Google Prepaid Card and SingleTap, .. in conjunction with MasterCard, Citi, First Data and Sprint.
. add funds.. from any credit card.
Payments processing ..through MasterCard's PayPass network.
First Data for trusted service manager (TSM) ..such as provisioning card ..
..
nearfieldcommunicationsworld
hypercom

The Google Wallet limited to Nexus S 4G phones Sprint, not the 3G version for T-Mobile or other Android phones...
..Steve Owen, vice p id NXP ..all Android .. could potentially support the wallet
Google could try to control embedded chips and APIs, in other NFC phones ... at odds with mobile operators that want to control the application-bearing chips ..

Isis (AT&T, Verizon Wireless and T-Mobile) wants to control the secure elements. Sprint dropped out.
nfctimes
European.. business model for NFC is based on charging fees to banks and other service providers to put their NFC applications on SIM cards that the telcos issue.

But Google, in fact, is also seeking to recruit European banks ..the Nexus S also supports the single-wire protocol connection to the SIM card, it's possible that Google could block this.

PayPal is accusing Google of stealing its trade secrets by recruiting Osama Bedier, Google's head of payments. It also names Tilenius, who worked at eBay.

__________________________________________________

the wallet will require an “app-specific PIN” to activate, and in the first release (sic), “all payment card credentials will be encrypted and stored on a chip.” (like, in later releases card credentials will be scattered about in clear?)

Update: It's possible Google could ... use Android API availability to prohibit other wallet service providers? ..
Google made a point of saying that the wallet would be open to other banks and service providers, along with other mobile carriers and handset makers. ..Google is likely to want to control which applications go into its wallet, ..APIs and master keys, managed by First Data.

__________________________________________________

24 May 2011

Secure Element, Kenya, ChangeKeyAES

Secure Element
The Mobile Security Card SE 1.0 is a standard flash memory mass storage card supplemented with an additional secure element, .. functionality for security operations such as PKI key management or key generation... e-mails, network access.. smartphones, the microSD™ format is the most adopted..
Mobile Commerce Extension protocol ( SDA) or via file.. »Generic Security Interface«,.. Giesecke & Devrient (G&D). The drivers offer a PC/SC (or similar) interface .. Windows Mobile™, ..Symbian OS, Android and Linux®. ..

Memory • 78 kB free EEPROM Mass storage capability • Min. 2 GB flash memory
..
• Hash algorithms: SHA-1, SHA256, MD5, RIPE-MD160 • Symmetric encryption: DES, 3-DES, AES up to 256 bit, Seed 128 bit • Asymmetric encryption: RSA® up to 2048 bit..DSA up to 1024 bi
gi

__________________________________________________
Smart Card based PKI (Public Key Infrastructure)
.. used by eMails (S/MIME), data encryption and secure authentication (VPN, SSL/TLS). It is based on public/private keys (typically RSA) and certificates, which bind a user identity to a public key.
..the private key is often stored on a smart card..
The most common API to access cryptographic smart card functions is the PKCS#11 interface, published by RSA Labs.
..Corresponding to the PKCS#11 interface, the PKCS#15 specification defines a file structure and description syntax for keys and certificates on the smart card.
google
____________________________________________________________________
State Snooping aka "foiling scalpers"
A real-name ticket sales system began operation Sunday in Beijing. .., aims to make buying a ticket more convenient and fair, by foiling scalpers.
..a ticket vending machine particularly installed with an ID card reader
passengers who forget or lose their ID cards can go to a special window opened by local police ..
Without an ID card, the office can't sell any tickets.
Regarding the new rule's inconvenience..passengers would feel they have no privacy any more."
___________________________________________
African NFC Money
By Griffins Omwenga and Kui Kinyanjui 16 May 2011 21:54
Nairobi. .InMobi, Pay4Me and MoMagic services in the next few months.. pay for goods and services through their mobile phones.
Mobile advert firm InMobi... to launch a new mobile payment system..SmartPay solution..
..a simple payment gateway..to receive money for goods sold online..
..one-time, no-cost, single point of integration across multiple countries.
Locally, it will take on solutions like Pesa Pal and M-Pesa,.. payment solution for e-commerce ventures .. due to low penetration of.. credit cards.
thecitizen.co.tz

___________________________________________
Apple will not include Near Field Communication (NFC) in the next version of the iPhone.
Apple's next iPhone, said to be called the 4S, will not have mobile payment support through NFC (near field communication), says Bernstein in a note this morning.
businessinsider


___________________________________________________
Neat Drive
The GoFlex Satellite is a 500Gb external (Seagate) .. Wi-Fi access and a lithium-polymer battery.
USB interface ( 3.0.. 10x faster),..recharging and moving files. Video, music, photo..
..pressing a power button.. Wi-Fi access mode. ..shows up as a wireless network on your Wi-Fi-enabled device, .. iPad, iPhone, iPod touch, Android tablet, smartphone or a laptop.
..www.goflexsatellite.com in the device’s browse..Movies, Pictures, Music and Documents ..
..media files have to be compatible with Apple devices.. video has to be in H.264, MPEG4 or Motion-JPEG format.
However, using the $5 OPlayer HD iPad app, I was able to play media files in any format on my iPad...
..play three videos at once from the drive, stutter-free and in very good quality...
..$200 .. cf $500 16Gb Wi-Fi only iPad and $700 64Gb iPad

___________________________________________________
Odd DESFire Fact
When changing a Key on a DESFire SAM using AES
you can only do it once!
To change the key again you have to restart the program.
Even an ATR does not enable that second key change..
So I wrote a "hot-swap" program which enables SAM change...
the original SAM can still only change a key once ...
There must be something in javax.smartcardio that gets initialized on program startup
which then only lets you change a key once!
___________________________________________________

16 May 2011

Peer To Peer

Peer to Peer
I doubt whether MasterCard/Visa are enthusiastic about Actual Peer-to-Peer
- because that would cut them out of the picture.
All you need is a retailer or bank at the receivers end who has a deal with the
PtoP system operator. They might well settle using conventional EFTPOS or even Visa credit.
But the PtoP doesn't need any credit card company.
__________________________________________________
Google gets it, and says it's too hard
"I'd love to see peer-to-peer used for payment," Google's Nick Pelly
...Typically, the hardware is set up to do card emulation through the secure element. Right now, we don't have any APIs to talk to the secure element. And we think that we probably won't be getting APIs to do that anytime in the near future in the SDK.
..to talk to the secure elements, even from applications on the phone, you need to authenticate yourself properly.
And if you improperly authenticate yourself a certain number of times, there are secure elements out there that will physically destroy themselves and can never be recovered. So that's something that we really think would be a bad experience for users, and we don't want developers getting blamed for, you know, breaking hardware
nearfieldcommunicationsworld
__________________________________________________
Some places aren't even getting started:
Smartcards delayed for seven years .. 13 May 2011
..commuters in Scotland will not benefit from queue-busting travel smartcards until at least 2018 because companies involved are reluctant to share their tickets..
heraldscotland

___________________________________________________
Third World types really get it:

The strides Kenya has made in mobile banking .. Mobile Money Transfer Conference in Nairobi.
..“Kenya is a pioneer in the mobile payment industry ..
..Mobile money transfer platforms like M-Pesa by Safaricom, YuCash by Yu, Orange Money by Orange and Airtel Money enable people to access money through mobile phones, ..
...“Idle soft currency kept under the mattress is not safe, but once it is in the mobile wallet it can be lent out for traders to do business for additional revenue streams.”(???)
..nation

__________________________________________________
MasterCard want to stay in the picture .. but really, we don't need them ..
..May 16 2011
MasterCard demonstrates.. iPhone attachment running its contactless PayPass ..
..iCarte (Wireless Dynamics) .. MasterCard PayPass application in an embedded secure chip,...tap their iPhone 4 handsets .. where the PayPass is accepted...
.. Singapore Cassis Intl as trusted service manager to provision the PayPass
..Singapore’s EZ-Link .. used for transit,.. some retail ..also issues a MasterCard branded prepaid card.. Fevo.
..whether EZ-Link..would also be on the phones, though likely not.

..another trial of an NFC bridge .. a SIM attached to a flexible contactless antenna, (Gemalto).. mobile operator StarHub and DBS Bank. ..

In Malaysia.. Maxis Communications ..some interest..
.
Visa Europe ..trial in Turkey ..United Kingdom of the iCarte...Visa has trialed contactless microSD cards in the iPhone and other..

The microSDs, as well as the iCarte have corresponding apps .. to access the payment applications stored on the secure chips ..
..
nfctimes


___________________________________________________
Speed not a problem
TransferJet is a wireless technology that is said to combine the speed of Ultra Wide Band with the ease of Near Field Communications...560Mbit/s,.. effective throughput.. 375Mbit/s,.. 4.48GHz..
in V2 of the protocol, centre frequency of 60GHz.. data transfer rate to 2Gbit/s. Expect this chip in mid 2014.
___________________________________________________

05 May 2011

AES CMAC as used in DESFire AV2

AES CMAC
nb may need to chain the IV


import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import java.security.NoSuchAlgorithmException;
import javax.crypto.spec.SecretKeySpec;


/**
 *
 * @author Chris Skinner
 */
public class AES {


    static public byte[] K = new byte [16]; // 128 bit key
    static public byte[] K1 = new byte [16]; // 128 bit sub key
    static public byte[] K2 = new byte [16]; // 128 bit sub key
    static final public byte[] Z16  = new byte [16]; // 128 bit zero
    static Cipher cipher = null;


//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧
    static void print (String s) {
        System.out.print(s);
    }
//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧


    static byte[] shl (byte[] bin)  // << 16 byte array
    {
        byte[] bout = new byte[16];
        for (short j = 0; j < 15; j++)  // java b[0] is the highorder
        {
            int sot = ((bin[j+1] & 0x80) >> 7);
            int sef = ( bin[j] << 1 ) | sot;
            bout[j] = ( byte)sef;
        }
        bout[15] = (byte)(bin[15] << 1);
        return bout;
    }
//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧
    static SecretKeySpec skeySpec = null;


    public static void subKeys(byte[] key) // make K1 K2 from key
    {
    /*
         +                    Algorithm Generate_Subkey                      +
   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
   +                                                                   +
   +   Input    : K (128-bit key)                                      +
   +   Output   : K1 (128-bit first subkey)                            +
   +              K2 (128-bit second subkey)                           +
   +-------------------------------------------------------------------+
   +                                                                   +
   +   Constants: const_Zero is 0x00000000000000000000000000000000     +
   +              const_Rb   is 0x00000000000000000000000000000087
    binary 10000111    +
   +   Variables: L          for output of AES-128 applied to 0^128    +
   +                                                                   +
   +   Step 1.  L := AES-128(K, const_Zero);                           +
   +   Step 2.  if MSB(L) is equal to 0                                +
   +            then    K1 := L << 1;                                  +
   +            else    K1 := (L << 1) XOR const_Rb;                   +
   +   Step 3.  if MSB(K1) is equal to 0                               +
   +            then    K2 := K1 << 1;                                 +
   +            else    K2 := (K1 << 1) XOR const_Rb;                  +
   +   Step 4.  return K1, K2;                                         +
   +                                                                   +
         */
    byte bRb = (byte)0x87; // Rb for AES128
    // key must be 16 bytes
    try
        {
        skeySpec = new SecretKeySpec(key, "AES");
        if (cipher == null)
            cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);
        K1 =  cipher.doFinal(Z16);
        }
        catch (Exception ex)  // nosuchalgorithm, invalidkey,nosuchpadding...
        {
             print("\n error 400 AES   " + ex.getMessage());
        }
        boolean highL = ((K1[0] & 0x80) != 0);
        K1 = shl(K1);
        if (highL)
            K1[15] = (byte)(K1[15] ^ bRb);
        highL =  ((K1[0] & 0x80) != 0);
        K2 = shl(K1);
        if (highL)
            K2[15] = (byte)(K2[15] ^ bRb);
    }
//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧
    static byte[] xor16(byte[] ba, byte[] bb)
    {
        byte[] bout = new byte[ba.length];
        for (short j = 0; j < ba.length; j++)
            bout[j] = (byte)(ba[j] ^ bb[j]);
        return bout;
    }


//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧


    static public byte[] CMAC(byte[] key, byte[] mesg)
    {
        /*
         +   Input    : K    ( 128-bit key )                                 +
   +            : M    ( message to be authenticated )                 +
   +            : len  ( length of the message in octets )             +
   +   Output   : T    ( message authentication code )                 +
   +
         +              const_Bsize is 16                                    +
   +                                                                   +
   +   Variables: K1, K2 for 128-bit subkeys                           +
   +              M_i is the i-th block (i=1..ceil(len/const_Bsize))   +
   +              M_last is the last block xor-ed with K1 or K2        +
   +              n      for number of blocks to be processed          +
   +              r      for number of octets of last block            +
   +              flag   for denoting if last block is complete or not +
   +                                                                   +
   +   Step 1.  (K1,K2) := Generate_Subkey(K);                         +
   +   Step 2.  n := ceil(len/const_Bsize);
         The smallest integer no smaller than x.
          ceil(3.5) is 4.  ceil(5) is 5.+
   +   Step 3.  if n = 0                                               +
   +            then                                                   +
   +                 n := 1;                                           +
   +                 flag := false;                                    +
   +            else                                                   +
   +                 if len mod const_Bsize is 0                       +
   +                 then flag := true;  no overflow                              +
   +                 else flag := false;                               +
   +                                                                   +
   +   Step 4.  if flag is true                                        +
   +            then M_last := M_n XOR K1;                             +
   +            else M_last := padding(M_n) XOR K2;                    +
   +   Step 5.  X := const_Zero;                                       +
   +   Step 6.  for i := 1 to n-1 do                                   +
   +                begin                                              +
   +                  Y := X XOR M_i;                                  +
   +                  X := AES-128(K,Y);                               +
   +                end                                                +
   +            Y := M_last XOR X;                                     +
   +            T := AES-128(K,Y);                                     +
   +   Step 7.  return T;                                              +
   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


         */
    subKeys(key);  // set K1,K2
    int mz = mesg.length ;
    print("\n\n message " + hex(mesg));  //✦✦✦✦✦✦✦✦✦✦✦✦✦✦✦
    int n = mz / 16;  // number of complete 16-byte chunks; if overflow > 0 add 1 to this
    print("\n mz " + mz + "   first n " + n);  //✦✦✦✦✦✦✦✦✦✦✦✦✦✦✦
    int m = n * 16;
    int v = mz - m; // overflow bytes 0..15
    print("       m " + m + "   v " + v);//✦✦✦✦✦✦✦✦✦✦✦✦✦✦✦
    if (v > 0)
        n++;  // now the "actual" number of chunks, i.e. the ceiling
    // Step 3: the last block is "complete" only for a non-empty multiple of 16 bytes
    boolean complete = (mz > 0) && (v == 0);
    if (n == 0)
        n = 1;  // an empty message is processed as one padded block
    print("    new n " + n);//✦✦✦✦✦✦✦✦✦✦✦✦✦✦✦


    byte[] MLast = new byte[16];
    int lastn = ( n-1 ) * 16;  // byte address of the last chunk within mesg
    int lastz = mz - lastn;    // number of bytes to copy to the last chunk (0..16)
    System.arraycopy(mesg,lastn, MLast,0,lastz);
    print("\n MLast " + hex(MLast));  //✦✦✦✦✦✦✦✦✦✦✦✦✦✦✦
    if (complete)  // no overflow
       MLast = xor16(MLast,K1);
    else
    {
        MLast[lastz] = (byte)0x80;  // padding: a single 1 bit, then zeros
        print("\n v pre  MLast " + hex(MLast)); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        MLast = xor16(MLast,K2);
        print("\n v post MLast " + hex(MLast)); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    }
    //todo: put MLast back into mesg and do a normal CBC....
    // we should be able to use CBC...    // todo replace with CBC


    byte[] X     = new byte[16];  // zeros by default;
    //BUT updated IV has to be used in next CMAC or encryption
    byte[] plain = new byte[16];
    try
    {
        if (cipher == null)
            cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, skeySpec);   // skeySpec was set in subKeys()


        for (short j = 0 ; j < n-1; j++)
        {
            int jx = j * 16;  // byte offset of chunk j
            System.arraycopy(mesg,jx, plain,0,16);
            plain = xor16(plain,X);
            print("\n plain aaa   " + hex(plain)); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
            X =  cipher.doFinal(plain);
        }
        plain = xor16(MLast,X);
        print("\n plain zzz   " + hex(plain)); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
        X =  cipher.doFinal(plain);
        print("\n cipherzzz   " + hex(X)); //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    }
    catch (Exception ex)  // nosuchalgorithm, invalidkey,nosuchpadding...
    {
             print("\n error 400 AES   " + ex.getMessage());
    }
    return X;
    }

    // Hex rendering for the debug prints. Stands in for the author's
    // Uti.asString helper, which is not shown on this page.
    static String hex(byte[] b)
    {
        StringBuilder sb = new StringBuilder();
        for (byte x : b)
            sb.append(String.format("%02x", x));
        return sb.toString();
    }
}//♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧ fin ♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧♧
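
The "todo: replace with CBC" and "chain the IV" notes in the listing above, worked as an added example that is not the author's code: CMAC computed as one AES/CBC/NoPadding pass with the starting IV passed in, checked against the RFC 4493 test vectors. The class and method names are hypothetical, and using the previous tag as the next IV is an assumption about what the chaining note means.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example; class and method names are hypothetical.
public class CmacCbcCheck {

    // Multiply by x in GF(2^128): shift left one bit, XOR Rb = 0x87 on carry.
    static byte[] dbl(byte[] in) {
        byte[] out = new byte[16];
        for (int i = 0; i < 16; i++) {
            int carryIn = (i < 15) ? (in[i + 1] & 0x80) >>> 7 : 0;
            out[i] = (byte) ((in[i] << 1) | carryIn);
        }
        if ((in[0] & 0x80) != 0) out[15] ^= (byte) 0x87;
        return out;
    }

    // iv = 16 zero bytes gives plain RFC 4493 CMAC; a non-zero iv chains
    // this computation onto an earlier one (assumed convention).
    static byte[] cmac(byte[] key, byte[] iv, byte[] msg) throws Exception {
        SecretKeySpec ks = new SecretKeySpec(key, "AES");
        Cipher ecb = Cipher.getInstance("AES/ECB/NoPadding");
        ecb.init(Cipher.ENCRYPT_MODE, ks);
        byte[] k1 = dbl(ecb.doFinal(new byte[16]));   // subkey for a complete last block
        byte[] k2 = dbl(k1);                          // subkey for a padded last block

        int n = Math.max(1, (msg.length + 15) / 16);  // empty message counts as one block
        boolean complete = msg.length > 0 && msg.length % 16 == 0;
        byte[] buf = Arrays.copyOf(msg, n * 16);      // zero-filled up to a block boundary
        if (!complete) buf[msg.length] = (byte) 0x80; // padding: 1 bit, then zeros
        byte[] sub = complete ? k1 : k2;
        for (int i = 0; i < 16; i++) buf[(n - 1) * 16 + i] ^= sub[i];

        // With the last block masked, CMAC is the final block of a CBC encryption.
        Cipher cbc = Cipher.getInstance("AES/CBC/NoPadding");
        cbc.init(Cipher.ENCRYPT_MODE, ks, new IvParameterSpec(iv));
        byte[] ct = cbc.doFinal(buf);
        return Arrays.copyOfRange(ct, ct.length - 16, ct.length);
    }

    static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++)
            b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return b;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = hex("2b7e151628aed2a6abf7158809cf4f3c");  // RFC 4493 test key
        byte[] zeroIv = new byte[16];
        String m = "6bc1bee22e409f96e93d7e117393172a"
                 + "ae2d8a571e03ac9c9eb76fac45af8e51" + "30c81c46a35ce411";
        String[][] vectors = {   // {message, expected tag}, RFC 4493 examples 1 to 3
            {"",                 "bb1d6929e95937287fa37d129b756746"},
            {m.substring(0, 32), "070a16b46b4d4144f79bdd9dd04a287c"},
            {m,                  "dfa66747de9ae63030ca32611497c827"},
        };
        for (String[] v : vectors) {
            byte[] tag = cmac(key, zeroIv, hex(v[0]));
            // Constant-time comparison, as a tag verifier should use.
            if (!MessageDigest.isEqual(tag, hex(v[1])))
                throw new IllegalStateException("CMAC mismatch, length " + v[0].length() / 2);
        }
        // Chained use: the tag of one message becomes the IV of the next, so the
        // same bytes authenticate differently depending on what came before.
        byte[] t1 = cmac(key, zeroIv, hex(m));
        byte[] chained = cmac(key, t1, hex(m));
        System.out.println("RFC 4493 vectors ok; chained tag differs: "
                + !Arrays.equals(t1, chained));
    }
}
```

The empty-message vector is the one that exercises Step 3 of the algorithm (n forced to 1, padded block, K2), which is the case most hand-written CMAC loops get wrong.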