[SmartcardServices-Users] Custom Smart Card Source

Miller, Timothy J. tmiller at mitre.org
Tue Jul 27 07:02:42 PDT 2010


>Does Snow Leopard, as shipped, have that capability to create/initialize
>the Smart Card/USB token?  If yes, can you steer me towards some
>documentation or if not, how would you do it?

Card initialization and personalization are usually done via a secure channel; this basically means that security-sensitive commands such as those used to install applications or generate keys are encrypted under a symmetric key unique to a specific card (injected on the card at manufacture--key ceremonies for this are fun to examine if you're into that kind of thing).  These encrypted commands can originate on the host platform, or on another machine entirely (which blinds the host to the operations--very useful for card personalization in an enterprise environment).

As a result, initialization and personalization are very much specific to the card platform and the token management system.  There are a few standards; JCOP, GSC-IS, and NIST SP800-73 all cover different (but related) APIs that include initialization and personalization commands.  Just to keep things interesting, every card management vendor does things differently.  E.g., ActivIdentity's Token Management System creates PIV-compatible cards atop JCOP smartcard platforms.  Cards are initialized using the JCOP API, personalized using the GSC-IS API, but operate using the NIST SP800-73 API.

Yes, it's a twisty maze of different standards, all similar.  :)

If you're bootstrapping a token-based PKI, it's simpler in the short run but more expensive in the long run to find a complete end-to-end solution from a single vendor--to include card supplies.  However, the trade-off vs. running it yourself is critically dependent on scale and card churn rates.

-- Tim
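An added illustration, not from the post above or from any card vendor's implementation, of the secure-channel property Tim describes: a personalization server seals each sensitive command under the card-unique key, the host in between only relays opaque bytes, and the card refuses anything tampered, replayed, or meant for a different card. The `Seal`/`Card`/`Receive` names are made up for this example, and AES-GCM with a counter nonce is an assumed simplification standing in for the card platform's real secure-channel protocol (JCOP/GlobalPlatform schemes use different ciphers and framing).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the personalization server (on the host or on another machine):
// one sensitive command is encrypted and authenticated under the card-unique
// key, with a sequence counter as nonce. The relaying host sees only counter+ciphertext.
func Seal(cardKey []byte, seq uint32, cmd []byte) ([]byte, error) {
	g, err := gcm(cardKey)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, seq)
	nonce := append(make([]byte, g.NonceSize()-4), ctr...)
	return append(ctr, g.Seal(nil, nonce, cmd, nil)...), nil
}

// Card models the token: the key injected at manufacture plus the next expected counter.
type Card struct {
	Key     []byte
	NextSeq uint32
}

// Receive is the card side: the command is released only if it authenticates under
// the card key and carries the expected counter (so replays and reorders are refused).
func (c *Card) Receive(msg []byte) ([]byte, error) {
	g, err := gcm(c.Key)
	if err != nil || len(msg) < 4 {
		return nil, errors.New("malformed message")
	}
	if binary.BigEndian.Uint32(msg[:4]) != c.NextSeq {
		return nil, errors.New("unexpected counter: replay or reorder")
	}
	nonce := append(make([]byte, g.NonceSize()-4), msg[:4]...)
	cmd, err := g.Open(nil, nonce, msg[4:], nil)
	if err != nil {
		return nil, errors.New("authentication failed: command rejected")
	}
	c.NextSeq++
	return cmd, nil
}
```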
