The Guide to Common Personalization describes the following process for Personalization:
The Secure Channel is established with the Security Domain and Store-data commands holding DGIs are forwarded to the Applet. The Applet has the Application and the Personalization interface from org.globalplatform package and inherits processData methods to make use of the Store-data commands.
The question now is if I have to implement the init-update and external-authenticate command in my applet myself, as the Security Domain is not selected anymore and my applet does not know these INS? Does the JCRE automatically detect these GlobalPlatform APDUs and forward them to the SecurityDomain? If not, why isn't this hidden/filtered by the JCRE?
Edit: I have found an old example on the Global Platform website from 2006 called CPSDemonstrator: http://www.globalplatform.org/specificationform.asp?fid=6596 Besides the deprecated API calls, is this still the standard way to do it?
No, you don't need to implement the secure channel functions yourself: you can use the Security Domain for that. It is often a business decision: do you control the keys to that Security Domain yourself, or a trusted partner?
Let's say that you do. Then, the Secure Channel can be established to the Security Domain (selecting the Secure Channel's AID), which already implements all the necessary functionality. Once established, you can send STORE DATA APDUs to your applet if you first send an INSTALL[for personalization] APDU to the Security Domain, indicating your applet's AID within the command parameters. Step-by-step:
Internally, inside the card, the Security Domain will decrypt these STORE DATA APDUs and forward them to your applet, calling its processData method.
INSTALL[for personalization] is meant to be used if you want to personalize your application before it has been "made selectable". Once the applet is selectable, you can set up a secure channel towards the applet's AID. The applet just needs to implement the SecureChannel interface (http://www.win.tue.nl/pinpasjc/docs/apis/gp211/org/globalplatform/SecureChannel.html) to delegate authentication and encryption to its associated Security Domain.
To answer your question: you DO NOT need to implement the security commands in your applet.
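The two paths described in the answers above, sketched as an added example that is not part of the original answers or of any GlobalPlatform sample code. The class name, package name, `record` buffer and `storeDgi` helper are hypothetical; it assumes the GP 2.1.1 `Application` interface, short-length APDUs, single-byte DGI lengths, and that the Security Domain passes the whole unwrapped STORE DATA command to `processData`.

```java
package example.perso; // hypothetical package name

import javacard.framework.*;
import org.globalplatform.*;

public class PersoApplet extends Applet implements Application {
    private static final byte INS_INITIALIZE_UPDATE = (byte) 0x50;
    private static final byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;
    private static final byte INS_STORE_DATA = (byte) 0xE2;
    private final byte[] record = new byte[64]; // constructed storage for one DGI value

    public static void install(byte[] b, short off, byte len) {
        new PersoApplet().register(b, (short) (off + 1), b[off]);
    }
    // Path 1 (INSTALL [for personalization]): hands the Application interface to the caller.
    // Assumption: any caller is accepted; a production applet would check the client AID.
    public Shareable getShareableInterfaceObject(AID client, byte param) {
        return this;
    }
    // Path 1: the Security Domain has already unwrapped the command (header assumed included).
    public void processData(byte[] buf, short off, short len) {
        storeDgi(buf, (short) (off + ISO7816.OFFSET_CDATA), (short) (len - ISO7816.OFFSET_CDATA));
    }
    // Path 2: the applet itself is selected and delegates the secure channel commands.
    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        SecureChannel sc = GPSystem.getSecureChannel();
        byte ins = buf[ISO7816.OFFSET_INS];
        if (ins == INS_INITIALIZE_UPDATE || ins == INS_EXTERNAL_AUTHENTICATE) {
            // The Security Domain runs the authentication; the applet only sends its response.
            short out = sc.processSecurity(apdu);
            apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, out);
        } else if (ins == INS_STORE_DATA) {
            short len = apdu.setIncomingAndReceive();
            if ((sc.getSecurityLevel() & SecureChannel.AUTHENTICATED) == 0)
                ISOException.throwIt(ISO7816.SW_SECURITY_STATUS_NOT_SATISFIED);
            len = sc.unwrap(buf, (short) 0, (short) (ISO7816.OFFSET_CDATA + len));
            storeDgi(buf, ISO7816.OFFSET_CDATA, (short) (len - ISO7816.OFFSET_CDATA));
        } else {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
    }
    // DGI layout: 2-byte identifier, 1-byte length, value (short length form only).
    private void storeDgi(byte[] buf, short off, short len) {
        if (len < 3) ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        short dgiLen = (short) (buf[(short) (off + 2)] & 0xFF);
        if (dgiLen > (short) (len - 3) || dgiLen > (short) record.length)
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        Util.arrayCopy(buf, (short) (off + 3), record, (short) 0, dgiLen);
    }
}
```

The security-level check before `unwrap` is what keeps an unauthenticated STORE DATA from reaching the personalization data; the key material and the cryptographic protocol stay entirely inside the Security Domain.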