Want support for GP Secure Channel (SCP03) #57

Open
arekinath opened this issue Aug 2, 2021 · 2 comments

Comments

@arekinath
Owner

Since Yubico have added support for sending their admin commands over GP secure channel (SCP03) in the latest firmware, we should probably support it as well in some way, to keep feature parity.

Note that this is not the same as PIV Secure Messaging or VCI (#32)

@mistial-dev
Contributor

Would this fall under FIPS 201 2.9.2?

A PIV Card post issuance update may be done locally (performed with the issuer in physical custody of the PIV Card) or remotely (performed with the PIV Card at a remote location). Post issuance updates shall be performed with issuer security controls equivalent to those applied during PIV Card reissuance. For remote post issuance updates, the following shall apply:

  • Communication between the PIV Card issuer and the PIV Card shall occur only over mutually authenticated secure sessions between tested and validated cryptographic modules (one being the PIV Card).
  • Data transmitted between the PIV Card issuer and PIV Card shall be encrypted and contain data integrity checks.
  • The PIV Card Application will communicate with no end point entity other than the PIV Card issuer during the remote post issuance update.

This seems consistent with SP-800-85A-4:

AS05.03: The PIV Card Application shall return the status word of '6A 81' (Function not supported) when it receives a card command on the contactless interface marked “No” in the Contactless Interface column in Table 2, Part 2 of SP 800-73-4.

The PIV Card Application may return a different status word (e.g., '69 82') if the card command can be performed over the contactless interface in support of card management. The PIV Card Application will only perform the command in support of card management if the requirements specified in Section 2.9.2 of FIPS 201-2 are satisfied.

That would seem to indicate that card management functionality could be performed over a GP channel without violating the spec, as long as the security level was sufficient.

@mistial-dev
Contributor

Reading through the comments on SP 800-73-4, https://csrc.nist.gov/CSRC/media/Publications/sp/800-73/4/archive/2015-05-29/documents/sp800_73-4_2013_draft_comments_and_dispositions.pdf , NIST seems to make it clear that card management itself is out of scope (so it is fine to use SCP03 or whatever).

They also make it clear that they don't want PIV operations being done over alternate mechanisms.

Specifically:

"Declined. While other secure messaging protocols (e.g., GlobalPlatform SCP03) may be used for CMS to PIV Card communication, only the protocol specified in SP 800-73-4, for interoperability reasons, may be used to perform non-card-management operations within the PIV Card Application."
