Versions Compared

Old Version 4

changes.mady.by.user user-9bc78

Saved on

compared with

New Version 5

changes.mady.by.user user-9bc78

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Public read mode
    In public read mode we can create / destroy temporary public non token objects – also called public session objects. Furthermore we can see all objects on the token which are tagged as public.

  2. Public read / write mode
    In this mode we have the same features as in the previous mode. Furthermore we can persistently write public objects to the card such as a certificate, a public data object or a public key. We also can destroy those objects.

    Image Modified

    The applet installed on our smartcards supports the import of public keys BUT does not support internal calculations with them. This has the following reason:
    Whenever a keypair (public / private key) is imported or generated the necessary information for doing cryptographical calculations is completely stored within the private key record. A public key record will be also written but this is just for completeness. On APDU level whether doing a public (encrypt / verify) or a private (decrypt / sign) calculation always needs the private key to be selected!
    It is possible to store a single public key in a public key record BUT the applet will not be able to use it to encrypt or verify data. In order to support those calculations for single public keys or session objects (session objects are not stored on the token resulting in not being able to use the cards cryptographic processing unit) we offer this in software.

  3. User read mode
    In this mode we have the same options as in the first mode. Furthermore we can read the private objects stored on the token and access them for cryptographic operations. Additionally we can create and destroy private session objects.

  4. User read / write mode
    In this mode we have the same options as in the previous mode. Furthermore we have full access to create and destroy objects on the token. This mode is necessary to import or generate keypairs, secret keys or private data objects

  5. SO mode
    In this mode we have the same options as in the first mode. Furthermore we can set (reset) the users PIN and install public root certificates (by tagging them with TRUSTED – this is not supported yet). We do NOT have any access to private objects but can create and destroy public token objects.

...

The mix-up of sessions having different session states is very limited:

  1. When a user session exists no SO session can be created and vice versa

  2. As soon as a session switches to user mode all open sessions switch to user mode
    => When a SO session exists no user session can be established due to 1.

  3. A SO session can not be created out of a read session

  4. As soon as a session switches to SO mode all open sessions switch to SO mode.

=> When a user session exists SO mode can NOT be established due to 1.

=> When a read session exists (and even no user is logged in) SO mode can NOT be established due to 3.


Anchor
_Toc453149746
_Toc453149746
Anchor
_Toc453920102
_Toc453920102

...

Image Added

Anchor
_Ref452724889
_Ref452724889
Figure 2: session states

Anchor
_Toc453149747
_Toc453149747
Session objects

...