Enable security from the issuer to the card holder
The Secure Channel is a protected data channel between the PCR and the on-line banking server. Once the channel is established, the command is transmitted directly from the on-line banking server to the PCR, the card holder interacts with the PCR, and the response is sent directly back to the on-line banking server. All security aspects are out of the scope of EWC: the PCR and the on-line banking server negotiate the security and then protect the communication with secret keys that are never shared over the Internet.
EWC exposes a few functions compliant with the "Secure Channel 2010" specification from MasterCard.
The function secureChannelEstablishment establishes the Secure Channel. You have to provide the secure channel configuration for security negotiation with the PCR. Once the command is sent, the PCR responds with its own secure channel configuration.
From this exchange on, all commands are sent to the PCR using the function sendAPDUAsynchronous, which sends the protected commands in asynchronous mode.
The function secureChannelTermination is provided to close the Secure Channel. This command has to be sent by the on-line banking server as a protected command, like all others except the establishment one.
In your JavaScript file, you have to call the function secureChannelEstablishment to send the establishment command to the PCR.
var cnx = enex.getConnection( );
if( !cnx ) {
    alert( "no available connection to the smart card" );
    return;
}
// Create a callback to treat the return of the establishment command
var resultCallback = {
    success : function( a_oArgs ) {
        // a_oArgs carries the secure channel configuration returned by the PCR
        alert( "Operation succeeded - The reader returned the following data (" + a_oArgs + ")" );
    },
    failure : function( a_oError ) {
        var message = "Operation FAILED.";
        message += " Error (" + a_oError.errorCode + ").";
        message += " Message (" + a_oError.message + ")";
        alert( message );
    }
};
// Establishment parameters: the unpredictable number and the secure channel
// configuration are provided by the on-line banking server
var sUnpredictableNumber = "94882455";
var sSecureChannelConfiguration = "20109840000011223344111222330000";
var sPassCodeConfiguration = null;
var sApplicationSelectionList = null;
var bEncryption_Indicator = 0;
var bTerminate_Secure_Channel_Indicator = 0;
var bWait_Card_Indicator = 0;
cnx.secureChannelEstablishment( resultCallback, sUnpredictableNumber, sSecureChannelConfiguration, sPassCodeConfiguration, sApplicationSelectionList, bEncryption_Indicator, bTerminate_Secure_Channel_Indicator, bWait_Card_Indicator );
In your JavaScript file, you have to call the function getSecureChannelState to know whether the Secure Channel is already established.
var cnx = enex.getConnection( );
if( ( null == cnx ) || ( typeof( cnx ) == "undefined" ) ) {
    alert( "no available connection to the smart card" );
    return;
}
// Create a callback to treat the return of the getSecureChannelState function
var resultCallback = {
    success : function( a_oArgs ) {
        // The result is the state as a boolean value ("true" or "false")
        alert( "is Secure Channel active ? (" + a_oArgs + ")" );
    },
    failure : function( a_oError ) {
        var message = "Operation FAILED.";
        message += " Error (" + a_oError.errorCode + ").";
        message += " Message (" + a_oError.message + ")";
        alert( message );
    }
};
cnx.getSecureChannelState( resultCallback );
In your JavaScript file, you have to call the function sendAPDUAsynchronous to send a command.
You have to provide to the function a valid APDU compliant with the Secure Channel security model in use (MAC / MAC + encryption).
var cnx = enex.getConnection( );
if( ( null == cnx ) || ( typeof( cnx ) == "undefined" ) ) {
    alert( "no available connection to the smart card" );
    return;
}
// Create a callback to treat the return of the asynchronous function
var resultCallback = {
    success : function( a_oArgs ) {
        // The PCR answer is made of the status word and the response data
        alert( "status word (" + a_oArgs.statusWord + ") - data (" + a_oArgs.dataOut + ")" );
    },
    failure : function( a_oError ) {
        var message = "Operation FAILED.";
        message += " Error (" + a_oError.errorCode + ").";
        message += " Message (" + a_oError.message + ")";
        alert( message );
    }
};
// Send a CAP mode 2 command (no encryption/MAC in this case)
cnx.sendAPDUAsynchronous( "8012030100", resultCallback );
In your JavaScript file, you have to call the function secureChannelTermination to send the terminate command to the PCR.
You have to provide a valid MAC to the function. In any case, the PCR will terminate the Secure Channel.
var cnx = enex.getConnection( );
if( !cnx ) {
    alert( "no available connection to the smart card" );
    return;
}
// Termination parameters: the MAC is computed by the on-line banking server
var a_Encryption_Indicator = 0;
var a_MAC = "18C634123D170614";
// Create a callback to treat the return of the asynchronous function
var resultCallback = {
    success : function( a_oArgs ) {
        alert( "Secured Channel Terminated. PCR returned " + a_oArgs );
    },
    failure : function( a_oError ) {
        var message = "Operation FAILED.";
        message += " Error (" + a_oError.errorCode + ").";
        message += " Message (" + a_oError.message + ")";
        alert( message );
    }
};
cnx.secureChannelTermination( resultCallback, a_Encryption_Indicator, a_MAC );
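The four calls above form one session: establish, check the state, send protected commands, terminate. The following is an added example (not EWC's own code) that chains them in that order against a constructed mock of the PCR connection, so it runs offline; the argument values are copied from the page's samples, and the mock's `isActive` helper is an assumption added for inspection.

```javascript
// Wrap one callback-style EWC call in a Promise. sendAPDUAsynchronous takes the APDU
// first and the callback second; the other three calls take the callback first.
function callEwc(cnx, method, ...args) {
  return new Promise((resolve, reject) => {
    const cb = {
      success: (a_oArgs) => resolve(a_oArgs),
      failure: (a_oError) =>
        reject(new Error("Error (" + a_oError.errorCode + "). Message (" + a_oError.message + ")")),
    };
    if (method === "sendAPDUAsynchronous") cnx[method](...args, cb);
    else cnx[method](cb, ...args);
  });
}

// Establish, verify the state, send the protected APDUs, then terminate.
async function runSecureChannelSession(cnx, protectedApdus) {
  // Establishment is the only command that is not itself protected.
  await callEwc(cnx, "secureChannelEstablishment", "94882455",
    "20109840000011223344111222330000", null, null, 0, 0, 0);
  if ((await callEwc(cnx, "getSecureChannelState")) !== true) {
    throw new Error("Secure Channel not active after establishment");
  }
  const responses = [];
  for (const apdu of protectedApdus) {
    responses.push(await callEwc(cnx, "sendAPDUAsynchronous", apdu));
  }
  // Termination is itself a protected command: encryption indicator plus a MAC that
  // the on-line banking server computes (value taken from the page sample).
  await callEwc(cnx, "secureChannelTermination", 0, "18C634123D170614");
  return responses;
}

// Constructed mock PCR connection (not the real enex plug-in): tracks only whether
// the channel is active and refuses protected commands while it is not.
function makeMockConnection() {
  let active = false;
  return {
    secureChannelEstablishment(cb) { active = true; cb.success("PCR secure channel configuration"); },
    getSecureChannelState(cb) { cb.success(active); },
    sendAPDUAsynchronous(apdu, cb) {
      if (!active) { cb.failure({ errorCode: 1, message: "Secure Channel not established" }); return; }
      cb.success({ statusWord: "9000", dataOut: "" });
    },
    secureChannelTermination(cb) { active = false; cb.success("terminated"); },
    isActive() { return active; },
  };
}
```

Sending a command through `callEwc` before establishment rejects with the PCR's failure message, which is the case a real integration must handle before retrying the establishment.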