The combined mode procedure offers a higher level of security: the data part of the APDU is no longer transmitted in plaintext but in encrypted form. The procedure is an extension of the authentication mode procedure.
In the combined mode procedure, the data object protected by the cryptographic checksum is, as in the authentication mode procedure, first padded to an integral multiple of 8 bytes and then encrypted with DES in CBC mode, as shown in Figure 1. The header is left unencrypted for compatibility with the T=0 protocol: if the header were encrypted as well, the card could not recognise the command, and the ENVELOPE command would have to be used with T=0. A bit in the class byte indicates that secure messaging is in use and that the data are already encrypted when they cross the interface. Since the recipient knows the secret key used for encryption, it can decrypt the APDU; it then verifies that the decryption was correct by recomputing the cryptographic checksum over the recovered data, which adds a further level of protection at the transport layer. When reading Figure 1, note how CLA, h and LDATA change (the primed forms denote the values after protection).
When this procedure is used, an attacker eavesdropping on the I/O line cannot learn what data are exchanged in the commands and responses between the card and the terminal. Because DES in CBC mode chains the blocks together, an encrypted block in the APDU cannot be replaced unnoticed: substituting a block corrupts the decryption of that block and of the one following it, and the mismatch is detected as soon as the recipient recomputes the cryptographic checksum.
The remarks on encryption algorithms made for the authentication mode procedure apply here as well; in principle any block cipher can be used. As in the authentication mode procedure, the key should be dynamic, i.e. a key derived for each session.
Given the security advantages, it is generally recommended to use the combined mode procedure for all APDUs. However, the gain in security comes with a considerable reduction in the data transmission rate.
Figure 1: Construction of a command APDU using the combined mode procedure. A case 3 command (e.g. UPDATE BINARY) is used; the header is included in the cryptographic checksum (CCS). A response APDU is built in the same way. ('PB' denotes a padding byte.)
A good approximation of the difference in transmission rate between an unprotected APDU and an APDU protected by the combined mode procedure is a factor of 4; between the authentication mode procedure and the combined mode procedure it is a factor of 2. In each case, therefore, check carefully whether the data really need to be transmitted in this secure but time-consuming form.
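As an added worked example (not code from the original page or from any particular card operating system), the construction and verification steps described above in Go, using the standard library's single DES in CBC mode on both sides. The concrete APDU layout, the 0x80 00..00 padding, the all-zero IV, the fixed session keys and the names Protect/Unprotect are assumptions for illustration; the ISO 7816-4 secure messaging encoding of the data field (TLV data objects) is simplified to a plain concatenation of data and checksum. Beyond the round trip, the block shows the point made about CBC chaining: altering a single ciphertext byte garbles that block and the next, so the recomputed checksum no longer matches and the card rejects the command.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// CLA bits b4,b3 = 11: secure messaging in use, header authenticated (ISO 7816-4).
const smBits = 0x0C

// Session keys and IV: constructed example values; in practice derived per session from a master key.
var (
	encKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	macKey = []byte{0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}
	iv     = make([]byte, des.BlockSize) // all-zero IV (assumption)
)

// pad appends 0x80 then zeros to a multiple of the DES block size (ISO 7816-4; assumed to be the 'PB' byte of Figure 1).
func pad(b []byte) []byte {
	out := append(append([]byte{}, b...), 0x80)
	for len(out)%des.BlockSize != 0 {
		out = append(out, 0x00)
	}
	return out
}

// unpad strips that padding, rejecting anything that is not 0x80 00 .. 00.
func unpad(b []byte) ([]byte, error) {
	i := bytes.LastIndexByte(b, 0x80)
	if i < 0 || bytes.Count(b[i+1:], []byte{0x00}) != len(b)-i-1 {
		return nil, errors.New("malformed padding")
	}
	return b[:i], nil
}

// cbc runs single DES in CBC mode; callers pass block-aligned, non-empty input.
func cbc(key, in []byte, encrypt bool) []byte {
	blk, err := des.NewCipher(key)
	if err != nil {
		panic(err) // the keys above are always 8 bytes
	}
	mode := cipher.NewCBCDecrypter(blk, iv)
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// ccs is the cryptographic checksum: a DES CBC-MAC, the last block of CBC(pad(header || data)).
func ccs(header, data []byte) []byte {
	out := cbc(macKey, pad(append(append([]byte{}, header...), data...)), true)
	return out[len(out)-des.BlockSize:]
}

// Protect is the terminal side. Layout (illustrative, simplified from the ISO 7816-4 TLV
// encoding): CLA' INS P1 P2 | Lc' | ENC(pad(data || CCS)), CCS = MAC(pad(CLA' INS P1 P2 Lc || data)).
func Protect(cla, ins, p1, p2 byte, data []byte) ([]byte, error) {
	cla |= smBits
	mac := ccs([]byte{cla, ins, p1, p2, byte(len(data))}, data)
	enc := cbc(encKey, pad(append(append([]byte{}, data...), mac...)), true)
	if len(enc) > 255 {
		return nil, errors.New("protected data too long for a short-length APDU")
	}
	return append([]byte{cla, ins, p1, p2, byte(len(enc))}, enc...), nil
}

// Unprotect is the card side: check CLA and Lc', decrypt, strip the padding, split
// off the checksum and recompute it over the recovered header and data.
func Unprotect(apdu []byte) (header, data []byte, err error) {
	if len(apdu) < 5 || apdu[0]&smBits != smBits || len(apdu)-5 != int(apdu[4]) ||
		apdu[4] == 0 || apdu[4]%des.BlockSize != 0 {
		return nil, nil, errors.New("not a well-formed secure messaging APDU")
	}
	plain, err := unpad(cbc(encKey, apdu[5:], false))
	if err != nil || len(plain) < des.BlockSize {
		return nil, nil, errors.New("decryption yielded malformed plaintext")
	}
	n := len(plain) - des.BlockSize
	header, data = apdu[:4], plain[:n]
	want := ccs(append(append([]byte{}, header...), byte(n)), data)
	if subtle.ConstantTimeCompare(plain[n:], want) != 1 {
		return nil, nil, errors.New("cryptographic checksum mismatch")
	}
	return header, data, nil
}

func main() {
	apdu, _ := Protect(0x00, 0xD6, 0x00, 0x00, []byte("hello")) // UPDATE BINARY; constructed data
	apdu[5] ^= 0x01 // an attacker alters one ciphertext byte on the I/O line
	_, _, err := Unprotect(apdu)
	fmt.Printf("tampered APDU % X rejected: %v\n", apdu, err)
}
```

The size overhead is visible in the example: a case 3 UPDATE BINARY carrying five data bytes is 10 bytes unprotected and 21 bytes once checksum, padding and encryption are added, which is part of the transmission-rate cost discussed above. Single DES and a plain CBC-MAC are used here only because that is what the text describes; deployed secure messaging today uses triple DES or AES with correspondingly stronger MACs.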