security of elliptic curve parameters for SE050

fus · ‎06-23-2021

In order to use elliptic curves I was thinking about creating the necessary ones during provisioning. Doing this requires the "CreateECCuve" and "SetECCurveParam" APDU commands. For "CreateECCuve" the curve ID must be specified which is fixed and specified in the documentation. But the curve parameters have to be set separately with "SetECCurveParam".

Would an attacker be able to create bogus parameters if platform SCP is not set to SCP_REQUIRED? I.e. is this one more reason why platform SCP must be used and set to required even if a secure applet session is used?

Kan_Li · ‎06-27-2021

Hi @fus ,

No, the curve parameters are checked in the applet if they are correct (using a hash value) to prevent uploading any other ecc curve parameter than what is allowed in the list.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

在原帖中查看解决方案

Kan_Li · ‎06-27-2021

Hi @fus ,

No, the curve parameters are checked in the applet if they are correct (using a hash value) to prevent uploading any other ecc curve parameter than what is allowed in the list.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------