June 2022 VivoKey Apex Flex update

My Apex arrived last week, I haven’t had it installed yet. Does anyone know where I can get the default key to install cap files with Global Platform Pro? I would use fdsm but I haven’t been able to get a response from Fidesmo about a developer account.

It’s not possible to get the master key. This is the point of Fidesmo being able to leverage multiplication capability with larger companies like transit companies and payment. Releasing the master key would create a security issue for these companies and de-incentivise publishing applications and solutions on a shared chip environment.

What are you wanting to install? VivoKey is open to publishing OSS applications they can fork to the VivoKey GitHub org repo.

2 Likes

I want to install the VivoKey SmartPGP applet, with the patches to allow for extended key lengths applied. I’ve already cloned it from GitHub (VivoKey/Flex-SmartPGP: SmartPGP is a JavaCard implementation of the OpenPGP card specifications) and compiled a patched version, although I have no idea if it actually works without being able to load it onto my chip.

1 Like

The version we published has extended 4096 key bit lengths enabled. The only thing not supported is secure channel comms, which should not be a problem since you’ll be scanning it yourself using known readers… So the chance of a sniffer between is quite low.

1 Like

I installed the published version but wasn’t able to load or generate rsa4096 keypairs. You’re referring to the version available from Fidesmo, correct (listed as 30c2ea30 - VivoKey SmartPGP (by VivoKey Technologies))?

1 Like

Also failed to generate 4096 bit keys for me but I think you need to send it some config commands through a side channel to enable this?

1 Like

What methods were you using? Were you asking the chip to generate or pushing keys in?

1 Like

This was generate on key, if I understand the interface correctly. Let me try again and document :slight_smile:

1 Like

Importing (not generating, however some frontends don’t actually generate on card but instead sideload a key generated on your PC) keys which are not RSA-2048 or NIST-P256 requires a specific reconfiguration command: flexsecure-applets/1-pgp.md at master · DangerousThings/flexsecure-applets · GitHub (Key import fail with "Invalid value" error · Issue #15 · ANSSI-FR/SmartPGP · GitHub). You can look at the CI tests for the SmartPGP applet at e.g. flexsecure-applets/SmartPGP.default.bats at master · DangerousThings/flexsecure-applets · GitHub and flexsecure-applets/SmartPGP.common.sh at master · DangerousThings/flexsecure-applets · GitHub for in-depth details.

1 Like

Seemed to work this time, may be quite sensitive to field strength and positioning as the attempt immediately beforehand failed, and then another try after removing and presenting the card again.

On the previous attempts where key generation has failed the card also stops responding to all commands until removing from the reader field and trying again.

PS C:\Users\ethan> gpg-card.exe
Reader ...........: ACS ACR1252 1S CL Reader PICC 0
Serial number ....: [redacted]
Application type .: OpenPGP
Version ..........: 3.4
Displayed s/n ....: 000A 00000000
Manufacturer .....: VivoKey (a)
Name of cardholder: Ethan Rose
Language prefs ...: en
Salutation .......:
URL of public key : http://ethanrose.co.nz/0BB176B9.asc
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Capabilities .....: key-import algo-change priv-data
KDF setting ......: on
Signature key ....: [none]
      keyref .....: OPENPGP.1
      algorithm ..: rsa2048
Encryption key....: [none]
      keyref .....: OPENPGP.2
      algorithm ..: rsa2048
Authentication key: [none]
      keyref .....: OPENPGP.3
      algorithm ..: rsa2048

gpg/card> generate
OpenPGP card no. 000A 00000000 detected
Make off-card backup of encryption key? (Y/n) Y
gpg/card> list
Reader ...........: ACS ACR1252 1S CL Reader PICC 0
Serial number ....: [redacted]
Application type .: OpenPGP
Version ..........: 3.4
Displayed s/n ....: 000A 00000000
Manufacturer .....: VivoKey (a)
Name of cardholder: Ethan Rose
Language prefs ...: en
Salutation .......:
URL of public key : http://ethanrose.co.nz/0BB176B9.asc
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Capabilities .....: key-import algo-change priv-data
KDF setting ......: on
Signature key ....: [redacted]
      keyref .....: OPENPGP.1  (sign,cert)
      algorithm ..: rsa2048
      stored fpr .: [redacted]
      created ....: 2022-09-14 08:01:02
Encryption key....: [none]
      keyref .....: OPENPGP.2
      algorithm ..: rsa2048
Authentication key: [none]
      keyref .....: OPENPGP.3
      algorithm ..: rsa2048

This appears to be RSA2048. In general, I’d recommend using elliptic curves instead of very large RSA keys (>=3072), due to memory usage - if your systems support these newer algorithms. Also keep in mind that generating large primes or elliptic coordinates takes considerable time (depending on available entropy and compute performance), so make sure to power your token long enough.

Also, importing a pre-existing key you generated before on your PC is faster than generating on-card and allows you to backup your keys a bit more easily. However, generating on-card might be required for your security model.

2 Likes
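The listing above shows every slot still configured for rsa2048 after `generate`. As an added example (not part of the original thread), this Python sketch parses the key-slot section of `gpg-card` output and reports slots whose configured algorithm differs from the intended one; the sample text is constructed from the listing above, and `rsa4096` as the expected algorithm name is an assumption.

```python
import re

# Constructed sample, modelled on the key-slot section of the listing above.
SAMPLE = """\
Signature key ....: [redacted]
      keyref .....: OPENPGP.1  (sign,cert)
      algorithm ..: rsa2048
      stored fpr .: [redacted]
Encryption key....: [none]
      keyref .....: OPENPGP.2
      algorithm ..: rsa2048
Authentication key: [none]
      keyref .....: OPENPGP.3
      algorithm ..: rsa2048
"""

SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key\s*\.*:\s*(.*)$")
FIELD_RE = re.compile(r"^\s+(keyref|algorithm)\s*\.+:\s*(\S+)")

def parse_slots(listing):
    """Return one dict per key slot: slot name, key present?, keyref, algorithm."""
    slots, current = [], None
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": m.group(1), "present": m.group(2).strip() != "[none]"}
            slots.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f.group(1)] = f.group(2)
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the current slot's fields
    return slots

def audit(listing, expected="rsa4096"):
    """List (keyref, algorithm, state) for slots not configured as expected."""
    findings = []
    for s in parse_slots(listing):
        algo = s.get("algorithm", "unknown")
        if algo != expected:
            state = "holds a key" if s["present"] else "empty"
            findings.append((s.get("keyref", s["slot"]), algo, state))
    return findings

if __name__ == "__main__":
    for keyref, algo, state in audit(SAMPLE):
        print(f"{keyref}: configured {algo}, expected rsa4096 ({state})")
```

Running the check before and after key generation shows whether the slot's algorithm attribute was actually changed, rather than relying on the front end's prompts.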

I have mailed Fidesmo as well for Developer Access (as a business). I got a nice response to provide some additional information (reason for the developers request, whether I want to talk about a partnership, etc.), but after that complete silence.

I requested whether they can still follow up on my developer access request or whether they need more information, but no reply.

Feel like Fidesmo is primarily trying to spot business opportunities and if they do not see them, it has no priority at all.

4 Likes

I emailed to “activate” my old developer account and didn’t hear much back after they asked for commercial details either. The updated developer docs and site are way less intuitive…quite obstructive compared to previous.

1 Like

Yep, just generated using defaults for a test :slight_smile:

1 Like

Same experience here - seems they have no interest in developer accounts for individuals anymore

1 Like

Hi! I’m curious about the process of developing for the apex. I’ve found some info scattered around in this and other threads but I just wanted to double check and confirm everything:

  1. Is there a way to run custom code on the chip without needing to use a third party (Fidesmo)?
  2. If not, what is the process to run custom code on the chip? (Several posts above mention difficulties getting a developer account with Fidesmo. Does that mean it’s literally impossible for me to run custom code?)
  3. If it’s only possible to run code with Fidesmo in the middle, how much do they need to be trusted? I.e. are the builds reproducible? Given the source code of my applet (or e.g. the official vivokey applets), can I cryptographically confirm that the applet that was installed to the chip is the same as the applet I get by freshly compiling from source?
  4. Is it possible to buy “development” cards to not risk bricking the implant? I see Fidesmo P40 SmartMX Card - RFID & NFC Chip Implants and Biohacking products but it’s sold out (and IIUC it’s using the old chip so it wouldn’t be good anyway).

Thanks! I’ve been looking forward to a truly customizable implanted device for a long time now, happy to see this project advance.

1 Like

Seems like it…

Yes, soon™ there will be Apex cards ^^

Completely. They hold your keys and could install any shit they want when you tap your phone.

I hiiiiighly doubt that, but I’d love to be corrected here. Btw I think you publish the built .cap file, not the source. So no reproducible build necessary (also what do you expect heh it’s java, as if you’d ever get 2 identical builds :smiley: )


Currently, getting your own P71 cards and having Amal convert them is the “only” way to run your own code on implants.

Thing is, you then have to manage your keys yourself and might brick the implant.

It’s very sad Fidesmo is taking this direction, but nothing we can do about it. It’s probably for the best, if we ever want payments, airplane tickets and whatnot enabled…

4 Likes

This thought did cross my mind recently! I have some dual interface cards on order but not sure if they would convert nicely.

1 Like

Stay tuned for the future, you will be pleasantly surprised very soon :tm:

7 Likes

I thought this was about card payments :frowning: