Hi team, we are responding to a tender clarification. The customer is interested in the MC7596 and our biometrics attachment but has asked if there is a hardware SAM (Secure Access Module) in the device.
A SAM securely stores the master key needed for secure mutual authentication between the card and the reader. It can also be used to store the other keys needed to decrypt the data on the smart card.
If there is no hardware SAM in the unit, can you suggest an alternative solution (software SAM?) that can play that role. Thanks, Ken
3 Replies
One, rather clumsy, alternative is to use the contact card interface as a SAM for the contactless interface. But you will see the card jutting out when you use it. This conforms to the ID-1 form factor. I have heard that the SIM card slot of the device can be used to insert a SAM card, which is of ID-0 form factor (but I am not sure of any real implementations). But the NXP chip in the snap-on does the cryptographic functions required by a SAM, so in cases where the smart card application you want to execute conforms to what this chip also supports, you may not require a separate SAM. You may need multiple SAM slots to execute different applications. Hope this gives some idea.
Are there APIs available for the partner to utilize the NXP chip for key programming and loading? Thanks, Ken
My understanding is that you will not call the cryptographic functions directly - this would compromise the security feature of the SAM. The partner will call the generic smartcard APIs; these will in turn trigger the cryptographic key exchanges (mainly challenge / response exchanges) between the reader and the card. What I meant by "application" in my earlier response is not the end app written by the partner; let me clarify a bit more. One application sample is an electronic purse application, consisting of a value store and a cryptographic protocol by which payments can be made from a purse (smartcard). This will involve a number of commands issued to the card by the terminal that will invoke the necessary responses. Another, quite different application example would be an access application, where a PIN and a signed response from the card are used to confirm the user's identity. This could involve the invocation of a different set of cryptographic functions. All these application types are registered by an organisation to ensure uniformity and have a unique ID. An example of a solution written by a partner could involve both of these applications. I think the snap-on supports the MIFARE DESFire protocol. You can check at the NXP sites what apps this would contain vs your tender requirements.
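The point made in the reply above and in Ken's opening description, that the master key stays inside the SAM and the terminal only drives a challenge/response exchange through generic smartcard calls, can be seen in a small simulation. The following is an added example written for this thread; it is not Motorola, NXP or MIFARE code and does not reproduce the DESFire protocol. It uses HMAC from the Python standard library as a stand-in for the card's block cipher, a constructed master key and card UID, and hypothetical class names (`Sam`, `Card`, `Reader`). The `Reader` never sees a key: it forwards random challenges to the `Sam` and to the `Card` and asks the `Sam` to check the card's answer, which is the division of labour a hardware SAM gives you.

```python
import hashlib
import hmac
import secrets


def derive_card_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key diversified from the master key and the card UID.
    Used once at personalisation time (inside a secure facility) and
    again inside the SAM at authentication time; never by the reader."""
    return hmac.new(master_key, b"card-key|" + uid, hashlib.sha256).digest()


class Sam:
    """Secure Access Module (simulated): holds the master key and exposes
    only challenge/response operations, never the key material itself."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key  # private; no accessor is provided

    def respond_to_card(self, uid: bytes, card_challenge: bytes) -> bytes:
        """Prove to the card that this terminal knows the card's key."""
        key = derive_card_key(self._master_key, uid)
        return hmac.new(key, b"reader->card|" + card_challenge, hashlib.sha256).digest()

    def verify_card(self, uid: bytes, reader_challenge: bytes, response: bytes) -> bool:
        """Check the card's answer to the terminal's challenge (constant time)."""
        key = derive_card_key(self._master_key, uid)
        expected = hmac.new(key, b"card->reader|" + reader_challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Card:
    """Simulated smartcard carrying its own diversified key."""

    def __init__(self, uid: bytes, card_key: bytes) -> None:
        self.uid = uid
        self._key = card_key
        self._pending = b""

    def challenge(self) -> bytes:
        """Card-side nonce; the reader must answer it before the card answers anything."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify_reader(self, response: bytes) -> bool:
        expected = hmac.new(self._key, b"reader->card|" + self._pending, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def respond(self, reader_challenge: bytes) -> bytes:
        # Domain-separated tag so a reader->card response cannot be replayed as card->reader.
        return hmac.new(self._key, b"card->reader|" + reader_challenge, hashlib.sha256).digest()


class Reader:
    """Terminal logic: drives the exchange but holds no keys."""

    def __init__(self, sam: Sam) -> None:
        self.sam = sam

    def authenticate(self, card: Card) -> bool:
        # Pass 1: card challenges the reader; the SAM computes the answer.
        rnd_b = card.challenge()
        if not card.verify_reader(self.sam.respond_to_card(card.uid, rnd_b)):
            return False
        # Pass 2: reader challenges the card; the SAM checks the answer.
        rnd_a = secrets.token_bytes(16)
        return self.sam.verify_card(card.uid, rnd_a, card.respond(rnd_a))


# Constructed demo values (not real keys or UIDs).
MASTER_KEY = bytes(range(32))
CARD_UID = bytes.fromhex("04a1b2c3d4e5f6")


def demo() -> tuple[bool, bool]:
    """Returns (genuine card accepted, card with wrong key rejected)."""
    sam = Sam(MASTER_KEY)
    reader = Reader(sam)
    genuine = Card(CARD_UID, derive_card_key(MASTER_KEY, CARD_UID))
    # A cloned UID with a key derived from a different master: must fail.
    forged = Card(CARD_UID, derive_card_key(b"\xff" * 32, CARD_UID))
    return reader.authenticate(genuine), reader.authenticate(forged)


if __name__ == "__main__":
    print(demo())
```

A software "SAM" built like this keeps the reader code key-free, but the master key still lives in terminal memory, so it only buys you the API separation, not the tamper resistance of a hardware module; whether that is acceptable is the question the tender clarification is really asking.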