[Pcsclite-muscle] Fwd: Question about RSA and ECC on smart cards
wully
wully at bluewin.ch
Mon Nov 3 09:35:19 PST 2025
Hi all
I was in the muscle at lists.musclecard.com last time asking questions
around 2017. So, I was sending my new request to the wrong list address.
I hope that I am now at the right address again.
Thank you
best regards
wully
-------- Forwarded Message --------
Subject: Question about RSA and ECC on smart cards
Date: Mon, 3 Nov 2025 16:16:23 +0100
From: wully <wully at bluewin.ch>
To: muscle at lists.musclecard.com
Hi all
Currently, I am working with ATOS-Cards cardosV5.3 which support
ECDH-derivation.
Since these cards have "plenty" of memory (about 90kByte), it would be
interesting to store not only keys, certificates etc. on the card, but
also store somewhat larger data (e.g. 10 or more kB) on the card. But
to transfer the data between the card and the host, it would be good to
use an AES encryption where the key is derived by the ECDH method on the card.
The generation of an AES key on my PC by using ECDH from the card works
perfectly (using pkcs#11). I can encrypt test data in PC memory by using
C_Encrypt with the derived AES key and then decrypt the encrypted data by
using the AES key on the PC. So the basic mechanism works.
But now I would like to use this secure "channel" between the card and
the PC to transfer secret data stored on the Smartcard to the PC, so an
eavesdropper on the USB can not decode the exchanged data.
As far as I understand, the current PKCS#11 standard does not allow
encrypting a data object (CKA_VALUE) on the card directly by using a
*handle* to this data. Since the ATOS-Cards are not Java-Cards, one
cannot use a Java-Applet on this card.
Is there a possibility to do this?
The other direction would be similar: after establishing the secure
"channel", secret data from the PC could be AES-encrypted and sent over
the channel to the card. But then, the data should be decrypted INSIDE
the smartcard and then stored in a CKA_VALUE.
That would be a wonderful possibility.
Any suggestions are welcome.
wully