status-keycard/UX_NOTES.md

101 lines
6.7 KiB
Markdown
Raw Normal View History

2018-12-04 07:20:43 +00:00
# Status Keycard UX guidelines
2018-07-18 10:48:00 +00:00
2018-12-04 07:20:43 +00:00
The scope of this document is to describe the interactions between the keycard, the user and client applications.
2018-07-18 10:48:00 +00:00
Technical details about the commands mentioned here are to be found in the [APPLICATION.MD](APPLICATION.MD) file.
## Physical interaction
The applet is installed on a regular Smart Card (plastic card) with contacted and/or contactless interface. Since the
card does not have any user input or output devices, all input and output happens through the host device. The host
device needs a card reader to interface with the card.
Each card will have a uniquely generated 12-digits PUK code (used to unblock the PIN) and a unique pairing code. The
2018-11-14 12:28:41 +00:00
pairing code is a password which must be converted to a 256-bit secret as defined in [CLIENT_NOTES.md](CLIENT_NOTES.md).
2018-07-18 10:48:00 +00:00
2018-11-14 12:28:41 +00:00
The initial PIN of the card can be set to "000000" or can be chosen by the user. The length is always 6 digits. The user
has 3 attempts to insert the correct PIN, after which it is blocked. The PIN can be reset by using the PUK. The user has
5 attempts to insert the correct PUK.
PIN, PUK and pairing password can be changed at any time by the user, after authenticating with the current PIN.
2018-07-18 10:48:00 +00:00
## Application selection
2018-12-04 07:20:43 +00:00
When the client detects a SmartCard, it should try to select the Status Keycard application by sending a selection command.
2018-07-18 10:48:00 +00:00
The applet will respond providing details useful for the next steps.
## PIN sessions
Many operations require the PIN to be authenticated. PIN entry scheme is the same as the one used for SIM-cards and follows
the rules described above. Once a PIN is authenticated, it remains authenticated until the card is reset, loses powers or
the application is re-selected. Since the card does not have a clock, if the client wants to reset PIN verification status
after a specific time/inactivity interval, it should keep track of the time itself and reset the session as described above.
## Pairing
A card can pair with up to 5 devices. The number of remaining pairing slot is given as a response to application selection.
The client will also receive an identifier, so it can recognize if it already paired with this card. Pairing must only
be done once and requires user interaction in form of pairing code entry. Keeping the generated pairing key secret is
critical to guarantee secure communication between card and client. However pairing alone does not give any access to the
keys stored on card or any other sensitive functionality, so the pairing code itself is not as sensitive.
## Unpairing
Unpairing allows to recover a pairing slot. An authenticated device can unpair itself or any other paired device. This
step requires PIN authorization. Since the card does not provide a list of paired devices, from a UI perspective the only
two options that make sense are "Unpair this device" and "Unpair all others".
## Initialization
2018-11-14 12:28:41 +00:00
When the card is delivered, it does not contain any secret so it is not able to operate properly. In this state only the
INIT command will work, which allows setting the initial PIN, PUK and pairing password using a temporary secure channel.
After this first initialization, a master key must be stored on the card. It can be recovered from a mnemonic phrase,
generated ex-novo using BIP39 or internally on the card.
The GET STATUS command can be used to determine if the card is ready to be used for signing or not.
2018-07-18 10:48:00 +00:00
The card is able to generate the mnemonic phrase internally and send it to the client as a sequence of 16-bit numbers which
are the indexes in the word dictionary. The actual key generation must happen off-card however, because the applet does not
implement PBKDF-2 to convert the phrase in a BIP-39 binary seed. The applet supports loading either the full master keypair
(private and public) or the binary seed. However the second option only works if the card supports public key derivation and
these are hard to get, since this function has been added to the JavaCard standard only in revision 3.0.5. It is critical
that the client destroys all copies of the key immediately after loading them to the card by explicitly clearing the memory
areas used to store them.
Initialization requires the PIN to be authenticated so it would be better if, upon detecting a new card, the client would
first prompt to change PIN (a step which includes PIN verification) and only after this step generates key.
The process of generating and loading new keys can also be repeated on an already initialized card. This step does not
reset the PIN to factory condition but permanently destroys the currently stored keys, so a fat huge warning must be
issued.
As with all HD-wallets, the client should show the mnemonic phrase to the user and prompt them to write down the words.
This will allow recovering the keys in case the card is lost, permanently blocked or re-initialized. Although the mnemonic
phrase could be generated by the client itself, it is safer to use the card facilities since their RNG is certified.
## Signing transactions
The main function of the card is indeed signing transactions (thus authorizing them). Signing requires the PIN to be
authenticated (except in a case mentioned below). All transaction details will be shown on the client, because of the
physical limitations of the card. The card support BIP32 HD wallets, but the key derivation (used to navigate the wallet
hierarchy) and sign steps are separate from each other. The key derivation step also requires PIN authentication
(except in a case mentioned below) but since both steps are likely to happen in the same session, this only needs to be
done once. The user does not need to interact in this key derivation step, but depending on the depth of the selected
wallet it might take a while (up to 2 seconds). Signing itself can also take a while, so it is a good idea to show a waiting
indicator during this step.
The card signs the hash of the transaction provided by client, so it can actually be used to sign any 256-bit value, making
it flexible to eventually use it contexts other than Ethereum transactions.
The card also support defining a wallet path which is PIN-less. This path can be changed but can only be one at a given time
and cannot be the master wallet. Transactions using this wallet will not require PIN entry. Setting a PIN-less path requires
PIN authorization, but the setting is retained across sessions.
The GET STATUS command can be used to query the currently selected wallet. This allows skipping the key derivation step
if the needed wallet is selected already. The selected wallet is also retained across sessions.
## Exporting keys
2018-11-14 12:28:41 +00:00
Exporting the private key is not allowed, except for specific key paths. This step requires PIN authorization. Public
keys can be exported for any path.