Question

I'm at a dead end in researching how to generate asymmetric keys from a PIV card. I've looked through the NIST SP 800-73-3 standards but I am not able to accomplish this. Outlined in part 3 of that document it shows them using INS 47 to do this, but I get a 6D00 error. Is there another command that needs to be sent before this can be obtained?

Also, please correct me if I am wrong, but from my understanding when a key is generated, the private key gets stored on the card while the public key is returned. In order to encrypt the data with the private key, the data must be sent to the card and the encrypted information is returned. Is this accurate? How many keys can a card store at once?


Solution

Standards are a fine thing but mostly not sufficient for smart cards. You need a manual for your specific card, describing which parts of the standards it supports. For key generation it is a good idea to have a look into ISO 7816, part 8 (in addition to the card manual). There are command variants returning the public key and others leaving it silently in the card for later retrieval. For your error: it is possible that your card is in a life cycle phase where key generation is no longer available, but the even instruction code 46 is also worth a try.

The command for encrypting is Perform Security Operation, also described in 7816-8. Note that using an asymmetric key for encryption is unusual for a substantial amount of plaintext. Typically the text is encrypted using a symmetric cipher and just the symmetric key is transmitted using asymmetric encryption, for performance reasons.
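The GENERATE ASYMMETRIC KEY PAIR exchange discussed above, as an added example that is not part of the original post or of any card vendor's code: it builds the SP 800-73-3 INS 0x47 APDU for a chosen key slot and algorithm, decodes the status word (including the 6D00 the question reports), and parses the 7F49 public-key template. No card is contacted; the key reference 0x9A and the response bytes are constructed for the example.

```python
# Added example (not from the original post): PIV GENERATE ASYMMETRIC KEY PAIR
# (SP 800-73-3 Part 2, INS 0x47) request builder and response parser. Offline:
# the response below is a constructed sample, not output from a real card.

# Algorithm identifiers from SP 800-73-3 Part 1 (Table 6-2)
PIV_ALG = {"rsa1024": 0x06, "rsa2048": 0x07, "ecc_p256": 0x11, "ecc_p384": 0x14}

# ISO 7816-4 status words a caller should distinguish before retrying anything
STATUS = {
    0x9000: "success",
    0x6D00: "instruction code not supported or invalid",
    0x6982: "security status not satisfied (card admin authentication required first)",
    0x6A80: "incorrect parameters in the data field",
}

def build_generate_keypair(key_ref: int, alg: str) -> bytes:
    """CLA 00, INS 47, P1 00, P2 = key reference (0x9A = PIV Authentication key),
    data = 'AC' control template holding tag 80 (algorithm id), Le = 00."""
    template = bytes([0x80, 0x01, PIV_ALG[alg]])
    data = bytes([0xAC, len(template)]) + template
    return bytes([0x00, 0x47, 0x00, key_ref, len(data)]) + data + b"\x00"

def read_tlv(buf: bytes, i: int):
    """Read one BER-TLV element at offset i; returns (tag, value, next offset)."""
    tag = buf[i]; i += 1
    if tag & 0x1F == 0x1F:          # two-byte tag such as 7F49
        tag = (tag << 8) | buf[i]; i += 1
    length = buf[i]; i += 1
    if length & 0x80:               # long form: 0x81/0x82 then length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big"); i += n
    return tag, buf[i:i + length], i + length

def parse_response(resp: bytes) -> dict:
    """Split off SW1SW2; on 9000 unpack the 7F49 public-key template."""
    sw = int.from_bytes(resp[-2:], "big")
    if sw != 0x9000:
        return {"status": STATUS.get(sw, f"unexpected status {sw:04X}")}
    tag, body, _ = read_tlv(resp[:-2], 0)
    if tag != 0x7F49:
        return {"status": f"unexpected response tag {tag:04X}"}
    names = {0x81: "modulus", 0x82: "exponent", 0x86: "point"}  # RSA / RSA / ECC
    out, i = {"status": "success"}, 0
    while i < len(body):
        t, v, i = read_tlv(body, i)
        out[names.get(t, f"tag{t:02X}")] = v
    return out

def encode_tlv(tag: int, value: bytes) -> bytes:
    """Encoder used only to build the constructed sample response."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + length + value

# Constructed sample: a 1024-bit-sized dummy modulus and exponent 65537, SW 9000
SAMPLE_MODULUS = bytes(range(1, 129))
SAMPLE_RESPONSE = encode_tlv(0x7F49, encode_tlv(0x81, SAMPLE_MODULUS) + encode_tlv(0x82, b"\x01\x00\x01")) + b"\x90\x00"
```

A 6D00 reply means the card did not recognise the instruction at all, which is a different diagnosis from 6982 (the command exists but the caller has not yet satisfied the card's administrator security condition).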

Licensed under: CC-BY-SA with attribution