Skip navigation
> RoadTest Reviews

Infineon Blockchain Starter Kit - Review

Scoring

Product Performed to Expectations: 9
Specifications were sufficient to design with: 9
Demo Software was of good quality: 7
Product was easy to use: 7
Support materials were available: 7
The price to performance ratio was good: 8
TotalScore: 47 / 60
  • RoadTest: Infineon Blockchain Starter Kit
  • Buy Now
  • Evaluation Type: Development Boards & Tools
  • Was everything in the box required?: Yes
  • Comparable Products/Other parts you considered: European eID
  • What were the biggest problems encountered?: find an NFC reader that's compatible with the Python software examples understanding how the card supports blockchain

  • Detailed Review:

    The Infineon Security 2Go Smart Cards are NFC tags that have on-board logic to support blockchain processes.

    The Starter Kit is a set of 5 smart cards, an Android app and a set of examples that show how the cards can support safe blockchain operation.

    android app customised for the road test

     

     

    What's in the Starter Kit and What Can these Smart Cards Do?

     

    The starter kit box contains 5 Infineon 2Go smart cards and a flyer. That's it. But it's enough.

    You actually own 5 little computers. Each capable of holding secrets and performing security related actions.

     

    A smart, by default, is a microcontroller + antenna hidden in a credit card sized plastic tag.

    The controller has non-volatile memory to store public and private keys. It also has it's own fixed keypair.

    It's pre-programmed to perform key-related activities.

    Communication and supplying power are via the antenna.

     

     

    Some highlights of the functionality:

    • Generate and store 255 public/private key pairs
    • has a fixed master key pair that can be used to generate the other ones.
    • industry standard APDU API to communicate with the card.
    • query function to retrieve public keys
    • function to sign a block of data
    • support for PIN/PUK codes
    • NO support for retrieving the private keys. And that's good. That's the highlight of the Security 2Go cards

     

    Additional Starter Kit Resources

     

    There's a number of additional resources, documentation and software.

    The wealth of supporting resources more than makes up for the sparse box content.

     

    Documents:

    • Product Brief: a 2 page intro into the capabilitie, key features and very short blockchain intro.
    • Short Product Overview: 4 page flyer with some more infp of the capabbilities.
    • User Manual: a 31 page document that explains how the cards fit in a blockchain scenario, and specifies the APDU API. This is the one you'll be using most.
    • Android App User Guide: 16 page instructions to the phone app that comes with the kit
    • Python Library and Examples on GitHub. Full source available.
    • coinfinity Android App on Google Play Store and on GitHub. Also full source available.
    • A video that hows how to transfer crypto currency using the app and cards.

     

     

    image source: User Manual Blockchain Security 2Go Starter Kit

     

    After reviewing all resources of the kit, I'd say that the easiest way to learn the value of the cards is to load the app source code in Android Studio.

    Then connect your smartphone to your PC and use the Studio's debug functionality to load the app.

    Set a breakpoint at some interesting points, use the app and inspect the code and variables. Then step through the code.

    I found that the 3 most interesting points were when a card is detected, when a transaction is sent to a blockchain network and when a vote is sent.

    All other documentation (and maybe my posts I'm linking in below) will then help you to understand what's happening.

     

     

    Blockchain

     

    minimal description

    If I have to describe blockchain as simple as I can, I'd say it's a linked list.

    A list where you can only put transactions at the tail of the list. And only if you are an agreed participant.

    You can only do that if that transaction is properly signed and verified.

    A transaction can be a transfer of currency between two blockchain addresses. It can also be the execution of an approved contract.

    There is a mechanism to detect that you are trying to meddle with existing transactions.

     

    little deeper explanation

    A participant in blockchain is represented by a blockchain address. The address is derived from your public key.

    When you put a new transaction on the chain, you have provide a signature that represents that transaction's data. The signature is created using your private key.

    The signature of the last transaction has to be included as a data member when calculating the new signature. That takes care that it's terribly difficult to meddle with data and sequence later.

    Blockchains are expected to be distributed. Many players should run an instance of the chain. They have then the chance to validate and accept or reject any new transaction.

    The validators use your public key to validate the signature you put in the transaction.

    Smart Contracts are a specific kind of transaction. They are a block of executable logic that has been reviewed and approved by the players. When executed, it can transfer amounts of goods between accounts based on the algorithm.

     

    Blockchain and Infineon 2Go Smart Cards

     

    The cards support these main functions:

    • create and store accounts and keypairs. When asked, give the neccessary info (public key) to make yourself known
    • sign the transactions using the private key

     

    Creation of Safe Accounts

     

    image source: User Manual Blockchain Security 2Go Starter Kit

     

    The first part you usually do once. You create the key and the card stores it.

    Every time you need to make yourself known (e.g. to play sender or receiver in a transaction in the app), the public key can be retrieved.

    There are then APIs (not on the card, public available code), to render that into the blockchain representation.

     

     

    Sign Transactions Before they go on the Chain

     

    image source: User Manual Blockchain Security 2Go Starter Kit

     

    This is the spectacular part. The private key that's stored on the card is used to sign the data that you want to push up the chain.

    You use the APDU API to send a hashed representation to the card, and it replies with a signature. Made using the private key. Can be verified as valid by anyone that holds your public key.

    One of the main dangers with electronic signing is that someone gets hold of your private key.

    With these cards, there is no (known to man) way to retrieve the private keys. They are generated by the card, stored there but not accessible by anything but the signing algorythm.

     

    Typical Scenario: the Example Android App

     

    The app uses a scenario where you want to exchange Ethereum crypto currency between parties.

    When the app starts, it doesn't know any of the parties.

    I as a sender make myself known by tapping my card on the phone.

    The app uses my public key to find out my Ethereum address.

    It then connects to the Ethereum network to retrieve my balance and shows it in the app.

     

    image source: real test with my cards

     

    I can then say I want to send some of that balance to a receiver, you.

    I push the Send Currency button, and the app then expects a 2nd tap of a card. The card of the receiver.

    So you take my phone and tap your card against the back.

    I take the phone back and fill in the amount.

     

    image source: real test with my cards

     

    At this point, nothing secret has happened, but the card functionality has been used twice.

    Once to determine who I am (sender). Once to determine who you are (receiver).

    And the blockchain network is contacted 3 times:

    2 times because the app uses it's API to retrieve addresses from the public keys, and 1 time to get the sender Ethereum balance.

     

    Then the last point happens: confirming the transaction.

    Because it's the sender that has to give away the balance, it's normal that it's expected from that person to confirm the transfer.

    This is done by again holding the sender's (mine) card against the back of the phone.

    The app will then use the APDU API to send a hashed version of the transaction data (in this case, all fields you see on the screen, and the hash of the previous block in the chain) to the card.

    The card then sends that hash to the signing engine - that will use the private key to generate a signature that represents that hashed data.

    That signed value becomes part of the transaction that's pushed up the chain.

     

    At this point, because the transaction hasn't been validated by other members, both cards will show a theoretical amount, if you tap them to the app:

    image source: real test with my cards

     

    After some time, the transaction is verified by some partners and the balance is firm.

     

    image source: real test with my cards

     

    Check my post linked below for a very deep dive into the app and the code. There's an easter egg.

     

    Low Level: the APDU API

     

    I've used the term APDU a few times above without explaining it. It's the way to communicate with these smart cards.

    APDU is a low level protocol that only exists out of data blocks. Blocks you send and blocks that you receive.

    The sending payload contains info about the functionality you want to invoke, its parameters and the dataset that the function has to work on.

    The returning payload contains the exit status (sucess, error), and additional info such as a public key, PIN status, hash signature, ...

     

    image source: real test with my cards

     

    All programs I've seen have built a wrapper around these APDU calls. They are too abstract to be used in code and then to understand that code. It's arrays of bytes.

    In the Android app, they have done this very beautiful. A class per APDU function:

    image source: session in Android Studio

     

     

    What Did I Not Test

     

    I've tested almost everything, except these:

     

    PIN functionality: I haven't used PIN codes and the related APIs. Because I wanted to focus on the key generation and signing. PINs add an additional safety layer, but also the requirement of a human typing the PIN. And that interferes with the debug work I'm currently doing.

    I want to step through code without having to switch to the GUI view to type the PIN.

     

    The Python libraries: I don't have a matching NFC reader. There's a list with supported readers. I didn't find an easy-to-order one in the list, took a risk and bought a different one. That wasn't a success.

    I've been playing with part of the lybraries though. My Belgium eID, and the reader that comes with it, is compatible with some pieces of the libraries. But I didn't test the Infinity 2Go cards. Maybe something for one of the fellow road testers.

     

    Smart Contracts: The app has the functionality to test a smart contract: the Voting functionality. Although the app succeeds in building and signing the contract, then sending it to the BlockChain, it never appeared as a transaction.

    Stepping through the code helped me to understand how to use a contract in practice. Seeing the result would be that extra bonus. I think the error is on the Ethereum side (maybe no candidates to validate it anymore?). I logged a bug report.

    update: this works. Infineon support replied on my bug report. I did not supply enough gas. See comments for the results.

     

    Summary

     

    I learned a lot. Really. Installing my own blockchain. Understanding blockchain and smart contracts. Generate transactions and stepping through each part of the process.

    How an Android App works. Debugging on a Smartphone. RFC technology and the industry standards + APIs. A bit of GOLANG. A lot.

    Check out the links below to see the writedown of all of that. And:

    Thanks for the opportunity to road test the kit !

     

     

     

     

    Related Blog
    Blockchain - HyperLedger Fabric: post and search transactions on a distributed trusted ledger
    Blockchain - Hyperledger Burrow: set up a distributed ledger
    Blockchain - Get Some Crypto Currency on an Infineon Security 2Go Card
    Blockchain - Debug the Infineon Demo App with Android Studio and Your Phone
    Blockchain - Analyse the Infineon Android Demo App - part a: Detect Card
    Blockchain - Analyse the Infineon Android Demo App - part b: Retrieve Ethereum Crypto Currency Balance
    Blockchain - Analyse the Infineon Android Demo App - part c: Transaction, Move Crypto Currency to Another Account
    Blockchain - Talk Directly to the Infineon 2Go Smart Cards API
    Blockchain - Smart Contract Test
    Road Test notepad: Infineon Blockchain Starter Kit
    Infineon Blockchain Starter Kit - Review

Comments

Also Enrolling

Enrollment Closes: Dec 29 
Enroll
Enrollment Closes: Dec 6 
Enroll
Enrollment Closes: Dec 18 
Enroll
Enrollment Closes: Dec 15 
Enroll