Menu
▾
▴
Re: [Globalplatform-users] Problem opening a secure channel on a java card
|
From: Karsten O. <wid...@t-...> - 2011-08-27 16:13:34
|
Am 27.08.2011 03:04, schrieb Marcel Cordovi: > > Hi, > > I'm having problems establishing a secure channel with an applet > I've just installed in a javacard. The card is in an INITIALIZED state > with its three keys set to the default value > (404142434445464748494A4B4C4D4E4F). I know I'm able to establish a > secure channel with the Card Manager using these keys because I can > successfully install my own applets using this gpshell script: > > mode_211 > enable_trace > enable_timer > > establish_context > card_connect > select -AID a000000003000000 > open_sc -security 1 -keyind 0 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f // Open secure channel > delete -AID F00100006203010C0101 > delete -AID F00100006203010C01 > install -file samples.cap -priv 2 > # getdata > # close_sc // Close secure channel > # putkey // Put key > // options: > // -keyind Key index > // -keyver Key version > // -key Key value in hex > card_disconnect > release_context > > The sample applet I'm using for testing purposes is taken from > http://www.globalplatform.org/specificationform.asp?fid=6306. I can > infer from the code that the security command processing is performed > inside the following code snippet: > > void SCPcommands ( APDU apdu ) { > > responseLength = MySecureChannel.processSecurity( apdu ); > if (responseLength != 0 ) > apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, > responseLength ); > } > > so the SCP02's management is being left to the Security Domain the > applet is associated with (the ISD I assume since the Card Manager was > used to install the applet). > > The problem arise when trying to establish a secure channel with the > applet using the gpshell script: > > establish_context > enable_trace > enable_timer > card_connect > > select -AID F00100006203010C0101 > open_sc -security 1 -keyind 0 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f // Open secure channel > > card_disconnect > release_context > > gpshell keeps returning an error in an early stage of the SCP02 as a > result of sending the INITIALIZE UPDATE command. The card cryptogram > cannot be verified as can be seen in the trace: > > establish_context > enable_trace > enable_timer > card_connect > command time: 0 ms > select -AID F00100006203010C0101 > Command --> 00A404000AF00100006203010C0101 > Wrapped command --> 00A404000AF00100006203010C0101 > Response <-- 6F0E840AF00100006203010C0101A5009000 > command time: 22 ms > open_sc -security 1 -keyind 0 -keyver 0 -mac_key > 404142434445464748494a4b4c4d4e4f -enc_key > 404142434445464748494a4b4c4d4e4f // Open secure channel > Command --> 805000000818594C319FFDF58C00 > Wrapped command --> 805000000818594C319FFDF58C00 > Response <-- 000082470244119142080102001AE08851C2967C0CC37A11A2F1FE579000 > mutual_authentication() returns 0x80302000 (The verification of the > card cryptogram failed.) > > > Am I missing some applet specific parameters in the open_sc commands? Hi, Nothing known to me. You are using processSecurity for all commands not known to your applet? Try to get a debug output and post the result: http://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell#Debug_output > Am I using the right keys? > Do I need to establish new keys for the applet other than the default > ones set for the ISD? > How do I install my own security domain and associate custom applets > with it? Security domain packages are preinstalled on the card. You have to list all load files and execute a install_for_install command to install the security domain. Then execute the install -file ... -sdAID sdAID command. The sdAID is important here. Maybe you also have to pass some privileges. Without a manual of your smart card vendor this will be a pain. When buying cards actually always you will not receive such a manual. INSTALL [for extradition] which is only available in the GP Library behind GPShell might also be useful to associate the applet with an SD. But this is not available in GPShell for now. Delegated management, i.e. especially giving a Security domain the right to install applications is not very well tested because of lacking sample cards and unknown card behaviors. Karsten > > I would appreciate any help. > > Thanks. > > Marcel > > > > > > > ------------------------------------------------------------------------------ > EMC VNX: the world's simplest storage, starting under $10K > The only unified storage solution that offers unified management > Up to 160% more powerful than alternatives and 25% more efficient. > Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev > > > _______________________________________________ > Globalplatform-users mailing list > Glo...@li... > https://lists.sourceforge.net/lists/listinfo/globalplatform-users |
