[Globalplatform-users] Problem opening a secure channel on a java card

[Marcel C. <mco...@gm...>]

Hi Karsten,

    I appreciate your reply. I'm still having the same problem
establishing a secure channel with my card. In response for one of my
questions you posted:

> Hi,
>
> Nothing known to me. You are using processSecurity for all commands not
> known to your applet?
>
> Try to get a debug output and post the result.


The answer is yes. All not known APDUs are handled by the default
clause of a switch statement in the 'process' method and forwarded to:


   void SCPcommands ( APDU apdu ) {

        responseLength = MySecureChannel.processSecurity( apdu );
        if (responseLength != 0 )
            apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA,
responseLength );
    }

as I posted previously.

I tried the following script:

---------------------------------------------
establish_context
enable_trace
enable_timer
card_connect

select -AID F00100006203010C0101
open_sc -security 1 -keyind 0 -keyver 0 -mac_key
404142434445464748494a4b4c4d4e4f -enc_key
404142434445464748494a4b4c4d4e4f -kek_key
404142434445464748494a4b4c4d4e4f // Open secure channel

card_disconnect
release_context
-----------------------------------------------


And this is the DEBUG trace:


29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
29/08 18:16:49  -OPGP_release_context in connection.c at line 132 :
end status 0, error code(0x0): Success
29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
29/08 18:16:49 DYN_LoadLibrary: Using library name
"gppcscconnectionplugin" and version "1.0.1".
29/08 18:16:49  -DYN_LoadLibrary in dyn_unix.c at line 107 : end
status 0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
29/08 18:16:49  -DYN_GetAddress in dyn_unix.c at line 166 : end status
0, error code(0x0): Success
29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c
at line 85 : start
29/08 18:16:49  -OPGP_PL_establish_context in gppcscconnectionplugin.c
at line 98 : end status 0, error code(0x0): Success
29/08 18:16:49  -OPGP_establish_context in connection.c at line 95 :
end status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at
line 137 : start
29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
29/08 18:16:49  -OPGP_PL_list_readers in gppcscconnectionplugin.c at
line 176 : end status 0, error code(0x0): Success
29/08 18:16:49  -OPGP_list_readers in connection.c at line 151 : end
status 0, error code(0x0): Success
29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at
line 202 : start
29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS
ACR 38U-CCID 00 00 with protocol 2 in card state 524340
29/08 18:16:49 OPGP_PL_card_connect: Card ATR:
3BFD1800008131FE4550565F4A434F50323176323332E7
29/08 18:16:49  -OPGP_PL_card_connect in gppcscconnectionplugin.c at
line 242 : end status 0, error code(0x0): Success
29/08 18:16:49  -OPGP_card_connect in connection.c at line 172 : end
status 0, error code(0x0): Success
29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
29/08 18:16:49  -wrap_command in crypto.c at line 1089 : end status 0,
error code(0x0): Success
29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line
296 : start
29/08 18:16:49  -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line
694 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
29/08 18:16:49  -GP211_check_R_MAC in crypto.c at line 1302 : end
status 0, error code(0x0): Success
29/08 18:16:49  -OPGP_send_APDU in connection.c at line 264 : end
status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49  -select_application in globalplatform.c at line 444 :
end status 0, error code(0x0): Success
29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
 * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
 * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol
Implementation: 0x05
29/08 18:16:49 +get_random in crypto.c at line 1465 : start
29/08 18:16:49  -get_random in crypto.c at line 1472 : end status 0,
error code(0x0): Success
29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
 * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
29/08 18:16:49  -wrap_command in crypto.c at line 1089 : end status 0,
error code(0x0): Success
29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line
296 : start
29/08 18:16:49  -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line
694 : end status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 OPGP_send_APDU: Response <--
000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
29/08 18:16:49  -GP211_check_R_MAC in crypto.c at line 1302 : end
status 0, error code(0x0): Success
29/08 18:16:49  -OPGP_send_APDU in connection.c at line 264 : end
status 0, error code(0x80209000): 9000: Success. No error.
29/08 18:16:49 mutual_authentication: Key Diversification Data:
00008247024411914208
29/08 18:16:49 mutual_authentication: Key Information Data: 0102
29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram:
1134FD4C1BECE9E5
29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at
line 294 : start
29/08 18:16:49  -calculate_enc_ecb_two_key_triple_des in crypto.c at
line 338 : end status 0, error code(0x0): Success
29/08 18:16:49  -create_session_key_SCP01 in crypto.c at line 240 :
end status 0, error code(0x0): Success
29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at
line 294 : start
29/08 18:16:49  -calculate_enc_ecb_two_key_triple_des in crypto.c at
line 338 : end status 0, error code(0x0): Success
29/08 18:16:49  -create_session_key_SCP01 in crypto.c at line 240 :
end status 0, error code(0x0): Success
29/08 18:16:49 mutual_authentication: S-ENC Session Key:
E374467F06501BB92057F15A8C860AAB
29/08 18:16:49 mutual_authentication: S-MAC Session Key:
29/08 18:16:49 mutual_authentication: Data Encryption Key:
404142434445464748494A4B4C4D4E4F
29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
29/08 18:16:49  -calculate_MAC in crypto.c at line 460 : end status 0,
error code(0x0): Success
 * 29/08 18:16:49  -calculate_card_cryptogram_SCP01 in crypto.c at
line 118 : end status 0, error code(0x0): Success
29/08 18:16:49 mutual_authentication: Card Cryptogram to compare:
683ED52BCE9F682F
29/08 18:16:49  -mutual_authentication in globalplatform.c at line
3898 : end status 1, error code(0x80302000): The verification of the
card cryptogram failed.


>From the marked lines ( * ) can be seen that gpshell is trying to use
SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has
support for SCP01 but with i=15 so there's still something wrong even
in the case I accidentally change the protocol version without knowing
it. I've tried to force the use of SCP02 by means of the 'sc' option,
even when gpshell's documentation says there's no need to do it, but
the result is the same, the SCP01 protocol is still being used and the
cryptogram can't finally be verified. I also tried passing the 'visa2'
value on the keyDerivation option since my card is a JCOP but there
were no success. I tried every combination of parameters: passing the
kek_key along with the enc_key and mac_key, passing only the -key with
the keyDerivation, passing it all together without any results.

Why is gpshell using the wrong protocol version and what can I do to
ensure the use of the proper one?
Is there some way of querying the card for the key derivation
algorithm that it supports or has set by default?
Is there anything else am I missing?

Thanks in advance,

Marcel