From: Karsten O. <wid...@t-...> - 2011-08-30 22:48:47
Hi,

Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant card. So you have to specify the mode in the beginning of the script file. Otherwise it falls back to the OpenPlatform 2.0.1 mode.

Start your file with:

mode_211

Karsten

On 30.08.2011 04:11, Michael StJohns wrote:
> Hi Marcel -
>
> I think you've got a mismatch between what's in the card recognition data and what the card is configured for.
>
> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.
>
> If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful.
>
> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and yy the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.
>
> Which version of GPShell are you using? I thought this was patched.
>
> Mike
>
>
> At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>> Hi Karsten,
>>
>> I appreciate your reply. I'm still having the same problem establishing a secure channel with my card. In response to one of my questions you posted:
>>
>>> Hi,
>>>
>>> Nothing known to me. You are using processSecurity for all commands not known to your applet?
>>>
>>> Try to get a debug output and post the result.
>>
>> The answer is yes. All unknown APDUs are handled by the default clause of a switch statement in the 'process' method and forwarded to:
>>
>>     void SCPcommands ( APDU apdu ) {
>>         // Hand every APDU the applet does not recognise (INITIALIZE UPDATE,
>>         // EXTERNAL AUTHENTICATE, ...) to the GlobalPlatform SecureChannel.
>>         // processSecurity() places its response in the APDU buffer at
>>         // ISO7816.OFFSET_CDATA and returns its length, 0 if there is none.
>>         responseLength = MySecureChannel.processSecurity( apdu );
>>         if (responseLength != 0 )
>>             apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
>>     }
>>
>> as I posted previously.
>>
>> I tried the following script:
>>
>> ---------------------------------------------
>> establish_context
>> enable_trace
>> enable_timer
>> card_connect
>>
>> select -AID F00100006203010C0101
>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>
>> card_disconnect
>> release_context
>> -----------------------------------------------
>>
>>
>> And this is the DEBUG trace:
>>
>>
>> 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
>> 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
>> 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
>> 29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
>> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
>> 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
>> 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
>> 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
>> 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
>> 29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
>> 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
>> 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
>> 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
>> 29/08 18:16:49 +get_random in crypto.c at line 1465 : start
>> 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
>> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102
>> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
>> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
>> 29/08 18:16:49 mutual_authentication: S-MAC Session Key:
>> 29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
>> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
>> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
>> 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
>> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
>> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.
>>
>>
>> From the marked lines ( * ) it can be seen that gpshell is trying to use SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has support for SCP01 but with i=15, so there's still something wrong even in the case I accidentally change the protocol version without knowing it. I've tried to force the use of SCP02 by means of the 'sc' option, even when gpshell's documentation says there's no need to do it, but the result is the same: the SCP01 protocol is still being used and the cryptogram can't finally be verified. I also tried passing the 'visa2' value on the keyDerivation option since my card is a JCOP but there was no success. I tried every combination of parameters: passing the kek_key along with the enc_key and mac_key, passing only the -key with the keyDerivation, passing it all together, without any results.
>>
>> Why is gpshell using the wrong protocol version and what can I do to ensure the use of the proper one?
>> Is there some way of querying the card for the key derivation algorithm that it supports or has set by default?
>> Is there anything else I am missing?
>>
>> Thanks in advance,
>>
>> Marcel
>>
>> ------------------------------------------------------------------------------
>> Special Offer -- Download ArcSight Logger for FREE!
>> Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY!
>> http://p.sf.net/sfu/arcsisghtdev2dev
>> _______________________________________________
>> Globalplatform-users mailing list
>> Glo...@li...
>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
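To make Michael's GET DATA check and the reading of Marcel's trace concrete, here is an added Python example; it is not code from GPShell, the GlobalPlatform library, or any poster in this thread. It decodes the Card Recognition Data returned by GET DATA with P1=00 P2=66, pulling the SCP and the implementation option 'i' out of the OID 1.2.840.114283.4.<scp>.<i> that sits under tag 64, and it splits the INITIALIZE UPDATE response from the posted trace into its fields, where the key information bytes 01 02 already say key version 1, SCP02 (and, read as SCP02, the 8 bytes gpshell printed as the card challenge are a 2-byte sequence counter 001F followed by a 6-byte challenge). The Card Recognition Data blob is constructed here for an SCP02 i=55 card, which is what Marcel says his card uses; the INITIALIZE UPDATE response is the one from the trace. The function names and the diagnose() helper are mine, not anything GPShell provides.

```python
"""Read back which Secure Channel Protocol a GlobalPlatform card expects.

Added example for this thread (not GPShell or GlobalPlatform library code).
Two on-card sources say which SCP and implementation option 'i' the card
will accept:

  1. Card Recognition Data (GET DATA, P1=0x00 P2=0x66): an OID under tag 0x64
     of the form 1.2.840.114283.4.<scp>.<i>.
  2. The INITIALIZE UPDATE response: in the 28-byte body, byte 10 is the key
     version number and byte 11 is the SCP identifier.
"""

# DER encoding of the OID arc 1.2.840.114283.4; the next two arcs are <scp>.<i>.
GP_SCP_OID_PREFIX = bytes.fromhex("2A864886FC6B04")


def tlv(tag: int, value: bytes) -> bytes:
    """Encode a single-byte tag with a short-form (< 0x80) length."""
    if len(value) >= 0x80:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def iter_tlv(data: bytes):
    """Yield (tag, value) pairs at one nesting level.

    Single-byte tags and short-form or 0x81-prefixed lengths are all the
    GP Card Recognition Data needs.
    """
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        length = data[i]
        i += 1
        if length == 0x81:
            length = data[i]
            i += 1
        elif length & 0x80:
            raise ValueError("unsupported BER length encoding")
        if i + length > len(data):
            raise ValueError("TLV length runs past end of data")
        yield tag, data[i:i + length]
        i += length


def scp_from_card_recognition_data(crd: bytes):
    """Return (scp, i) from a GET DATA 0x66 response body, or None if absent.

    Descends into every constructed tag (bit 0x20 set) looking for an OID
    (tag 0x06) under the 1.2.840.114283.4 arc; its last two arcs are scp and i.
    """
    for tag, value in iter_tlv(crd):
        if tag == 0x06 and value.startswith(GP_SCP_OID_PREFIX) \
                and len(value) == len(GP_SCP_OID_PREFIX) + 2:
            return value[-2], value[-1]
        if tag & 0x20:  # constructed: recurse into the children
            found = scp_from_card_recognition_data(value)
            if found is not None:
                return found
    return None


def parse_initialize_update(response: bytes) -> dict:
    """Split an INITIALIZE UPDATE response (28-byte body + SW) into fields.

    GP 2.1.1 layout: key diversification data (10), key version (1), SCP id (1),
    then for SCP01 an 8-byte card challenge, for SCP02 a 2-byte sequence counter
    and a 6-byte card challenge, then the 8-byte card cryptogram.
    """
    if len(response) < 2 or response[-2:] != b"\x90\x00":
        raise ValueError("INITIALIZE UPDATE did not return 9000")
    body = response[:-2]
    if len(body) != 28:
        raise ValueError("expected a 28-byte SCP01/SCP02 response body")
    scp = body[11]
    fields = {
        "key_diversification": body[:10].hex().upper(),
        "key_version": body[10],
        "scp": scp,
        "card_cryptogram": body[20:28].hex().upper(),
    }
    if scp == 0x01:
        fields["card_challenge"] = body[12:20].hex().upper()
    elif scp == 0x02:
        fields["sequence_counter"] = body[12:14].hex().upper()
        fields["card_challenge"] = body[14:20].hex().upper()
    else:
        raise ValueError(f"unexpected SCP identifier 0x{scp:02X}")
    return fields


def diagnose(host_scp: int, host_i: int, crd: bytes, init_update: bytes) -> list:
    """List mismatches between the host's SCP/i and what the card reports."""
    findings = []
    card = scp_from_card_recognition_data(crd)
    if card is not None and card != (host_scp, host_i):
        findings.append(f"card recognition data says SCP{card[0]:02d} i={card[1]:02X}, "
                        f"host is using SCP{host_scp:02d} i={host_i:02X}")
    iu = parse_initialize_update(init_update)
    if iu["scp"] != host_scp:
        findings.append(f"INITIALIZE UPDATE key information {iu['key_version']:02X}{iu['scp']:02X} "
                        f"says SCP{iu['scp']:02d}, host is using SCP{host_scp:02d}")
    return findings


# Constructed sample: Card Recognition Data for a GP 2.1.1 card doing SCP02 i=55.
SAMPLE_CRD = tlv(0x66, tlv(0x73,
    tlv(0x06, bytes.fromhex("2A864886FC6B01"))                      # card recognition data OID
    + tlv(0x60, tlv(0x06, bytes.fromhex("2A864886FC6B02020101")))   # GP version 2.1.1
    + tlv(0x63, tlv(0x06, bytes.fromhex("2A864886FC6B03")))         # card identification scheme
    + tlv(0x64, tlv(0x06, GP_SCP_OID_PREFIX + bytes([0x02, 0x55])))))  # SCP02, i=55

# From the posted trace: the card's answer to 8050000008<host challenge>00.
SAMPLE_INIT_UPDATE = bytes.fromhex(
    "000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000")

if __name__ == "__main__":
    # The trace shows the host running SCP01 with i=05.
    for line in diagnose(0x01, 0x05, SAMPLE_CRD, SAMPLE_INIT_UPDATE):
        print(line)
```

Run against the values from the thread with the host set to SCP01 i=05, diagnose() reports both the Card Recognition Data mismatch and the SCP02 identifier the card already sent in INITIALIZE UPDATE. Once the card's values are known, the fix Karsten gives applies: start the GPShell script with mode_211 so the library uses its GlobalPlatform 2.1.1 handling instead of falling back to OpenPlatform 2.0.1.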