From: Marcel C. <mco...@gm...> - 2011-08-31 00:01:42
Thanks Mike. Your reply was very helpful. I sent the GET DATA command you recommended and got the xx-yy byte values you were mentioning. They turn out to be 0215, which stands for SCP02 with 0x15 implementation version, as I was expecting from my card's default values reference. The problem was a missing 'mode_211' command in the script, which was making the underlying GlobalPlatform library use the wrong function for querying the protocol version. After having this corrected I was able to establish the secure channel with my applet, but I still needed to specify the 'scp' and 'scpimpl' options in order to avoid a "6D00: Invalid instruction byte / Command not supported or invalid" error I was getting. I'll be trying to fix that too later, but for now passing the options will do just fine.

Thanks again for your help.

Greetings,
Marcel

On Tue, Aug 30, 2011 at 5:48 PM, <glo...@li...> wrote:
> Today's Topics:
>
> 1. Problem opening a secure channel on a java card (Marcel Cordovi)
> 2. Re: Problem opening a secure channel on a java card (Michael StJohns)
> 3. Re: Problem opening a secure channel on a java card (Karsten Ohme)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 29 Aug 2011 19:08:49 -0500
> From: Marcel Cordovi <mco...@gm...>
> Subject: [Globalplatform-users] Problem opening a secure channel on a java card
> To: glo...@li...
> Message-ID: <CAL...@ma...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Karsten,
>
> I appreciate your reply. I'm still having the same problem
> establishing a secure channel with my card. In response to one of my
> questions you posted:
>
>> Hi,
>>
>> Nothing known to me. You are using processSecurity for all commands not
>> known to your applet?
>>
>> Try to get a debug output and post the result.
>
> The answer is yes. All unknown APDUs are handled by the default
> clause of a switch statement in the 'process' method and forwarded to:
>
>     // Hands every APDU the applet does not recognise to the GlobalPlatform
>     // SecureChannel instance (INITIALIZE UPDATE, EXTERNAL AUTHENTICATE, ...)
>     // and sends back whatever response data it produced.
>     void SCPcommands(APDU apdu) {
>         short responseLength = MySecureChannel.processSecurity(apdu);
>         if (responseLength != 0) {
>             apdu.setOutgoingAndSend((short) ISO7816.OFFSET_CDATA, responseLength);
>         }
>     }
>
> as I posted previously.
>
> I tried the following script:
>
> ---------------------------------------------
> establish_context
> enable_trace
> enable_timer
> card_connect
>
> select -AID F00100006203010C0101
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>
> card_disconnect
> release_context
> -----------------------------------------------
>
> And this is the DEBUG trace:
>
> 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
> 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
> 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
> 29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
> 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
> 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
> 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
> 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
> 29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
> 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
> 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
> 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
> 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
> 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
> 29/08 18:16:49 +get_random in crypto.c at line 1465 : start
> 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
> 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
> 29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
> 29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102
> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
> 29/08 18:16:49 mutual_authentication: S-MAC Session Key:
> 29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
> 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.
>
> From the marked lines ( * ) it can be seen that gpshell is trying to use
> SCP01 (i=5) but my card uses SCP02 (i=55) by default. It also has
> support for SCP01 but with i=15, so there's still something wrong even
> in the case I accidentally change the protocol version without knowing
> it. I've tried to force the use of SCP02 by means of the 'sc' option,
> even though gpshell's documentation says there's no need to do it, but
> the result is the same: the SCP01 protocol is still being used and the
> cryptogram can't be verified. I also tried passing the 'visa2'
> value on the keyDerivation option since my card is a JCOP, but with
> no success. I tried every combination of parameters: passing the
> kek_key along with the enc_key and mac_key, passing only the -key with
> the keyDerivation, passing it all together, without any results.
>
> Why is gpshell using the wrong protocol version and what can I do to
> ensure the use of the proper one?
> Is there some way of querying the card for the key derivation
> algorithm that it supports or has set by default?
> Is there anything else I am missing?
>
> Thanks in advance,
>
> Marcel
>
> ------------------------------
>
> Message: 2
> Date: Mon, 29 Aug 2011 22:11:23 -0400
> From: Michael StJohns <mst...@co...>
> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
> To: Marcel Cordovi <mco...@gm...>, glo...@li...
> Message-ID: <mai...@li...>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Marcel -
>
> I think you've got a mismatch between what's in the card recognition data and what the card is configured for.
>
> I know this was a problem with the generic open_sc (where you were opening with the security domain) a while back - Karsten ended up providing a fix. I wonder if that's the same problem.
>
> If you can do a select of the AID and then a GET DATA with a P1 of 0 and a P2 of 0x66 and paste it back here, it might be helpful.
>
> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx should be the SCP and yy the implementation options. My guess is that will be 01 05 to match what gpshell is trying to do.
>
> Which version of GPShell are you using? I thought this was patched.
>
> Mike
>
> ------------------------------
>
> Message: 3
> Date: Wed, 31 Aug 2011 00:48:25 +0200
> From: Karsten Ohme <wid...@t-...>
> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
> To: glo...@li...
> Message-ID: <4E5...@t-...>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant
> card. So you have to specify the mode in the beginning of the script
> file. Otherwise it falls back to the OpenPlatform 2.0.1 mode.
>
> Start your file with:
>
> mode_211
>
> Karsten
>
>>> Secure your free ArcSight Logger TODAY!
>>> http://p.sf.net/sfu/arcsisghtdev2dev
>>> _______________________________________________
>>> Globalplatform-users mailing list
>>> Glo...@li...
>>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>
> End of Globalplatform-users Digest, Vol 18, Issue 2
> ***************************************************
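The mismatch in the quoted log is visible in the INITIALIZE UPDATE response itself: the second byte of the key information field is the card's SCP identifier, and it reads 02 while the host went on to derive SCP01 session keys. The following is an added example, not code from gpshell or the GlobalPlatform library; it decodes that response using the SCP01/SCP02 field layout from the GP Card Specification 2.1.1 and flags a host/card protocol mismatch before any session key is derived.

```python
"""Decode a GlobalPlatform INITIALIZE UPDATE response (SCP01/SCP02).

Layout (GP Card Spec 2.1.1): 10 bytes key diversification data,
2 bytes key information (key version number, SCP identifier),
8 bytes card challenge, 8 bytes card cryptogram, 2 bytes status word.
"""
import binascii

# Response line taken from the gpshell log quoted in the thread (with SW 9000).
LOG_RESPONSE = "000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000"


def parse_initialize_update(resp_hex):
    """Split the response into named fields; raise on a bad length or SW."""
    data = binascii.unhexlify(resp_hex)
    if len(data) != 30:
        raise ValueError("expected 28 data bytes + SW for SCP01/SCP02, got %d"
                         % len(data))
    sw = data[-2:]
    if sw != b"\x90\x00":
        raise ValueError("card returned SW %s" % sw.hex().upper())
    body = data[:-2]
    fields = {
        "key_diversification": body[0:10].hex().upper(),
        "key_version": body[10],
        "scp": body[11],
        "card_challenge": body[12:20].hex().upper(),
        "card_cryptogram": body[20:28].hex().upper(),
    }
    if fields["scp"] == 0x02:
        # In SCP02 the challenge starts with the 2-byte sequence counter.
        fields["sequence_counter"] = int.from_bytes(body[12:14], "big")
    return fields


def check_host_protocol(fields, host_scp):
    """Return None if the host's SCP matches the card's, else a message.

    Failing here is cheaper than deriving session keys under the wrong
    protocol, which only surfaces later as a cryptogram verification error.
    """
    card_scp = fields["scp"]
    if card_scp != host_scp:
        return ("card reports SCP%02d in key information, host configured SCP%02d"
                % (card_scp, host_scp))
    return None


if __name__ == "__main__":
    f = parse_initialize_update(LOG_RESPONSE)
    print(f)
    print(check_host_protocol(f, 0x01))  # the situation in the log
```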
