From: Karsten O. <wid...@t-...> - 2011-08-31 00:26:15
On 31.08.2011 02:01, Marcel Cordovi wrote:
> Thanks Mike. Your reply was very helpful. I sent the GET DATA command
> you recommended and got the xx-yy byte values you were mentioning.
> They turn out to be 0215, which stands for SCP02 with 0x15
> implementation version, as I was expecting from my card default values
> reference. The problem was a missing 'mode_211' command in the script
> that was making the underlying GlobalPlatform library have the wrong
> function querying the protocol version. After having this corrected I
> was able to establish the secure channel with my applet, but I still
> needed to specify the 'scp' and 'scpimpl' options in order to avoid a
> "6D00: Invalid instruction byte / Command not supported or invalid"
> error I was getting. I'll be trying to fix that too later, but for now
> passing the options will do just fine. Thanks again for your help.

The reason for the 6D00 is that you have selected the applet, not a
security domain. The applet does not know of the GET DATA command, so
this fails. I have documented this:

https://sourceforge.net/apps/mediawiki/globalplatform/index.php?title=GPShell#Secure_Channel_Commands

Karsten

> Greetings,
>
> Marcel
>
> On Tue, Aug 30, 2011 at 5:48 PM, <glo...@li...> wrote:
>> Today's Topics:
>>
>>    1. Problem opening a secure channel on a java card (Marcel Cordovi)
>>    2. Re: Problem opening a secure channel on a java card (Michael StJohns)
>>    3. Re: Problem opening a secure channel on a java card (Karsten Ohme)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Mon, 29 Aug 2011 19:08:49 -0500
>> From: Marcel Cordovi <mco...@gm...>
>> Subject: [Globalplatform-users] Problem opening a secure channel on a java card
>> To: glo...@li...
>> Message-ID: <CAL...@ma...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi Karsten,
>>
>> I appreciate your reply. I'm still having the same problem
>> establishing a secure channel with my card. In response to one of my
>> questions you posted:
>>
>>> Hi,
>>>
>>> Nothing known to me. You are using processSecurity for all commands not
>>> known to your applet?
>>>
>>> Try to get a debug output and post the result.
>>
>> The answer is yes. All not known APDUs are handled by the default
>> clause of a switch statement in the 'process' method and forwarded to:
>>
>> void SCPcommands ( APDU apdu ) {
>>     // Hand every INS the applet does not implement to the GlobalPlatform
>>     // SecureChannel; it writes its response data into the APDU buffer at
>>     // ISO7816.OFFSET_CDATA and returns the length of that data.
>>     short responseLength = MySecureChannel.processSecurity( apdu );
>>     if (responseLength != 0 )
>>         apdu.setOutgoingAndSend( (short) ISO7816.OFFSET_CDATA, responseLength );
>> }
>>
>> as I posted previously.
>>
>> I tried the following script:
>>
>> ---------------------------------------------
>> establish_context
>> enable_trace
>> enable_timer
>> card_connect
>>
>> select -AID F00100006203010C0101
>> open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f -kek_key 404142434445464748494a4b4c4d4e4f // Open secure channel
>>
>> card_disconnect
>> release_context
>> -----------------------------------------------
>>
>> And this is the DEBUG trace:
>>
>> 29/08 18:16:49 +OPGP_establish_context in connection.c at line 56 : start
>> 29/08 18:16:49 +OPGP_release_context in connection.c at line 108 : start
>> 29/08 18:16:49 -OPGP_release_context in connection.c at line 132 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_LoadLibrary in dyn_unix.c at line 60 : start
>> 29/08 18:16:49 DYN_LoadLibrary: Using library name "gppcscconnectionplugin" and version "1.0.1".
>> 29/08 18:16:49 -DYN_LoadLibrary in dyn_unix.c at line 107 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +DYN_GetAddress in dyn_unix.c at line 145 : start
>> 29/08 18:16:49 -DYN_GetAddress in dyn_unix.c at line 166 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_establish_context in gppcscconnectionplugin.c at line 85 : start
>> 29/08 18:16:49 -OPGP_PL_establish_context in gppcscconnectionplugin.c at line 98 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_establish_context in connection.c at line 95 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_list_readers in connection.c at line 148 : start
>> 29/08 18:16:49 +OPGP_PL_list_readers in gppcscconnectionplugin.c at line 137 : start
>> 29/08 18:16:49 OPGP_PL_list_readers: readerSize: 24
>> 29/08 18:16:49 -OPGP_PL_list_readers in gppcscconnectionplugin.c at line 176 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_list_readers in connection.c at line 151 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_card_connect in connection.c at line 167 : start
>> 29/08 18:16:49 +OPGP_PL_card_connect in gppcscconnectionplugin.c at line 202 : start
>> 29/08 18:16:49 OPGP_PL_card_connect: Connected to card in reader ACS ACR 38U-CCID 00 00 with protocol 2 in card state 524340
>> 29/08 18:16:49 OPGP_PL_card_connect: Card ATR: 3BFD1800008131FE4550565F4A434F50323176323332E7
>> 29/08 18:16:49 -OPGP_PL_card_connect in gppcscconnectionplugin.c at line 242 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_card_connect in connection.c at line 172 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +select_application in globalplatform.c at line 413 : start
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> 29/08 18:16:49 OPGP_send_APDU: Command --> 00A404000AF00100006203010C0101
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 6F0E840AF00100006203010C0101A5009000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 -select_application in globalplatform.c at line 444 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +mutual_authentication in globalplatform.c at line 3584 : start
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol: 0x01
>> * 29/08 18:16:49 mutual_authentication: Secure Channel Protocol Implementation: 0x05
>> 29/08 18:16:49 +get_random in crypto.c at line 1465 : start
>> 29/08 18:16:49 -get_random in crypto.c at line 1472 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Generated Host Challenge: D4BF67725B6928EA
>> 29/08 18:16:49 +OPGP_send_APDU in connection.c at line 210 : start
>> * 29/08 18:16:49 OPGP_send_APDU: Command --> 8050000008D4BF67725B6928EA00
>> 29/08 18:16:49 +wrap_command in crypto.c at line 841 : start
>> 29/08 18:16:49 -wrap_command in crypto.c at line 1089 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 296 : start
>> 29/08 18:16:49 -OPGP_PL_send_APDU in gppcscconnectionplugin.c at line 694 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 OPGP_send_APDU: Response <-- 000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000
>> 29/08 18:16:49 +GP211_check_R_MAC in crypto.c at line 1251 : start
>> 29/08 18:16:49 -GP211_check_R_MAC in crypto.c at line 1302 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -OPGP_send_APDU in connection.c at line 264 : end status 0, error code(0x80209000): 9000: Success. No error.
>> 29/08 18:16:49 mutual_authentication: Key Diversification Data: 00008247024411914208
>> 29/08 18:16:49 mutual_authentication: Key Information Data: 0102
>> 29/08 18:16:49 mutual_authentication: Card Challenge: 001FC04F087547DA
>> 29/08 18:16:49 mutual_authentication: Retrieved Card Cryptogram: 1134FD4C1BECE9E5
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 +create_session_key_SCP01 in crypto.c at line 227 : start
>> 29/08 18:16:49 +calculate_enc_ecb_two_key_triple_des in crypto.c at line 294 : start
>> 29/08 18:16:49 -calculate_enc_ecb_two_key_triple_des in crypto.c at line 338 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 -create_session_key_SCP01 in crypto.c at line 240 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: S-ENC Session Key: E374467F06501BB92057F15A8C860AAB
>> 29/08 18:16:49 mutual_authentication: S-MAC Session Key:
>> 29/08 18:16:49 mutual_authentication: Data Encryption Key: 404142434445464748494A4B4C4D4E4F
>> 29/08 18:16:49 +calculate_card_cryptogram_SCP01 in crypto.c at line 108 : start
>> 29/08 18:16:49 +calculate_MAC in crypto.c at line 422 : start
>> 29/08 18:16:49 -calculate_MAC in crypto.c at line 460 : end status 0, error code(0x0): Success
>> * 29/08 18:16:49 -calculate_card_cryptogram_SCP01 in crypto.c at line 118 : end status 0, error code(0x0): Success
>> 29/08 18:16:49 mutual_authentication: Card Cryptogram to compare: 683ED52BCE9F682F
>> 29/08 18:16:49 -mutual_authentication in globalplatform.c at line 3898 : end status 1, error code(0x80302000): The verification of the card cryptogram failed.
>>
>> From the marked lines ( * ) it can be seen that gpshell is trying to use
>> SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has
>> support for SCP01 but with i=15, so there's still something wrong even
>> in the case I accidentally change the protocol version without knowing
>> it. I've tried to force the use of SCP02 by means of the 'sc' option,
>> even when gpshell's documentation says there's no need to do it, but
>> the result is the same: the SCP01 protocol is still being used and the
>> cryptogram can't finally be verified. I also tried passing the 'visa2'
>> value on the keyDerivation option since my card is a JCOP, but there
>> was no success. I tried every combination of parameters: passing the
>> kek_key along with the enc_key and mac_key, passing only the -key with
>> the keyDerivation, passing it all together, without any results.
>>
>> Why is gpshell using the wrong protocol version and what can I do to
>> ensure the use of the proper one?
>> Is there some way of querying the card for the key derivation
>> algorithm that it supports or has set by default?
>> Is there anything else I am missing?
>>
>> Thanks in advance,
>>
>> Marcel
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Mon, 29 Aug 2011 22:11:23 -0400
>> From: Michael StJohns <mst...@co...>
>> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
>> To: Marcel Cordovi <mco...@gm...>, glo...@li...
>> Message-ID: <mai...@li...>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi Marcel -
>>
>> I think you've got a mismatch between what's in the card recognition
>> data and what the card is configured for.
>>
>> I know this was a problem with the generic open_sc (where you were
>> opening with the security domain) a while back - Karsten ended up
>> providing a fix. I wonder if that's the same problem.
>>
>> If you can do a select of the AID and then a GET DATA with a P1 of 0
>> and a P2 of 0x66 and paste it back here, it might be helpful.
>>
>> Look for a hex string 64 0B 06 09 2A 86 48 86 fc 6b 04 xx yy -- xx
>> should be the SCP and YY the implementation options. My guess is that
>> will be 01 05 to match what gpshell is trying to do.
>>
>> Which version of GPShell are you using? I thought this was patched.
>>
>> Mike
>>
>> At 08:08 PM 8/29/2011, Marcel Cordovi wrote:
>>> [...]
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 31 Aug 2011 00:48:25 +0200
>> From: Karsten Ohme <wid...@t-...>
>> Subject: Re: [Globalplatform-users] Problem opening a secure channel on a java card
>> To: glo...@li...
>> Message-ID: <4E5...@t-...>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi,
>>
>> Ah! I guess I found it. You are using a GlobalPlatform 2.1.1 compliant
>> card. So you have to specify the mode in the beginning of the script
>> file. Otherwise it falls back to the OpenPlatform 2.0.1 mode.
>>
>> Start your file with:
>>
>> mode_211
>>
>> Karsten
>>
>> On 30.08.2011 04:11, Michael StJohns wrote:
>>> [...]
1, error code(0x80302000): The verification of the >>>> card cryptogram failed. >>>> >>>> >>>> >From the marked lines ( * ) can be seen that gpshell is trying to use >>>> SCP01 (i=5) but my card uses by default SCP02 (i=55). It also has >>>> support for SCP01 but with i=15 so there's still something wrong even >>>> in the case I accidentally change the protocol version without knowing >>>> it. I've tried to force the use of SCP02 by means of the 'sc' option, >>>> even when gpshell's documentation says there's no need to do it, but >>>> the result is the same, the SCP01 protocol is still being used and the >>>> cryptogram can't finally be verified. I also tried passing the 'visa2' >>>> value on the keyDerivation option since my card is a JCOP but there >>>> were no success. I tried every combination of parameters: passing the >>>> kek_key along with the enc_key and mac_key, passing only the -key with >>>> the keyDerivation, passing it all together without any results. >>>> >>>> Why is gpshell using the wrong protocol version and what can I do to >>>> ensure the use of the proper one? >>>> Is there some way of querying the card for the key derivation >>>> algorithm that it supports or has set by default? >>>> Is there anything else am I missing? >>>> >>>> Thanks in advance, >>>> >>>> Marcel >>>> >>>> ------------------------------------------------------------------------------ >>>> Special Offer -- Download ArcSight Logger for FREE! >>>> Finally, a world-class log management solution at an even better >>>> price-free! And you'll get a free "Love Thy Logs" t-shirt when you >>>> download Logger. Secure your free ArcSight Logger TODAY! >>>> http://p.sf.net/sfu/arcsisghtdev2dev >>>> _______________________________________________ >>>> Globalplatform-users mailing list >>>> Glo...@li... 
>>>> https://lists.sourceforge.net/lists/listinfo/globalplatform-users
>>
>> End of Globalplatform-users Digest, Vol 18, Issue 2
>> ***************************************************
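The INITIALIZE UPDATE response in the log above already tells the host which protocol the card expects: its Key Information bytes are 0102, i.e. key version 01 and SCP identifier 02, while gpshell parsed the data with the SCP01 layout and so derived the wrong session keys. The following is an added example (not code from the thread or from GPShell) that splits the response according to the SCP identifier the card reports, using the field layout of GlobalPlatform 2.1.1 for SCP01 and SCP02; the response bytes are the ones captured in the log.

```python
# Added example (not from the thread or from GPShell): split an
# INITIALIZE UPDATE response into fields using the SCP identifier the
# card reports in its Key Information bytes (GlobalPlatform 2.1.1 layout).
from dataclasses import dataclass


@dataclass
class InitUpdateResponse:
    key_diversification: bytes  # 10 bytes, card specific
    key_version: int            # Key Information byte 1
    scp: int                    # Key Information byte 2: 0x01 or 0x02
    sequence_counter: bytes     # SCP02 only (2 bytes), b"" for SCP01
    card_challenge: bytes       # 8 bytes (SCP01) or 6 bytes (SCP02)
    card_cryptogram: bytes      # 8 bytes
    sw: int                     # status word


def parse_initialize_update(resp: bytes) -> InitUpdateResponse:
    """Parse the data field plus SW returned by INITIALIZE UPDATE."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw = int.from_bytes(resp[-2:], "big")
    if sw != 0x9000:
        # anything else means the selected application did not process it
        raise ValueError(f"INITIALIZE UPDATE failed, SW={sw:04X}")
    data = resp[:-2]
    if len(data) != 28:
        raise ValueError(f"expected 28 data bytes, got {len(data)}")
    key_div, key_version, scp = data[:10], data[10], data[11]
    if scp == 0x01:    # challenge 8 bytes, no sequence counter
        seq, challenge, cryptogram = b"", data[12:20], data[20:28]
    elif scp == 0x02:  # sequence counter 2 bytes, challenge 6 bytes
        seq, challenge, cryptogram = data[12:14], data[14:20], data[20:28]
    else:
        raise ValueError(f"unsupported SCP identifier 0x{scp:02X}")
    return InitUpdateResponse(key_div, key_version, scp, seq,
                              challenge, cryptogram, sw)


# Response taken from the debug log in the thread (nonces, not secrets);
# GPShell was interpreting it with the SCP01 layout at the time.
LOG_RESPONSE = bytes.fromhex(
    "000082470244119142080102001FC04F087547DA1134FD4C1BECE9E59000")

if __name__ == "__main__":
    r = parse_initialize_update(LOG_RESPONSE)
    print(f"SCP0{r.scp} key version {r.key_version}: "
          f"seq {r.sequence_counter.hex()} challenge {r.card_challenge.hex()}")
```

Run against the logged response this reports SCP02 with sequence counter 001F and a 6-byte card challenge, which is why a cryptogram computed with SCP01 session keys over an 8-byte "challenge" could never match.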