Re: [Globalplatform-users] Issues Authenticating to a Card

[Karsten O. <wid...@t-...>]

Jeff Fern schrieb:
> Hi All,
> 
> I have been working with a Nokia 6131 NFC phone (java programming), part
> of the phone has a secure element which is an integrated Java Card (G&D
> Implementation) and it is this which I am trying to write applets for -
> however I am stuck at the authentication stage.
> 
> I am aware of the 10 incorrect authentication issue (I have already locked
> 1 phone and am 4 attempts down on the last) which is why I am posting
> here.
> 
> The secure element has been 'unlocked' which has given me the following
> information:
> 
> Keyset 42 contains the ENC, MAC & KEY keys with the hex values 4041...4F.
> Access to the device requires ENC+MAC level authentication as specified in
> the GlobalPlatform spec 2.1.1 secure chanel protocol 02 (SCP02).
> 
> I also have a list of 4 Application IDs which I have been told NOT to
> delete, and 2 Application IDs which may be deleted if more space is
> required.
> 
> The last set of commands I tried were:
> mode_211
> enable_trace
> establish_context
> card_connect -readerNumber 0
> open_sc -security 3 -scp 2 -keyver 42 -mac_key
> 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F
> -kek_key 404142434445464748494A4B4C4D4E4F
> 
> Which gave the output:
> --> 00CA006600
> <--
> 734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
> 
> --> 80502A0008979FE2303D49553200
> <-- 000063428007F6A801092A0200016C7FFC113FB9FEBAFC314EA2F27A9000
> mutual_authentication() returns 0x8030F006 (The Secure Channel Protocol
> Implementation is invalid.)

Maybe you must pass also a Secure Channel Protocol implementation.
SCP02 can be combined with:

/* Secure Channel base key */
GP211_SCP02_IMPL_i04
GP211_SCP02_IMPL_i14)

/* 3 Secure Channel Keys */
GP211_SCP02_IMPL_i05
GP211_SCP02_IMPL_i15)

otherwise this exception will be thrown.

Actually it should be recognized automatically. In the output 00CA006600 
retrieves the data. 734A06072A8 ... is the answer. In the log should be 
mentioned something like OIDCardRecognitionData: ...

I have analyzed the data for you.
I split here the returned data:

Tag + length
734A
Tag + length + data
0607 2A864886FC6B01

600C
060A 2A864886FC6B02020101

6309
0607 2A864886FC6B03

Now the secure channel protocol details follow:
640B
0609 2A864886FC6B040255

The secure channel protocol is 02
and the impl is 55. 55 is a problem. This is mentioned in the amendment 
A to GP 2.1.1:

"i" = '55': Initiation mode explicit, C-MAC on modified APDU, ICV set to 
zero, ICV encryption for C-MAC session, 3 Secure Channel Keys, 
well-known pseudo-random algorithm (card challenge).”

GlobalPlatform does not know of this mode. I will fix it. So use 0x15. 
This should also work.

650B
0609 2B8510864864020103

660C
060A 2B060104012A026E0102

Status code for success:
9000

> 
> I have seen some references to having to issue a select command before the
> open_sc however do not know if this is necessary (I am a java programmer,
> completely new to these cards). After reading another post on this mailing
> list and which AID to select, one of the ones I shouldn't delete is
> "A0000000035350" which is the closest in looks to the suggestions (the
> others all being D276000...) however I don't know if not selecting this is
> causing the error, or even related.

Usually it is default delected. Maybe not. I it still does not work try 
it. Select to Card Manager / Card Manager Security Domain.

You my also enable debugging output from the GlobalPlatform library (if 
you compile it on your own, or the prebuilt version should include it):

I quote from the current Install.w32 (Windows):

If you need to get debugging output you must have built a debug version
and enable the debugging by setting the environment variable
GLOBALPLATFORM_DEBUG=1. If you explicitly set a log file with
the environment variable GLOBALPLATFORM_LOGFILE, this log file will be used.
The default log file is C:\Temp\GlobalPlatform.log. This must be 
writable for
the user. Keep in mind that the debugging output may contain sensitive
information, e.g. keys!

INSTALL (Unix, ...)

--enable-debug:

     If you need to get debugging output you must have built a debug version
and enable the debugging by setting the environment variable
GLOBALPLATFORM_DEBUG=1. If you explicitly set a log file with
the environment variable GLOBALPLATFORM_LOGFILE, this log file will be used.
The default log file is /tmp/GlobalPlatform.log. This must be writable 
for the
user. But if syslog is available during compile time the defualt for 
debugging
statement is to get syslogged. Keep in mind that the debugging output may
contain sensitive information, e.g. keys!

You can also try the JCOP tools. If you are lucky the JCOP tools for 
Eclipse will work for you. jcop tools.zip. Unfortunateyl it is not more 
available. Maybe you will find it somewhere. They can help you to 
authenticate to the card. Maybe.

Regards,
Karsten

> 
> Only having 6 attempts left before rending the phone (worth about £230!)
> useless I don't want to risk trying things in hope - this is how I locked
> the first one as I wasn't aware of the limit to 10 attempts.
> 
> Any advise or suggestions would be much appreciated.
> 
> Regards,
> -Jeff Fern
> 
>