Re: [Globalplatform-users] Issues Authenticating to a Card

[Jeff F. <sf...@fc...>]

Thanks for your reply, although I must admit I did not fully understand
all of it and with limited attempts (5 left) before the phone is locked I
am wary of just trying things.

Actually today my JCOP engineering sample arrived so I was able activate
the eclipse plugin and have sucessfully authenticated to the engineering
card, however trying to authenticate to the phone doesn't work.

I realise this isn't a JCOP list however as you mentioned using JCOP
perhaps you have some experiences? Output from the JCOP Shell is:

cm>  /terminal "winscard:4|OMNIKEY CardMan 5x21-CL 0"
--Opening terminal
>  /card
--Waiting for card...
ATR=3B 88 80 01 00 73 C8 40 13 00 90 00 71             ;....s.@....q
ATR: T=0, T=1, Hist=0073C84013009000
 => 00 A4 04 00 07 A0 00 00 00 03 00 00 00             .............
 (38535 usec)
 <= 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65    o..............e
    01 FF 90 00                                        ....
Status: No Error
cm>  set-key 42/1/DES-ECB/404142434445464748494A4B4C4D4E4F
cm>  set-key 42/2/DES-ECB/404142434445464748494A4B4C4D4E4F
cm>  set-key 42/3/DES-ECB/404142434445464748494A4B4C4D4E4F
cm>  init-update 42
 => 80 50 2A 00 08 37 D0 24 87 C5 8D E7 05 00          .P*..7.$......
 (112921 usec)
 <= 00 00 63 42 80 07 F6 A8 01 09 2A 02 00 01 6C 7F    ..cB......*...l.
    FC 11 3F B9 22 49 CB 72 9D 57 DF EC 90 00          ..?."I.r.W....
Status: No Error
cm>  ext-auth
 => 84 82 00 00 10 5A 13 18 02 C5 87 A3 34 6D F7 33    .....Z......4m.3
    55 A4 C8 C9 6D                                     U...m
 (27528 usec)
 <= 69 85                                              i.
Status: Conditions of use not satisfied
jcshell: Error code: 6985 (Conditions of use not satisfied)
jcshell: Wrong response APDU: 6985

Any insight greatfully received.

-Jeff

> Jeff Fern schrieb:
>> Hi All,
>>
>> I have been working with a Nokia 6131 NFC phone (java programming), part
>> of the phone has a secure element which is an integrated Java Card (G&D
>> Implementation) and it is this which I am trying to write applets for -
>> however I am stuck at the authentication stage.
>>
>> I am aware of the 10 incorrect authentication issue (I have already
>> locked
>> 1 phone and am 4 attempts down on the last) which is why I am posting
>> here.
>>
>> The secure element has been 'unlocked' which has given me the following
>> information:
>>
>> Keyset 42 contains the ENC, MAC & KEY keys with the hex values
>> 4041...4F.
>> Access to the device requires ENC+MAC level authentication as specified
>> in
>> the GlobalPlatform spec 2.1.1 secure chanel protocol 02 (SCP02).
>>
>> I also have a list of 4 Application IDs which I have been told NOT to
>> delete, and 2 Application IDs which may be deleted if more space is
>> required.
>>
>> The last set of commands I tried were:
>> mode_211
>> enable_trace
>> establish_context
>> card_connect -readerNumber 0
>> open_sc -security 3 -scp 2 -keyver 42 -mac_key
>> 404142434445464748494A4B4C4D4E4F -enc_key
>> 404142434445464748494A4B4C4D4E4F
>> -kek_key 404142434445464748494A4B4C4D4E4F
>>
>> Which gave the output:
>> --> 00CA006600
>> <--
>> 734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040255650B06092B8510864864020103660C060A2B060104012A026E01029000
>>
>> --> 80502A0008979FE2303D49553200
>> <-- 000063428007F6A801092A0200016C7FFC113FB9FEBAFC314EA2F27A9000
>> mutual_authentication() returns 0x8030F006 (The Secure Channel Protocol
>> Implementation is invalid.)
>
> Maybe you must pass also a Secure Channel Protocol implementation.
> SCP02 can be combined with:
>
> /* Secure Channel base key */
> GP211_SCP02_IMPL_i04
> GP211_SCP02_IMPL_i14)
>
> /* 3 Secure Channel Keys */
> GP211_SCP02_IMPL_i05
> GP211_SCP02_IMPL_i15)
>
> otherwise this exception will be thrown.
>
> Actually it should be recognized automatically. In the output 00CA006600
> retrieves the data. 734A06072A8 ... is the answer. In the log should be
> mentioned something like OIDCardRecognitionData: ...
>
> I have analyzed the data for you.
> I split here the returned data:
>
> Tag + length
> 734A
> Tag + length + data
> 0607 2A864886FC6B01
>
> 600C
> 060A 2A864886FC6B02020101
>
> 6309
> 0607 2A864886FC6B03
>
> Now the secure channel protocol details follow:
> 640B
> 0609 2A864886FC6B040255
>
> The secure channel protocol is 02
> and the impl is 55. 55 is a problem. This is mentioned in the amendment
> A to GP 2.1.1:
>
> "i" = '55': Initiation mode explicit, C-MAC on modified APDU, ICV set to
> zero, ICV encryption for C-MAC session, 3 Secure Channel Keys,
> well-known pseudo-random algorithm (card challenge).”
>
> GlobalPlatform does not know of this mode. I will fix it. So use 0x15.
> This should also work.
>
> 650B
> 0609 2B8510864864020103
>
> 660C
> 060A 2B060104012A026E0102
>
> Status code for success:
> 9000
>
>>
>> I have seen some references to having to issue a select command before
>> the
>> open_sc however do not know if this is necessary (I am a java
>> programmer,
>> completely new to these cards). After reading another post on this
>> mailing
>> list and which AID to select, one of the ones I shouldn't delete is
>> "A0000000035350" which is the closest in looks to the suggestions (the
>> others all being D276000...) however I don't know if not selecting this
>> is
>> causing the error, or even related.
>
> Usually it is default delected. Maybe not. I it still does not work try
> it. Select to Card Manager / Card Manager Security Domain.
>
> You my also enable debugging output from the GlobalPlatform library (if
> you compile it on your own, or the prebuilt version should include it):
>
> I quote from the current Install.w32 (Windows):
>
> If you need to get debugging output you must have built a debug version
> and enable the debugging by setting the environment variable
> GLOBALPLATFORM_DEBUG=1. If you explicitly set a log file with
> the environment variable GLOBALPLATFORM_LOGFILE, this log file will be
> used.
> The default log file is C:\Temp\GlobalPlatform.log. This must be
> writable for
> the user. Keep in mind that the debugging output may contain sensitive
> information, e.g. keys!
>
> INSTALL (Unix, ...)
>
> --enable-debug:
>
>      If you need to get debugging output you must have built a debug
> version
> and enable the debugging by setting the environment variable
> GLOBALPLATFORM_DEBUG=1. If you explicitly set a log file with
> the environment variable GLOBALPLATFORM_LOGFILE, this log file will be
> used.
> The default log file is /tmp/GlobalPlatform.log. This must be writable
> for the
> user. But if syslog is available during compile time the defualt for
> debugging
> statement is to get syslogged. Keep in mind that the debugging output may
> contain sensitive information, e.g. keys!
>
> You can also try the JCOP tools. If you are lucky the JCOP tools for
> Eclipse will work for you. jcop tools.zip. Unfortunateyl it is not more
> available. Maybe you will find it somewhere. They can help you to
> authenticate to the card. Maybe.
>
> Regards,
> Karsten
>
>>
>> Only having 6 attempts left before rending the phone (worth about £230!)
>> useless I don't want to risk trying things in hope - this is how I
>> locked
>> the first one as I wasn't aware of the limit to 10 attempts.
>>
>> Any advise or suggestions would be much appreciated.
>>
>> Regards,
>> -Jeff Fern
>>
>>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.