All,

First, sorry for the long post.

My problem is that I have to authenticate the terminal with a GemPlus
MPCOS-EMV smart card using the following algorithm (this is in the G+
MPCOS-EMV manual):

Known by both the card and the terminal: The "System" key, K, a 16-byte key.

1. The terminal generates an eight-byte random number, TRnd, and sends
it to the card.
2. The card then generates its own eight-byte random number, CRnd.
3. The card takes the 4 ms bytes of TRnd and CRnd and concatenates them
in to RN, so RN=TRnd7,...,TRnd4,CRnd7,...,CRnd4.
4. The card then computes the temporary administration key, Kats, where
Kats=3DES_16(RN,K).
5. Next, the card generates a cryptogram, CR, based on TRnd and Kats,
so CR=3DES(TRnd,K).
6. The card then returns the 4 ls bytes of CR and the entire RN to the
terminal, i.e., card returns CR3,...,CR0,RN7,...,RN0.
7. The terminal can then compute Kats, and CR to verify that Kats was
computed correctly.
8. The terminal then uses Kats to perform administrative functions on
the card.

NOTES:

The card docs show the following regarding the various DES:

3DES (EDE mode: Encrypt Decrypt Encrypt) -
        
        16-byte Key = KLeft + KRight
        8-byte plain text = Data

        r1 = DES(Data,KLeft)
        r2 = DES-1(r1,KRight)
        r3 = DES(r2,KLeft)

        3DES cryptogram (8-bytes) = r3

3DES-1 -
        
        16-byte Key = KLeft + KRight
        8-byte 3DES cryptogram = Data

        r1 = DES-1 (Data,KLeft)
        r2 = DES(r1,KRight)
        r3 = DES-1 (r2,KLeft)

        Plain text data (8-bytes) = r3
        
3DES_16 -

        16-byte Key = KLeft + KRight
        8-byte plain text = Data

        r1 = DES(Data,KLeft) r4 = DES(Data,KRight)
        r2 = DES-1(r1,KRight) r5 = DES-1(r4,KLeft)
        r3 = DES(r2,KLeft) r6 = DES(r5,KRight)

        3DES_16 cryptogram (16-bytes) = r3 + r6

        Note that 3DES_16 returns a 16-byte cryptogram given an 8-byte plain
text.

The documentation does not mention ECB or CBC, so I'm assuming ECB. It does
mention CBC mode for another process, computing the crypto checksum for
secure messaging, hence the assumption of ECB mode.

I have found several DES implementations on the web and also have the source
from Mastering Algorithms with C, O'Reilly 1999. All of the DES algorithms
I have tested are able to encrypt the plain text to a cryptogram and decrypt
the cryptogram to the correct plain text, but all the cryptograms generated
were different for each DES algorithm. Is this expected? Is the DES
algorithm not a standard as the name would lead you to believe? If the DES
implementations all generate different cryptograms, how can I be expected to
perform the necessary computations to generate Kats and authenicate the
terminal to the card? As my only method of verifing that I computed Kats
correctly is to generate CR and compare the results to that of the card.

After testing all of the DES routines, generating Kats and CR, I cannot
match what the card generates. These are test cards so the system key is
known ("TEST KEYTEST KEY" if interested).

If anyone has any insight, it would help.

Again, sorry for the long post.

Thanks,
JP

***************************************************************
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
http://www.linuxnet.com/smartcard/index.html
***************************************************************

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]