Re: [Muscle] Re: JCOP31/Global Platform Secure Channel stuff - and GPShell (Michael StJohns)

From: Michael StJohns (mstjohnscomcast.net)
Date: Fri Jan 11 2008 - 10:39:41 CST


$ !!
./GPShell <listgp211.txt
mode_211
enable_trace
establish_context
card_connect
* reader name Gemplus GemPC Express 0
select -AID a000000003000000
--> 00A4040008A000000003000000
<-- 6F108408A000000003000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
--> 00CA006600
<-- 734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000

--> 8050000008F72B300DCD49944000
<-- 00006306002264910677FF016783A0F116E618D317BA5C7B57DC75B99000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)

At 05:40 1/11/2008, Alexej Muehlberg wrote:

>Are you stating that the JCOP31 card shows via the INIT-UPDATE command SCP02, but is in reality doing SCP01? Can you please post the authentication APDU trace + identify command?

GPShell first does a GET DATA to retrieve the Card Recognition data. Part of the returned blob is an OID (defined in Appendix H) which describes the supposed SCP for the card - in this case, the data is "2A864886FC6B040215" - or an OID of 1.2.840.114283.4.2.21. The last two numbers define the SCP (2) and the options (21 dec - 15 hex).

The GlobalPlatform libraries - if told to use mode 211 - check this to figure out which SCP. The lib doesn't appear to check the returned value from the INITIALIZE UPDATE to make sure it really is SCP 02.

The card recognition data is obviously wrong - but the question is what's the right behavior here? Throw an error on the mismatch, or pay attention to the SCP value returned by INITUP and do the right thing?

The asn1 dump of the card recognition data is

$ ./dumpasn1 resp.bin
   0 74: [APPLICATION 19] {
   2 7: OBJECT IDENTIFIER gpRecognitionData (1 2 840 114283 1)
  11 12: [APPLICATION 0] {
  13 10: OBJECT IDENTIFIER gpMgtV211 (1 2 840 114283 2 2 1 1)
         : }
  25 9: [APPLICATION 3] {
  27 7: OBJECT IDENTIFIER gpCardIDScheme (1 2 840 114283 3)
         : }
  36 11: [APPLICATION 4] {
  38 9: OBJECT IDENTIFIER gpSecureChanProtv2s21 (1 2 840 114283 4 2 21)
         : }
  49 11: [APPLICATION 5] {
  51 9: OBJECT IDENTIFIER '1 3 656 840 100 2 1 3'
         : }
  62 12: [APPLICATION 6] {
  64 10: OBJECT IDENTIFIER '1 3 6 1 4 1 42 2 110 1 2'
         : }
         : }


_______________________________________________
Muscle mailing list
Musclelists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
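
Added example, not part of the original message and not GPShell or GlobalPlatform library code: a cross-check of the SCP declared in the Card Recognition Data against the SCP identifier in the INITIALIZE UPDATE response, using the two responses from the trace above. The function names are hypothetical, and the INITIALIZE UPDATE layout (10 bytes of key diversification data, then key version and SCP identifier) is assumed from GlobalPlatform 2.1.1.

```python
# Added example: compare the SCP a card declares with the SCP it negotiates.
GP_SCP_PREFIX = bytes.fromhex("2A864886FC6B04")  # OID 1.2.840.114283.4

# Responses copied from the GPShell trace in this message (status word included).
GET_DATA_RESP = bytes.fromhex(
    "734A06072A864886FC6B01600C060A2A864886FC6B02020101630906072A864886FC6B03640B"
    "06092A864886FC6B040215650B06092B8510864864020103660C060A2B060104012A026E01029000")
INIT_UPDATE_RESP = bytes.fromhex(
    "00006306002264910677FF016783A0F116E618D317BA5C7B57DC75B99000")

def tlvs(buf):
    """Yield (tag, value) pairs; single-byte tags and short-form lengths only."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] >= 0x80 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("unsupported or truncated TLV at offset %d" % i)
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def strip_sw(resp):
    """Return the response body, rejecting anything but status word 9000."""
    if resp[-2:] != b"\x90\x00":
        raise ValueError("status word is not 9000")
    return resp[:-2]

def declared_scp(get_data_resp):
    """(SCP, option) from the OID under tag 0x64 of the Card Recognition Data."""
    crd = dict(tlvs(strip_sw(get_data_resp)))[0x73]
    oid = dict(tlvs(dict(tlvs(crd))[0x64]))[0x06]
    # Assumes both trailing arcs are below 128, so each is a single byte.
    if not oid.startswith(GP_SCP_PREFIX) or len(oid) != len(GP_SCP_PREFIX) + 2:
        raise ValueError("unexpected SCP OID " + oid.hex())
    return oid[-2], oid[-1]

def negotiated_scp(init_update_resp):
    """(key version, SCP identifier) from the INITIALIZE UPDATE key information."""
    body = strip_sw(init_update_resp)
    if len(body) != 28:
        raise ValueError("unexpected INITIALIZE UPDATE length %d" % len(body))
    return body[10], body[11]

def scp_mismatch(get_data_resp, init_update_resp):
    """True when the declared SCP differs from the one INITIALIZE UPDATE reports."""
    return declared_scp(get_data_resp)[0] != negotiated_scp(init_update_resp)[1]

if __name__ == "__main__":
    print("declared SCP %02d option 0x%02X" % declared_scp(GET_DATA_RESP))
    print("key version 0x%02X, negotiated SCP %02d" % negotiated_scp(INIT_UPDATE_RESP))
    print("mismatch:", scp_mismatch(GET_DATA_RESP, INIT_UPDATE_RESP))
```
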