20 Replies. Latest reply: Jul 19, 2012 2:32 AM by Umer

jcshell: Error code: -5 (Authentication failed)

805963 Newbie
Hey guys,

I need help with my JC project. I want to deploy/download a simple applet onto a real card which was actually developed by some company and has some applet. Firstly, I got the following error:
Status: No Error
jcshell: Error code: -8 (Failed (no diagnosis))
jcshell: Command failed: No such key: 1/1
Unexpected error; aborting execution
Shane explained a solution to the problem in another thread (Which are the keys for JCOP31C232 used in command "init-update"). Now I get another error:
cm> /term "winscard:4|OMNIKEY CardMan 5x21 0"
/card -a a000000003000000 -c com.ibm.jc.CardManager
ATR: 3BF81800FF8131FE454A434F507632343143
ATR:
T = 1
cm> set-key 1/1/DES-ECB/404142434445464748494a4b4c4d4e4f 1/2/DES-ECB/404142434445464748494a4b4c4d4e4f 1/3/DES-ECB/404142434445464748494a4b4c4d4e4f
cm> init-update 1
jcshell: Error code: -5 (Authentication failed)
jcshell: Wrong response APDU: 00000353021436954415010200020090758652BBBB0F31871AC812479000
Unexpected error; aborting execution
Is it possible that the card is locked for changes?

Thanks for any help.

Regards,
errno
  • 1. Re: jcshell: Error code: -5 (Authentication failed)
    Umer Journeyer
    If you attempted more than 10 times then you have blocked it.
  • 2. Re: jcshell: Error code: -5 (Authentication failed)
    805963 Newbie
    No - I didn't. I tried maybe two or three times.

    Could it be possible that the card is locked by the owner company so that I cannot download my own applets?

    Thanks
  • 3. Re: jcshell: Error code: -5 (Authentication failed)
    Umer Journeyer
    There are two possibilities: one is that the card is blocked and the other is that the default keys have been changed by someone (most probably by the card issuer).
  • 4. Re: jcshell: Error code: -5 (Authentication failed)
    805963 Newbie
    Is there any way to find out which of these two possibilities is right in this case? With issuer you mean NXP I suppose - it's a JCOP card and not the company that has developed the applet that is ready on the card. Any way to find out whether a card is locked?

    Thanks and best regards,
    errno
  • 5. Re: jcshell: Error code: -5 (Authentication failed)
    safarmer Expert
    Your card is not locked. You would get an error status word, not a real response. It is most likely the wrong keys for your card. The error is a failed authentication. To find the keys you need to talk to who you got the cards from. Have you managed to authenticate to one of these cards before?

    Shane
  • 7. Re: jcshell: Error code: -5 (Authentication failed)
    safarmer Expert
    with issuer you mean NXP I suppose - it's a JCOP card
    If it were the default keys on a development card, the keys would not be in key version 1. It is most likely they have been changed.
    the company that has developed the applet that is ready on the card. Any way to find out whether a card is locked?
    Check with the company that loaded the other applet onto the card. They most likely rotated the keys when they loaded their applet.

    Shane
  • 8. Re: jcshell: Error code: -5 (Authentication failed)
    805963 Newbie
    Thanks Shane for your help. I'll try to find out what the new keys are. These keys are used for an internal authentication, right? Is it possible to add additional keys so that I can download my applets to the card as well? In that case, I suppose, it doesn't matter because we have access to the key repository (not sure how this is really called).

    Thanks for your help and regards,
    errno
  • 9. Re: jcshell: Error code: -5 (Authentication failed)
    safarmer Expert
    Once you have these keys you can perform a mutual authentication and it will give you full access to the card manager to load and install applets.

    Shane
  • 10. Re: jcshell: Error code: -5 (Authentication failed)
    Umer Journeyer
    Is it possible to add additional keys so that I can download my applets to the card as well? In that case, I suppose, it doesn't matter because we have access to the key repository (not sure how this is really called).
    No, you cannot. You first have to authenticate the card and then you can define new keys or change the existing keys. It is a security feature of Java Card; otherwise any entity would be able to install applications on others' cards.
  • 11. Re: jcshell: Error code: -5 (Authentication failed)
    805963 Newbie
    Maybe I did not express myself correctly - is it possible for the card owner company to add additional key(s) which are then usable only by me? Of course I cannot change anything now. Is this process of authentication described somewhere? Is it not possible to protect a single applet slot - why should I lock the card for new deployments when the security of my applet is not a problem?

    Thanks and regards,
    errno
  • 12. Re: jcshell: Error code: -5 (Authentication failed)
    safarmer Expert
    Umer wrote:
    Is it possible to add additional keys so that I can download my applets to the card as well? In that case, I suppose, it doesn't matter because we have access to the key repository (not sure how this is really called).
    No, you cannot. You first have to authenticate the card and then you can define new keys or change the existing keys. It is a security feature of Java Card; otherwise any entity would be able to install applications on others' cards.
    That is the issue they are facing now. Once they have the keys they can install applets without changing keys if they want. It is a good idea to change the keys before you ship a card though (put the CDK keys replacing the existing keys and secure the card manager). For development though, this is not required.

    Shane
  • 13. Re: jcshell: Error code: -5 (Authentication failed)
    805963 Newbie
    Hello Shane and Umer,

    Why is that a good idea? When I buy a car I can install new accessories. When I pay for the card - that's then mine. Now, why would someone protect/lock the whole card if there is no way to do bad things with an applet of the company I bought the card from? Is this kind of authentication described somewhere?

    Thanks and regards,
    errno
  • 14. Re: jcshell: Error code: -5 (Authentication failed)
    safarmer Expert
    is it possible for the card owner company to add additional key(s) which are then usable only by me?
    Not really. In GP 2.2 it may be possible to have multiple security domains where different developers can load applets but there is still a main issuer that can delete your applets (or security domain). I have not had much of a chance to look at cards that support GP 2.2 so I do not have all the details on this. In GP 2.1.1 it is not possible. If you have the keys for the ISD you can do whatever you like to the card.
    Is this process of authentication described somewhere?
    Yes. It is in the GP card spec. Look for the appendix on secure channel protocol 02.
    Is it not possible to protect a single applet slot - why should I lock the card for new deployments when the security of my applet is not a problem?
    Secured is a card manager state that doesn't lock you out of the card, it just means some things are not possible (like starting a secure channel without MAC'ing). When you are developing you can keep the card in OP_READY or INITIALIZED.

    Shane
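
Added example (not part of the original thread, and not jcshell's own code): a Python decoder for the INITIALIZE UPDATE response quoted in the first post, using the GlobalPlatform SCP01/SCP02 response layout. It makes visible the points raised in replies 5, 7 and 14: the card returned status word 9000 rather than an error, it answered with key version 1, and it uses SCP02. The class and function names are assumptions made for this example.

```python
from dataclasses import dataclass

# Response APDU copied from the jcshell error message in the first post.
RESPONSE_HEX = "00000353021436954415010200020090758652BBBB0F31871AC812479000"


@dataclass
class InitUpdateResponse:          # hypothetical name, for this example only
    diversification_data: bytes    # 10 bytes, card-specific
    key_version: int               # version of the key set the card answered with
    scp: int                       # secure channel protocol identifier (1 or 2)
    sequence_counter: bytes        # 2 bytes in SCP02, empty in SCP01
    card_challenge: bytes          # 6 bytes in SCP02, 8 bytes in SCP01
    card_cryptogram: bytes         # 8 bytes, computed by the card from its own keys
    sw: int                        # status word


def parse_init_update(hex_apdu: str) -> InitUpdateResponse:
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 2:
        raise ValueError("response is shorter than a status word")
    body, sw = raw[:-2], int.from_bytes(raw[-2:], "big")
    if sw != 0x9000:
        # The card refused the command outright: only an error status word came back.
        raise ValueError(f"INITIALIZE UPDATE rejected, SW={sw:04X}")
    if len(body) != 28:
        raise ValueError(f"expected 28 data bytes, got {len(body)}")
    scp = body[11]
    if scp == 2:
        counter, challenge = body[12:14], body[14:20]
    elif scp == 1:
        counter, challenge = b"", body[12:20]
    else:
        raise ValueError(f"unsupported SCP identifier {scp:#04x}")
    return InitUpdateResponse(body[:10], body[10], scp, counter,
                              challenge, body[20:28], sw)


def summarize(hex_apdu: str) -> str:
    r = parse_init_update(hex_apdu)
    return (f"SW={r.sw:04X} key_version={r.key_version} SCP{r.scp:02d} "
            f"counter={r.sequence_counter.hex().upper()} "
            f"challenge={r.card_challenge.hex().upper()} "
            f"cryptogram={r.card_cryptogram.hex().upper()}")


if __name__ == "__main__":
    print(summarize(RESPONSE_HEX))
```

jcshell reports error -5 when the card cryptogram in this response does not match the value it computes from the keys given to set-key, which is why a well-formed 9000 response can still end in "Authentication failed".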