10 Replies Latest reply: Aug 7, 2012 12:37 PM by safarmer

JC 2.2.2 prepersonalization - how to personalize

950922 Newbie
Hi there,
I didn't find a topic about my problem so I'm writing a new one. I have a Gemalto card in standard JC 2.2.2. I know that on the card I can find 2 applets. My problem is to use them. I have a lot of documentation about JC and these applets but still can't use them. It is in prepersonalization mode, and the documentation said that I need to personalize it to use the applet. I know that I need to send a few APDU requests in order: select, init update, external auth and then something else. 3 steps and a lot of problems. The first step is quite easy. Using a logical channel I send the APDU request just like in the doc. The second step should be easy too but it's not. When I want the JC to run init update, I get an error (secure status not enough). This problem is because I didn't create a secure channel. And here is my question: how (using Java code) do I create a secure channel? My documentation didn't say how to do this and I can't find it on Google.
Please help me :)
At the moment my code does something like this:
sendApdu(SELECT_APPLET)
getResponse >> 9000
sendApdu(INIT_UPDATE)
getResponse >> 9382

What do I have to do?
And second question: what is a MAC and how do I get it? Just generate it, or should the provider give it to me?
Btw I need to do this in code without any external application like GPShell (don't know how to use it wisely)
Sorry for my English, hope you can understand it easily enough

Thanks for help

sevar
  • 1. Re: JC 2.2.2 prepersonalization - how to personalize
    950748 Newbie
    Hi, Sevar.

    Please write the Init Update command.

    I think this is a problem with the key version.

    In the INIT-update command you must put the key version as shown below

    0x80,0x50,keySetVersion,0x00, hostChallenge, 0x00

    keySetVersion - the key set version byte,
    hostChallenge - random(8)
  • 2. Re: JC 2.2.2 prepersonalization - how to personalize
    950922 Newbie
    Hi there, thank you for the answer.

    I'm sending init_update as 8050010008121a9dc4c2d3e41c

    My doc says that key_version is a value between 0x01 and 0x7F so I just put the first available one; I don't know which value is good or bad, to me they are all the same.

    I read about some protocols called SCP01-SCP03 but I haven't implemented them yet. Should I use them to create this secure channel?

    sevar
  • 3. Re: JC 2.2.2 prepersonalization - how to personalize
    950748 Newbie
    To do External Authenticate to the Security Domain you must do the following steps:
    1. Select Security Domain
    2. INIT Update
    3. External Authenticate

    2. INIT Update
    Each security domain has one or many key sets (3 keys: MAC, ENC, DEC).
    So, every key set has a version. And when you send INIT-Update you tell the Security Domain which key set you have, and the Security Domain must use that key set if it has it. In your case I think there aren't keys with version 01. You must contact the Card Issuer to get information about the key sets.

    3. External Authenticate
    SCP01-03 - it is a type of algorithm to make a Secure Channel and External Authenticate (it is the same).
    Type of SCP - byte number 11 of the InitUpdate response

    Please contact the Card Issuer. Is it a new card?
  • 4. Re: JC 2.2.2 prepersonalization - how to personalize
    safarmer Expert
    2. INIT Update
    Each security domain has one or many key sets (3 keys: MAC, ENC, DEC).
    So, every key set has a version. And when you send INIT-Update you tell the Security Domain which key set you have, and the Security Domain must use that key set if it has it. In your case I think there aren't keys with version 01. You must contact the Card Issuer to get information about the key sets.
    You can use key version 0 which will use the first available key of the security domain. The key version will be returned in the response.

    You can also send GET-DATA 00C0 (80CA00C000) to see what keys are present on the card. You do not need a secure channel for this command.

    Shane
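The INITIALIZE UPDATE exchange from the replies above, as an added example that is not code from the thread: it builds the command (key version 0 or an explicit one, 8-byte host challenge, trailing Le) and decodes the 28-byte SCP01/SCP02 response to read back the key version (byte 10) and SCP identifier (byte 11). The sample response is constructed, not captured from a real card.

```python
# Added example (not from the thread): build INITIALIZE UPDATE and decode its response.

def build_init_update(key_version: int, host_challenge: bytes) -> bytes:
    """CLA 80 INS 50 P1 keyVersion P2 00 Lc 08 <host challenge> Le 00 (as in reply 1)."""
    if not 0 <= key_version <= 0x7F:      # 0x00 = first available key set (reply 4)
        raise ValueError("key version must be 0x00..0x7F")
    if len(host_challenge) != 8:
        raise ValueError("host challenge must be exactly 8 bytes")
    return bytes([0x80, 0x50, key_version, 0x00, 0x08]) + host_challenge + b"\x00"


def parse_init_update_response(resp: bytes) -> dict:
    """Split data and SW; on 9000 decode the fixed 28-byte SCP01/SCP02 layout."""
    if len(resp) < 2:
        raise ValueError("response too short for a status word")
    data, sw = resp[:-2], int.from_bytes(resp[-2:], "big")
    result = {"sw": sw}
    if sw != 0x9000:
        return result                     # e.g. 6982: no usable key set / card locked
    if len(data) != 28:
        # SCP03 responses are longer (extra 'i' byte, optional counter); not decoded here
        raise ValueError("unexpected INITIALIZE UPDATE data length %d" % len(data))
    result.update({
        "key_diversification": data[0:10].hex(),
        "key_version": data[10],          # key set version the card actually chose
        "scp_id": data[11],               # 0x01 = SCP01, 0x02 = SCP02
        # SCP02 splits this field into a 2-byte sequence counter + 6-byte challenge
        "card_challenge": data[12:20].hex(),
        "card_cryptogram": data[20:28].hex(),
    })
    return result


# Constructed sample response (not from a real card): key version 01, SCP02, SW 9000
SAMPLE_RESPONSE = bytes.fromhex(
    "00000000000000000000" "01" "02" "0001" "112233445566" "8877665544332211" "9000")
```

The card cryptogram must still be verified with the session keys before EXTERNAL AUTHENTICATE is sent; that step depends on the SCP version and keys the issuer supplied.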
  • 5. Re: JC 2.2.2 prepersonalization - how to personalize
    950922 Newbie
    The card is new. I didn't get it directly from Gemalto, just from my employer. I can't send "getdata" and not even "getstatus"; I heard today that this card could be blocked but I don't know what I need and what I have to do to unlock it. I have 2 keys: ISK and the mother key from the card manager. That's all.

    @Safarmer: Card response: Unknown instruction code

    P.S. how to check that the card is blocked when I can't send even the getStatus APDU?
    The only APDU requests that the card accepted are: select SD and select AID (only 1 applet)
  • 6. Re: JC 2.2.2 prepersonalization - how to personalize
    safarmer Expert
    @Safarmer: Card response: Unknown instruction code
    The GET-DATA command should always be available regardless of the card content state. There may be an issue where the JCRE has detected a security intrusion and has terminated the JCVM, but I don't think this is the case if SELECT still works. Was this against the card manager or the default selected applet? If you did not before, you can try explicitly selecting the card manager before sending GET DATA.

    Table 9-1 of GP card spec 2.1.1 has a table of what commands are supported in each card content state.
    P.S. how to check that the card is blocked when I can't send even the getStatus APDU?
    If the card is blocked because of the number of failed attempts, INIT-UPDATE will return security condition not satisfied.
    The only APDU requests that the card accepted are: select SD and select AID (only 1 applet)
    Are you selecting an SSD or the ISD? Does sending 00a40400 work and what is the response?

    Shane
  • 7. Re: JC 2.2.2 prepersonalization - how to personalize
    950922 Newbie
    I have 2 cards now. The first still doesn't work; the second:

    I got "getdata" from GPShell, meaning 80CA9F7F00
    response in terminal: 90 00
    response in GPShell:
    Response <-- 9F7F2A40906685129192890200019933022B2A20861292214312932143129421430000002000000000000000009000
    9F7F2A40906685129192890200019933022B2A2086129221431293214312942143000000200000000000000000

    How is this possible?

    send: 00a40400
    response: 90 00
    Nothing else.
    I was selecting the SSD

    I didn't use this doc, just documentation from my employer, but now I see there is a lot more information than in their doc.

    So now I'll read this document, and I'll try to write my own script for GPShell (guess it'll be quite a good idea to move toward)
    And then when I learn it, I'll be back here with problems

    Thanks to everyone who helped me to this moment, especially safarmer. Really big thanks :)

    P.S. I saw that another script needs a command called "set manufacturing info". Of course this APDU is in their document, so I guess to use it I need to select this applet first. Am I right?

    Edited by: Sevar on 2012-07-26 23:58
  • 8. Re: JC 2.2.2 prepersonalization - how to personalize
    safarmer Expert
    Sevar wrote:
    I have 2 cards now. The first still doesn't work; the second:

    I got "getdata" from GPShell, meaning 80CA9F7F00
    response in terminal: 90 00
    response in GPShell:
    Response <-- 9F7F2A40906685129192890200019933022B2A20861292214312932143129421430000002000000000000000009000
    9F7F2A40906685129192890200019933022B2A2086129221431293214312942143000000200000000000000000

    How is this possible?
    What do you mean by response in terminal?
    send: 00a40400
    response: 90 00
    Nothing else.
    You may get more response data with an Le of 00 (00a4040000); some cards will not return a response if you do not ask for one.
    I didn't use this doc, just documentation from my employer, but now I see there is a lot more information than in their doc.

    So now I'll read this document, and I'll try to write my own script for GPShell (guess it'll be quite a good idea to move toward)
    And then when I learn it, I'll be back here with problems
    That sounds like a good plan. There is also a lot of good information in the README for GPShell that explains the commands it supports.
    P.S. I saw that another script needs a command called "set manufacturing info". Of course this APDU is in their document, so I guess to use it I need to select this applet first. Am I right?
    This could be for setting parts of the CPLC that refer to the personalisation of the card. Some parts of the CPLC reflect who personalised the card and what equipment was used etc. If this is outlined in the documentation though, you should have no problem creating scripts to perform these commands.

    Shane
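An added example (not code from the thread) that decodes the GET DATA 9F7F response Sevar pasted above: it splits off the status word that the terminal application displayed on its own, then breaks the 42-byte CPLC body into its fields so the pre-personalization and personalization entries Shane mentions can be read directly. The field layout is the standard CPLC layout as GPShell prints it; the all-zero personalizer check is my own heuristic, not something the thread states.

```python
# Added example (not from the thread): decode the CPLC (tag 9F7F) GET DATA response.

CPLC_FIELDS = [  # (name, length in bytes); 0x2A = 42 bytes in total
    ("ic_fabricator", 2), ("ic_type", 2), ("os_id", 2), ("os_release_date", 2),
    ("os_release_level", 2), ("ic_fabrication_date", 2), ("ic_serial_number", 4),
    ("ic_batch_identifier", 2), ("ic_module_fabricator", 2),
    ("ic_module_packaging_date", 2), ("icc_manufacturer", 2), ("ic_embedding_date", 2),
    ("ic_pre_personalizer", 2), ("ic_pre_personalization_date", 2),
    ("ic_pre_personalization_equipment_id", 4), ("ic_personalizer", 2),
    ("ic_personalization_date", 2), ("ic_personalization_equipment_id", 4),
]


def split_response(resp: bytes):
    """Last two bytes are SW1 SW2 (the 90 00 the terminal showed); the rest is data."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def parse_cplc(data: bytes) -> dict:
    """Expect tag 9F7F, one-byte length 0x2A, then the fixed-layout CPLC body."""
    if data[:2] != b"\x9f\x7f":
        raise ValueError("not a CPLC tag: %s" % data[:2].hex())
    length, body = data[2], data[3:]
    if length != 0x2A or len(body) != 0x2A:
        raise ValueError("CPLC length mismatch: %d/%d" % (length, len(body)))
    fields, off = {}, 0
    for name, size in CPLC_FIELDS:
        fields[name] = body[off:off + size].hex().upper()
        off += size
    return fields


def personalized(fields: dict) -> bool:
    """Heuristic (my assumption): all-zero personalizer fields mean not yet personalized."""
    return any(int(fields[k], 16) != 0 for k in
               ("ic_personalizer", "ic_personalization_date",
                "ic_personalization_equipment_id"))


# The response quoted in the post above (GPShell output with SW 9000 appended)
RESPONSE = bytes.fromhex(
    "9F7F2A40906685129192890200019933022B2A2086129221431293214312942143"
    "000000200000000000000000" "9000")
```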
  • 9. Re: JC 2.2.2 prepersonalization - how to personalize
    950922 Newbie
    Hello again!

    Terminal means my application - it can send and receive APDUs. I know what I did wrong - APDU has a method getData() and I didn't notice it earlier :)
    GPShell is already quite easy.

    My other question: how to authorize the card using a MAC? I need to send an APDU where DATA is RND.ICC || RND.IFD || MAC[KISK_AUT1](RND.IFD || RND.ICC)
    where:
    RND.ICC is 8 bytes generated by the card
    RND.IFD is the same but generated by the terminal
    MAC[KISK_AUT1](RND.IFD || RND.ICC) is a MAC generated using the other numbers

    But I don't know how to create this MAC. I found that javacard.security.Signature could do this but don't know how. May I ask for an example or a link to information about it? All I found is the pure doc and I haven't used that structure before.

    Thanks

    Sevar
  • 10. Re: JC 2.2.2 prepersonalization - how to personalize
    safarmer Expert
    A MAC (http://en.wikipedia.org/wiki/Message_authentication_code) is a generic term. You need to find out what MAC algorithm is used. This should be in what ever documentation you are following.

    - Shane

    Edited by: safarmer on Aug 7, 2012 12:36 PM - Oracle needs to stop messing with the controls. Why have a link button that doesn't insert links :(
