This discussion is archived
1 Reply Latest reply: Nov 12, 2012 4:05 PM by safarmer RSS

Put Key order

930592 Newbie
Currently Being Moderated
Hello eveyone,

I've sucessfully changed the KMAC, KENC & KEK keys through GPshell, but there is something i do not understand when it constructs the APDU.

*[1]* Using GPshell, and changing only the KMAC key it changes all three keys (I just wanted to change KMAC) I was unable to find in the GP specification, nor in GP Key Management System
documents why this happens.

The command used is:
#put_sc_key -keyver 4 -newkeyver 5 -mac_key 414142434445464748494A4B4C4D4E4E

The execution of this command is:
CLA ins          P1(Kver)          P2(Kid)          LC
80      D8          04               81     43

N.V. number
05
Ktype     Kle          New Key                                                            L.CValue     K.V
80          10          EF BE E6 C6 D9 9D 7B 70 BD E9 D7 E9 27 F0 20 AF      03               8B AF 47
80          10          B3 CD A7 9E AF DA 24 14 CC 32 1B 9C 7A 91 16 CE      03               8B AF 47     
80          10          EF BE E6 C6 D9 9D 7B 70 BD E9 D7 E9 27 F0 20 AF      03               8B AF 47


As can be seen, it sets an unknown (DES+CBC) key on the first and third place, and in the second the actual KMAC.

*[2]* When setting in GPshell only "-enc_key"
It changes the two first keys and sets the third key to an unknown (DES+CBC) key.

80 D8 06 81 43 07
8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
8010 EFBEE6C6D99D7B70BDE9D7E927F020AF038BAF47
00


*[3]* Finally, the same operation in GPshell with only "-kek_key" it changes all three keys to the same value.

80 D8 07 81 43 08
8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
8010 F4A8CAA63DD4F37190D37089B5FB024903AE7589
00

Someone knows where this behavior is explained in detail? it doesn't make sense to me.

Thanks,
  • 1. Re: Put Key order
    safarmer Expert
    Currently Being Moderated
    This is most likely an issue with the GPShell code. The GP card spec says you can specify a key version and key ID in the PUT KEY command. As a workaround you can try to set the other two keys to the current value.

    - Shane

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points