    Put Key order

      Hello everyone,

      I've successfully changed the KMAC, KENC & KEK keys through GPshell, but there is something I do not understand when it constructs the APDU.

      *[1]* Using GPshell, and changing only the KMAC key, it changes all three keys (I just wanted to change KMAC). I was unable to find in the GP specification, nor in the GP Key Management System documents, why this happens.

      The command used is:
      #put_sc_key -keyver 4 -newkeyver 5 -mac_key 414142434445464748494A4B4C4D4E4E

      The execution of this command is:
      CLA   INS   P1(Kver)   P2(Kid)   LC
      80    D8    04         81        43

      N.V. number

      Ktype   Kle   New Key                                           L.CValue   K.V
      80      10    EF BE E6 C6 D9 9D 7B 70 BD E9 D7 E9 27 F0 20 AF   03         8B AF 47
      80      10    B3 CD A7 9E AF DA 24 14 CC 32 1B 9C 7A 91 16 CE   03         8B AF 47
      80      10    EF BE E6 C6 D9 9D 7B 70 BD E9 D7 E9 27 F0 20 AF   03         8B AF 47

      As can be seen, it sets an unknown (DES+CBC) key in the first and third places, and in the second the actual KMAC.

      *[2]* When setting only "-enc_key" in GPshell, it changes the first two keys and sets the third key to an unknown (DES+CBC) key.

      80 D8 06 81 43 07
      8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
      8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
      8010 EFBEE6C6D99D7B70BDE9D7E927F020AF038BAF47

      *[3]* Finally, the same operation in GPshell with only "-kek_key" changes all three keys to the same value.

      80 D8 07 81 43 08
      8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
      8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
      8010 F4A8CAA63DD4F37190D37089B5FB024903AE7589

      Does anyone know where this behavior is explained in detail? It doesn't make sense to me.

        • 1. Re: Put Key order
          This is most likely an issue with the GPShell code. The GP card spec says you can specify a key version and key ID in the PUT KEY command. As a workaround you can try to set the other two keys to the current value.

          - Shane
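
Added example (not part of the thread and not GPShell code): a small decoder for the PUT KEY APDUs quoted in the question, useful for checking which key slots a tool is about to overwrite before the command is sent to a card. It assumes the layout shown in the post (new key version, then key type / length / key data / KCV length / KCV per key) and that key IDs count up from P2 when its high bit is set; all function and field names are illustrative.

```python
from dataclasses import dataclass

# APDUs [2] and [3] copied from the question above (whitespace is ignored).
APDU_ENC_ONLY = """80 D8 06 81 43 07
8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
8010 B3CDA79EAFDA2414C81268ADFF4D471903AE7589
8010 EFBEE6C6D99D7B70BDE9D7E927F020AF038BAF47"""
APDU_KEK_ONLY = """80 D8 07 81 43 08
8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
8010 F4A8CAA63DD4F371AA0A1E5903EE51FB03AE7589
8010 F4A8CAA63DD4F37190D37089B5FB024903AE7589"""

@dataclass
class KeyEntry:
    key_id: int       # slot the card will write, counted up from P2 (assumption)
    key_type: int     # 0x80 = DES, mode implicitly known
    key_data: bytes   # key value exactly as carried in the APDU
    kcv: bytes        # key check value

def parse_put_key(apdu_hex: str) -> dict:
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 6 or apdu[0] != 0x80 or apdu[1] != 0xD8:
        raise ValueError("not a PUT KEY command")
    p1, p2, lc = apdu[2], apdu[3], apdu[4]
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("data field shorter than Lc")
    pos, keys = 1, []          # data[0] is the new key version number
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated key block")
        chunk, pos = data[pos:pos + n], pos + n
        return chunk

    while pos < len(data):
        key_type, key_len = take(2)
        key_data = take(key_len)
        kcv = take(take(1)[0])
        keys.append(KeyEntry((p2 & 0x7F) + len(keys), key_type, key_data, kcv))
    return {"old_version": p1 & 0x7F, "new_version": data[0],
            "multiple_keys": bool(p2 & 0x80), "keys": keys}

def slots_by_kcv(parsed: dict) -> dict:
    """Group key IDs by KCV; equal KCVs mean the same key value is being loaded."""
    groups = {}
    for k in parsed["keys"]:
        groups.setdefault(k.kcv.hex().upper(), []).append(k.key_id)
    return groups
```

Running `slots_by_kcv` on a command before sending it makes it obvious when a tool is filling slots you did not ask it to change.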