
1. Re: PUT KEY - calculation of Encrypted Key value problem
801926 Jan 29, 2013 11:52 AM (in response to 970895)
It depends on what SCP and what option you use. Likely it's SCP02 option 55; there you need to take care to use ECB for DEK session key calculation (see GP 2.1.1, E.4.7). For SCP01, the DEK key is static.
2. Re: PUT KEY - calculation of Encrypted Key value problem
970895 Jan 29, 2013 12:56 PM (in response to 801926)
Hi lexdabear,
thank you for your quick answer.
I am using the SCP02 secure channel protocol, but I don't know which implementation option "i" I'm using... I suppose it is 55 or 15. How can I check it?
I think that in an explicit secure channel session all DES session keys (CMAC, RMAC, SENC, DEK) are generated using triple DES in CBC mode. In the GP card spec v2.2 this is written in E.4.1.
I have read something about cryptographic algorithms in the GP card spec and maybe I sense the source of the problem: the Initial Chaining Vector (ICV). Below, you can see the log from JCShell. I think that in calculating the Encrypted Key Value I am also using an ICV with value 0, and that is bad. In GP spec v2.2, part E.1.3, I read:
"The integrity of the sequence of APDU command or response messages being transmitted to the receiving entity is achieved by using the MAC from the current command or response as the (possibly encrypted) Initial Chaining Vector (ICV) for the subsequent command or response. This ensures the receiving entity that all messages in a sequence have been received. Computing the ICV is detailed in Appendix E.3 – Cryptographic Algorithms."
So, is it necessary to use the MAC value calculated for the extauth command as the ICV? Or is the value of the ICV calculated in a different way?
Thank you,
MIlanatik
My log:
cm> initupdate 255
=> 80 50 00 00 08 AB E6 0E 71 20 D4 E0 8E 00 .P......q ....
(69114 usec)
<= 00 00 20 66 00 06 85 95 90 42 FF 02 00 08 8B 32 .. f.....B.....2
0E C6 0E 9B 03 69 5E 27 D7 A4 F9 E2 90 00 .....i^'......

My note:
sequence number 0008
Card challenge: 8B320EC60E9B
Card cryptogram: 03695E27D7A4F9E2

Status: No Error
cm> extauth
=> 84 82 00 00 10 3B 2B BE 2C 53 6F BC 41 3A 41 60 .....;+.,So.A:A`
FC FB AD 58 3A ...X:

My note:
calculated Host cryptogram: 3B2BBE2C566FBC41
Calculated MAC: 3A4160FCFBAD583A
Initial Vector: 0

(77098 usec)
<= 90 00 ..
Status: No Error
cm> setkey 20/1/DESECB/101112131415161718191a1b1c1d1e1f
cm> setkey 20/2/DESECB/101112131415161718191a1b1c1d1e1f
cm> setkey 20/3/DESECB/101112131415161718191a1b1c1d1e1f
cm> printkey
20/1/DESECB/101112131415161718191A1B1C1D1E1F
20/2/DESECB/101112131415161718191A1B1C1D1E1F
20/3/DESECB/101112131415161718191A1B1C1D1E1F
cm> putkeyset 20
=> 80 D8 00 81 43 14 80 10 D6 AA 05 53 6E BB 5C 63 ....C......Sn.\c
E0 B1 8D 3A AE 9C D0 A5 03 FE 8A 09 80 10 D6 AA ...:............
05 53 6E BB 5C 63 E0 B1 8D 3A AE 9C D0 A5 03 FE .Sn.\c...:......
8A 09 80 10 D6 AA 05 53 6E BB 5C 63 E0 B1 8D 3A .......Sn.\c...:
AE 9C D0 A5 03 FE 8A 09 00 .........
(160237 usec)
<= 14 FE 8A 09 FE 8A 09 FE 8A 09 90 00 ............
Status: No Error 
3. Re: PUT KEY - calculation of Encrypted Key value problem
801926 Jan 29, 2013 1:41 PM (in response to 970895)
ICV is zero for ENC and DEK keys.
GP 2.1.1:
E.4.7 Sensitive Data Encryption and Decryption
Data encryption is used when transmitting sensitive data to the card and is over and beyond the security level required for the Secure Channel; For instance all DES keys transmitted to a card (e.g. in a PUT KEY command) should be encrypted. The data encryption process uses the data encryption session key and the encryption method described in Appendix B.1.1.2 – Encryption/Decryption ECB Mode when using explicit initiation of the Secure Channel and ..

4. Re: PUT KEY - calculation of Encrypted Key value problem
970895 Jan 30, 2013 7:27 AM (in response to 801926)
Hi lexdabear,
thank you for your answer, but now I'm really confused...
Can you write a brief sequence of steps for how to calculate the encrypted key value? All the needed data can be found in the replies above.
Thank you,
Milan 
5. Re: PUT KEY - calculation of Encrypted Key value problem
970895 Jan 30, 2013 11:01 AM (in response to 970895)
Hi all,
my problem has been solved! Thanks, lexdabear, for the hints.
Here are the steps to calculate the Encrypted Key value for use in the PUT KEY command for SCP02:
Sequence number: 0008 (obtained from the INIT UPDATE command)
The default initiate key = 404142434445464748494a4b4c4d4e4f
I want to set the new key = 101112131415161718191a1b1c1d1e1f
1. Calculate DEK Session Key
DEKSessionKey = TripleDES in CBC(0181 + 0008 + 00 00 00 00 00 00 00 00 00 00 00 00) with initiate key as the key
DEKSessionKey = B4 F7 5C E0 A9 5E A3 F8 6B BD 05 1C B7 7C 0F AE
2. Calculate Encrypted Key value
Encrypted Key Value = DES in ECB mode(value of the new key - 101112131415161718191a1b1c1d1e1f) with DEKSessionKey as the key
Encrypted Key Value = D6 AA 05 53 6E BB 5C 63 E0 B1 8D 3A AE 9C D0 A5
3. Calculate Key check value - the first 3 bytes of the result
Key check Value = DES in ECB mode([0,0,0,0,0,0,0,0]) with new key as the key.
Key check Value = FE 8A 09
Now you have everything you need to construct the PUT KEY command.
Milan
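
The three steps above, carried through to the PUT KEY data field seen in the JCShell log, as an added example that is not part of the original thread. It assumes the 16-byte keys are two-key triple DES keys (K1||K2||K1), a zero ICV for the CBC derivation, and three identical new keys as in the log; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tdes2 (example helper) expands a 16-byte two-key 3DES key to K1||K2||K1.
func tdes2(key []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		panic(err)
	}
	return b
}

// ecb encrypts whole 8-byte blocks independently: no chaining, no padding.
func ecb(key, data []byte) []byte {
	b, out := tdes2(key), make([]byte, len(data))
	for i := 0; i < len(data); i += 8 {
		b.Encrypt(out[i:i+8], data[i:i+8])
	}
	return out
}

// SessionDEK derives the SCP02 DEK session key (step 1): 3DES-CBC, zero ICV,
// over constant 0181 || 2-byte sequence counter || 12 zero bytes.
func SessionDEK(staticKey, seq []byte) []byte {
	d := make([]byte, 16)
	copy(d, []byte{0x01, 0x81, seq[0], seq[1]})
	cipher.NewCBCEncrypter(tdes2(staticKey), make([]byte, 8)).CryptBlocks(d, d)
	return d
}

// PutKeyData builds: version || 3 x (80 10 encrypted key 03 key check value).
func PutKeyData(version byte, sessDEK, newKey []byte) []byte {
	field := append([]byte{0x80, 0x10}, ecb(sessDEK, newKey)...)           // step 2
	field = append(append(field, 0x03), ecb(newKey, make([]byte, 8))[:3]...) // step 3
	return append([]byte{version}, bytes.Repeat(field, 3)...)
}

func main() {
	static, _ := hex.DecodeString("404142434445464748494a4b4c4d4e4f")
	newKey, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f")
	dek := SessionDEK(static, []byte{0x00, 0x08}) // sequence counter from INIT UPDATE
	fmt.Printf("DEK session key: % X\nPUT KEY data:    % X\n", dek, PutKeyData(0x14, dek, newKey))
}
```

Because the session key depends on the sequence counter, the encrypted key value is only valid within the secure channel session it was computed for.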