Calculating C-MAC in secure channel, ICV value, DES ECB/CBC
970895 Feb 1, 2013 6:54 AMHi all,
someone can tell me where I make a mistake during calculation of C-MAC in secured channel? I have java card with OS JCOP 2.4.2. If I doing whatever I can't get the correct value of the C-MAC value(79 91 3A 01 2A A2 5E B1) in SET STATE command.
I can calculate the MAC for ext-auth mac(ICV set to 0) - that is not problem. Problem occurs, when I need to use the calculated MAC in ext-auth command as ICV for computing C-MAC.
1. What is the correct input value of SET STATE command for calculating C-MAC?
a) 84 F0 80 7F 10 A0 00 00 00 03 00 00 00 + 80 00 00 ?
b) 80 F0 80 7F 08 A0 00 00 00 03 00 00 00 ?
2. The ICV used for computing C-MAC is before computed MAC. In this case this value is AC 2E 42 7C 67 5A 3A D9. Is it needed to perform DES ECB coding for this new ICV? Calculation: DES in ECB mode(AC 2E 42 7C 67 5A 3A D9) with first 8Bytes of Session C-MAC key as the key. The result is the new ICV.
Now I want to calculate the C-MAC with SingleDES Plus Final Triple DES.
I have the ICV, Session C-MAC key and I can perform:
3DES in CBC(input values of SET STATE command, calculated ICV) with Session C-MAC key as the key
Result of this not match the value of C-MAC like in code below. Is this calculating correct or where you can see the problem?
JCShell trace log, with correct C-MAC computing:
Thanks,
someone can tell me where I make a mistake during calculation of C-MAC in secured channel? I have java card with OS JCOP 2.4.2. If I doing whatever I can't get the correct value of the C-MAC value(79 91 3A 01 2A A2 5E B1) in SET STATE command.
I can calculate the MAC for ext-auth mac(ICV set to 0) - that is not problem. Problem occurs, when I need to use the calculated MAC in ext-auth command as ICV for computing C-MAC.
1. What is the correct input value of SET STATE command for calculating C-MAC?
a) 84 F0 80 7F 10 A0 00 00 00 03 00 00 00 + 80 00 00 ?
b) 80 F0 80 7F 08 A0 00 00 00 03 00 00 00 ?
2. The ICV used for computing C-MAC is before computed MAC. In this case this value is AC 2E 42 7C 67 5A 3A D9. Is it needed to perform DES ECB coding for this new ICV? Calculation: DES in ECB mode(AC 2E 42 7C 67 5A 3A D9) with first 8Bytes of Session C-MAC key as the key. The result is the new ICV.
Now I want to calculate the C-MAC with SingleDES Plus Final Triple DES.
I have the ICV, Session C-MAC key and I can perform:
3DES in CBC(input values of SET STATE command, calculated ICV) with Session C-MAC key as the key
Result of this not match the value of C-MAC like in code below. Is this calculating correct or where you can see the problem?
JCShell trace log, with correct C-MAC computing:
cm> set-key 19/1/DES-ECB/101112131415161718191a1b1c1d1e1f
cm> set-key 19/2/DES-ECB/101112131415161718191a1b1c1d1e1f
cm> set-key 19/3/DES-ECB/101112131415161718191a1b1c1d1e1f
cm> init-update 19
=> 80 50 13 00 08 42 4C A7 5B C7 14 D8 A8 00 .P...BL.[.....
(68861 usec)
<= 00 00 20 66 00 06 85 95 90 42 13 02 00 08 0A 96 .. f.....B......
9E 7F 92 2B 1B 0F BD 3E 9E 77 2F 29 90 00 ...+...>.w/)..
Status: No Error
cm> ext-auth mac
=> 84 82 01 00 10 C9 FA 6A 80 F9 D6 2B 2B AC 2E 42 .......j...++..B
7C 67 5A 3A D9 |gZ:.
(79202 usec)
<= 90 00 ..
Status: No Error
cm> session-info
Session State : Established & authenticated
Version : Global Platform 2.1.1
Secure Channel Protocol : SCP 02 option 15
Security Level : C-MAC
cm> set-state locked
=> 84 F0 80 7F 10 A0 00 00 00 03 00 00 00 79 91 3A .............y.:
01 2A A2 5E B1 .*.^.
(66375 usec)
<= 90 00 ..
Status: No Error
I will be grateful for any answer!Thanks,