This discussion is archived
71 Replies. Latest reply: Oct 12, 2009 5:35 PM by safarmer
  • 60. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    I tried to do the following:
    cm>  init-update 255
     => 80 50 00 00 08 0B 33 D1 CE 59 A2 9D 2C 00          .P....3..Y..,.
     (2019 usec)
     <= 00 00 00 00 00 00 00 00 00 00 FF 02 00 00 93 73    ...............s
        3A B8 2C 0F 9C AB 6E B8 DC 93 19 56 90 00          :.,...n....V..
    cm>  /send 80500000080B33D1CE59A29D2C00
     => 80 50 00 00 08 0B 33 D1 CE 59 A2 9D 2C 00          .P....3..Y..,.
     (3595 usec)
     <= 00 00 00 00 00 00 00 00 00 00 FF 02 00 01 26 F7    ..............&.
        25 4D B0 B9 2A 75 96 BC BC 4D 27 F0 90 00          %M..*u...M'...
    And as you can see: the command issued is the same but the card response is different, maybe due to the 0001 message counter. My question now is: how do I add this to the MACing process?
  • 61. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    Read GP spec, Appendix D/E, SCP01/02. The secure sequence counter is included in the session key generation (together with some constants).
  • 62. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    Hi Lex, thank you for your response (although I've already been reading the Card Specs).

    Do you know what's the difference between:
    Cipher enc = Cipher.getInstance("TripleDES/ECB/NoPadding");
    and
    Cipher enc = Cipher.getInstance("DESede/ECB/NoPadding");
    ??

    By the way, does anyone know if there is a list of these/specification or whatever that explains how to use these strings? I'm "making code by example", but I would like to know more.

    Thanks in advance.

    Edited by: rochajoel on Sep 8, 2009 1:31 AM
  • 63. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    I don't know the difference but I think you can find that in the Java Cryptographic Architecture.

    Did you succeed in authenticating, or do you need my code? (It is not good code yet, but it works.)
  • 64. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    Do you have an APDU example of a successful install sequence, please?
  • 65. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    After your post, I've made a class that's available here: [SessionKeyBuilder.java|http://intel.no.sapo.pt/SessionKeyBuilder.java]

    I guess that the sequence number (2 bytes) + card random (6 bytes) == card challenge (but I'm not sure...)

    But I still can't make the card cryptogram; I don't know what's missing...

    I'm trying to do this:
    set-key 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f
    init-update 255
    
    => 80 50 00 00 08 C9 0A 6A DC C9 8B A0 30 00          .P.....j....0.
     (2084 usec)
     <= 00 00 00 00 00 00 00 00 00 00 FF 02 00 00 93 73    ...............s
        3A B8 2C 0F 79 7F EF 47 A5 11 A8 E5 90 00          :.,.y..G......
    hostChallenge = C9 0A 6A DC C9 8B A0 30
    cardChallenge = 00 00 93 73 3A B8 2C 0F

    cardCryptogram = 79 7F EF 47 A5 11 A8 E5
  • 66. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    Hi all,


    I would like to know whether, when computing the MAC for each command, the ICV should be set to 0 or whether the ICV used for the previous message should be used.

    Thanks,


    Adrien
  • 67. Re: Global Platform- MACing MAC Retail
    safarmer Expert
    It is the ICV of the previous command.

    From GP Card Spec 2.1.1 Section E.4.4

    A C-MAC is generated by an off-card entity and applied across the full APDU command being transmitted to the card including the header and the data field in the command message. It does not include Le.

    C-MAC generation and verification uses the Secure Channel C-MAC session key, an ICV and the signature method described in Appendix B.1.2.2 - Single DES Plus Final Triple DES. (Prior to using the ICV, the ICV can be encrypted as described in Appendix E.3.4 - ICV Encryption)

    The ICV is used to chain the commands for command sequence integrity; the initial value of the ICV is described in Appendix E.3 - Cryptographic Algorithms. For any subsequent command following the first successful CMAC verification, the ICV is the C-MAC value successfully verified for the previous command received by the card.

    Cheers,
    Shane

    Edited by: safarmer on 10/09/2009 08:44
  • 68. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    Well, thanks to Adrien I managed to build the init update, and I will explain here how we did it:

    First of all, the off-card entity generates an init update challenge which will look something like this:
    CLA INS P1 P2 Lc   + Host Challenge   + 00
    80  50  00 00 08   + C90A6ADCC98BA030 + 00
    The host challenge is just some random data...

    The card will respond with something like:
    Unknown data         + SCP version + card challenge   + card cryptogram  + Success Status Words
    00000000000000000000 + FF02        + 000093733AB82C0F + 797FEF47A511A8E5 + 90 00
    sequence counter(2bytes) + Random data(6bytes) == card challenge(8bytes)
    using the "404142434445464748494a4b4c4d4e4f" 2DES key.

    Now, on the card side, we have a sequence counter; it starts at 0 (when the key was never used) and goes to the greatest signed short, which should be 32767. It's never re-initialized, so it stays at 32767 when it reaches its maximum (see GP 2.1.1 Spec page 214).

    The sequence counter should increment after a valid "ext authenticate" command is sent back to the card.

    On the card side, we receive the host challenge, we have the sequence counter (short), and we generate 6 bytes of "secure random" and we concatenate everything like this:
    host challenge   + sequence counter + card secure random + 8000000000000000
    C90A6ADCC98BA030 + 0000             + 93733AB82C0F       + 8000000000000000
    Now you should have a 24-byte challenge that you have to encrypt using a pre-generated session key.
    (how do you generate the key?)
    You have to use the S-ENC static key: so first you generate the 'Derivation Data' described on page 219 of the GP 2.1.1 Specs E.4.1
    01 82 + sequence counter + 00 00 00 00 00 00 00 00 00 00 00 00
    in our case:
    01 82 + 00 00            + 00 00 00 00 00 00 00 00 00 00 00 00
    (if you have a 16-byte key, transform it into a 24-byte key before this step using the code below)
    Just copy the first 8 bytes of the 16-byte key to the last bytes of the 24-byte key like this:
    01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
    this key will become:
    01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
    You encrypt this derivation data, using your static S-ENC key using something like:
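    // Java Card API: with a two-key Triple DES key object, ALG_DES_CBC_NOPAD runs Triple DES in CBC mode
    Cipher enc = Cipher.getInstance(
              Cipher.ALG_DES_CBC_NOPAD,
              false /* no external access from other applets */);

    // init() without an IV parameter uses an initial vector of 8 zero bytes
    enc.init(staticKey, Cipher.MODE_ENCRYPT);
    // offsets and lengths are shorts in the Java Card API
    enc.doFinal(dd, (short) 0, (short) dd.length, sessionKey, (short) 0);
    You should now have a new 16-byte key; transform it again with the code above to get a 24-byte key.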

    After this you just have to encrypt the 24-byte challenge created above with your newly created session key:
    host challenge   + sequence counter + card secure random + 8000000000000000
    C90A6ADCC98BA030 + 0000             + 93733AB82C0F       + 8000000000000000
    Cipher enc = Cipher.getInstance(
              Cipher.ALG_DES_CBC_NOPAD,
              false/*No External access from other applets*/);
              
    enc.init(sessionKey, Cipher.MODE_ENCRYPT);
    enc.doFinal(inData, inOffset, length, outData, outOffset);
    In your out data, which must be 24 bytes, you have to extract the last 8 bytes (index 16-24). That will be your card cryptogram, which should be:
    797FEF47A511A8E5
    You can now build the response command that is:
    Unknown data         + SCP version + card challenge   + card cryptogram  + Success Status Words
    00000000000000000000 + FF02        + 000093733AB82C0F + 797FEF47A511A8E5 + 90 00
    Don't flame me, I just think this issue was very hard for me, and as I found help within this forum I would like to return that help.

    I will try to write another post explaining the Initial Chaining Vector value and how to use it.
  • 69. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    ok, here we are again :)

    I managed to build the C-MAC to sign the ext auth message. Here's how I did it (I read a lot, thanks to lexdabear), and then I made the following:

    I made a method to get the host cryptogram like this:
    First build this challenge:
    sequence counter + card secure random + host challenge   + 8000000000000000
    0000             + 93733AB82C0F       + C90A6ADCC98BA030 + 8000000000000000
    then encrypt it using your S-ENC session key:
    Cipher enc = Cipher.getInstance("TripleDES/CBC/NoPadding");
              
    enc.init(
              Cipher.ENCRYPT_MODE,
              SessionKeyBuilder.getSecretKeyObj(sessionKey),
              new IvParameterSpec(new byte[8]));
              
    return enc.doFinal(challenge);
    Then you extract the final 8 bytes and you get the Host Cryptogram
    17c8393ec33f3f5d
    after this you build the ext-auth message that needs to be signed:
    CLA INS P1 P2 Lc   + Host Cryptogram
    84  82  00 00 10   + 17C8393EC33F3F5D
    Note that P1 is set to 00, meaning that I want "ext-auth plain" (no security); the next commands must be sent in "plain text" without any signature whatsoever.
    Also note that Lc is set to 10, meaning 16 bytes of data; this means that I'm already counting the CMAC data.
    Another thing to worry about is the fact that this is not 8-byte block aligned.

    You have to generate the C-MAC key; refer to page 219 of the GP 2.1.1 Specs E.4.1
    That's the same routine used to get the S-ENC session key, just change the derivation data:
    01 01 + sequence counter + 00 00 00 00 00 00 00 00 00 00 00 00
    in our case:
    01 01 + 00 00            + 00 00 00 00 00 00 00 00 00 00 00 00
    You have to sign the 16 bytes below using your C-MAC session key
    CLA INS P1 P2 Lc   + Host Cryptogram
    84  82  00 00 10   + 17C8393EC33F3F5D + 800000
    To sign the message you have to implement the method described as Retail MAC in GP 2.1.1 Specs B1.2.2 Single DES plus final TripleDES
    (How do you do this?)

    You have to encrypt the first 8 bytes of the 16-byte (padded) message using the first 8 bytes of the C-MAC session key:
    Cipher enc = Cipher.getInstance("DES/ECB/NoPadding");
    then you have to xor the first 8 bytes that were encrypted with the last 8 bytes of "plain text"
    private byte[] xorFst8Bytes(byte[] singleDES, byte[] plain) {
         for(byte i = 0; i < 8; i++)
              singleDES[i] ^= plain[i+8];
              
         return singleDES;
    }
    Then you just have to encrypt these 8 bytes using the final TripleDES:
    Cipher enc = Cipher.getInstance("TripleDES/ECB/NoPadding");
    SecretKeySpec key = new SecretKeySpec(sessionKey, "TripleDES");
              
    enc.init(Cipher.ENCRYPT_MODE,
              key);
              
    return enc.doFinal(challenge);
    And that's it, you should now have the value:
    CBAF504179F0A846
    the full ext-auth plain command is now:
    CLA INS P1 P2 Lc   + Host Cryptogram
    84  82  00 00 10   + 17C8393EC33F3F5D + CBAF504179F0A846
    This mac is also your ICV for CBC mode so remember to save a copy so that you can send more secure messages :)
  • 70. Re: Global Platform- MACing MAC Retail
    843851 Newbie
    I was trying to create the MAC for the messages that follow the external authenticate but I'm not able to... does anyone know how to do it?

    I've already made the handshake according to GPSpecs but there is something missing in my design and I don't know what.

    Does the previous ICV (CMAC) need to be encrypted? How? ECB? CBC? And what ICV do I use to encrypt that?

    In the Retail MAC process:
    The SingleDES encryption is CBC. Is the ICV an array of 8 binary zeroes? Is it the previous ICV?
    The TripleDES encryption is CBC. Is the ICV an array of 8 binary zeroes? Is it the previous ICV?
  • 71. Re: Global Platform- MACing MAC Retail
    safarmer Expert
    rochajoel wrote:
    Does the previous ICV (CMAC) need to be encrypted? How? ECB? CBC? And what ICV do I use to encrypt that?
    This depends on the SCP implementation option (i value for the SCP). If your i value is 0x14 or 0x15, it has an encrypted ICV. The ICV uses DES/CBC/NoPadding for the cipher with an ICV of 8 zeroes.

    From GP 2.1.1 Card Spec:
    E.3.4 ICV Encryption
    As an enhancement to the C-MAC mechanism, the ICV is encrypted before being applied to the calculation of the next C-MAC. The encryption mechanism used is single DES with the first half of the Secure Channel C-MAC session key.
    In the Retail MAC process:
    The SingleDES encryption is CBC. Is the ICV an array of 8 binary zeroes? Is it the previous ICV?
    The TripleDES encryption is CBC. Is the ICV an array of 8 binary zeroes? Is it the previous ICV?
    In the retail MAC process, the initial ICV is the MAC from the previous command. The rest of the processing is the same (the result of each DES operation is the ICV for the next). The only time the ICV is 8 zeroes is when performing the DES operation for the first time.

    Cheers,
    Shane
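
The steps walked through in posts 68, 69 and 71 (session key derivation, the two cryptograms, the Retail MAC and the ICV chaining), collected into one program as an added example that is not code from any poster in this thread. It uses the standard JCE rather than the Java Card API and assumes Java 17 for `HexFormat`; the class and method names are illustrative, the GET STATUS command at the end is constructed, and a chained C-MAC only applies to a session opened with C-MAC security rather than the P1 = 00 used in post 69.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.util.*;

public class Scp02Walkthrough {   // illustrative name, not from the thread
    static final HexFormat HEX = HexFormat.of().withUpperCase();
    // 16-byte two-key 3DES key K1|K2 -> 24-byte K1|K2|K1, as described in post 68.
    static byte[] to24(byte[] k16) {
        byte[] k = Arrays.copyOf(k16, 24);
        System.arraycopy(k16, 0, k, 16, 8);
        return k;
    }
    // CBC, no padding. alg is "DES" (8-byte key) or "DESede", the standard JCA name for Triple DES.
    static byte[] cbc(String alg, byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance(alg + "/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, alg), new IvParameterSpec(iv));
        return c.doFinal(data);
    }
    // Session key = 3DES-CBC(static key, zero IV) over constant | sequence counter | 12 zero bytes.
    static byte[] sessionKey(byte[] staticKey, String constant, String seq) throws Exception {
        return cbc("DESede", to24(staticKey), new byte[8], HEX.parseHex(constant + seq + "00".repeat(12)));
    }
    // Cryptogram = last 8 bytes of 3DES-CBC(S-ENC session key) over 16 bytes + 80 00.. padding.
    static byte[] cryptogram(byte[] sEnc, String input) throws Exception {
        byte[] out = cbc("DESede", to24(sEnc), new byte[8], HEX.parseHex(input + "8000000000000000"));
        return Arrays.copyOfRange(out, 16, 24);
    }
    // Retail MAC: single-DES CBC with K1 over all blocks but the last, Triple DES on the last one.
    static byte[] retailMac(byte[] cMac, byte[] icv, byte[] padded) throws Exception {
        int last = padded.length - 8;
        if (last > 0) {
            byte[] head = cbc("DES", Arrays.copyOf(cMac, 8), icv, Arrays.copyOf(padded, last));
            icv = Arrays.copyOfRange(head, last - 8, last);   // chaining value for the last block
        }
        return cbc("DESede", to24(cMac), icv, Arrays.copyOfRange(padded, last, padded.length));
    }
    public static void main(String[] args) throws Exception {
        byte[] base = HEX.parseHex("404142434445464748494A4B4C4D4E4F");   // key from post 65
        String seq = "0000", rnd = "93733AB82C0F", host = "C90A6ADCC98BA030";
        byte[] sEnc = sessionKey(base, "0182", seq), cMac = sessionKey(base, "0101", seq);
        byte[] hostCg = cryptogram(sEnc, seq + rnd + host);
        byte[] mac = retailMac(cMac, new byte[8], HEX.parseHex("8482000010" + HEX.formatHex(hostCg) + "800000"));
        System.out.println("card cryptogram " + HEX.formatHex(cryptogram(sEnc, host + seq + rnd)));
        System.out.println("host cryptogram " + HEX.formatHex(hostCg));
        System.out.println("EXT AUTH C-MAC  " + HEX.formatHex(mac));
        // Next command (constructed GET STATUS, already padded with 80): the ICV is the previous
        // C-MAC, here single-DES encrypted with K1 as post 71 describes for i = 0x14 or 0x15.
        byte[] icv = cbc("DES", Arrays.copyOf(cMac, 8), new byte[8], mac);
        System.out.println("next C-MAC      " + HEX.formatHex(retailMac(cMac, icv, HEX.parseHex("84F280000A4F0080"))));
    }
}
```

The first three printed values can be compared with the card cryptogram, host cryptogram and C-MAC quoted in posts 68 and 69.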