JCOP Cards: The verification of the card cryptogram failed

873691
873691 Member Posts: 13
edited Aug 16, 2011 1:31AM in Java Card
Hi,

I know this topic is not too fresh, but I found no solution that worked so far in:
9583581
or 9553618
or 9615554

I think I understood the following:
- Cards have a special applet called Card Manager (or Security Domain) for example to load and delete other applets
- Communication with the Card Manager goes over a secure channel with specific keys

Questions:
- Are these keys 'open' so they can be used for every card of the same type?
- Are these keys set by the factory and maybe reset by a distributor?

I tried to connect to three different Cards with GPShell but had no success
The Cards are:
- P531G072, JCOP31 V 2.3.1
- P541G072, JCOP41 V 2.3.1
- J3A080, JCOP31 V 2.4.1
AFAIK they all have Java Card 2.2.2 and Global Platform 2.1.1

Here is the GPShell output:
--------
mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped Command --> 00A4040008A000000003000000
Response <-- 6F658408A000000003000000A5599F6501FF9F6E06...(I'll post all bytes if necessary)...9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f
Command --> 80 CA006600
WrappedCommand --> 80 CA006600
Response <-- 664C734A0607...(I'll post all bytes if necessary)...9000
Command --> 8050000008C5AF0346CEE0CBC000
WrappedCommand --> 8050000008C5AF0346CEE0CBC000
Response <-- 0000835800116091458101020000DA5C543DB2A6502B6FF5905B0BC19000
mutual_authentication() returns 0x80302000 (The verification of the card cryptogram failed.)
-----

Can I somehow check if my card is already blocked (too many failed attempts?) without wasting another attempt?

Thanks in Advance,
Max

Edited by: 870688 on 06.07.2011 08:18

Answers

  • 882393
    882393 Member Posts: 2
    Hi,

    Max: Have you found a solution?

    I am having the same problem, but with a JCOP21 V 2.3.1 card.

    What I have done to keep it from locking is, after a few tries, to open the card using the client software I got with the card (in my case SafeSign).

    Regards,
    Markus
  • safarmer
    safarmer Member Posts: 2,829 Bronze Trophy
    > I think I understood the following:
    > - Cards have a special applet called Card Manager (or Security Domain) for example to load and delete other applets
    > - Communication with the Card Manager goes over a secure channel with specific keys

    That is correct.

    > Questions:
    > - Are these keys 'open' so they can be used for every card of the same type?

    Development cards generally have known keys that can be used. When you go into production, your cards will have a unique key (each card in fact will have its own key).

    > - Are these keys set by the factory and maybe reset by a distributor?

    Both. The card issuer can also set the keys before sending the card out. Check the GlobalPlatform Key Management System specification from the GP website for more details on key management.

    > WrappedCommand --> 80 CA006600
    > Response <-- 664C734A0607...(I'll post all bytes if necessary)...9000

    Can you provide the full response from the card?

    > Can I somehow check if my card is already blocked (too many failed attempts?) without wasting another attempt?

    No. If you have exceeded the tries your next INIT UPDATE will fail. You should have 10 per card with the JCOP cards from memory. Some Gemalto cards lock after 5.

    Cheers,
    Shane
This discussion has been closed.
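
Added example, not part of the thread and not GPShell code: a small Python parser that splits the INITIALIZE UPDATE command and response from the trace in the question into their fields, assuming the 28-byte response layout GlobalPlatform 2.1.1 defines for SCP01 and SCP02. The function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Both APDUs are copied from the GPShell trace in the question above.
INIT_UPDATE_CMD = "8050000008C5AF0346CEE0CBC000"
INIT_UPDATE_RSP = "0000835800116091458101020000DA5C543DB2A6502B6FF5905B0BC19000"


@dataclass
class InitUpdateResponse:
    key_diversification_data: bytes  # 10 bytes of card-specific data
    key_version: int                 # key set version the card reports using
    scp_id: int                      # 0x01 = SCP01, 0x02 = SCP02
    sequence_counter: Optional[int]  # present in SCP02 only
    card_challenge: bytes            # 6 bytes (SCP02) or 8 bytes (SCP01)
    card_cryptogram: bytes           # 8 bytes, the value the host must verify


def parse_init_update_cmd(hex_cmd: str):
    """Return (requested key version, host challenge) from the command APDU."""
    raw = bytes.fromhex(hex_cmd.replace(" ", ""))
    if raw[:2] != b"\x80\x50" or raw[4] != 8:
        raise ValueError("not an INITIALIZE UPDATE with an 8-byte host challenge")
    return raw[2], raw[5:13]


def parse_init_update_rsp(hex_rsp: str) -> InitUpdateResponse:
    raw = bytes.fromhex(hex_rsp.replace(" ", ""))
    body, sw = raw[:-2], raw[-2:].hex().upper()
    if sw != "9000":
        raise ValueError(f"card returned status word {sw or 'none'}, no session data")
    if len(body) != 28:
        raise ValueError(f"expected 28 data bytes, got {len(body)}")
    scp_id = body[11]
    if scp_id == 0x02:
        seq, challenge = int.from_bytes(body[12:14], "big"), body[14:20]
    elif scp_id == 0x01:
        seq, challenge = None, body[12:20]
    else:
        raise ValueError(f"unsupported SCP identifier {scp_id:02X}")
    return InitUpdateResponse(body[:10], body[10], scp_id, seq, challenge, body[20:])


if __name__ == "__main__":
    keyver, host_challenge = parse_init_update_cmd(INIT_UPDATE_CMD)
    print(f"requested key version {keyver}, host challenge {host_challenge.hex()}")
    print(parse_init_update_rsp(INIT_UPDATE_RSP))
```

It works on a logged trace only, so running it sends nothing to the card and uses none of the remaining authentication attempts.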