10 Replies. Latest reply: Aug 7, 2012 2:37 PM by safarmer

    JC 2.2.2 prepersonalization - how to personalize

    950922
      Hi there,
      I didn't find a topic about my problem so I'm writing a new one. I have a Gemalto card in the JC 2.2.2 standard. I know that on the card I can find 2 applets. My problem is to use them. I have a lot of documentation about JC and these applets but still can't use it. It is in prepersonalization mode, and the documentation said that I need to personalize it to use an applet. I know that I need to send a few APDU requests in order: select, init update, external auth and then something else. 3 steps and a lot of problems. The first step is quite easy. Using a logical channel I send the APDU request just like in the doc. The second step should be easy too but it's not. When I want the JC to run init update, I get an error (secure status not enough). This problem is because I didn't create a secure channel. And here is my question: how (using Java code) do I create a secure channel? My documentation didn't say how to do this and I can't find it on Google.
      Please help me :)
      At this moment my code is doing something like this scheme:
      sendApdu(SELECT_APPLET)
      getResponse>> 9000
      sendApdu(INIT_UPDATE)
      getResponse>>9382

      What do I have to do?
      And second question: what is a MAC and how do I get it? Just generate it, or should the provider give it to me?
      Btw I need to do this in code without any external application like GPShell (don't know how to use it wisely)
      Sorry for my English, hope you can understand it quite easily

      Thanks for help

      sevar
        • 1. Re: JC 2.2.2 prepersonalization - how to personalize
          950748
          Hi, Sevar.

          Please write the command of Init Update.

          I think this is a problem about key version.

          In the INIT-update command you must put the key version as shown below

          0x80,0x50,keySetVersion,0x00, hostChallenge, 0x00

          keySetVersion - it is the byte of the key version,
          hostChallenge - random(8)
          • 2. Re: JC 2.2.2 prepersonalization - how to personalize
            950922
            Hi there, thank you for the answer.

            I'm sending init_update as 8050010008121a9dc4c2d3e41c

            My doc said that key_version is a value between 0x01 and 0x7F so I just put the first available one; I don't know which value is good or bad, for me all are the same.

            I read about some protocols called SCP01 - SCP03 but I didn't implement them yet. Should I use them to create this secure channel?

            sevar
            • 3. Re: JC 2.2.2 prepersonalization - how to personalize
              950748
              To do External Authenticate to the Security Domain you must do the following steps:
              1. Select Security Domain
              2. INIT Update
              3. External Authenticate

              2. INIT Update
              Each security domain has one or many key sets (3 keys: MAC, ENC, DEC).
              So, every KeySet has a version. And when you send INIT-Update you tell the Security Domain which KeySet you have, and the Security Domain must use that key set if it has it. In your case I think there aren't keys with version 01. You must contact the Card Issuer to have information about KeySets.

              3. External Authenticate
              SCP01 - 03 - it is a type of algorithm to make the Secure Channel and External Authenticate (it is the same).
              Type of SCP - byte number 11 of the InitUpdate Response

              Please contact the Card Issuer. Is it a new card?
              • 4. Re: JC 2.2.2 prepersonalization - how to personalize
                safarmer
                2. INIT Update
                Each security domain has one or many key sets (3 keys: MAC, ENC, DEC).
                So, every KeySet has a version. And when you send INIT-Update you tell the Security Domain which KeySet you have, and the Security Domain must use that key set if it has it. In your case I think there aren't keys with version 01. You must contact the Card Issuer to have information about KeySets.
                You can use key version 0 which will use the first available key of the security domain. The key version will be returned in the response.

                You can also send GET-DATA 00C0 (80CA00C000) to see what keys are present on the card. You do not need a secure channel for this command.

                Shane
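An added worked example in Python (not code from any poster in this thread): it builds the INITIALIZE UPDATE APDU laid out in replies 1 and 4, with key version 00 so the card picks its first key set, and parses the response to read back the key version actually used and the SCP identifier that reply 3 points at. The sample response is constructed, not captured from a card, and the 6982 status word models the "security status not satisfied" case.

```python
import os

def build_initialize_update(key_version, host_challenge=None):
    """CLA 80, INS 50, P1 = key version (00 = first available key set, as reply 4 says),
    P2 = 00, Lc = 08, 8-byte host challenge, Le = 00."""
    host_challenge = os.urandom(8) if host_challenge is None else host_challenge
    if not 0 <= key_version <= 0x7F or len(host_challenge) != 8:
        raise ValueError("key version must be 00..7F and the host challenge 8 bytes")
    return bytes([0x80, 0x50, key_version, 0x00, 0x08]) + host_challenge + b"\x00"

def parse_initialize_update(resp):
    """resp = response data followed by SW1 SW2. Data layout (GP 2.1.1, SCP01/SCP02):
    key diversification data (10), key version (1), SCP id (1), card challenge (8),
    card cryptogram (8); for SCP02 the challenge is a 2-byte sequence counter + 6 bytes."""
    if len(resp) < 2:
        raise ValueError("need at least a status word")
    data, sw = resp[:-2], (resp[-2] << 8) | resp[-1]
    out = {"sw": sw}
    if sw == 0x6982:                 # security status not satisfied (wrong or blocked key set)
        out["error"] = "security status not satisfied"
        return out
    if sw != 0x9000 or len(data) < 28:
        out["error"] = "unexpected response"
        return out
    out["key_diversification"] = data[:10].hex()
    out["key_version"] = data[10]    # key set the card actually used
    out["scp"] = data[11]            # 0x01 = SCP01, 0x02 = SCP02 (0x03 has a different layout)
    if out["scp"] == 0x02:
        out["sequence_counter"] = int.from_bytes(data[12:14], "big")
        out["card_challenge"] = data[14:20].hex()
    elif out["scp"] == 0x01:
        out["card_challenge"] = data[12:20].hex()
    else:
        out["error"] = "only SCP01/SCP02 layouts are handled here"
        return out
    out["card_cryptogram"] = data[20:28].hex()
    return out

# Constructed sample SCP02 response (not from a real card): 10 bytes key diversification
# data, key version 01, SCP 02, sequence counter 0003, 6-byte challenge, 8-byte cryptogram, 9000.
SAMPLE_RESPONSE = bytes.fromhex(
    "00112233445566778899" "01" "02" "0003" "a1b2c3d4e5f6" "1122334455667788" "9000")

if __name__ == "__main__":
    print("INITIALIZE UPDATE:", build_initialize_update(0x00).hex())
    print(parse_initialize_update(SAMPLE_RESPONSE))
    print(parse_initialize_update(bytes.fromhex("6982")))
```

The card cryptogram returned here still has to be verified with the key set's ENC key before EXTERNAL AUTHENTICATE, which is the part the thread leaves to the card issuer's documentation.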
                • 5. Re: JC 2.2.2 prepersonalization - how to personalize
                  950922
                  The card is new. I got it not directly from Gemalto, just from my employer. I can't send "getdata" or even "getstatus"; I heard today that this card could be blocked but I don't know what I need and what I have to do to unlock it. I have 2 keys: ISK and the mother key from the card manager. That's all.

                  @Safarmer: Card response: Unknown instruction code

                  P.S. How to check that the card is blocked when I can't even send the getStatus APDU?
                  The only APDU requests that the card accepted are: select SD and select AID (only 1 applet)
                  • 6. Re: JC 2.2.2 prepersonalization - how to personalize
                    safarmer
                    @Safarmer: Card response: Unknown instruction code
                    The GET-DATA command should always be available regardless of the card content state. There may be an issue where the JCRE has detected a security intrusion and has terminated the JCVM but I don't think this is the case if SELECT still works. Was this against the card manager or the default selected applet? If you did not before, you can try explicitly selecting the card manager before sending GET DATA.

                    Table 9-1 of GP card spec 2.1.1 has a table of what commands are supported in each card content state.
                    P.S. How to check that the card is blocked when I can't even send the getStatus APDU?
                    If the card is blocked because of the number of failed attempts, INIT-UPDATE will return security condition not satisfied.
                    The only APDU requests that the card accepted are: select SD and select AID (only 1 applet)
                    Are you selecting an SSD or the ISD? Does sending 00a40400 work and what is the response?

                    Shane
                    • 7. Re: JC 2.2.2 prepersonalization - how to personalize
                      950922
                      I have 2 cards now. The first still doesn't work; the second:

                      I sent "getdata" from gpshell, meaning 80CA9F7F00
                      response in terminal: 90 00
                      response in gpshell:
                      Response <-- 9F7F2A40906685129192890200019933022B2A20861292214312932143129421430000002000000000000000009000
                      9F7F2A40906685129192890200019933022B2A2086129221431293214312942143000000200000000000000000

                      How is this possible?

                      send: 00a40400
                      response: 90 00
                      Nothing else.
                      I was selecting the SSD

                      I didn't use this doc, just documentation from my employer, but now I see there is a lot more information than in their doc.

                      So now I'll read this document, and I'll try to write my own script for gpshell (I guess it'll be quite a good idea to move toward)
                      And then when I learn it, I'll come back here with problems

                      Thanks to everyone who helped me up to this moment, especially safarmer. Really big thanks :)

                      P.S. I saw that another script needs a command called "set manufacturing info". Of course this APDU is in their document so I guess to use it I need to select this applet first. Am I right?

                      Edited by: Sevar on 2012-07-26 23:58
                      • 8. Re: JC 2.2.2 prepersonalization - how to personalize
                        safarmer
                        Sevar wrote:
                        I have 2 cards now. The first still doesn't work; the second:

                        I sent "getdata" from gpshell, meaning 80CA9F7F00
                        response in terminal: 90 00
                        response in gpshell:
                        Response <-- 9F7F2A40906685129192890200019933022B2A20861292214312932143129421430000002000000000000000009000
                        9F7F2A40906685129192890200019933022B2A2086129221431293214312942143000000200000000000000000

                        How is this possible?
                        What do you mean by response in terminal?
                        send: 00a40400
                        response: 90 00
                        Nothing else.
                        You may get more response data with an Le of 00 (00a4040000); some cards will not return a response if you do not ask for one.
                        I didn't use this doc, just documentation from my employer, but now I see there is a lot more information than in their doc.

                        So now I'll read this document, and I'll try to write my own script for gpshell (I guess it'll be quite a good idea to move toward)
                        And then when I learn it, I'll come back here with problems
                        That sounds like a good plan. There is also a lot of good information in the README for GPShell that explains the commands it supports.
                        P.S. I saw that another script needs a command called "set manufacturing info". Of course this APDU is in their document so I guess to use it I need to select this applet first. Am I right?
                        This could be for setting parts of the CPLC that refer to the personalisation of the card. Some parts of the CPLC reflect who personalised the card and what equipment was used etc. If this is outlined in the documentation though, you should have no problem creating scripts to perform these commands.

                        Shane
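An added Python example (not code from any poster here) that decodes the GET DATA 9F7F response Sevar pasted into the CPLC fields Shane refers to, using the fixed-width GlobalPlatform CPLC layout (42-byte value). The field names are the standard CPLC ones; the personalisation fields at the end of that response are still all zero, which is what a card that has not yet been personalised would show.

```python
# CPLC field layout: (name, width in bytes), 42 bytes in total.
CPLC_FIELDS = [
    ("ic_fabricator", 2), ("ic_type", 2), ("os_id", 2), ("os_release_date", 2),
    ("os_release_level", 2), ("ic_fabrication_date", 2), ("ic_serial", 4),
    ("ic_batch", 2), ("ic_module_fabricator", 2), ("ic_module_packaging_date", 2),
    ("icc_manufacturer", 2), ("ic_embedding_date", 2), ("ic_prepersonalizer", 2),
    ("ic_prepersonalization_date", 2), ("ic_prepersonalization_equipment", 4),
    ("ic_personalizer", 2), ("ic_personalization_date", 2),
    ("ic_personalization_equipment", 4),
]

# The response pasted in the thread: tag 9F7F, length 2A (= 42), value, SW 9000.
RESPONSE_FROM_THREAD = bytes.fromhex(
    "9F7F2A40906685129192890200019933022B2A2086129221431293214312942143"
    "0000002000000000000000009000")

def unwrap_cplc(resp):
    """Check SW1 SW2, strip the 9F7F tag and one-byte length, return the 42-byte value."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        raise ValueError("status word is not 9000: %s" % resp[-2:].hex())
    data = resp[:-2]
    if len(data) < 3 or data[:2] != b"\x9f\x7f":
        raise ValueError("not a 9F7F TLV")
    length, value = data[2], data[3:]
    if length != len(value) or length != sum(size for _, size in CPLC_FIELDS):
        raise ValueError("unexpected CPLC length %d" % length)
    return value

def parse_cplc(value):
    """Slice the fixed-width fields out of the CPLC value; each field as lowercase hex."""
    fields, pos = {}, 0
    for name, size in CPLC_FIELDS:
        fields[name] = value[pos:pos + size].hex()
        pos += size
    return fields

def personalization_done(cplc):
    """False while the personaliser, date and equipment fields are still all zero,
    i.e. nobody has written the personalisation part of the CPLC yet."""
    keys = ("ic_personalizer", "ic_personalization_date", "ic_personalization_equipment")
    return any(int(cplc[k], 16) != 0 for k in keys)

if __name__ == "__main__":
    cplc = parse_cplc(unwrap_cplc(RESPONSE_FROM_THREAD))
    for name, hexval in cplc.items():
        print("%-32s %s" % (name, hexval))
    print("personalised:", personalization_done(cplc))
```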
                        • 9. Re: JC 2.2.2 prepersonalization - how to personalize
                          950922
                          Hello again!

                          terminal means my application - it can send and receive APDUs - I know what I've done wrong - APDU has a method getData() and I didn't notice it earlier :)
                          GPShell is already quite easy.

                          My other question: how to authorize the card using a MAC? I need to send an APDU where DATA is RND.ICC || RND.IFD || MAC[KISK_AUT1](RND.IFD || RND.ICC)
                          where:
                          RND.ICC is 8 bytes generated by the card
                          RND.IFD is the same but generated by the terminal
                          MAC[KISK_AUT1](RND.IFD || RND.ICC) is the MAC generated using the other numbers

                          but I don't know how to create this MAC. I found that javacard.security.Signature could do this but don't know how. May I ask for an example or a link to information about it? All I found is pure doc and I didn't use that struct before.

                          Thanks

                          Sevar
                          • 10. Re: JC 2.2.2 prepersonalization - how to personalize
                            safarmer
                            A MAC (http://en.wikipedia.org/wiki/Message_authentication_code) is a generic term. You need to find out what MAC algorithm is used. This should be in what ever documentation you are following.

                            - Shane

                            Edited by: safarmer on Aug 7, 2012 12:36 PM - Oracle needs to stop messing with the controls. Why have a link button that doesn't insert links :(