8 Replies. Latest reply: Nov 14, 2012 3:01 AM by 973756

Put Key Command Fail.(CLA=0x84)

973756 Newbie
Hello.

I have a problem transmitting the PUT KEY command.

I followed 'GP2.1.1 E4.4' to create a C-MAC using the S-MAC key, but the result failed.

I think there is something wrong in my calculation...

So, could you explain to me how to create the C-MAC of the PUT KEY command?

---------my log.------------
*Base Key
DES-ECB/
404142434445464748494a4b4c4d4e4f
1/2/DES-ECB/
404142434445464748494a4b4c4d4e4f
1/3/DES-ECB/
404142434445464748494a4b4c4d4e4f

*New Key
DES-ECB/
404142434445464748494a4b4c4d4e4f
2/2/DES-ECB/
404142434445464748494a4b4c4d4e4f
2/3/DES-ECB/
404142434445464748494a4b4c4d4e4f


=> 80 50 00 00 08 FD3FC82EB5403371
<= 611C

=> 00 C0 00 00 1C
<= 00001104000012A9089A0102002B6C04D3C7DDE8F5569C833019DDCE9000

=> 84 82 01 00 10 DDE15E5AE73CA146CC15FC59AC11787A
<= 9000

=> 84 D8 01 81 4B 0180101F2DE4D6C8509DFF2F8AC23D8370A6A6038BAF4780101F2DE4D6C8509DFF2F8AC23D8370A6A6038BAF4780101F2DE4D6C8509DFF2F8AC23D8370A6A6038BAF479F353241203729B0
<= 6982
--------------------------

---sample log(success)----
cm> set-key 1/1/
DES-ECB/
404142434445464748494a4b4c4d4e4f
1/2/DES-ECB/
404142434445464748494a4b4c4d4e4f
1/3/DES-ECB/
404142434445464748494a4b4c4d4e4f

cm> init-update 1
=> 80 50 01 00 08 D3 B3 00 7C 8B D1 5E 41
<= 00 00 70 15 00 05 94 91 11 07 01 02 00 01 6C 7F FC 11 3F B9 A9 76 C3 F9 AA 34 9D 46

cm> ext-auth mac
=> 84 82 01 00 10 951724B48FD378858B1ED7 D1 C5 2D 7E 45

<= 90 00 ..
Status: No Error
cm> set-key 2/1/
DES-ECB/
ffeeddccbbaa99887766554433221100
2/2/DES-ECB/
ffeeddccbbaa99887766554433221100
2/3/DES-ECB/
ffeeddccbbaa99887766554433221100

cm> put-keyset
=> 84 D8 00 81 4B 02 80 10 AE 25 9D AE 8A 7F 23 37 7F CF AD 42 5C B8 C3 EC 03 F3 9C 09 80 10 AE 25 9D AE 8A 7F 23 37 7F CF AD 42 5C B8 C3 EC 03 F3 9C 09 80 10 AE 25 9D AE 8A 7F 23 37 7F CF AD 42 5C B8 C3 EC 03 F3 9C 09 69 54 47 5D 25 8A AA 36
<= 02 F3 9C 09 F3 9C 09 F3 9C 09 90 00
Status: No Error
-------------------------------

Edited by: 970753 on 2012. 11. 12 3:13 AM
  • 1. Re: Put Key Command Fail.(CLA=0x84)
    safarmer Expert
    There are two possibilities:

    1) The PUT-KEY command doesn't have the correct S-DEK encryption of the keys (or incorrect KCV)
    2) The MAC is wrong.

    To see if it is 2, try doing a GET-DATA command (say tag 00CF) to see if the MAC is correct.

    - Shane
  • 2. Re: Put Key Command Fail.(CLA=0x84)
    973756 Newbie
    Hi, Shane.

    With CLA=0x80 (no MAC), a PUT KEY command worked correctly.
    So, I think S-DEK is correct.

    And here is a question: I tried the GET-DATA command (say tag 00CF) that you suggested.
    But I still don't know how to check if the MAC is correct or not.
    A GET-DATA command (say tag 00CF) only returns "10 bytes card serial number used for key derivation".
    Could you let me know how to check?
    I attached a log.

    -Seira

    -------Get Data Log----------
    => 80 50 00 00 08 1D03A048A6439908
    <= 00001104000012A9089A01020004CB7EF1C202EA76C453700CEC62289000

    => 84 82 01 00 10 DC2A486C90E831889D33BF88956F15AE
    <= 9000

    => 84 D8 01 81 4B 018010301B9854B44A1120B80AD7652F23E59E03F10D328010301B9854B44A1120B80AD7652F23E59E03F10D328010301B9854B44A1120B80AD7652F23E59E03F10D3258CEBE74CB956881
    <= 6982

    => 00 CA 00 CF 0A
    <= 00001104000012A9089A
    -----------------------------------..

    Edited by: 970753 on 2012. 11. 12 7:03 PM
  • 3. Re: Put Key Command Fail.(CLA=0x84)
    safarmer Expert
    970753 wrote:
    > With CLA=0x80 (no MAC), a PUT KEY command worked correctly.
    > So, I think S-DEK is correct.

    I ran a test harness with your data and here are the results (=> is for APDUs I would have sent, -> is what you sent).
    EXT-AUTH
    => 8482010010dde15e5ae73ca146cc15fc59ac11787a
    -> 8482010010dde15e5ae73ca146cc15fc59ac11787a
    PUT-KEY
    => 84d801814b0180105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf47b51f86a666fdf8cb
    -> 84d801814b0180101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf479f353241203729b0
    Both the MAC and the DEK encryption seem to be different.

    > And here is a question: I tried the GET-DATA command (say tag 00CF) that you suggested.
    > But I still don't know how to check if the MAC is correct or not.
    > A GET-DATA command (say tag 00CF) only returns "10 bytes card serial number used for key derivation".
    > Could you let me know how to check?

    If you send GET-DATA in the secure channel, the card will tell you if the MAC is correct. Make sure you MAC the command and set CLA to 84. As an example, following the PUT-KEY above:
    => 84ca00cf0884bfeb8df9f731b900
    - Shane
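The field-by-field comparison behind "both the MAC and the DEK encryption seem to be different", as an added example that is not part of the original thread or of Shane's harness. It splits the INITIALIZE UPDATE response and the two PUT KEY APDUs from the posts above into their SCP02 fields; the function and field names are this example's own, and the derivation data uses the 16-byte layout (constant, sequence counter, 12 zero bytes).

```python
# Added example: field-level view of the SCP02 APDUs quoted in this thread.
INIT_UPDATE_RESP = "00001104000012A9089A0102002B6C04D3C7DDE8F5569C833019DDCE9000"
# PUT KEY as sent in the first post, and as produced by Shane's harness (reply 3).
MINE = "84D801814B01" + 3 * "80101F2DE4D6C8509DFF2F8AC23D8370A6A6038BAF47" + "9F353241203729B0"
REFERENCE = "84d801814b01" + 3 * "80105d32c876e0ed6bb2cf82bbe390202931038baf47" + "b51f86a666fdf8cb"
MAC_LEN = 8  # SCP02 C-MAC length in bytes

def parse_init_update(resp_hex):
    """Split an SCP02 INITIALIZE UPDATE response into its fields."""
    r = bytes.fromhex(resp_hex.replace(" ", ""))
    if len(r) == 30:                      # drop the trailing status word (9000)
        r = r[:-2]
    if len(r) != 28:
        raise ValueError("expected 28 bytes of response data")
    return {"diversification": r[:10], "key_version": r[10], "scp": r[11],
            "seq_counter": r[12:14], "card_challenge": r[14:20],
            "card_cryptogram": r[20:28]}

def derivation_data(constant_hex, seq_counter):
    """constant || sequence counter || 12 zero bytes (16-byte 3DES-CBC input)."""
    return bytes.fromhex(constant_hex) + seq_counter + bytes(12)

def parse_put_key(apdu_hex):
    """Split a PUT KEY APDU into new key version, key blocks and C-MAC."""
    a = bytes.fromhex(apdu_hex.replace(" ", ""))
    cla, lc = a[0], a[4]
    data = a[5:5 + lc]                    # a trailing Le byte is ignored
    if len(data) != lc:
        raise ValueError("APDU shorter than Lc")
    fields = {"mac": b""}
    if cla & 0x04:                        # secure messaging: last 8 bytes are the C-MAC
        data, fields["mac"] = data[:-MAC_LEN], data[-MAC_LEN:]
    fields["new_version"] = data[0]
    pos, n = 1, 0
    while pos < len(data):
        n += 1
        klen = data[pos + 1]              # data[pos] is the key type (0x80 = DES)
        fields[f"key{n}.enc"] = data[pos + 2:pos + 2 + klen]
        pos += 2 + klen
        kcv_len = data[pos]
        fields[f"key{n}.kcv"] = data[pos + 1:pos + 1 + kcv_len]
        pos += 1 + kcv_len
    return fields

def diff_put_key(mine_hex, reference_hex):
    """Names of the fields that differ between two PUT KEY APDUs."""
    mine, ref = parse_put_key(mine_hex), parse_put_key(reference_hex)
    return sorted(k for k in ref if mine.get(k) != ref[k])
```

`diff_put_key(MINE, REFERENCE)` reports the three encrypted key blocks and the MAC, while the key check values and the new key version agree.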
  • 4. Re: Put Key Command Fail.(CLA=0x84)
    973756 Newbie
    PUT-KEY
    => 84d801814b0180105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf47b51f86a666fdf8cb
    -> 84d801814b0180101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf479f353241203729b0
    I don't understand why there is a difference between yours and mine.

    I think maybe the session DEK is different.

    my S-DEK = CBC_TDES(404142434445464748494A4B4C4D4E4F, 0181 || sequence counter(in this case is '002B') || 00000000000000000000)

    Is there something wrong with my encryption?
  • 5. Re: Put Key Command Fail.(CLA=0x84)
    safarmer Expert
    The session key calculation looks fine to me. Here is some more tracing from my run. If you can hard code the init-update command and response to replay and dump the commands you can check, otherwise post a new run with as much logging as possible and I can put your values into my harness. The last command is a GET-DATA directly after the PUT-KEY.
    KeySet [version=1]
    S-ENC: 264f0d1aab549e439bc40e9e730e3b15264f0d1aab549e43
    S-MAC: 32864f766eba4961e3461abc1629c84932864f766eba4961
    S-DEK: 58fea1c1fe3b524cbac4cb7f201f947a58fea1c1fe3b524c
    Session IV: 0000000000000000
    => 8482010010dde15e5ae73ca146cc15fc59ac11787a
    -> 8482010010dde15e5ae73ca146cc15fc59ac11787a
    encrypted ENC: 5d32c876e0ed6bb2cf82bbe390202931
    encrypted MAC: 5d32c876e0ed6bb2cf82bbe390202931
    encrypted DEK: 5d32c876e0ed6bb2cf82bbe390202931
    Wrap APDU
    Session IV: e2d6f67e500c6b68
    => 84d801814b0180105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf4780105d32c876e0ed6bb2cf82bbe390202931038baf47b51f86a666fdf8cb00
    -> 84d801814b0180101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf4780101f2de4d6c8509dff2f8ac23d8370a6a6038baf479f353241203729b0
    Wrap APDU
    Session IV: a3ebc552034a5ba9
    => 84ca00cf0884bfeb8df9f731b900
    - Shane
  • 6. Re: Put Key Command Fail.(CLA=0x84)
    973756 Newbie
    Here is my log.
    Session IV: 0000000000000000
    Session IV: e2d6f67e500c6b68
    I set every session IV to "0000000000000000", but yours are different every time. Where are they coming from?


    KeySet
    ENC : 404142434445464748494A4B4C4D4E4F
    MAC : 404142434445464748494A4B4C4D4E4F
    DEK : 404142434445464748494A4B4C4D4E4F

    Session Keys
    S-ENC : A2268F71917EFE0F33CC6166E1154E27
    S-MAC : 7A227D376A9DBE23AB50B7DCB45B2093
    S-DEK : F39FCFB2383B09578723B8C2E03B2729

    New KeySet
    ENC : 404142434445464748494A4B4C4D4E4F
    MAC : 404142434445464748494A4B4C4D4E4F
    DEK : 404142434445464748494A4B4C4D4E4F

    Encrypted Keys = ECB_TDES(S-DEK, NewKEY)
    ENC : 6CCC3D43CFC2CDE6CEABC760468B7EFF
    MAC : 6CCC3D43CFC2CDE6CEABC760468B7EFF
    DEK : 6CCC3D43CFC2CDE6CEABC760468B7EFF


    => 80 50 00 00 08 3A2A0051F957624F
    <= 611C

    => 00 C0 00 00 1C
    <= 00001104000012A9089A0102000710AF44C6064E6B91632B302205699000

    Session IV: 0000000000000000
    => 84 82 01 00 10 9C4DA4D81C5AB9E2A19A614FB880BFE0
    <= 9000

    Session IV: 0000000000000000
    => 84 D8 01 81 4B 0180106CCC3D43CFC2CDE6CEABC760468B7EFF038BAF4780106CCC3D43CFC2CDE6CEABC760468B7EFF038BAF4780106CCC3D43CFC2CDE6CEABC760468B7EFF038BAF47AB4BFB2D4F634E9C
    <= 6982


    Session IV: 0000000000000000
    => 84 CA 00 CF 08 2BD04A1545B7CC72
    <= 6985
  • 7. Re: Put Key Command Fail.(CLA=0x84)
    safarmer Expert
    This would explain everything. The GP card spec says to use the previous MAC as the ICV for the next MAC. Depending on the SCP02 i value you may also need to encrypt the ICV before using it.

    From the GP card spec v2.1.1 - E.1.3:
    The integrity of the sequence of APDU command or response messages being transmitted to the receiving entity is achieved by using the MAC from the current command or response as the (possibly encrypted) Initial Chaining Vector (ICV) for the subsequent command or response. This ensures the receiving entity that all messages in a sequence have been received. Computing the ICV is detailed in Appendix E.3 - Cryptographic Algorithms.
    - Shane
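The ICV chaining quoted above, as an added example that is not part of the original thread: a host and a card each keep the previous C-MAC as the ICV for the next command, and a host that resets the ICV to zero every time passes EXTERNAL AUTHENTICATE but fails on the next command, as in the logs above. Assumptions: truncated HMAC-SHA256 stands in for the DES retail MAC, so only the ICV bookkeeping follows the spec text and the MAC values will not match the traces; the ICV encryption that depends on the i value is left out; class and function names are this example's own.

```python
# Added example: SCP02-style C-MAC chaining, host side and card side.
# ASSUMPTION: HMAC-SHA256 truncated to 8 bytes replaces the DES retail MAC,
# so the MAC values differ from the thread's traces; the ICV handling is the point.
import hashlib
import hmac

ZERO_ICV = bytes(8)

def stand_in_mac(key, icv, data):
    return hmac.new(key, icv + data, hashlib.sha256).digest()[:8]

class Host:
    def __init__(self, s_mac, chain_icv=True):
        self.s_mac, self.chain_icv, self.icv = s_mac, chain_icv, ZERO_ICV

    def wrap(self, apdu):
        """Set the secure-messaging CLA bit, add 8 to Lc, append the C-MAC."""
        cla, ins, p1, p2, lc = apdu[:5]
        body = bytes([cla | 0x04, ins, p1, p2, lc + 8]) + apdu[5:5 + lc]
        mac = stand_in_mac(self.s_mac, self.icv, body)
        if self.chain_icv:
            self.icv = mac                # this MAC is the ICV of the next command
        return body + mac

class Card:
    def __init__(self, s_mac):
        self.s_mac, self.icv = s_mac, ZERO_ICV

    def process(self, wrapped):
        body, mac = wrapped[:-8], wrapped[-8:]
        expected = stand_in_mac(self.s_mac, self.icv, body)
        if not hmac.compare_digest(mac, expected):
            return 0x6982                 # same status the PUT KEY in the thread got
        self.icv = mac                    # card chains on the MAC it just accepted
        return 0x9000

def run_session(chain_icv):
    """EXTERNAL AUTHENTICATE followed by GET DATA (tag 00CF); returns both SWs."""
    key = bytes.fromhex("32864f766eba4961e3461abc1629c849")  # S-MAC from Shane's trace
    host, card = Host(key, chain_icv), Card(key)
    ext_auth = bytes.fromhex("8082010008dde15e5ae73ca146")   # unwrapped, host cryptogram only
    get_data = bytes.fromhex("80ca00cf00")
    return [card.process(host.wrap(c)) for c in (ext_auth, get_data)]
```

`run_session(True)` returns 9000 for both commands; `run_session(False)`, the all-zero ICV case from the failing log, returns 9000 and then 6982.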
  • 8. Re: Put Key Command Fail.(CLA=0x84)
    973756 Newbie
    Thank you Shane!

    Problem solved. The ICV was a key...
