From: Karsten Ohme <[EMAIL PROTECTED]>
Reply-To: MUSCLE <[email protected]>
To: MUSCLE <[email protected]>
Subject: [Muscle] GlobalPlatform R-MAC
Date: Tue, 13 Dec 2005 14:02:00 +0100
Hello,
The secure channel protocol 02 of the GlobalPlatform specification
allows the use of an R-MAC (response MAC). The specification mentions
that the R-MAC is applied to all the subsequent command/response
messages. Is this really true? Or is the R-MAC only applied to real
command APDUs containing data and not to protocol APDUs like Get
Response or on errors like Wrong Length (6C,61,...)?
Are there any cards which support R-MAC?
Yes.
FIPS 201 essentially requires an R-MAC capable SCP - for remote management
of the GCs, as the content silos are instantiated - and rented off to other
agencies/businesses.
I have not personally encountered SCP 02 et al. over T0, in an off-the-shelf
card.
You might want to investigate SCP.n proposals. Our IBM colleagues may be
able to facilitate controlled R&D access to GP.next drafts.
In 7816 terms, secure messaging and logical channel support is applicable to
all APDU transfers. A polling response is just a response.
It's more fun to question whether the T0 procedure bytes and time request
bytes (over USB relays in particular) are secured by the logical channel,
and its binding to secure messaging. One assumes not. One assumes that the
combination of T0 and the more advanced SCPs are really not
"future-compatible".
Thanks, Karsten
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle