Peter Williams wrote:
>> From: Karsten Ohme <[EMAIL PROTECTED]>
>> Reply-To: MUSCLE <[email protected]>
>> To: MUSCLE <[email protected]>
>> Subject: [Muscle] GlobalPlatform R-MAC
>> Date: Tue, 13 Dec 2005 14:02:00 +0100
>>
>> Hello,
>>
>> The secure channel protocol 02 of the GlobalPlatform specification
>> allows the use of an R-MAC (response MAC). The specification mentions
>> that the R-MAC is applied to all the subsequent command/response
>> messages. Is this really true? Or is the R-MAC only applied to real
>> command APDUs containing data and not to protocol APDUs like Get
>> Response or on errors like Wrong Length (6C,61,...)?
>>
>> Are there any cards which support R-MAC?
>
> Yes.

OK, which brand? Which company?

> FIPS 201 essentially requires an R-MAC capable SCP - for remote
> management of the GCs, as the content silos are instantiated - and
> rented off to other agencies/businesses.
>
> I have not personally encountered SCP 02 et al. over T0, in an off the
> shelf card.
>
> You might want to investigate SCP.n proposals. Our IBM colleagues may be
> able to facilitate controlled R&D access to GP.next drafts.

The draft for version 2.2 is available for public review, but does not
clarify this. The encryption and the C-MAC are also not applied to GET
RESPONSE messages. Maybe it works the same.

> In 7816 terms, secure messaging and logical channel support is
> applicable to all APDU transfers. A polling response is just a response.
>
> It's more fun to question whether the T0 procedure bytes and time request
> bytes (over USB relays in particular) are secured by the logical
> channel, and its binding to secure messaging. One assumes not. One
> assumes that the combination of T0 and the more advanced SCPs are really
> not "future-compatible".

What are the problems/security considerations/risks?

Karsten

>> Thanks,
>> Karsten
>> _______________________________________________
>> Muscle mailing list
>> [email protected]
>> http://lists.drizzle.com/mailman/listinfo/muscle
