Hi Karsten,
From: Karsten Ohme <[EMAIL PROTECTED]>
Reply-To: MUSCLE <[email protected]>
To: MUSCLE <[email protected]>
Subject: Re: [Muscle] muscleTool 2.1.0 & gpshell problem
Date: Tue, 07 Feb 2006 21:53:17 +0100
kammi cazze wrote:
> Hi,
>
> after some long vacation, i started to work on the smartcard stuff
> again, but still have some problems with the tools :(
>
> I compile muscletool-2.1.0 succesfully, but if i run the program and ask
> for tokens, the processor raise to 99% and stays there.
> I tried the same with muscleTool-0.9.2, but didn't had that problem.
This problem is fixed with the new release of pcsclite (and the
contained libmusclecard). If you compile it with gcc3.3 it works. It
seems GCC 4.0 does some stuff different then GCC 3.3.
I did compile with 3.4.4 so no 4.0 stuff. By the new release, do you mean
beta10 ?
>
> Another thing is with my GemXpresso Pro R3 cards. From the docs, the
> card supports both gp211 and op2.0.1'.
GemPlus use a key derivation scheme for getting the keys for mutual
authentication. Don't repeat the script to often or you card will be
locked!!!! You first must have the mother key and derive from their the
keys ...
This does not comply with the GlobalPlatform specification.
Matheus Ribeiro fixed this problem. See the added diff, which you must
apply and compile the result with the switch GEMPLUS enabled ... This is
not contained in the SVN. You must do it on you own.
Karsten
Will the Gemplus derivation scheme patch be applied to gpshell in the
future? Maybe with a config flag?
Another question, where can i get the master key? Does Gemplus have to give
it or is there a generic one available?
I think both my cards are blocked now, but how can i be sure? If i try to do
a get_status to get the life-cycle, i get a 6985 response, command not
allowed.
I can do a get_data to get the CPLC data.
Regards,
Pierre
>
> I tried this script with gpshell 1.2, both with mode_211 and mode_201
>
> mode_201 (mode_211)
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> card_disconnect
> release_context
>
> and got this back for both modes:
>
> mode_201 (mode_211)
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> --> 00A4040007A000000018434D
> <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000
> card_disconnect
> release_context
>
> If i now want to use the next script, i get different responce back from
> both modes, all failing :(
>
> mode_201
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> get_status -element e0
> card_disconnect
> release_context
>
> i get this back:
>
> mode_201
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> --> 00A4040007A000000018434D
> <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> --> 8050000008425A1BDDA8BC472300
> <-- 434D10159416191223C10D01C671894151329DA516BDD69A278053809000
> mutual_authentication() returns 0x80302000 (The verification of the card
> cryptogram failed.)
>
> and for the 211 script:
>
> mode_211
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> get_status -element 20
> card_disconnect
> release_context
>
> i got this back:
>
> mode_211
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> --> 00A4040007A000000018434D
> <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000
> open_sc -security 1 -keyind 0 -keyver 0 -mac_key
> 404142434445464748494a4b4c4d4e4f -enc_key
> 404142434445464748494a4b4c4d4e4f // Open secure channel
> --> 00CA006600
> <-- 6E00
> --> 8050000008FCF70277F3E05F1C00
> <-- 434D10159416191223C10D01861F156B46ED8FF3BC529AD43D11B5709000
> mutual_authentication() returns 0x8030F006 (The Secure Channel Protocol
> Implementation is invalid.)
>
> I tried this all with different cards, but they all gave me the same
> result. Does this mean my cards are blocked? How can i see it if they
> are blocked? Which of the 2 modes is better to use if it support both (i
> think so but am not sure getting the above result with gp211)?
>
> Any ID?
>
> Regards,
>
> Pierre
>
>
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
2412,2413d2411
< /* Switch on, if R-MAC is only applied to last command of session. */
< secInfo->securityLevel |= GP211_SCP02_SECURITY_LEVEL_R_MAC;
4882a4881,4905
> #ifdef GEMPLUS
> /**
> * Generate a daughter key based on the mother key, as Gemplus spec.
> */
> static LONG create_daughter_key(BYTE motherKey[16], BYTE
derivationData[16], BYTE daughterKey[16]){
> LONG result;
> unsigned char derivation_data[16];
> int outl;
> BYTE left_diversifier[8];
> BYTE right_diversifier[8];
> BYTE diversifier[16];
>
> LOG_START(_T("create_daughter_key"));
>
> result = calculate_enc_ecb_two_key_triple_des(motherKey,
derivationData, 16, daughterKey, &outl);
> if (result != OPGP_ERROR_SUCCESS) {
> goto end;
> }
> { result = OPGP_ERROR_SUCCESS; goto end; }
> end:
> LOG_END(_T("create_daughter_key"), result);
> return result;
> }
> #endif
>
4897c4920,4924
<
---
> // matheus: teste
> BYTE left_diversifier[8];
> BYTE right_diversifier[8];
> BYTE diversifier[16];
>
4898a4926,4934
> #if 1
> // matheus: create diversifier
> memcpy(left_diversifier, cardChallenge+4, 4);
> memcpy(left_diversifier+4, hostChallenge, 4);
> memcpy(right_diversifier, cardChallenge, 4);
> memcpy(right_diversifier+4, hostChallenge+4, 4);
> memcpy(diversifier, left_diversifier, 8);
> memcpy(diversifier+8, right_diversifier, 8);
> #else
4902a4939
> #endif
4904c4941
< result = calculate_enc_ecb_two_key_triple_des(key, derivation_data, 16,
sessionKey, &outl);
---
> result = calculate_enc_ecb_two_key_triple_des(key,
diversifier/*derivation_data*/, 16, sessionKey, &outl);
4913a4951
>
4945a4984,5003
> /*
> static LONG calculate_3des_sessionkey(BYTE diversifier[8], BYTE
staticKey[16], BYTE outKey[16]){
> LONG result;
> int i,outl;
> EVP_CIPHER_CTX ctx;
>
> // initialize context
> EVP_CIPHER_CTX_init(&ctx);
> if (result != 1) {
> { result = OPGP_OPENSSL_ERROR; goto end; }
> }
>
> end:
> if (EVP_CIPHER_CTX_cleanup(&ctx) != 1) {
> { result = OPGP_OPENSSL_ERROR; goto end; }
> }
> LOG_END(_T("calculate_enc_ecb_two_key_triple_des"), result);
> return result;
>
> }*/
5431c5489
< // random for host challenge
---
>
5496a5555,5556
>
>
5596a5657,5678
> #ifdef GEMPLUS
> // daughter key
> BYTE daughterKey[16];
> // this comes from card diversification
> BYTE derivationData[16];
>
> // derivation left
> memcpy(derivationData, key_diversification_data, 2);
> memcpy(derivationData+2, key_diversification_data+4, 4);
> derivationData[6] = 0xF0;
> derivationData[7] = 0x01;
> // derivation right
> memcpy(derivationData+8, key_diversification_data, 2);
> memcpy(derivationData+10, key_diversification_data+4, 4);
> derivationData[14] = 0x0F;
> derivationData[15] = 0x01;
>
> // generate daughter key
> result = create_daughter_key(S_ENC, derivationData,
daughterKey);
> // and session key
> result = create_session_key_SCP01(daughterKey, cardChallengeSCP01,
hostChallenge, secInfo->encryptionSessionKey);
> #else
5597a5680,5681
> #endif
>
5602a5687,5699
> #ifdef GEMPLUS
> // left derivation for MAC
> derivationData[6] = 0xF0;
> derivationData[7] = 0x02;
> // right derivation for MAC
> derivationData[14] = 0x0F;
> derivationData[15] = 0x02;
>
> // daughter key
> result = create_daughter_key(S_MAC, derivationData,
daughterKey);
> // and session key
> result = create_session_key_SCP01(daughterKey, cardChallengeSCP01,
hostChallenge, secInfo->C_MACSessionKey);
> #else
5603a5701
> #endif
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
