Le Tuesday 23 May 2006 16:46, Karsten Ohme a écrit :
> > created a gpshell script to try to open a secure channel and test the
> > authentication.
> > After digging on the net, I found that the keys are:
> > Static keys: PK-IS
> > Kenc = CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D
> > Kmac = 2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA
> > Kkek = CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D
>
> The default key for GemXpresso cards is:
>
> static const BYTE OPGP_GEMXPRESSO_DEFAULT_KEY[] = {0x47, 0x45, 0x4d,
> 0x58, 0x50, 0x52, 0x45, 0x53, 0x53, 0x4f, 0x53, 0x41, 0x4d, 0x50, 0x4c,
> 0x45};
Strange as I've also confirmed that the 3 keys Kenc, Kmac and Kkek above are
used by the Gem Xpresso Pro windows software.
What is the default key you're taking above? (GEMXPRESSOSAMPLE)
what the open_sc command could look like? Is there a specific order to follow
for the key switches: -enc_key -mac_key -kek_key ?
> Try this (without the surrounding stuff).
You mean tha I should try this:?
open_sc -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -security 0
> > Thus I tried the following gpshell script with no success:(note that I
> > reset the unsuccessfull failed attempt counter to open the secure channel
> > by using the windows Gem Xpresso Pro software on windows 2000 and
> > authenticate the card)
> > Note: the open_sc line is on 1 single line
> > -----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
> >-- gemXpressoPro
> > enable_trace
> >
> > establish_context
> > card_connect
> > select -AID a000000018434d # example of AID to test AID selection works
> > open_sc -security 0 -enc_key cacacacacacacaca2d2d2d2d2d2d2d2d -mac_key
> > 2d2d2d2d2d2d2d2dcacacacacacacaca -kek_key
> > ca2dca2dca2dca2dca2dca2dca2dca2d // Open secure channel
> > get_status -element e0
> > close_sc // Close secure channel
> > card_disconnect
> > release_context
> > -----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
> >-- The gpshell version is 1.3.1
> > What means -keyind 0 -keyver 0 ?
>
> key index is teh key position in a key version. E.g the MAC, KEK and ENC
> key are in one key version, there is a order, I believe ENC, MAC, KEK in
> a keyset. key index specifies the offset in the key version to start
> looking for these keys. So 0 is OK. (Should, else it is a strange card.)
> key version 0 means: take the first availbale key version. This should
> be OK for your card, if 13 is really the first available key version.
>
> Maybe also see the README of gpshell.
Unfortunately, I red it up and down and down to up :)
> Can you please submit a log from the enable_trace?
rpm/BUILD/gpshell-1.3.1 $ gpshell < Nesrine.txt
gemXpressoPro
enable_trace
establish_context
card_connect
select -AID a000000018434d
--> 00A4040007A000000018434D
<-- 6F188407A000000018434DA50D9F6E063231030033309F6501FF9000
open_sc -security 0 -keyind 0 -keyver 0 -mac_key
2d2d2d2d2d2d2d2dcacacacacacacaca -kek_key ca2dca2dca2dca2dca2dca2dca2dca2d
-enc_key cacacacacacacaca2d2d2d2d2d2d2d2d // Open secure channel
--> 80CA9F7F00
<--
9F7F2A0004001532310300333003490000859800CB1292300112933001000000000000000000000000000000009000
--> 8050000008C53AB0323EC1F6D500
<-- 434D03490000859800CB0D0115C962009EC0B2FD3442D9FF2629C9769000
mutual_authentication() returns 0x80302000 (The verification of the card
cryptogram failed.)
> Have you taken the latest versions of GlobalPlatform and GPShell from SVN?
Unfortunately not as I'm behind a firewall. I'm using GPshell 1.3.1 from March
24th, 2006. If you could sent to me a bzip2 tarball of the latest SVN I'd
apreciate a lot Karsten.
Olivier.
--
Olivier LAHAYE
Motorola Labs IT Manager
Computer & Information Systems
European Communications Research
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
