I'm still stuck and unable to open_sc to my Gem Xpresso 211PK_IS card.

Here is more information about my systems, in the hope that someone may have 
the magic information that would allow me to progress.

See my comments below (and attached file):

On Tuesday 23 May 2006 19:31, Karsten Ohme wrote:
> Olivier LAHAYE wrote:
> > On Tuesday 23 May 2006 16:46, Karsten Ohme wrote:
> >>>created a gpshell script to try to open a secure channel and test the
> >>>authentication.
> >>>After digging on the net, I found that the keys are:
> >>>Static keys: PK-IS
> >>>Kenc = CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D
> >>>Kmac = 2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA
> >>>Kkek = CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D
> >>
> >>The default key for GemXpresso cards is:
> >>
> >>static const BYTE OPGP_GEMXPRESSO_DEFAULT_KEY[] = {0x47, 0x45, 0x4d,
> >>0x58, 0x50, 0x52, 0x45, 0x53, 0x53, 0x4f, 0x53, 0x41, 0x4d, 0x50, 0x4c,
> >>0x45};
> >
> > Strange as I've also confirmed that the 3 keys Kenc, Kmac and Kkek  above
> > are used by the Gem Xpresso Pro windows software.
>
> Can be, but in my docs this key is mentioned. Maybe you have a different
> card.
Must be the case as I'm pretty sure now that my keys are the correct ones as 
they are in the windows software properties file (attached).

The manual: 
http://www.informatik.uni-augsburg.de/lehrstuehle/swt/se/teaching/ws0506/javacard/Dokumentation/UserGuide.pdf
states the following:

The Card Manager daughter keys (KDCAUTH/ENC, KDCMAC, and KDCKEK) are
diversified from the mother key (KMC). The diversification method uses 3DES_ECB
with a 16-byte key (KMC) and 16 bytes of diversification data, D.
The data diversification method is as follows:
D = Dleft || Dright
KD = KDleft || KDright
KDleft = 3DES(Dleft, KMC)
KDright = 3DES(Dright, KMC)

Page 124 also speaks about diversification. Any special commands in gpshell to 
support this? (the attached property file seems to indicate that I'm not using 
diversification...)

Page 43 seems to explain that the security domain AID is  A0 00 00 00 18 43 4D
and attached file seems to confirm that.

Page 44/45 explains the properties file format that I have attached and that 
I'm using on the windows software.

As you can see in the property file, it seems that the 3 keys (the keyset) are 
used for DES-ECB. Maybe gpshell/pcsc does not support this type of auth?

> >>Try this (without the surrounding stuff).
> >
> > You mean that I should try this:?
> > open_sc -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45
> > -security 0
>
> yes, but with -enc -mac -kek ... with the same value.

Failed. :'-(


> >>Have you taken the latest versions of GlobalPlatform and GPShell from
> >> SVN?
> >
> > Unfortunately not as I'm behind a firewall. I'm using GPshell 1.3.1 from
> > March 24th, 2006. If you could send me a bzip2 tarball of the latest
> > SVN I'd appreciate it a lot, Karsten.
>
> OK.
Thanks for your archives, compilation went fine and I tested the new version: 
same results. BTW, the GlobalPlatform you sent me (SVN) is numbered 2.1.1 
while Changelog states 3.0.2. This is strange. I tested a diff -u on it with 
the archive on the web and except autofiles that I've regenerated, there are 
almost no differences in source code (only a small difference (an if case 
removed in the version you sent to me)).

So now, I'm stuck :-(
As a sum-up:
If I can talk to the card, then this should mean that my pcsc install is ok, 
right?
If I obtain the same results with 2 different card readers: O2Micro and GemPC 
usb, it should confirm that my pcsc install is correct.
So what can I check?
Is there a way to check from A to Z my install?
Is there a way to simulate the authentication using send_apdu?

Any help would be really really appreciated...

Thanks a lot for all your patience and help.

Olivier.
--
        Olivier LAHAYE
        Motorola Labs IT Manager
        Computer & Information Systems
        European Communications Research
#====================================================================
#
#  CARD INFORMATIONS
#
#====================================================================
#
#  WARNING: For custom product, you may have to update the mother key.
#
#====================================================================
#
#  card: 
#
#  issuer:  GEMPLUS
#  date: Mon May 15 16:30:23 CEST 2006
#
#====================================================================
this_file_format=1

#======  Application Identifier (hex or ascii format) ===============
aid.security_domain=hex/A0 00 00 00 18 43 4D

#======  Default key set version (in decimal format) ================
set_version=13

#========= mother keys for diversification and mode =================
#diversification= name / diversification mode / [/parameter for diversification/...]
#    name                          = logical name mode for the diversification mode (user defined)
#    diversification mode          = diversification mode (VISA, ...)
#    parameter for diversification = hexa key value or <NONE>
#
diversification=GXP211_PK_IS_fixedKey/NONE

#======  number of key sets (in decimal format) =====================
set_number=1

#==== Key Set <i> =====================================================
# number of keys in the set
#set<i>.key_number=n
#
#set<i>.set_index= set version
#set<i>.key1=algo/data
#set<i>.key2=algo/data
#.....................
#set<i>.keyn=algo/data
#
# where :
#
# - algo is one of the following algorythm
#  des-ecb
#  des-cbc
#  rsa-crt
#  rsa-priv
#  rsa-pub
#  dsa-priv
#  dsa-pub  
#
# - data is the value of the key
#     for des-ecb or des-cbc, if K3 is not present K3=K1

#==== Key Set 1 =====================================================
set1.version=13
set1.key_number=3
set1.key1=des-ecb/CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D
set1.key2=des-ecb/2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA
set1.key3=des-ecb/CA 2D CA 2D CA 2D CA 2D 2D CA 2D CA 2D CA 2D CA
#====================================================================

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
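
Added example (not part of the original message, and not GPShell or Gemplus code): a small Python check that parses the key-set lines of the attached properties file and compares them byte for byte with the three keys quoted in the message body. The input strings are copied from this page; the role order key1=Kenc, key2=Kmac, key3=Kkek is an assumption.

```python
# Constructed input: the key-related lines of the properties file attached to
# the message, and the three keys as quoted in the message body.
PROPERTIES = """\
set_version=13
diversification=GXP211_PK_IS_fixedKey/NONE
set_number=1
# set<i>.key1=algo/data
set1.version=13
set1.key_number=3
set1.key1=des-ecb/CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D
set1.key2=des-ecb/2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA
set1.key3=des-ecb/CA 2D CA 2D CA 2D CA 2D 2D CA 2D CA 2D CA 2D CA
"""
QUOTED = {  # assumed role order: key1=Kenc, key2=Kmac, key3=Kkek
    "Kenc": "CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D",
    "Kmac": "2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA",
    "Kkek": "CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D",
}

def parse_properties(text):
    """Return {name: value} for every non-comment 'name=value' line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip()
    return props

def key_set(props, index=1):
    """Return the keys of set<index> as [(algo, bytes)], in key order."""
    count = int(props[f"set{index}.key_number"])
    keys = []
    for n in range(1, count + 1):
        algo, data = props[f"set{index}.key{n}"].split("/", 1)
        raw = bytes.fromhex(data.replace(" ", ""))
        if algo.startswith("des") and len(raw) not in (16, 24):
            raise ValueError(f"key{n}: unexpected DES key length {len(raw)}")
        keys.append((algo, raw))
    return keys

def compare(props, quoted):
    """Map each quoted key name to True/False: does it equal the file's key?"""
    file_keys = [raw for _, raw in key_set(props)]
    return {name: bytes.fromhex(value.replace(" ", "")) == file_key
            for (name, value), file_key in zip(quoted.items(), file_keys)}

if __name__ == "__main__":
    for name, same in compare(parse_properties(PROPERTIES), QUOTED).items():
        print(f"{name}: {'matches file' if same else 'DIFFERS from file'}")
```

Run on the values in this message, it reports Kenc and Kmac as identical to the file and Kkek as different in its last eight bytes.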