OK, I will go on with my hypothesis.

What I think is that your card is using SCP02 option 55.

In this mode the card random is still generated internally, so the GP spec still
holds, but the random does not come from a random generator.

Instead, with option 55, the card random is a hash value computed from the card
diversifier and sequence counter, the "well-known pseudo-random algorithm". This
algorithm is not documented in GP specs, so I believe it depends on the card
provider.

The goal of this option is to allow precomputation in advance of all secure
commands for use in, e.g. over the air protocols.

Step 1) The relevant information is read from the card (usually via GET DATA,
not via INIT UPDATE) on the client side.

Step 2) The secure server receives this info and computes all commands (including
INIT UPDATE and EXT AUTH, and all loading commands with their MAC and encryption).
The host challenge is generated at this moment.

Step 3) The list of APDUs is sent to the remote card. All responses are gathered
and sent back to the server for checking.

This avoids lots of two-way communications between server and client for the
initial authentication steps.

So I think you understand now: Each time you send init update, the returned
random is the same, since it depends on constant data. Once external
authenticate is successful, the sequence counter is incremented, and you get a
new challenge based on the new value of the counter.

That's why I wanted to get the response from Select application OR from GET DATA
with tag 66h or 73h, because this data contains the information about the SCP
option.

You were talking about a GP 2.2 card, and the only GP 2.2 cards I know are recent
SIM cards, so the 55h option makes full sense for such cards.

If you really need a real random at each call, use (or find a card that uses)
option 15h instead. With option 55h, a repeated random is normal.

At least that's my analysis and opinion. You should check with your provider to
confirm my hypothesis.

BR

Sébastien Lorquet

On 20/09/2013 16:47, landyman70 wrote:
> True. When I get the init update, I then do some client side authentication
> and do a comparison of the card challenge, and as they don't match, I do not
> proceed to the ext auth with the card.
> Should I therefore just press on, knowing that the ext auth will fail?
> 
> 
> 
> --
> View this message in context: 
> http://musclecard.996296.n3.nabble.com/GP-2-2-INITIALIZE-UPDATE-0x50-oddness-tp5042p5062.html
> Sent from the MuscleCard mailing list archive at Nabble.com.

_______________________________________________
Muscle mailing list
[email protected]
http://lists.musclecard.com/mailman/listinfo/muscle_lists.musclecard.com
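The host-side check the thread is about, as an added example (not code from the thread or from the MuscleCard project): derive the SCP02 S-ENC session key from the sequence counter the card returns, recompute the card cryptogram, and compute the host cryptogram for EXTERNAL AUTHENTICATE. The session key derivation (constant || sequence counter || zero padding), the cryptogram formulas, the 0x80 padding and the 28-byte INITIALIZE UPDATE response layout are taken from GP Card Specification 2.1.1 / 2.2 Appendix E. Everything in `SimulateCard` is an assumption for illustration only: the message above says the option 55h card-challenge derivation is provider-specific, so the stand-in used here (first 6 bytes of a MAC over the diversification data) is not the real algorithm, it only reproduces the property discussed, a challenge that depends on constant card data and the counter. The key, diversification data and host challenge are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// SCP02 derivation constant for S-ENC, the session key used for the card and
// host cryptograms (GP 2.1.1 / 2.2 Appendix E).
const DerivSENC uint16 = 0x0182

// InitUpdateResp holds the fields of the 28-byte SCP02 INITIALIZE UPDATE response.
type InitUpdateResp struct {
	DiversificationData []byte // 10 bytes
	KeyInfo             []byte // 2 bytes: key version number, SCP identifier 02
	SequenceCounter     []byte // 2 bytes
	CardChallenge       []byte // 6 bytes
	CardCryptogram      []byte // 8 bytes
}

// ParseInitUpdate splits the response data (status word already removed).
func ParseInitUpdate(resp []byte) (*InitUpdateResp, error) {
	if len(resp) != 28 {
		return nil, fmt.Errorf("INITIALIZE UPDATE response must be 28 bytes, got %d", len(resp))
	}
	return &InitUpdateResp{resp[0:10], resp[10:12], resp[12:14], resp[14:20], resp[20:28]}, nil
}

// tdesCBC runs 3DES-CBC with a zero ICV using a 16-byte two-key 3DES key
// (expanded to K1||K2||K1 for Go's crypto/des). A wrong key length is a caller bug.
func tdesCBC(key16, data []byte) []byte {
	if len(key16) != 16 {
		panic("SCP02 keys are 16-byte 3DES keys")
	}
	block, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...)) // 24-byte key, cannot fail
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return out
}

// DeriveSessionKey: 3DES-CBC with the static key over constant(2) || seq(2) || 12 zero bytes.
func DeriveSessionKey(static16 []byte, constant uint16, seq []byte) []byte {
	data := make([]byte, 16)
	data[0], data[1] = byte(constant>>8), byte(constant)
	copy(data[2:4], seq)
	return tdesCBC(static16, data)
}

// fullMAC pads with 0x80 0x00.. to a block boundary, runs 3DES-CBC and keeps the last block.
func fullMAC(key16 []byte, parts ...[]byte) []byte {
	padded := append(bytes.Join(parts, nil), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	enc := tdesCBC(key16, padded)
	return enc[len(enc)-8:]
}

// CardCryptogram = MAC(S-ENC, host challenge || sequence counter || card challenge).
func CardCryptogram(senc, host, seq, card []byte) []byte { return fullMAC(senc, host, seq, card) }

// HostCryptogram = MAC(S-ENC, sequence counter || card challenge || host challenge),
// the value the host sends in EXTERNAL AUTHENTICATE.
func HostCryptogram(senc, host, seq, card []byte) []byte { return fullMAC(senc, seq, card, host) }

// VerifyInitUpdate is the host-side check: derive S-ENC from the counter the card
// returned and recompute the card cryptogram. The card challenge is opaque input;
// it is never compared with the challenge of an earlier session.
func VerifyInitUpdate(staticENC, host []byte, r *InitUpdateResp) (senc []byte, ok bool, err error) {
	if len(r.SequenceCounter) != 2 || len(r.CardChallenge) != 6 || len(r.CardCryptogram) != 8 {
		return nil, false, fmt.Errorf("malformed INITIALIZE UPDATE response")
	}
	senc = DeriveSessionKey(staticENC, DerivSENC, r.SequenceCounter)
	expect := CardCryptogram(senc, host, r.SequenceCounter, r.CardChallenge)
	return senc, bytes.Equal(expect, r.CardCryptogram), nil
}

// SimulateCard builds the response of a card whose challenge depends only on fixed
// card data and the sequence counter. The derivation used here (first 6 bytes of a
// MAC over the diversification data) is an assumed stand-in for the provider-specific
// "well-known pseudo-random algorithm", not the real one.
func SimulateCard(staticENC, divData, host []byte, seq uint16) []byte {
	seqB := []byte{byte(seq >> 8), byte(seq)}
	senc := DeriveSessionKey(staticENC, DerivSENC, seqB)
	card := fullMAC(senc, divData)[:6]
	crypt := CardCryptogram(senc, host, seqB, card)
	return bytes.Join([][]byte{divData, {0x01, 0x02}, seqB, card, crypt}, nil)
}

func main() {
	// Constructed sample values: the widely published GP default test key (0x40..0x4F),
	// made-up diversification data and a fixed host challenge (normally fresh random bytes).
	key := []byte("@ABCDEFGHIJKLMNO")
	div := []byte{0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
	host := []byte{0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}
	for _, seq := range []uint16{1, 1, 2} { // the counter only moves after a successful EXT AUTH
		r, _ := ParseInitUpdate(SimulateCard(key, div, host, seq))
		_, ok, _ := VerifyInitUpdate(key, host, r)
		fmt.Printf("seq=%04x card challenge=%x cryptogram ok=%v\n", seq, r.CardChallenge, ok)
	}
}
```

Running it prints the same card challenge for the two calls with counter 0001 and a different one for 0002, and the cryptogram verifies in all three cases. That is the practical point of the analysis above: the host's freshness comes from its own random host challenge and from the sequence counter that feeds the session keys, so a client that rejects a session because the card challenge matches the previous one (the check described in the quoted message) turns away a legitimate option 55h card, while the cryptogram check still catches a wrong static key, a tampered response or a cryptogram bound to a different host challenge.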
