How can I check INITIALIZE UPDATE and EXTERNAL AUTHENTICATE correctness?

Asked 7/6, 2014 at 4:46 Answered 7/6, 2014 at 8:57

Solved cryptography smartcard javacard apdu globalplatform

enter image description here

I sent 80 50 00 00 08 00 00 00 00 00 00 00 00 [INITILIZE UPDATE Command] via opensc-tool to my java card and received 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 11 79 11 36 5D 71 00 A5 A5 EC 63 BB DC 05 CC [Init Response] as its response from the card.

As you see:

In the command,I send 00 00 00 00 00 00 00 00 as Host Challenge, And in the response :

00 00 11 60 01 00 8A 79 0A F9 = Key diversification data

FF 02 = Key information

00 11 79 11 36 5D 71 00 = Card challenge

A5 A5 EC 63 BB DC 05 CC = Card cryptogram

Now I want to check myself,if the card cryptogram is OK or not. How I can do it? for example I encrypt 00 00 00 00 00 00 00 00 in this site under a 3DES cryptography algorithm [with keys of my card = 4041...4F], but the output is not equal with card cryptogram that I wrote above. Why?

And the next question is, if I want to send EXTERNAL AUTHENTICATION command to the card, what is its data field (after the above INITILIZE UPDATE)?

Update:

This is GPJ output :

C:\Users\ghasemi\Desktop\gpj-20120310>GPJ
C:\Users\ghasemi\Desktop\gpj-20120310>java -jar gpj.jar
Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0
ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00
.
.
.
DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 7F 41 A9 E7 19 37 83 FA
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 1B 9B 95 B9 5E 5E BC BA 51 34 84 D9 C1 B9 6E 90 00
DEBUG: Command  APDU: 84 82 00 00 10 13 3B 4E C5 2C 9E D8 24 50 71 83 3A 78 AE 75 23
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 13 3B 4E C5 2C 9E D8 24
DEBUG: Response APDU: 90 00

C:\Users\ghasemi\Desktop\gpj-20120310>

So :

Host_Challenge :: 7F41A9E7193783FA

Diversification_Data :: 0000116001008A790AF9

Key_Information :: FF02

Sequence_Counter :: 001B

Card_Challenge :: 9B95B95E5EBC

Card_Cryptogram :: BA513484D9C1B96E

Host_Cryptogram[16,24] = 13 3B 4E C5 2C 9E D8 24

Now,lets make our Host_Cryptogram Manually :

Derivation_data=derivation_const_ENC|sequence_counter|0000 0000 0000 0000 0000 0000

Derivation_Data = 0182001B000000000000000000000000

k_ENC :: 404142434445464748494A4B4C4D4E4F

IV = 00 00 00 00 00 00 00 00

S_ENC = encrypt(TDES_CBC, K_ENC, IV, derivation_data)

So :

I used http://tripledes.online-domain-tools.com/ and its output for above values was :

S_ENC = 448b0a5967ca246d058703ff0c694f15

And :

Padding_DES = 80 00 00 00 00 00 00 00
Host_auth_data = sequence_counter | card_challenge | host_challenge | padding_DES
IV = Card_Cryptogram :: BA513484D9C1B96E
host_cryptogram = encrypt(TDES_CBC, S_ENC, IV, host_auth_data)

So :

Host_Authentication_Data : 001B9B95B95E5EBC7F41A9E7193783FA8000000000000000

Again, I used http://tripledes.online-domain-tools.com/

and :

Host_Cryptogram : 3587b531db71ac52392493c08cff189ce7b9061029c63b62

So :

Host_Cryptogram[16,24] = e7b9061029c63b62

Why these two way [manually and GPJ output] give us two host cryptogram?

Ectoderm answered 7/6, 2014 at 4:46 Comment(0)

From the INITIALIZE UPDATE command you send, you get

host_challenge = 00 00 00 00 00 00 00 00

In response to the INITIALIZE UPDATE command, you get

diversification_data = 00 00 11 60 01 00 8A 79 0A F9
key_information = FF 02
sequence_counter = 00 11
card_challenge = 79 11 36 5D 71 00
card_cryptogram = A5 A5 EC 63 BB DC 05 CC

The key information indicates SCP02 (02). The key diversification data may be used to derive the card-specific K_ENC. Lets assume we have a K_ENC like this

K_ENC = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

We can then derive the session encryption key like this

derivation_const_ENC = 01 82
derivation_data = derivation_const_ENC | sequence_counter |  00 00 00 00 00 00 00 00 00 00 00 00

IV = 00 00 00 00 00 00 00 00
S_ENC = encrypt(TDES_CBC, K_ENC, IV, derivation_data)

Next, we can assemble the authentication data used to calculate the host cryptogram:

padding_DES = 80 00 00 00 00 00 00 00
host_auth_data = sequence_counter | card_challenge | host_challenge | padding_DES

Then we can use the session encryption key to encrypt the authentication data:

IV = 00 00 00 00 00 00 00 00
host_cryptogram = encrypt(TDES_CBC, S_ENC, IV, host_auth_data)

The last 8 bytes of the encrypted authentication data are the actual host cryptogram that we would send to the card:

EXTERNAL_AUTHENTICATE_data = host_cryptogram[16, 24]

Now we can assemble the EXTERNAL AUTHENTICATE command:

EXTERNAL_AUTHENTICATE = 84 82 03 00 08 | EXTERNAL_AUTHENTICATE_data

We can then calculate the S_MAC key (analoguous to getting the S_ENC above) and the MAC over that command and append it to the command data to get the full EXTERNAL AUTHENTICATE command that can be sent to the card:

EXTERNAL_AUTHENTICATE = 84 82 03 00 10 | EXTERNAL_AUTHENTICATE_data | MAC

Update

Using http://tripledes.online-domain-tools.com/ to reproduce the results of GPJ

Your K_ENC is 404142434445464748494A4B4C4D4E4F. The online tools does not properly support 2-key-3DES, so you have to convert the key into its 3-key form first:

K_ENC = 404142434445464748494A4B4C4D4E4F4041424344454647

Use this key and a zero IV to encrypt the derivation data (0182001B000000000000000000000000). You get

S_ENC = fb063cc2e17b979b10e22f82110234b4

In 3-key notation, this is

S_ENC = fb063cc2e17b979b10e22f82110234b4fb063cc2e17b979b

Use this key and a zero IV to encrypt the host authentication data (001b9b95b95e5ebc7f41a9e7193783fa8000000000000000):

HOST_CRYPTOGRAM = 773e790c91acce3167d99f92c60e2afd133b4ec52c9ed824

Wassail answered 7/6, 2014 at 8:57 Comment(15)

what is K_ENC? I searched GP Spec 2.2 and GP Spec 2.1 for it, and find nothing! Is there any default value for it or we set any value that we want? – Ectoderm 8/6, 2014 at 10:15

sorry Micheal, but, in line host_cryptogram = encrypt(TDES_CBC, S_ENC, IV, card_auth_data), what is card_auth_data? is it the card challenge random number? thank you. – Ectoderm 8/6, 2014 at 11:9

K_ENC is the card's key for encryption. That's whatever you or the card manufacturer set it to. It could for instance be 40 41 .. 4F (or a card-specific key derived by using a master key). – Wassail 8/6, 2014 at 19:5

That should be host_auth_data. – Wassail 8/6, 2014 at 19:5

Ooops, :( Dear Mr Roland, I use the above formulas step by step and also tripledes.online-domain-tools.com for JC Manager outputs, but I receive a different Host Cryptogram from the one that JC Manager made! why? – Ectoderm 9/6, 2014 at 6:21

And, What is the MAC that comes in the end of EXTERNAL AUTHENTICATE command? how I can create the MAK? Thank you. – Ectoderm 9/6, 2014 at 6:28

did you try to google these questions before posting questions to SO? – Facies 10/6, 2014 at 8:58

@PaulBastian : yes I google it! would you please give me your email address? I want to send you a word file that explain the question more clear. I think this is a better Idea instead of ask it here. – Ectoderm 10/6, 2014 at 9:43

the M essage A uthentication C ode ensures integrity and authenticity. in case of of SCP02 this is described in GP2.2 E.4.4 APDU Command C-MAC Generation and Verification – Facies 10/6, 2014 at 9:52

dear @PaulBastian , when I calculate Host_Cryptogram with above formulas and using this site[tripledes.online-domain-tools.com/], the output is different than what jcmanager send to the card with EXTERNAL_AUTHENTICATION APDU command. this is my main question. – Ectoderm 10/6, 2014 at 10:4

@PaulBastian please take a look at Update section that I added to the question. – Ectoderm 10/6, 2014 at 11:7

@abraham I was wrong about the IV for encrypting the host cryptogram. A zero IV should be used. See my updated answer on how to calculate the cryptogram. – Wassail 10/6, 2014 at 12:28

@MichaelRoland thank you. Is this right? --> "In the GPJ and JCManager, the tool automatically use first 8 byte of the key [404142...4F] for fisrt and third DES and use second 8 byte for second DES of 3DES process. but in the online tool, when I give it 404142...4F as its key, it use first 8 byte for first DES, second 8 byte for second DES, and 00 00 00 00 00 00 00 00 for last DES" And this was origin of the problem? – Ectoderm 11/6, 2014 at 7:2

Is the diversification data value always the same? What would make it change in value? – Cletuscleve 4/12, 2019 at 7:30

Hey @MichaelRoland Can you provide detailed explanation for creating S_MAC? – Quoth 20/11, 2023 at 4:26

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Update

Recommended topics

Hot tags