Olivier LAHAYE wrote:
> Le Tuesday 23 May 2006 16:46, Karsten Ohme a écrit :
> 
> 
>>>created a gpshell script to try to open a secure channel and test the
>>>authentication.
>>>After digging on the net, I found that the keys are:
>>>Static keys: PK-IS
>>>Kenc = CA CA CA CA CA CA CA CA 2D 2D 2D 2D 2D 2D 2D 2D
>>>Kmac = 2D 2D 2D 2D 2D 2D 2D 2D CA CA CA CA CA CA CA CA
>>>Kkek = CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D CA 2D
>>
>>The default key for GemXpresso cards is:
>>
>>static const BYTE OPGP_GEMXPRESSO_DEFAULT_KEY[] = {0x47, 0x45, 0x4d,
>>0x58, 0x50, 0x52, 0x45, 0x53, 0x53, 0x4f, 0x53, 0x41, 0x4d, 0x50, 0x4c,
>>0x45};
> 
> Strange as I've also confirmed that the 3 keys Kenc, Kmac and Kkek above are
> used by the Gem Xpresso Pro windows software.

Can be, but in my docs this key is mentioned. Maybe you have a different
card.

> What is the default key you're taking above? (GEMXPRESSOSAMPLE)

The above one?

> 
> what the open_sc command could look like? Is there a specific order to follow 
> for the key switches:  -enc_key -mac_key -kek_key ?

No.
> 
> 
>>Try this (without the surrounding stuff).
> 
> You mean that I should try this?
> open_sc -keyind 0 -keyver 0 -key 47454d5850524553534f53414d504c45 -security 0

yes, but with -enc -mac -kek ... with the same value.
> 
> 
>>>Thus I tried the following gpshell script with no success: (note that I
>>>reset the unsuccessful failed attempt counter to open the secure channel
>>>by using the windows Gem Xpresso Pro software on windows 2000 and
>>>authenticate the card)
>>>Note: the open_sc line is on 1 single line
>>>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
>>>-- gemXpressoPro
>>>enable_trace
>>>
>>>establish_context
>>>card_connect
>>>select -AID a000000018434d # example of AID to test AID selection works
>>>open_sc -security 0 -enc_key cacacacacacacaca2d2d2d2d2d2d2d2d -mac_key
>>>2d2d2d2d2d2d2d2dcacacacacacacaca -kek_key
>>>ca2dca2dca2dca2dca2dca2dca2dca2d // Open secure channel
>>>get_status -element e0
>>>close_sc // Close secure channel
>>>card_disconnect
>>>release_context
>>>-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
>>>-- The gpshell version is 1.3.1
>>>What means -keyind 0 -keyver 0 ?
>>
>>key index is the key position in a key version. E.g the MAC, KEK and ENC
>>key are in one key version, there is an order, I believe ENC, MAC, KEK in
>>a keyset. key index specifies the offset in the key version to start
>>looking for these keys. So 0 is OK. (Should, else it is a strange card.)
>>key version 0 means: take the first available key version. This should
>>be OK for your card, if 13 is really the first available key version.
>>
>>Maybe also see the README of gpshell.
> 
> Unfortunately, I read it up and down and down to up :)
> 
> 
>>Can you please submit a log from the enable_trace?
> 
> rpm/BUILD/gpshell-1.3.1 $ gpshell < Nesrine.txt
> gemXpressoPro
> enable_trace
> establish_context
> card_connect
> select -AID a000000018434d
> --> 00A4040007A000000018434D
> <-- 6F188407A000000018434DA50D9F6E063231030033309F6501FF9000
> open_sc -security 0 -keyind 0 -keyver 0 -mac_key 
> 2d2d2d2d2d2d2d2dcacacacacacacaca -kek_key ca2dca2dca2dca2dca2dca2dca2dca2d 
> -enc_key cacacacacacacaca2d2d2d2d2d2d2d2d // Open secure channel
> --> 80CA9F7F00
> <-- 
> 9F7F2A0004001532310300333003490000859800CB1292300112933001000000000000000000000000000000009000
> --> 8050000008C53AB0323EC1F6D500
> <-- 434D03490000859800CB0D0115C962009EC0B2FD3442D9FF2629C9769000
> mutual_authentication() returns 0x80302000 (The verification of the card 
> cryptogram failed.)
> 
> 
>>Have you taken the latest versions of GlobalPlatform and GPShell from SVN?
> 
> Unfortunately not as I'm behind a firewall. I'm using GPshell 1.3.1 from
> March 24th, 2006. If you could send to me a bzip2 tarball of the latest SVN
> I'd appreciate a lot Karsten.

OK.
> 
> Olivier.
> --
>       Olivier LAHAYE
>       Motorola Labs IT Manager
>       Computer & Information Systems
>       European Communications Research
> 
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
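
Added example, not part of the original thread and not GPShell code: a parser for the INITIALIZE UPDATE exchange captured in the trace above, showing which key version and secure channel protocol the card reported before the cryptogram check failed. It assumes the 28-byte SCP01/SCP02 response layout from the GlobalPlatform card specification; the function and field names are hypothetical.

```python
from dataclasses import dataclass

# Both APDUs are copied from the enable_trace output quoted in the thread.
INIT_UPDATE_CMD = "8050000008C53AB0323EC1F6D500"
INIT_UPDATE_RSP = "434D03490000859800CB0D0115C962009EC0B2FD3442D9FF2629C9769000"


@dataclass(frozen=True)
class InitUpdate:  # hypothetical container, not a GPShell type
    requested_key_version: int   # P1 of the command (-keyver)
    requested_key_index: int     # P2 of the command (-keyind)
    host_challenge: bytes
    key_diversification_data: bytes
    card_key_version: int        # key version the card actually used
    scp_id: int                  # 0x01 = SCP01, 0x02 = SCP02
    card_challenge: bytes
    card_cryptogram: bytes


def parse_init_update(cmd_hex: str, rsp_hex: str) -> InitUpdate:
    cmd, rsp = bytes.fromhex(cmd_hex), bytes.fromhex(rsp_hex)
    # Command: CLA INS P1 P2 Lc <8-byte host challenge> [Le]
    if len(cmd) < 13 or cmd[1] != 0x50 or cmd[4] != 8:
        raise ValueError("not an INITIALIZE UPDATE command with an 8-byte challenge")
    if len(rsp) < 2 or rsp[-2:] != b"\x90\x00":
        raise ValueError("card returned status word " + rsp[-2:].hex().upper())
    body = rsp[:-2]
    # SCP01/SCP02 body: 10 diversification + 2 key info + 8 challenge + 8 cryptogram
    if len(body) != 28:
        raise ValueError(f"unexpected response length {len(body)}, expected 28")
    return InitUpdate(
        requested_key_version=cmd[2],
        requested_key_index=cmd[3],
        host_challenge=cmd[5:13],
        key_diversification_data=body[0:10],
        card_key_version=body[10],
        scp_id=body[11],
        card_challenge=body[12:20],
        card_cryptogram=body[20:28],
    )


if __name__ == "__main__":
    info = parse_init_update(INIT_UPDATE_CMD, INIT_UPDATE_RSP)
    print(f"requested key version {info.requested_key_version}, index {info.requested_key_index}")
    print(f"card used key version {info.card_key_version}, SCP{info.scp_id:02d}")
    print("host challenge :", info.host_challenge.hex().upper())
    print("card challenge :", info.card_challenge.hex().upper())
    print("card cryptogram:", info.card_cryptogram.hex().upper())
```

On this trace the card answers a request for key version 0 with key version 13 and SCP01, which matches the explanation of `-keyver 0` given in the thread.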
