Do any of the following facts sound plausible - for a new GP 2.01 era card with
installed SD?
- one binds to the SD's AID
- one does the security handshake, using keys of the card issuer
- one does putkey(DES=0x81) into the SD instance
- one does a 2nd security handshake, using keys of the SD now
- one does putkey(RSA=0xA1)
- one binds and does security handshake with card issuer
- load uses gpshell to load up the firmware, where gpshell calculates the RSA
signature(s) and SHA dynamically
- Card issuer will have SD check the RSA signature, at the end of load?
Wondering if I need to SetStatus at any point, manually on the SD's state.
> From: [EMAIL PROTECTED]
> To: muscle@lists.musclecard.com
> Subject: Re: [Muscle] load file DAP
> Date: Fri, 25 Apr 2008 18:21:05 -0700
>
> Even more incredibly, I cleaned out an old filing cabinet, while moving
> offices. Found the DODCAC/Martsoft v2.01 manual on the DAP support in the
> GP 2.01 card. I'll go play, now I have some technical counsel.
>
> --------------------------------------------------
> From: "Karsten Ohme" <[EMAIL PROTECTED]>
> Sent: Thursday, April 17, 2008 5:05 PM
> To: "MUSCLE" <muscle@lists.musclecard.com>
> Subject: Re: [Muscle] load file DAP
>
> > Peter Williams schrieb:
> >> Guess I get to do it myself! If I recall the GP model, this is what I
> >> need to do with GPShell
> >>
> >> 1. use openssl lib to create PEM-era private/public key files (wow, it
> >> was 1985 I think I first hit PEM, learning it along with
> >> RSA/DES/CBC/countermode from the person drafting PEM in IRTF (even before
> >> it hit IETF!). It's been around a while!)
> >>
> >> 2) 1. use GPSHELL load dm key of the openssl RSA keyfile into the app
> >> domain applet, version=1 index=1
> >>
> >> 3) create the muscle applet load file from the cap, affixing the
> >> appropriate RSA 1024bit signature. Can gpshell do this, on the fly or
> >> statically?
> >
> > Not GPShell, the Global Platform library should be able to do this. But I
> > never got a card working with a security domain. Either the
> > specification is not clear enough, the cards are buggy or I do something
> > wrong over and over again.
> >
> > Regards,
> > Karsten
> >
> >> 4) load and install the signed applet, where its security domain is the
> >> APP security domain AID (not the more usual card issuer)
> >>
> >> Doing all this, I think the load flow is: Upon detection of 1 or more
> >> signature blocks in the load file, the card issuer is supposed to invoke
> >> the app SD denoted in the load for load APDU to verify the crypto - where
> >> the AppSD knows the crypto is RSA and the key is RSA, the key index 1,
> >> and the signature block has endian format X.
> >>
> >> --------------------------------------------------
> >> From: "Peter Williams" <[EMAIL PROTECTED]>
> >> Sent: Monday, April 14, 2008 11:04 AM
> >> To: "MUSCLE" <muscle@lists.musclecard.com>
> >> Subject: Re: [Muscle] load file DAP
> >>
> >>> I've managed to locate (somewhat incredibly) 5 virgin USB tokens that -
> >>> presumably as they are in their original static-proof bags - still have
> >>> the manufacturer's app security domain applet on the card - in addition
> >>> to the card issuer's SD. (Typically, during post-manufacturing we removed
> >>> the app SD, to free up space to load and init the muscle applet.)
> >>>
> >>> What I do not have is any technical documentation and all my people
> >>> contacts have long since left the javacard startup company for greener
> >>> pastures.
> >>>
> >>> Anyone want to play with some of them, to test GPShell and ensure its
> >>> 2.01 era delegated loading (via RSA) is solid?
> >>>
> >>> --------------------------------------------------
> >>> From: "Karsten Ohme" <[EMAIL PROTECTED]>
> >>> Sent: Saturday, April 05, 2008 4:43 AM
> >>> To: "MUSCLE" <muscle@lists.musclecard.com>
> >>> Subject: Re: [Muscle] load file DAP
> >>>
> >>>> Peter Williams schrieb:
> >>>>> 1. Has anyone used GPShell to load an RSA public key into an
> >>>>> _issuer's_ security domain of a 201 card, so one can use the GPShell
> >>>>> to send a DAP hash and signature for the load file?
> >>>>
> >>>> I think this does not work. I have tried a lot with different cards,
> >>>> but I had no success. So, there might be compatibility problems, the
> >>>> cards do not support it after all or the specification is not clear
> >>>> enough. You can play with the code base, would be very interesting to
> >>>> me, if you get it working.
> >>>>
> >>>> Karsten
> >>>>
> >>>>> 2. has anyone tested the use of SHA1 by itself for a LOAD DAP?
> >>>>> 3 If I half remember right, only a security domain OTHER than the
> >>>>> card manager SD can verify either a DESCBC or an RSA DAP (given it
> >>>>> knows the verification key, and knowledge that the signature is either
> >>>>> RSA or DESCBC).
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
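The load flow the thread keeps circling around (SHA over the load file, an RSA-1024 signature over that digest made with the application SD's key, and the SD checking that signature at the end of the load) is small enough to model off-card. The following is an added example in Go; it is not GPShell or GlobalPlatform library code, and it does not reproduce any card's wire format. It assumes PKCS#1 v1.5 padding with SHA-1 for the RSA DAP, and the load file bytes are a constructed stand-in for CAP components. The tampered-copy check is the point of the exercise: a signature bound to the digest is what lets the app SD reject a modified load file, which a bare SHA-1 DAP with no key behind it cannot do on its own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Added example, not GPShell or GlobalPlatform library code. It models the
// load-file DAP flow described in the thread: SHA-1 over the load file data
// block, an RSA-1024 signature over that digest made with the application
// security domain's key, and the verification the SD performs at the end of
// the load. PKCS#1 v1.5 padding is an assumption; the load file is constructed.

// DapResult collects the values worth checking after one signed load.
type DapResult struct {
	DigestLen        int  // SHA-1 digest length in bytes
	SigLen           int  // signature length in bytes (RSA modulus size)
	GenuineVerified  bool // unmodified load file passes verification
	TamperedVerified bool // modified load file must fail verification
}

// loadFileHash is the "SHA" step: the digest the signature covers.
func loadFileHash(loadFile []byte) []byte {
	sum := sha1.Sum(loadFile)
	return sum[:]
}

// signLoadFile is what the off-card tool does when building the load file:
// sign the digest with the app SD's private key.
func signLoadFile(priv *rsa.PrivateKey, loadFile []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, loadFileHash(loadFile))
}

// verifyLoadFile is the check the application SD performs with the public
// key previously put into it (the thread's version=1, index=1 key).
func verifyLoadFile(pub *rsa.PublicKey, loadFile, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, loadFileHash(loadFile), sig) == nil
}

// runDapDemo builds a throwaway key pair, signs a constructed load file data
// block, then verifies both the genuine block and a one-bit-flipped copy.
func runDapDemo() (DapResult, error) {
	var r DapResult
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // RSA-1024 as in the thread
	if err != nil {
		return r, err
	}
	// Constructed stand-in for the CAP components that make up the load file.
	loadFile := bytes.Repeat([]byte{0xC4, 0x01, 0x02, 0x03}, 64)

	sig, err := signLoadFile(priv, loadFile)
	if err != nil {
		return r, err
	}
	tampered := append([]byte(nil), loadFile...)
	tampered[17] ^= 0x01 // single-bit change somewhere in the body

	r.DigestLen = len(loadFileHash(loadFile))
	r.SigLen = len(sig)
	r.GenuineVerified = verifyLoadFile(&priv.PublicKey, loadFile, sig)
	r.TamperedVerified = verifyLoadFile(&priv.PublicKey, tampered, sig)
	return r, nil
}

func main() {
	r, err := runDapDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest %d bytes, signature %d bytes\n", r.DigestLen, r.SigLen)
	fmt.Printf("genuine verified: %v, tampered verified: %v\n",
		r.GenuineVerified, r.TamperedVerified)
}
```

The signature comes out as a big-endian 128-byte block for a 1024-bit modulus, which is the size the SD's RSA key slot has to accept; if a card expects a different byte order or framing for the DAP block, that transformation sits between signLoadFile and the LOAD command, not in the digest.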