> > Unfortunately the login-process uses some sort of challenge-response
> > mechanism (GET CHALLENGE command followed by EXTERNAL AUTH)
> > So far I have absolutely no idea how to compute the response from
> > a given challenge. I do know where the certs and keys are, and I do
> > know all APDUs that are necessary. So the response-computation
> > is the only missing information.
>
> For this you need to extract the secret key used for the MAC
> generation (I assume a symmetric key is used here) from the
> library ;-) The rest shouldn't be too difficult (although opensc
> doesn't really support the various EXT. AUTHENTICATE variants
> at the moment).
> Getting the key could be the fun part. Btw: is it a Windows or
> Linux binary?

I'm afraid the secret key is not stored in the library as it
must be different for each eToken. My guess is that the library
will generate the key from the PIN.

Indeed OpenSC does not support EXT AUTH but here my idea was to
add a special PIN_TYPE and implement the challenge response
mechanism in the pin_cmd routine of the card-driver like this:

switch (data->pin_type) {
case SC_AC_CHV:
    return iso_ops->pin_cmd(card, data, tries_left);
case SC_AC_ALADDIN:
    /* compute symmetric key from PIN */
    /* do GET CHALLENGE */
    /* do EXT AUTH */
    break;
default:
    return SC_ERROR_INVALID_ARGUMENTS;
}

Anyway - until someone (from Aladdin) explains the details to me,
I cannot implement this.

Peter
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
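
Added example (not part of the original message and not OpenSC code): the two APDUs named in the thread, built with the generic ISO 7816-4 encoding, plus status-word handling that yields the tries_left value a pin_cmd routine reports. The function names, result codes and the 8-byte challenge length are assumptions for illustration; the response computation is left out because the thread states it is unknown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical result codes for this example (not OpenSC's). */
enum { AUTH_OK = 0, AUTH_WRONG = -1, AUTH_BLOCKED = -2, AUTH_OTHER = -3 };

/* GET CHALLENGE (ISO 7816-4): 00 84 00 00 Le. Returns the APDU length.
 * apdu must hold at least 5 bytes. */
size_t build_get_challenge(uint8_t *apdu, uint8_t le)
{
    const uint8_t hdr[5] = { 0x00, 0x84, 0x00, 0x00, le };
    memcpy(apdu, hdr, sizeof hdr);
    return sizeof hdr;
}

/* EXTERNAL AUTHENTICATE: 00 82 P1 P2 Lc <response>.
 * P1 = algorithm reference (0x00 = implied), P2 = key reference.
 * Returns the APDU length, or 0 on bad arguments or a short buffer. */
size_t build_ext_auth(uint8_t *apdu, size_t apdu_size, uint8_t key_ref,
                      const uint8_t *resp, size_t resp_len)
{
    if (resp == NULL || resp_len == 0 || resp_len > 255 ||
        apdu_size < 5 + resp_len)
        return 0;
    apdu[0] = 0x00; apdu[1] = 0x82; apdu[2] = 0x00; apdu[3] = key_ref;
    apdu[4] = (uint8_t)resp_len;
    memcpy(apdu + 5, resp, resp_len);
    return 5 + resp_len;
}

/* Map the status word of EXTERNAL AUTHENTICATE to a result and fill
 * *tries_left (-1 when the card does not report a counter). */
int check_ext_auth_sw(uint8_t sw1, uint8_t sw2, int *tries_left)
{
    *tries_left = -1;
    if (sw1 == 0x90 && sw2 == 0x00)
        return AUTH_OK;
    if (sw1 == 0x63 && (sw2 & 0xF0) == 0xC0) {  /* 63Cx: x tries remain */
        *tries_left = sw2 & 0x0F;
        return AUTH_WRONG;
    }
    if (sw1 == 0x69 && sw2 == 0x83)             /* method blocked */
        return AUTH_BLOCKED;
    return AUTH_OTHER;
}
```

A wrong response decrements the card's retry counter, so a driver should surface tries_left to the caller instead of retrying on its own.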
