All,
First, sorry for the long post.
My problem is that I have to authenticate the terminal with a GemPlus MPCOS-EMV smart card using the following algorithm (this is in the G+ MPCOS-EMV manual):
Known by both the card and the terminal: The "System" key, K, a 16-byte key.
1. The terminal generates an eight-byte random number, TRnd, and sends it to the card.
2. The card then generates its own eight-byte random number, CRnd.
3. The card takes the 4 ms bytes of TRnd and CRnd and concatenates them in to RN, so RN=TRnd7,...,TRnd4,CRnd7,...,CRnd4.
4. The card then computes the temporary administration key, Kats, where Kats=3DES_16(RN,K).
5. Next, the card generates a cryptogram, CR, based on TRnd and Kats, so CR=3DES(TRnd,K).
6. The card then returns the 4 ls bytes of CR and the entire RN to the terminal, i.e., card returns CR3,...,CR0,RN7,...,RN0.
7. The terminal can then compute Kats, and CR to verify that Kats was computed correctly.
8. The terminal then uses Kats to perform administrative functions on the card.
NOTES:
The card docs show the following regarding the various DES:
3DES (EDE mode: Encrypt Decrypt Encrypt) -
16-byte Key = KLeft + KRight
8-byte plain text = Data
r1 = DES(Data,KLeft)
r2 = DES-1(r1,KRight)
r3 = DES(r2,KLeft)
3DES cryptogram (8-bytes) = r3
3DES-1 -
16-byte Key = KLeft + KRight
8-byte 3DES cryptogram = Data
r1 = DES-1 (Data,KLeft)
r2 = DES(r1,KRight)
r3 = DES-1 (r2,KLeft)
Plain text data (8-bytes) = r3
3DES_16 -
16-byte Key = KLeft + KRight
8-byte plain text = Data
r1 = DES(Data,KLeft) r4 = DES(Data,KRight)
r2 = DES-1(r1,KRight) r5 = DES-1(r4,KLeft)
r3 = DES(r2,KLeft) r6 = DES(r5,KRight)
3DES_16 cryptogram (16-bytes) = r3 + r6
Note that 3DES_16 returns a 16-byte cryptogram given an 8-byte plain text.
The documentation does not mention ECB or CBC, so I'm assuming ECB. It does mention CBC mode for another process, computing the crypto checksum for secure messaging, hence the assumption of ECB mode.
I have found several DES implementations on the web and also have the source from Mastering Algorithms with C, O'Reilly 1999. All of the DES algorithms I have tested are able to encrypt the plain text to a cryptogram and decrypt the cryptogram to the correct plain text, but all the cryptograms generated were different for each DES algorithm. Is this expected? Is the DES algorithm not a standard as the name would lead you to believe? If the DES implementations all generate different cryptograms, how can I be expected to perform the necessary computations to generate Kats and authenicate the terminal to the card? As my only method of verifing that I computed Kats correctly is to generate CR and compare the results to that of the card.
After testing all of the DES routines, generating Kats and CR, I cannot match what the card generates. These are test cards so the system key is known ("TEST KEYTEST KEY" if interested).
If anyone has any insight, it would help.
Again, sorry for the long post.
Thanks,
JP
