Re: [Muscle] 16 character PIN
It's not a PIV card but an Oberthur V7 card using ActivIdentity applet v2.6.2B, which can be found at:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp880.pdf

Re: [Muscle] 16 character PIN
I am sorry folks, but I gave the wrong links in the previous email. The right link is:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp639.pdf

Although the document says Oberthur V5 card, the Applet v2.6.2B is correct.

Re: [Muscle] 16 character PIN
On 8/29/2013 4:23 AM, Kwan Hon Luen wrote:
> I am sorry folks, but I gave the wrong links in the previous email. The right link is:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp639.pdf
> Although the document says Oberthur V5 card, the Applet v2.6.2B is correct.

You say you are trying to verify a 16 character PIN. But which PIN?

Section 5.5 Table 2 says the CSC uses secure channel. The card holder PIN does not, but implies the ISO7816 VERIFY operation.

Section 9.4 says PIN (user I assume) can be between 6 and 256 digits or between 4 and 256 characters or digits. So the assumption is the PIN is sent as ASCII representation of the digits or characters, which are usually padded with 0xFF.

Section 9.5 says the user PIN is zeroed, which on some cards I have seen means all are 0x00, rather than 0x30, the ASCII 0.

Section 10.4 says the Card Holder Service PIN Execute (Verify CHV). This implies this is a standard ISO7816 Verify command.

*BUT* I don't see where it sets the length of the PIN, or how to read from the card what the length of the PIN should be.

How do you know the PIN length is 16? Do you have a card to test with, and you know the PIN? (Or how to reset the user PIN if you make too many false attempts.)

The most likely command using ISO7816 Verify would be with a 12 character password of Abcd012345678 padded with 4 0xFF:

00 20 80 0f 41 62 63 64 30 31 32 33 34 35 36 37 38 FF FF FF FF
      --
The 80 says to use the application or DF reference data. If the Global PIN was used, it would be 00.

A return of 90 00 is success. A return of 63 Cx indicates you have x number of retries before the PIN is locked.

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Re: [Muscle] 16 character PIN
Hi,

I think there is no universal PIN standard. Packing and padding options can be very wide:

  use ascii
  use binary
  use nibble-packed bcd
  pad high nibble of each byte with 0xF
  etc.

  pad with zeros
  pad with ones
  pad with complemented pin
  prepend with length
  etc.

The card/applet may not even specify a PIN format since it just checks that a bunch of bytes are equal to a previously stored value. I would say it depends on the application driving the card, not on the card itself.

BR
Sebastien

[Muscle] 16 character PIN
Am trying to verify an Oberthur v7 card with ActivIdentity applet v2.6.2b with a 16 character PIN. What does the payload of the 16 char PIN look like?

Thanks.

Re: [Muscle] 16 character PIN
I don't know the actual answer. In practice, there are only a few ways to make this work.

1) prefix the PIN field with a length byte.
2) pad the PIN with some value that can't be input as the PIN (e.g. for ASCII PINs, use FF as the padding value).
3) truncate the PIN to the appropriate length and let the length data for the APDU describe the length of the PIN.
4) the applet knows the PIN length so you don't actually have to do anything special.

For PINs meant to be used with secure PIN entry, (2) seems to be the most used.

When all else fails - cheat. Wire tap the connection between the applet and the ActivIdentity middleware to figure out what's being passed.

Mike

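The PIN layouts listed in the replies above (length prefix, filler padding, Lc-only, nibble-packed BCD), the ISO 7816-4 VERIFY command and the 90 00 / 63 Cx status words, as an added example that is not code from the thread or from ActivIdentity. The scheme names, the 16-byte field size and the sample PIN are assumptions; the header is laid out as CLA INS P1 P2 Lc with Lc computed from the data field.

```python
# Added example, not code from the thread. The scheme names, the 16-byte
# field size and the sample PIN are assumptions made for illustration.

def pin_field(pin, scheme, size=16, pad=0xFF):
    """Encode a PIN as the data field of a VERIFY command."""
    raw = pin.encode("ascii")
    if scheme == "length-prefix":          # option 1: length byte, then PIN
        return bytes([len(raw)]) + raw
    if scheme == "padded":                 # option 2: fixed field plus filler
        if len(raw) > size:
            raise ValueError("PIN longer than the fixed field")
        if pad in raw:
            raise ValueError("pad byte must not be a possible PIN character")
        return raw + bytes([pad]) * (size - len(raw))
    if scheme == "lc-only":                # options 3 and 4: Lc is the length
        return raw
    if scheme == "bcd":                    # nibble-packed BCD, F fills a half byte
        if not pin.isdigit():
            raise ValueError("BCD packing needs a numeric PIN")
        return bytes.fromhex(pin + "F" * (len(pin) % 2))
    raise ValueError("unknown scheme: " + scheme)

def verify_apdu(data, p2=0x80):
    """ISO 7816-4 VERIFY: CLA=00 INS=20 P1=00 P2=qualifier Lc data."""
    if not 1 <= len(data) <= 255:
        raise ValueError("short-APDU data field must be 1..255 bytes")
    return bytes([0x00, 0x20, 0x00, p2, len(data)]) + data

def decode_sw(sw1, sw2):
    """Return (verified, retries_left); retries_left is None if not reported."""
    if (sw1, sw2) == (0x90, 0x00):
        return True, None
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return False, sw2 & 0x0F
    return False, None

if __name__ == "__main__":
    sample_pin = "Abcd01234567"            # constructed sample, 12 characters
    for scheme in ("length-prefix", "padded", "lc-only"):
        print(scheme, verify_apdu(pin_field(sample_pin, scheme)).hex(" "))
    print(decode_sw(0x63, 0xC2))
```

A card accepts only the layout its PIN was stored in, and every mismatch costs one of the retries reported in 63 Cx, so settle the layout from the applet documentation before sending a VERIFY.
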
Re: [Muscle] 16 character PIN
On 8/28/2013 6:43 AM, Kwan Hon Luen wrote:
> Am trying to verify an Oberthur v7 card with ActivIdentity applet v2.6.2b with a 16 character PIN. What does the payload of the 16 char PIN look like?

Sounds like a CAC or PIV card...
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1145.pdf

The Oberthur id-one card supports SM so it may be an 8 digit PIN over an SM channel.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1414.pdf

The PIV specs say the PINs are 8 characters. ActivIdentity may be using Secure Messaging so it looks like 16.

Could also be the ActivIdentity applet supports longer PINs, and the card can too.

See if you can find your card and applet here:
http://csrc.nist.gov/groups/STM/cmvp/validation.html#01

> Thanks.

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444