Re: [opensc-devel] GET CHALLENGE / EXTERNAL AUTHENTICATE Problem

2007-04-16 Thread Peter Koch
Hi Nils

 sure that a normal pin is used (or is this a DES key which
 somehow needs to be enlarged to 64 bits) ?

Of course a key is needed to calculate the response. I assumed
that this key was calculated from the PIN by just 0-padding it.

  I have already tried stuff like
 
  echo -en '\x58\x4e\xb5\x6f\x6d\x9f\x13\xc5' |\
  openssl enc -des-ede3-ofb -K 313233343536 -iv 0 |\
  od -tx1
 
  with different cyphers. Unfortunately I don't know what IV-value
  must be used. Any ideas?

 afaik this cannot work as the cardos m4.01a either uses public
 key cryptography or a MAC calculation for EXTERNAL AUTHENTICATE.
 As the response is 8 bytes long I would guess that a MAC
 algorithm is used in your case (hence either a [i]MAC or a
 [i]3MAC (the 'i' specifies whether ISO-padding or not is used)).
 As a [3]DES key is needed in this case it would be interesting how
 the full key is derived ... Perhaps the application which created
 the above APDUs could be helpful to answer these questions ;-)

Do you know of any docs that describe the [i][3]MAC Algorithm? I
looked into the CardOS manual and there are some pictures only,
which I don't understand.

Can openssl do [i][3]MAC-calculations? Or any other software?

Peter
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] GET CHALLENGE / EXTERNAL AUTHENTICATE Problem

2007-04-16 Thread Andreas Schwier
Hi Peter,

that depends on the algorithm used for EXTERNAL AUTHENTICATE. Quite
typically CardOS uses a Retail-MAC, which is a single DES CBC with
IV='00.00.00.00.00.00.00.00' using the left key half applied to all
blocks, a decrypt with the right key half and a final encrypt with the
left key half applied on the final block (In short: single DES for n-1
blocks, triple DES for last block).

For the Smart Card Shell you could write

---8--8--8--8--8--8--8--8--8---
//
// Authenticate against CardOS card
//

var card = new Card(_scsh3.reader);
var crypto = new Crypto();

var key = new Key();
key.setComponent(Key.DES,
    new ByteString("01010101010101010101010101010101", HEX));

// Get challenge
var challenge = card.sendApdu(0x00, 0x84, 0x00, 0x00, 8, [0x9000]);

// Crypto.DES_MAC_EMV is a CBC generated Retail-MAC
var cipher = crypto.sign(key, Crypto.DES_MAC_EMV, challenge);

card.sendApdu(0x00, 0x82, 0x00, 0x81, cipher);

print("Card returns " + card.SW.toString(16) + " - " + card.SWMSG);
---8--8--8--8--8--8--8--8--8---

However you will need to know the key value for the authentication key,
unless your system uses some way to derive the key from the PIN code
(Using SHA-1 for example). This is quite uncommon, so I would assume
that the PIN verification is done sometime before authentication takes
place (using VERIFY INS=20 APDU).

Andreas




Peter Koch wrote:
 Hi all!
 
 I'm trying to do an EXTERNAL AUTHENTICATE against a CardOS 4.01 card.
 
 Requesting the challenge is easy. But how do I calculate the response?
 
 Here's an example that I captured with a USB sniffer:
 
 APDU 1: 0084 08, Response 584eb56f6d9f13c5 9000
 APDU 2: 00820081 08 cdddb92642a38d3b, Response 9000
 
 Does anybody know how response cdddb92642a38d3b was calculated
 from challenge 584eb56f6d9f13c5 using PIN 123456.
 
 I have already tried stuff like
 
 echo -en '\x58\x4e\xb5\x6f\x6d\x9f\x13\xc5' |\
   openssl enc -des-ede3-ofb -K 313233343536 -iv 0 |\
   od -tx1
 
 with different cyphers. Unfortunately I don't know what IV-value
 must be used. Any ideas?
 
 Peter


-- 

-CardContact Software  System Consulting
   |.## ##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'## ##'|   Phone +49 171 8334920
-http://www.cardcontact.de
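
The Retail-MAC described in this message (single DES CBC with a zero IV over blocks 1..n-1, triple DES on the last block), with the optional ISO padding mentioned earlier in the thread, as an added Node.js example that is not part of the original posts. The key is a constructed sample, not the card's key, and the function names are hypothetical.

```javascript
const crypto = require('crypto');

const ZERO_IV = Buffer.alloc(8);

// CBC encryption without padding. Single DES is expressed as 3DES-EDE with
// K|K|K (E_K(D_K(E_K(x))) = E_K(x)), because plain "des-cbc" is not
// available in many OpenSSL 3 builds.
function cbcEncrypt(key24, iv, data) {
  const c = crypto.createCipheriv('des-ede3-cbc', key24, iv);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(data), c.final()]);
}

// ISO padding (the 'i' variants): append 0x80, then zero bytes up to the
// next 8-byte boundary. A full extra block is added to aligned input.
function isoPad(msg) {
  const padLen = 8 - (msg.length % 8);
  return Buffer.concat([msg, Buffer.from([0x80]), Buffer.alloc(padLen - 1)]);
}

// Retail-MAC: left key half for blocks 1..n-1, then two-key 3DES
// (left, right, left) on the last block, chained from the CBC state.
function retailMac(key16, msg) {
  if (key16.length !== 16) throw new Error('key must be 16 bytes');
  if (msg.length === 0 || msg.length % 8 !== 0) {
    throw new Error('message must be a non-empty multiple of 8 bytes');
  }
  const k1 = key16.subarray(0, 8);
  const k2 = key16.subarray(8, 16);
  const head = msg.subarray(0, msg.length - 8);
  const last = msg.subarray(msg.length - 8);
  const chain = head.length
    ? cbcEncrypt(Buffer.concat([k1, k1, k1]), ZERO_IV, head).subarray(-8)
    : ZERO_IV;
  return cbcEncrypt(Buffer.concat([k1, k2, k1]), chain, last);
}

// Constructed sample key (assumption); the real authentication key must be known.
const key = Buffer.from('0123456789abcdeffedcba9876543210', 'hex');
// Challenge taken from the capture quoted in the thread.
const challenge = Buffer.from('584eb56f6d9f13c5', 'hex');
console.log('MAC, no padding :', retailMac(key, challenge).toString('hex'));
console.log('MAC, ISO padding:', retailMac(key, isoPad(challenge)).toString('hex'));
```

With the correct 16-byte key, one of the two printed values would be compared against the 8 response bytes sent in the EXTERNAL AUTHENTICATE APDU.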



[opensc-devel] out of memory?

2007-04-16 Thread Andreas Jellinghaus
I was about to release 0.11.2, but regression tests found this:

pkcs15-tool --read-public-key 45 -o ./test-data/key.pem
--- Command output ---
asn1.c:1366:asn1_encode_entry: encoding of ASN.1 object 'key' failed: Out of memory
asn1.c:1366:asn1_encode_entry: encoding of ASN.1 object 'publicKey' failed: Out of memory
Error encoding PEM key: Out of memory

any idea what is wrong?

Regards, Andreas