Re: [opensc-devel] cardos split-key
Viktor TARASOV wrote:
> Viktor TARASOV wrote:
>> Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?
>
> I've bought on CryptoShop the CardOS cards in a manufacturer state. It seems that cardos-tool does not accept these cards for formatting. Can I format this card with OpenSC, please?

Support of CryptoShop says that they ... ... also offer the CardOS V4.3 B with the manufacturerkey set to default key.

Now I have CardOS cards usable in OpenSC, thanks to all.

Kind wishes,
--
Viktor Tarasov viktor.tara...@opentrust.com
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] cardos split-key
Viktor TARASOV wrote:
> Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?

I've bought on CryptoShop the CardOS cards in a manufacturer state. It seems that cardos-tool does not accept these cards for formatting. Can I format this card with OpenSC, please?

Here is cardos-info output:

3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 123
Serial number: 29 42 f2 17 27 38
Full prom dump:
33 66 00 40 EB EB EB EB 7B FF 29 42 F2 17 27 38 3...@{.)B..'8
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
OS Version: 200.8 (that's CardOS M4.3B)
Current life cycle: 52 (manufacturing)
Security Status of current DF:
Free memory : 13320
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 32621
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x00, retries 10)
Unable to determine current DF: Received (SW1=0x6D, SW2=0x00)

Kind wishes,
Viktor.
--
Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] cardos split-key
On Monday 30 November 2009 10:21:57, Viktor TARASOV wrote:
> Viktor TARASOV wrote:
>> Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?
>
> I've bought on CryptoShop the CardOS cards in a manufacturer state. It seems that cardos-tool does not accept these cards for formatting. Can I format this card with OpenSC, please?

there are no packages installed, so you should be able to format the card with opensc. (packages are lost if you format the card, and you can't install them - the packages are copyright by siemens and the encrypted APDU commands to install them thus are copyrighted too - so we can't make that information public...)

but:

> System keys: PackageLoadKey (version 0x00, retries 10)
> System keys: StartKey (version 0x00, retries 10)

so you need to change the startkey from 0x00 (secret manufacturing startkey) to some other value first. the normal thing to do is to change it to version 0xff with 16 bytes 0xff as value. the startkey itself is secret, only the encrypted APDU command to change it to 0xff is known (but I can't post it here, siemens might claim a copyright violation).

then you can run opensc-tool to format the card (i.e. change from manufacturing mode to admin mode by creating a main folder).

Regards,
Andreas
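The checks Andreas describes above, applied to cardos-info output, as an added example that is not part of the original thread or of OpenSC: it parses the life cycle, installed packages and system key versions and lists what stands in the way of formatting. The function names and the one-field-per-line sample layout are assumptions; the field values are the ones quoted in this thread.

```python
import re

# Constructed samples: fields from the two cardos-info outputs quoted in this thread.
FRESH_CARD = """\
Current life cycle: 52 (manufacturing)
Packages installed:
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x00, retries 10)
"""
VASCO_CARD = """\
Current life cycle: 16 (operational)
Packages installed:
E1 09 01 04 13 02 C8 08 8F 01 01 ...
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
System keys: StartKey (version 0xff, retries 10)
"""

def parse_cardos_info(text):
    """Pull out life cycle, package dump rows and system key versions."""
    info = {"life_cycle": None, "packages": [], "keys": {}}
    in_packages = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Packages installed:"):
            in_packages = True      # dump rows, if any, follow this header
        elif in_packages and line and ":" not in line:
            info["packages"].append(line)
        else:
            in_packages = False     # next labelled field ends the package list
        if m := re.match(r"Current life cycle: \d+ \((\w+)\)", line):
            info["life_cycle"] = m.group(1)
        if m := re.match(r"System keys: (\w+) \(version 0x([0-9a-fA-F]{2}), retries (\d+)\)", line):
            info["keys"][m.group(1)] = (int(m.group(2), 16), int(m.group(3)))
    return info

def format_blockers(info):
    """Checks taken from the replies in this thread, run before formatting."""
    blockers = []
    if info["packages"]:
        blockers.append("packages installed: they are lost if the card is formatted")
    if info["life_cycle"] != "manufacturing":
        blockers.append("life cycle is %s, not manufacturing" % info["life_cycle"])
    version = info["keys"].get("StartKey", (None, None))[0]
    if version == 0x00:
        blockers.append("StartKey is version 0x00: change it to version 0xff first")
    return blockers

if __name__ == "__main__":
    print(format_blockers(parse_cardos_info(FRESH_CARD)))
```
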
Re: [opensc-devel] cardos split-key
Hi Viktor,

If you send me your address, I'll send you one for free ;-)
Cardos 4.3B on a SLE66 320P (32k)
Startkey FF and an empty pkcs15 structure.

Regards,
Vital

ZETES BE - Rue de Strasbourg 3, 1130 Brussels
WWW.ZETES.COM

-----Original Message-----
From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of João Poupino
Sent: Tuesday 17 November 2009 15:39
To: Viktor TARASOV
Cc: opensc-de...@opensc-project.org
Subject: Re: [opensc-devel] cardos split-key

Hi Viktor,

Viktor TARASOV wrote:
> Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?
>
> Viktor.

You can get some eTokens (32K and 64K) that will be accepted by OpenSC and are relatively cheap, at ebay [1].

Regards,
João

[1] - http://shop.ebay.com/i.html?_kw=etoken_fcid=164_localstpos=_sticky=1_stpos=gbr=1
Re: [opensc-devel] cardos split-key
Mats Andersson wrote:
> The pinReference seems to be 0x06, padChar is 0xff. (EF(AODF) is wrong/incomplete). I found this while sniffing this card.
>
> OpenSC doesn't like that card for two other reasons as well. First it has its own DF for pkcs15 (found in EF(DIR), add this to apps[] in dir.c:
>
> { (const u8 *) "\xE8\x28\xBD\x08\x0F\x00\xA0\x00\x00\x02\x24", 11, "Vasco P15" }
>
> Secondly the EF(TokenInfo) just contains zeros (making sc_pkcs15_parse_tokeninfo() angry).
>
> Cheers,
> /Mats

Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?

Viktor.

> On 11/16/09 3:00 PM, JP Szikora jean-pierre.szik...@uclouvain.be wrote:
>> Viktor TARASOV wrote:
>>> JP Szikora wrote:
>>>> Viktor TARASOV wrote:
>>>>> I would try to prepare patch, but actually I have no CardOS card recognized by OpenSC.
>>>>> The card CardOS that I have is:
>>>>>
>>>>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>>>>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>>>>> Chip type: 124
>>>>>
>>>>> Any help would be greatly appreciated.
>>>>
>>>> Hi Viktor,
>>>>
>>>> You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B (but that can be changed) and the chip type is usually 123. Can you send a complete output of the cardos-info command?
>>>
>>> Hi Jean-Pierre, here it is:
>>>
>>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>>> Chip type: 124
>>> Serial number: 27 20 ab 15 2a 12
>>> Full prom dump:
>>> 33 66 00 1B 5B 5B 5B 5B 7C FF 27 20 AB 15 2A 12 3f..|.' ..*.
>>> 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
>>> OS Version: 200.8 (that's CardOS M4.3B)
>>> Current life cycle: 16 (operational)
>>> Security Status of current DF:
>>> Free memory : 818
>>> ATR Status: 0x128 unknown
>>> Packages installed:
>>> E1 09 01 04 13 02 C8 08 8F 01 01 ...
>>> Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
>>> Free eeprom memory: 41116
>>> System keys: PackageLoadKey (version 0x00, retries 10)
>>> System keys: StartKey (version 0xff, retries 10)
>>> Path to current DF:
>>>
>>> This card has been formatted with Vasco tools, it contains some PKCS#15 system. I know the values of PIN, SOPIN(PUK ?) but I could not verify any of the PINs referenced in its EF.AOD.
>>
>> Hi Viktor,
>>
>> You have a 64k Cardos 4.3B card. The StartKey is still the default one (0xFF), but probably the erase command is protected or blocked at the ACL level. Need a deeper analysis. I'm not sure you can do too much with OpenSC and this externally formatted card. With opensc-explorer, you can always try to look and to understand the structure of your card. Maybe the best is to find a clean CardOS 4.3B to play with it.
>>
>> Cheers,
>> Jean-Pierre

--
Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] cardos split-key
Hi Viktor,

Viktor TARASOV wrote:
> Is it possible to buy somewhere 2-3 cards CardOS, that will be accepted by OpenSC (formatted, initialized, ...)?
>
> Viktor.

You can get some eTokens (32K and 64K) that will be accepted by OpenSC and are relatively cheap, at ebay [1].

Regards,
João

[1] - http://shop.ebay.com/i.html?_kw=etoken_fcid=164_localstpos=_sticky=1_stpos=gbr=1
Re: [opensc-devel] cardos split-key
Viktor TARASOV wrote:
> I would try to prepare patch, but actually I have no CardOS card recognized by OpenSC.
> The card CardOS that I have is:
>
> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
> Info : CardOS V4.3B (C) Siemens AG 1994-2004
> Chip type: 124
>
> Any help would be greatly appreciated.

Hi Viktor,

You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B (but that can be changed) and the chip type is usually 123. Can you send a complete output of the cardos-info command?

Cheers,
Jean-Pierre
Re: [opensc-devel] cardos split-key
JP Szikora wrote:
> Viktor TARASOV wrote:
>> I would try to prepare patch, but actually I have no CardOS card recognized by OpenSC.
>> The card CardOS that I have is:
>>
>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>> Chip type: 124
>>
>> Any help would be greatly appreciated.
>
> Hi Viktor,
>
> You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B (but that can be changed) and the chip type is usually 123. Can you send a complete output of the cardos-info command?

Hi Jean-Pierre, here it is:

3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 124
Serial number: 27 20 ab 15 2a 12
Full prom dump:
33 66 00 1B 5B 5B 5B 5B 7C FF 27 20 AB 15 2A 12 3f..|.' ..*.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
OS Version: 200.8 (that's CardOS M4.3B)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 818
ATR Status: 0x128 unknown
Packages installed:
E1 09 01 04 13 02 C8 08 8F 01 01 ...
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 41116
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:

This card has been formatted with Vasco tools, it contains some PKCS#15 system. I know the values of PIN, SOPIN(PUK ?) but I could not verify any of the PINs referenced in its EF.AOD.

> Cheers,
> Jean-Pierre

Thanks,
Viktor.
--
Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] cardos split-key
Incidentally this ATR matches a Vasco CertiID initialized CardOS4.3b card, could that be what you have?

I've investigated (sniffed) a card like this and found 3 anomalies (from a pkcs15-perspective): Empty/zero-filled EF(TokenInfo), wrong padChar in EF(AODF) pin object, missing pinReference in EF(AODF) (sniffed value used in VERIFY is 0x06).

Cheers,
/Mats

On 11/16/09 9:15 AM, JP Szikora jean-pierre.szik...@uclouvain.be wrote:
> Viktor TARASOV wrote:
>> I would try to prepare patch, but actually I have no CardOS card recognized by OpenSC.
>> The card CardOS that I have is:
>>
>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>> Chip type: 124
>>
>> Any help would be greatly appreciated.
>
> Hi Viktor,
>
> You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B (but that can be changed) and the chip type is usually 123. Can you send a complete output of the cardos-info command?
>
> Cheers,
> Jean-Pierre
Re: [opensc-devel] cardos split-key
Andreas Jellinghaus wrote:
> btw, if anyone wants to touch the cardos/splitkey code: we could as well remove it and simply store sign,decrypt as decrypt key and do the signing internally.
>
> after a few years, I think the hack to copy the key didn't work out so well, and if you can use card+pin for decrypt'ing, there is no security benefit in not using it.

Hi,

I would like to do it, if you are not particularly in a hurry. My motivation is to finalize the 'intrinsic_ID' and 'dissociate_ID_and_file_index'.

The actual concept of 'splitted key' is not quite compatible with key's 'intrinsic ID', neither is it compatible with PKCS#15 standard -- it states the uniqueness of the key ID.

About 're-use object' used by CardOS. (Is it the only one?) See http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012854.html . IMHO, pkcs15 level should not bother to keep the traces of the deleted objects. It's up to card-specific level to find out free index(s) -- re-use the old or create a new one.

Will we keep 'splitted key' or not, it can be implemented at the card specific level, with the help of some additional pkcs15_init_operation like get_free_index(). (Method will be also useful for the other cards.) This method will find out free BS index(s); if there is a possibility, it can create a new one(s), and will store key index(s) in key_info. Afterwards, card specific store_key() will store key into the once (or twice).

(In a background, I have a thought about card IAS-ECC. In its last specification there is no possibility to create new BSs -- all BS slots are pre-allocated. It's up to card specific level, when importing a BS object, to discover a suitable slot with a proper size, algo, ACLs, ...)

> we should stay compatible with cards initialized with old opensc however.

I would try to prepare patch, but actually I have no CardOS card recognized by OpenSC.
The card CardOS that I have is:

3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 124

Any help would be greatly appreciated.

> Regards, Andreas

Kind wishes,
Viktor Tarasov.
--
Viktor Tarasov viktor.tara...@opentrust.com
[opensc-devel] cardos split-key
btw, if anyone wants to touch the cardos/splitkey code: we could as well remove it and simply store sign,decrypt as decrypt key and do the signing internally.

after a few years, I think the hack to copy the key didn't work out so well, and if you can use card+pin for decrypt'ing, there is no security benefit in not using it.

we should stay compatible with cards initialized with old opensc however.

Regards,
Andreas