Geek Answers Handbook

Need advice on cryptographic algorithm

Apologies for the essential nature of this issue. I struggled to cope with this and tried to summarize my understanding of what I needed with the specific issues that I have.

In this issue related to reading data from the European DTCO card, I was given tips that are related to the algorithm in the screenshot below (from Appendix 11 to this document ), but I do not understand how to perform the two steps outlined.

  • I see that Sign is a segment of the array containing the certificate, but what does it mean to open it with the public key? I can successfully complete this step before, reading CA_Certificate from the map and issuing APDU SECURITY MANAGEMENT from it using CAR (see. First step of the algorithm). But, having chosen in this way the public key, which public key I use at the "Step" public step. MSE chooses one, but I don't have one; I have only the European public key for ERCA, but is this the same key that I selected on the card? I do not have private keys, but I need them.

  • In the step to verify that Hash (C ') = H', how do I calculate the hash? It seems that there are so many different ways (is that the right word?) To do encryption / decryption / hashing that I'm pretty confused.

enter image description here

All I really need to do to read the data that I need is to authenticate with EXTERNAL AUTHENTIC right after GET CHALLENGE , which returns an 8-byte call.I suppose I need to use this to calculate the encryption for EXTERNAL AUTHENTICATION . I found the code example below ( see Full post ) and although it seems to be in some C-like scripting language (I use C #), for another type of smart card it looks like what I should use.

// // Authenticate against CardOS card // var card = new Card(_scsh3.reader); var crypto = new Crypto(); var key = new Key(); key.setComponent(Key.DES, new ByteString("01010101010101010101010101010101", HEX)); // Get challenge var challenge = card.sendApdu(0x00, 0x84, 0x00, 0x00, 8, [0x9000]); // Crypto.DES_MAC_EMV is a CBC generated Retail-MAC var cipher = crypto.sign(key, Crypto.DES_MAC_EMV, challenge); card.sendApdu(0x00, 0x82, 0x00, 0x81, cipher); print("Card returns " + card.SW.toString(16) + " - " + card.SWMSG);

Differences

  • An optional parameter, P2, indicating that MANAGE SECURITY ENVIRONMENT is apparently executed with CAR 'from Card_Certificate, which does not work for me, although it works with CAR' from CA_Certificate.

  • Lc 0x80 instead of 0x81 in the sample code.

  • Any cipher that I compute to use here would have to be 128 bytes until it understands the length of the cipher in the sample.

+7
source share
2 answers

This answer is also a bit long, because a misunderstanding needs to be explained. The text above is about authentication using an asymmetric key pair. Since no one can prove anything except that the private adversary is a public key, additional credentials are needed. The issuer of the certificate usually claims to confirm your identity, and this is documented by the signatures of the certificate (the signature is useful if the issuer's public key is known from the Internet or because it is already stored on the card). Typically, a smart card provides the “Perform Security Operation” command in the “Verify Certificate” mode for this purpose: it verifies the issuer's signature, unpacks the public key contained in the certificate or is supplied with it, and saves it for private use will be executed soon.

Your code snippet is about authentication using a symmetric key, also called a private key. It is assumed that this secret is known only to authorized people. 0x81, which you consider LC, is actually P2, which means "take local key number 1" to verify the MAC calculation with this secret key. In fact, if we take an 8-byte random number as input for calculating (both retail and any other) MAC, then (for example, using standard add-on schemes) will lead to a 16-byte result. By the way, the DES key in the example is terrible. The least significant bit of each byte is the parity bit, so the key consists of only zero bytes.

Both schemes have nothing to do with the goal of somehow performing authentication.

For more information, see ISO 7816-8 (for performing a security operation), ISO 7816-4 (for external authentication, receiving a call, and most other smart card commands). They are hard to get without spending money - older versions can be found at www - and are pretty dry to read and understand hard. More explanation can be found in Rankl / Effing "Handbuch der Chipkarten", but it is reported that the English translation of "Smart Card Handbook" is sometimes used. For certificate materials, I would recommend Schneier, Applied Cryptography, which also has hundreds of additional links.

+3
source

Do not do it yourself, a lot can go wrong. The chic lock curve library supports the ISO 9706-2 signature. It works in both C # and java.

At the very beginning, this document makes it clear what is happening. Initially you return from the card

 x_c = sign || c_n || c_ar

A sign is an RSA signature at the output of the encoding / padding / hash function in your message (in this case a message appears - this is a certificate). c_n is the rest of the message, and c_ar is the identifier of the certification authority that created the signature sign.

The encoding function used is μ (m) = 6A || m [1] || hash (m) || BC

where || is concatenation, 6A is only 0x6A bytes, just like for 0xBC. A hash is some hash function, and m 1 is the first k-length of the hash function - 16 bits of the message. m [2], then the rest of the message and what is stored as c_n.

DES is not here.

What you have to do here is

  • Receive message / certificate by concatenating \ m 1 and c_n
  • calculate μ (m [1] || c_n)
  • Verify that the mark is the rsa signature on the μ (m [1] || c_n) certification authority specified in c_ar
+4
source

More articles:


All Articles