21 December 2010

NFC feuding, Symmetric vs PKC

NFC feuding

NXP’s Gingerbread Coup Leaves Rivals With a Bitter Taste     Dec 20 2010 

If Gingerbread supports Mifare, the most popular technology used for transit ticketing, it would put Inside at a significant disadvantage to supply NFC chips with secure elements, since NXP has declined to grant Inside a Mifare license. Of course, Inside faces a problem supplying chips for any NFC phone that supports Mifare, unless it partners with a Mifare licensee. Any Mifare support in Gingerbread is also expected to favor suppliers of Mifare tags.
....
Many in the industry, including telcos and service providers, are disappointed with the few tag-reading commands that Gingerbread and the first handset using it, the Nexus S, so far supports. “This API is useless for us,” said one telco, according to a source. Many telcos want to support retail payment, either hosting applications from banks or running the payment scheme themselves.
nfctimes
____________________________________________________________

future Symmetric Crypto should definitely be at least AES128
proprietary short keys are dangerous:
WikiPedia: "clone any MIFARE Classic card in not more than 10 seconds"

current 112 bit "triple DES" will surely be orphaned... will anyone continue to optimise DES chips?
........................

With symmetric crypto algorithms, NFC payment schemes currently require secret keys on Card and Reader.

Something like this:
1) Card to Reader: send Random1 and the requested $ amount.
2) Reader to Card: send encrypted Random1 and Random2 -> Card trusts Reader.
3) Card to Reader: send encrypted Random2 -> Reader trusts Card (and constructs the card session key).
4) Reader to Card: send signed transaction -> Card is sure that the transaction is complete.
"Tearaway" logic must be in place in the reader if this sequence is broken.
.................................

If PKC were adopted:
1) Card sends signed Amount to Reader -> Reader trusts Card.
2) Reader sends signed Acceptance to Card -> Card trusts Reader and completes the transaction.

Some nonce with known structure would be included in the signature




PKC (eg RSA public key) would mean:
No common secret key would be loaded onto the Card.
Each card could generate its own secret key, which would never leave the card.

A certification structure would be required, to guard public keys. Note this is a lower order cryptographic problem.
Fast large-integer hardware arithmetic would be required.
A desktop can validate a PKC signature in < 10 msec; not sure about NXP speed.
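The two-step PKC exchange sketched above, with the structured nonce and the certification structure, as an added Go example written for these notes (it is not code from this blog, NXP, Inside or any scheme mentioned here). It assumes P-256 ECDSA in place of RSA, a minimal "certificate" that is just the issuer's signature over the card ID and public key, and a nonce laid out as CardID || sequence number || random bytes so the reader can check the structure and refuse replays. The card generates its own key pair; the issuer only ever sees the public half.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// digest hashes tag||parts so every signature covers one labelled structure.
func digest(tag string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(tag))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

func be32(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }
func pubBytes(p *ecdsa.PublicKey) []byte { return append(p.X.Bytes(), p.Y.Bytes()...) }

// AmountMsg is step 1, card -> reader: the card's public key with the issuer's signature over it
// (a minimal certificate, format assumed here), plus amount and structured nonce signed by the card.
type AmountMsg struct {
	CardID  [4]byte
	CardPub *ecdsa.PublicKey
	CertSig []byte   // issuer signature over digest("CERT", CardID, X||Y)
	Nonce   [16]byte // CardID(4) || sequence(4, big-endian) || random(8)
	Amount  uint32
	Sig     []byte   // card signature over digest("AMOUNT", Nonce, Amount)
}

type Card struct {
	key     *ecdsa.PrivateKey // generated on the card and never exported
	id      [4]byte
	certSig []byte
	seq     uint32
}

type Reader struct {
	Key       *ecdsa.PrivateKey
	IssuerPub *ecdsa.PublicKey
	LastSeq   map[[4]byte]uint32 // highest sequence accepted per card: replay detection
}

// NewCard: the card makes its own key pair; only the public half goes to the issuer for signing.
func NewCard(id [4]byte, issuer *ecdsa.PrivateKey) *Card {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	c := &Card{key: k, id: id}
	c.certSig, _ = ecdsa.SignASN1(rand.Reader, issuer, digest("CERT", id[:], pubBytes(&k.PublicKey)))
	return c
}

// Request is step 1: sign the amount together with a fresh structured nonce.
func (c *Card) Request(amount uint32) *AmountMsg {
	c.seq++
	m := &AmountMsg{CardID: c.id, CardPub: &c.key.PublicKey, CertSig: c.certSig, Amount: amount}
	copy(m.Nonce[0:4], c.id[:])
	copy(m.Nonce[4:8], be32(c.seq))
	rand.Read(m.Nonce[8:])
	m.Sig, _ = ecdsa.SignASN1(rand.Reader, c.key, digest("AMOUNT", m.Nonce[:], be32(amount)))
	return m
}

// Accept is step 2: certificate, nonce structure and card signature are checked (reader trusts
// card); the reader then returns its signed acceptance.
func (r *Reader) Accept(m *AmountMsg) ([]byte, error) {
	if r.LastSeq == nil {
		r.LastSeq = map[[4]byte]uint32{}
	}
	if !ecdsa.VerifyASN1(r.IssuerPub, digest("CERT", m.CardID[:], pubBytes(m.CardPub)), m.CertSig) {
		return nil, errors.New("card key not certified by issuer")
	}
	var id [4]byte
	copy(id[:], m.Nonce[0:4])
	seq := binary.BigEndian.Uint32(m.Nonce[4:8])
	if id != m.CardID || seq <= r.LastSeq[id] {
		return nil, errors.New("nonce malformed or replayed")
	}
	if !ecdsa.VerifyASN1(m.CardPub, digest("AMOUNT", m.Nonce[:], be32(m.Amount)), m.Sig) {
		return nil, errors.New("card signature invalid")
	}
	r.LastSeq[id] = seq
	return ecdsa.SignASN1(rand.Reader, r.Key, digest("ACCEPT", m.Nonce[:], be32(m.Amount)))
}

// Complete is the card's half of step 2: a valid reader signature over the nonce and amount the
// card itself sent means the card trusts the reader and the transaction is done.
func (c *Card) Complete(m *AmountMsg, acceptSig []byte, readerPub *ecdsa.PublicKey) bool {
	return m.CardID == c.id && ecdsa.VerifyASN1(readerPub, digest("ACCEPT", m.Nonce[:], be32(m.Amount)), acceptSig)
}
```

A transaction is `m := card.Request(amount)`, then `sig, err := reader.Accept(m)`, then `card.Complete(m, sig, readerPub)`. A reader needs only the issuer's public key to accept cards it has never seen, which is the lower-order problem of guarding public keys that the notes refer to; every signature is over a tagged hash, so an acceptance signature can never be mistaken for an amount signature.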

Is it possible to use symmetric crypto in a 2 stage transaction?
1) Card sends amount & random & encrypted random -> Reader trusts Card (based on the shared secret key).
This exposes known plaintext, whereas the 4-step allows for 'session' keys, which are calculated using the CardID.
The Card's key is derived from its ID, so breaking one card doesn't break all.
So in practice a 4 step transaction is used.
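The four-step symmetric exchange from the earlier notes, together with the per-card key derived from the CardID and the per-transaction session key, as an added Go example written for these notes (not code from this blog or from any of the schemes mentioned). AES-128 stands in for triple DES. The two key derivations, the HMAC over the amount as the "signed transaction", and the Pending flag that stands in for the reader's tearaway logic are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// aesBlock encrypts one 16-byte block with AES-128 (challenge/response and key derivation only).
func aesBlock(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

func random16() []byte {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}

// Kcard = E(Kmaster, CardID||00..), so breaking one card does not break all;
// Ks = E(Kcard, R1[:8]||R2[:8]), a fresh MAC key per transaction. (Both derivations assumed.)
func diversify(master, id []byte) []byte {
	in := make([]byte, 16)
	copy(in, id)
	return aesBlock(master, in)
}

func sessionKey(kcard, r1, r2 []byte) []byte {
	return aesBlock(kcard, append(append([]byte{}, r1[:8]...), r2[:8]...))
}

func txnMAC(ks []byte, amount uint32) []byte {
	m := hmac.New(sha256.New, ks)
	binary.Write(m, binary.BigEndian, amount)
	return m.Sum(nil)
}

// Card holds only its own diversified key; Kmaster never reaches the card.
type Card struct {
	ID, Key []byte
	Balance uint32
}

// Reader holds Kmaster and remembers whether an exchange is still open (tearaway state).
type Reader struct {
	Master    []byte
	Pending   bool
	Committed []uint32
}

// Run plays the four steps between c and r. tearAfter == 2 simulates the card leaving the
// field after step 2, so the reader is left holding an unfinished exchange.
func Run(c *Card, r *Reader, amount uint32, tearAfter int) (bool, error) {
	r.Pending = false // tearaway logic: an earlier exchange that never finished is discarded
	// 1) card -> reader: CardID, Random1, requested amount
	r1 := random16()
	// 2) reader -> card: E(Kcard, Random1), Random2
	kcard := diversify(r.Master, c.ID)
	encR1, r2 := aesBlock(kcard, r1), random16()
	r.Pending = true
	if tearAfter == 2 {
		return false, errors.New("sequence broken: card left the field")
	}
	// card checks the reader's answer with its own key: card trusts reader
	if !bytes.Equal(encR1, aesBlock(c.Key, r1)) {
		r.Pending = false
		return false, errors.New("card does not trust reader")
	}
	// 3) card -> reader: E(Kcard, Random2); both sides derive the session key
	encR2 := aesBlock(c.Key, r2)
	ksCard, ksReader := sessionKey(c.Key, r1, r2), sessionKey(kcard, r1, r2)
	if !bytes.Equal(encR2, aesBlock(kcard, r2)) { // reader trusts card
		r.Pending = false
		return false, errors.New("reader does not trust card")
	}
	// 4) reader -> card: amount under the session-key MAC; the card verifies and debits
	mac := txnMAC(ksReader, amount)
	r.Pending = false
	if !hmac.Equal(mac, txnMAC(ksCard, amount)) || amount > c.Balance {
		return false, errors.New("card rejects transaction")
	}
	c.Balance -= amount
	r.Committed = append(r.Committed, amount)
	return true, nil
}
```

Run with tearAfter set to 2 returns an error and leaves the reader with Pending still true; the next Run discards the torn exchange before starting a fresh one, and the card's balance is untouched because step 4 never happened. A reader that holds the wrong master key derives the wrong Kcard, so its answer to Random1 fails the card's check and nothing after step 2 takes place.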

I expect that PKC will eventually replace symmetric crypto.

Initialising cards with Secret Keys is an arduous and anxious process.

08 December 2010

NSW TCard, OSPT GEMALTO M-pesa

NSW smart card in court Elisabeth Sexton December 8, 2010
THE NSW cabinet.. $300 million litigation over the abandonment of a transport smartcard developed by the former .. ERG Ltd.
...
The appeal, .. relates to a decision by Justice Clifford Einstein in June giving ERG access to most, but not all, documents relevant ..

The government is suing ERG for $77 m ... Tcard contract. ERG has countered $215 m..

ERG was delisted .. last year
Ingot Capital ..run by Duncan Saville, which was ERG's largest shareholder ..


____________________________________________________________

London buses to go contactless (thought they already were?)
07 December, 2010 - 13:33
..from early 2012 and on the Underground around a year or so later,"
..visitors to London or occasional users to avoid the need to purchase an Oyster card,..
..
Barclaycard launched a combined contactless Oyster travel and debit card, OnePulse, in 2007.
..save TfL money on the commission it currently has to pay Oyster operators
...France, with Giesecke & Devrient, Infineon Technologies, Inside Secure and Oberthur Technologies announcing OSTP..
finextra
_______________________________________________
snapper
Google phone not so smart
__________________________________________

The Open Standard for Public Transport (OSPT) Alliance, ...two new members: Watchdata Technologies Ltd. and the Open Ticketing Institute of the Netherlands.

...interoperable transit fare collection solutions based on open standard security.

Founded in Beijing in 1994, Watchdata provides a range of products including smart cards, USB tokens, readers, .....

The Open Ticketing Institute ...to advance the Netherlands' e-ticketing system, OV-chipkaart. As a separate not-for-profit foundation..

The new open security standard, Cipurse, defines an authentication scheme, a secure messaging protocol, four minimum mandatory file types and a minimum mandatory command set to access these files types. It also specifies encryption keys and access conditions, and includes a cryptographic protocol that protects against differential power analysis (DPA) and differential fault analysis (DFA).

contactlessnews
pcworld
osptalliance
calypsotechnology
waazaa 14443-3.pdf
____________________________________
2010 SESAMES winner unveiled
notably:
"SESAMES IT SECURITY: The winner is GEMALTO with eGo. eGo gives access to services in touching objects with any parts of your body. It has no defined form factor and may be any object you should carry close to your body. The message wakes up a secure element and a usual wireless communication means."
- if I understood this I believe I would be excited (italics NOT in original)
secureidnews


________________________________________
Odd Java Hints:... (the snippet below is actually C#: it uses reflection to call the non-public InternalPreserveStackTrace, so the exception can later be rethrown with its original stack trace)
using System;
using System.Reflection;

private static void PreserveStackTrace(Exception exception)
{
    MethodInfo preserveStackTrace = typeof(Exception).GetMethod("InternalPreserveStackTrace",
        BindingFlags.Instance | BindingFlags.NonPublic);
    preserveStackTrace.Invoke(exception, null);
}
____________________________________
M-Pesa

since 2007, Kenya ... phone technology..
..M-Pesa ...those without a bank account to transfer funds .. a text message.
..Vodafone and Safaricom...Pesa is Swahili for money.
50% use the service to send money to..relatives, to pay for shopping..taxi ride ..
..
"The bank in my phone"
..register with Safaricom at an M-Pesa outlet... load money onto their phone. ..sent onto a third party by text message.
The recipient takes the phone to their nearest vendor,... pick up the cash.
..Mr Makusi says he no longer has to worry about being mugged while carrying cash.
..Seema Desai, director of the Mobile Money for the Unbanked (MMU)..
..Nick Hughes and Susie Lonie.. M-Pesa. .. Economist Innovation award..
...payment to the thousands of small one or two-cow milk producers.. decided to create a payment system using M-Pesa.
... Smart and Globe were active on a smaller scale in the Philippines in 2002
... March 2010 28.59bn (KES) $351m) was transferred using the service.
.. launched in Tanzania, Afghanistan and now South Africa, with trials underway in India.
.. One company that does let you pay with your mobile is Boku...buy virtual money..??? 65 countries..




The Bill and Melinda Gates Foundation has committed $500 million (Sh40 billion) over five years
..Global Savings Forum held in Seattle
..
.."In Kenya, M-Pesa is showing what storing and transferring money on mobile phones can do for poor people... at an enormous scale" Mrs Gates told the gathering.
..
.. $4.8 million (Sh384 million) will be used to expand M-Pesa into Tanzania
...mobile money transfer service had helped Kenyans cope with disasters better.
..
ShoreBank International..in Bangladesh will receive $10 million .. introducing bKash .. to be launched in .. March 2011.
..
nation

_________________________________________________
NFC:
Japan and South Korea ..in use for several years
Verizon, AT&T, and T-Mobile.. NFC system called Isis by 2012,
..Google Gingerbread smartphone, will have NFC technology
November 17, 2010
By ANTONY KARANJA in DALLAS TEXAS
bbc

23 November 2010

M-Pesa, SSL snoops, Cloud Cracking

M-Pesa
since 2007, Kenya ... phone technology..
..M-Pesa ...those without a bank account to transfer funds .. a text message.
..Vodafone and Safaricom...Pesa is Swahili for money.
50% use the service to send money to..relatives, to pay for shopping..taxi ride ..
..
"The bank in my phone"
..register with Safaricom at an M-Pesa outlet... load money onto their phone. ..sent onto a third party by text message.
The recipient takes the phone to their nearest vendor,... pick up the cash.
..Mr Makusi says he no longer has to worry about being mugged while carrying cash.
..Seema Desai, director of the Mobile Money for the Unbanked (MMU)..
..Nick Hughes and Susie Lonie.. M-Pesa. .. Economist Innovation award..
...payment to the thousands of small one or two-cow milk producers.. decided to create a payment system using M-Pesa.
...Smart and Globe were active on a smaller scale in the Philippines in 2002
...March 2010 28.59bn (KES) $351m) was transferred using the service.
..launched in Tanzania, Afghanistan and now South Africa, with trials underway in India.
..
One company that does let you pay with your mobile is Boku...buy virtual money..??? 65 countries..

NFC:
Japan and South Korea ..in use for several years
Verizon, AT&T, and T-Mobile.. NFC system called Isis by 2012,
..Google Gingerbread smartphone, will have NFC technology
bbc
................................
November 17, 2010
By ANTONY KARANJA in DALLAS TEXAS

The Bill and Melinda Gates Foundation has committed $500 million (Sh40 billion) over five years
....$4.8 million ..to expand M-Pesa into Tanzania through .. Vodafon..
..helped Kenyans cope with disasters better.
..ShoreBank Int..BRAC Bank .. Bangladesh will receive $10 million..go into introducing bKash..a mobile money ..
nation
________________________________________
SSL snoops

crypto
24March2010
A paper published today by Chris Soghoian and Sid Stamm [pdf] suggests that the threat may be far more practical than previously thought. They found turnkey surveillance products, marketed and sold to law enforcement and intelligence agencies in the US and foreign countries, designed to collect encrypted SSL traffic based on forged "look-alike" certificates obtained from cooperative certificate authorities. The products (apparently available only to government agencies) appear sophisticated, mature, and mass-produced, suggesting that "certified man-in-the-middle" web surveillance is at least commonplace and widespread enough to support an active vendor community. Wired's Ryan Singel reports in depth here.
http://files.cloudprivacy.net/ssl-mitm.pdf
pdf
http://www.wired.com/threatlevel/2010/03/packet-forensics/
Law Enforcement Appliance Subverts SSL
marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

“Verisign has never issued a fake SSL certificate, and to do so would be against our policies,” said vice president Tim Callan.

___________________________________________

Cloud Cracking

..Amazon EC2 "Cluster GPU Instances": ..the power of two NVIDIA Tesla “Fermi” M2050 GPUs....
33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core “Nehalem” architecture)
2 x NVIDIA Tesla “Fermi” M2050 GPUs
API name: cg1.4xlarge

GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?

Using the CUDA-Multiforcer, I was able to crack all hashes from this file with a password length from 1-6 in only 49 Minutes (1 hour costs 2.10$ by the way.):
http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/
[cracking a hash is 1 thing, cracking a hash with a useful message is another]

_____________________________

arduino "smart card" or smartcard reader
arduino 8 bit controller - toys take over the world
__________________________
how to read SLE4442 smart card
com
______________________
From 64-bit Hexadecimal Representation To Decimal Floating-Point
cs
___________________
Engineers at the University of Kitakyushu have built this red snapper robot. Intended for wildlife surveys, this robot sports an array of sensors as well as a hand painted silicon body. It is decidedly more realistic looking than the Robofish and the Essex University robot fish.
botjunkie
watch
_________________________________________________________________________
Web Tech
One of the compelling reasons to use JSON instead of XML in current web applications is the imposed security restrictions in modern browsers; JSON can actually be retrieved from remote websites without too much trouble (using jsonp) while XML requires one to jump through a number of loops (such as a local proxy). Go figure!
http://norman.walsh.name/2010/11/17/deprecatingXML
______________________________
MasterCard Tap & Go
..New Zealand's first "tap and go" credit cards ..tomorrow..
..ANZ's Rugby World Cup MasterCards ..< $80 ....two seconds....terminals .. in Auckland's Eden Park and Wellington's Westpac Stadium.."corridors" of retailers around the stadiums.. protected by MC's "zero fraud liability" protection, .. ..has already been issuing prepaid and reloadable MasterCards with the embedded antennae, .. not been telling customers about the ..contactless feature. ....83 million MasterCard contactless cards on issue worldwide
stuff
_________________________________________

09 November 2010

Australian Problems, Bangalore and Pune, AES-NI

Australian Problems
seem to have had a few since I tried to get on the bus in 95
The history of implementing public transport smart cards in Australia has seen mixed results. The first attempt to implement a smart card for public transport in NSW failed in 2008 and has since led to long-running legal troubles for the State Government. In Victoria, the Myki smart card system is up and running on trains, buses and trams in Melbourne, but has also had its fair share of troubles. Queensland has experienced less troubles with its go card system. Perth has also managed to implement a smart card system.

South Australia and the Australian Capital Territory are in the midst of roll-outs.

Clark said Visa was currently conducting a trial in New York's transit system with a payWave app on the iPhone
zdnet
________________________
Bangalore and Pune are vying to be the first city in India to deploy a contactless smart card fare system on city buses .. idsuperstore.ca.

Bangalore’s .. nearing completion, ..1,000 buses. Pune, .. a definitive November 14 launch date..
______________________________
AES on Intel
The Intel® AES New Instructions (AES-NI) Sample Library .. Advanced Encryption Standard (AES) block cipher using the new AES-NI instructions available in Intel Core™ i5, i7, Xeon® 5600 series and newer processors.
intel

.. all new 2010 Intel® Core..Westmere.
..
28.0 cycles per byte to 3.5 cycles per byte
_______________________________________
AES-NI in truecrypt, but note the arguments:
truecrypt apparently doesn't have a "true" free licence - the distinction seems moot to me
truecrypt really doesn't do anything useful that you can't do better with proper open source choices, like dmcrypt/luks.
but:
a lot easier to use, has a simple gui for easy creation of encrypted containers, partitions and drives, supports multiple cores!! and AES-NI, no need to create multiple dmcrypt-devices and a raid above them, to use multiple cores (on slower systems with fast disks/ssds without hardware acceleration (VIA Eden, AES-NI, ... ) especially on older dual/quadcore-systems where cpu can be a real bottleneck for system-performance if you have your system encrypted, and want copy data on other fast encrypted discs (internal sata/sas or external e-sata/usb3).

From the performance-point of view:

..
Now I get ~570mb/s on a single core (i7 620M [dualcore]) with dmcrypt [aes-ni-support] and with truecrypt ~1600-1700mb/s on both cores.

Without AES-NI truecrypt (6.0) got about 250mb/s while dmcrypt on one core got about 100mb/s [older kernel/dmcrypt, think 110-120mb/s would be possible on an up2date kernel/dmcrypt]

..
I will keep my dmcrypt for the operating system (since truecrypt for linux-system encryption isn't supported) and use truecrypt for external drives.
Another thing, truecrypt runs on windows, linux, mac, solaris, ... , especially for external harddrives you want to use on more than one operating system, sticking with dmcrypt just doesn't work.
phoronix
____________________________________________________

...

31 October 2010

Bling Tag, Passport country

Bling Tag - don't lose your phone.


nearfieldcommunicationsworld       bling nation
Bling Tag, .. an NFC-enabled sticker that you stick to the back of your mobile phone. .. you don’t need any identification.. paying with Bling is as simple as tapping your phone onto a merchant’s Bling Box.

..downtown Palo Alto.. Bling Tags available at a few local shops. The Tag itself is free ..Just stick the Tag to your phone and you’re halfway done.
...
The first time you pay for goods at participating merchants, you’ll need to jump through one additional hoop .. When checking out at the cashier, simply tap the Tag on the Bling Box..The cashier will ask you for your phone number and use that to authorize the purchase. ..The verification code is only required on your initial purchase,..
....any phone that can accept SMS text message will work just fine.

The Bling Tag is tied to your credit card...  Bling is offering a $20 credit to first time users...
intomobile
.....



Business Model
Wences Casares, house in Chile
paymentsviews
______________________________________________________________________
Bling targets a small community which has a decent..financial asset size, and which is served primarily by local community banks. They sign up one or more of the banks, and an assortment of frequently-visited local merchant
......
Bling looks like a foreign ATM to the bank. Settlement in batch is done at night, between Bling and the banks, as a private, not network, settlement. The merchant doesn’t have to submit any clearing transactions – as long as they got the Blinger confirmation, they know their account will be credited that day.
http://paymentsviews.com/2009/10/19/blinging-it-home-a-look-at-bling-nation/

..............
The pitch to merchants is primarily cost – transactions are about 50% cheaper than traditional card acceptance.

In low-crime areas you may see people sitting at outdoor cafe tables with their cellphones on the table.
Not where snatchers are (most of the world?)

_______________________________
NFC card
The new device is the shape of a thick (3.9mm) bank card and can be used to display and store coupons, tickets, prepaid funds, adverts and membership of loyalty programmes — without the need for a mobile network connection. It includes a 2.2inch 320 by 240 pixel colour liquid crystal display and control keys that enable the user to switch between a number of screens. The device is fully NFC compliant and is compatible with ISO 14443 Type A and B contactless card systems as well as Sony's FeliCa technology.
via   0x9000.blogspot
nearfieldcommunicationsworld
______________________________________________________
Sort fast

Gusfield, Dan (1999), Algorithms on Strings, Sequences and Trees. Cambridge: University Press.
the Boyer-Moore string search algorithm, invented by Bob Boyer and J Strother Moore in 1977, in a variant devised by Nigel Horspool.
effbot
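The Boyer-Moore-Horspool variant mentioned above, as an added Go example written for these notes (it is not code from Gusfield's book or from the linked effbot page): the shift table is built from the positions of each byte in the pattern except its last, the window is compared right to left, and the slide distance depends only on the text byte under the window's last position, whatever the position of the mismatch.

```go
package main

// HorspoolSearch returns the start index of every occurrence of pattern in text, using the
// Boyer-Moore-Horspool shift table (Horspool's simplification of Boyer-Moore). Overlapping
// occurrences are all reported; an empty or over-long pattern yields nil.
func HorspoolSearch(text, pattern string) []int {
	m, n := len(pattern), len(text)
	if m == 0 || m > n {
		return nil
	}
	// shift[b]: when the byte under the window's last position is b, how far the window may
	// slide so that the rightmost occurrence of b in pattern[:m-1] lines up under it.
	// A byte absent from pattern[:m-1] allows a full jump of m.
	var shift [256]int
	for i := range shift {
		shift[i] = m
	}
	for i := 0; i < m-1; i++ {
		shift[pattern[i]] = m - 1 - i
	}
	var hits []int
	for pos := 0; pos+m <= n; pos += shift[text[pos+m-1]] {
		// compare right to left; the post statement above slides the window using only the
		// last text byte of the window, regardless of where (or whether) a mismatch occurred
		i := m - 1
		for i >= 0 && text[pos+i] == pattern[i] {
			i--
		}
		if i < 0 {
			hits = append(hits, pos)
		}
	}
	return hits
}
```

The table has one entry per byte value, so the preprocessing is O(m + 256) and the search is sub-linear on average for larger alphabets, which is where Horspool pays off over a plain left-to-right scan.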
__________________________
Passport
Java implementation
...open source Java Card implementation of the passport we provide at
sourceforge
..we can remotely detect the presence of a passport of a particular country,..
_____________________________________________________________________
Books ... on refactoring

com forrst
Clean-Code-Handbook
I liked "Implementation Patterns" better.
refactoring
com
Patterns of Enterprise Application Architecture
amazon
codeproject
java build sorry state
safaribooksonline $36.50 /month
___________________________________
C# how to throw
try
{
    var r = new RethrowProperly();
    r.DoSomething();
}
catch (DivideByZeroException ex)
{
    throw;   // "throw;" rethrows the caught exception and keeps its stack trace; "throw ex;" would reset it to this line
}
Now the call stack points directly at the line of code in DoSomething where the calculation is done.
_______________________________
Bit Hack #4. Unset the n-th bit.
y = x & ~(1<<n)
   catonmat
_______________________________


Security threat?
(i have not understood nor investigated this press clipping)

theregister

a universal Padding Oracle affecting every ASP.NET web application," Rizzo explains. "In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API.

"The vulnerabilities exploited affect the framework used by 25 per cent of the internet websites. The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise," he adds.

More details of the security weakness are due to be outlined at a presentation during the Ekoparty conference in Argentina this week.

Rizzo told threatpost that the attack might be exploited to allow a "moderately skilled attacker" to break into a website in an hour or less.

"The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy. The cryptographic knowledge required is very basic," Rizzo said. via code project
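What a padding oracle looks like in code, and the usual fix, as an added Go example written for these notes (it is not the ASP.NET framework code the article refers to, nor Rizzo's work). OracleDecrypt is the vulnerable shape: CBC with PKCS#7 padding, no integrity check, and a different error for a padding failure than for a content failure, which is exactly the distinguishing signal the article's attack needs. SealToken and OpenToken are the hardened shape: encrypt-then-MAC, with the HMAC verified in constant time before any decryption and a single error for every kind of failure. The keys, the "ticket:" prefix and the token layout are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var (
	ErrPadding = errors.New("bad padding")   // oracle answer 1
	ErrContent = errors.New("bad content")   // oracle answer 2
	ErrInvalid = errors.New("invalid token") // the only answer the hardened decrypt gives
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns IV || CBC ciphertext of already-padded data under a random IV.
func cbcEncrypt(key, padded []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

func cbcDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return out, nil
}

// OracleDecrypt: CBC with no integrity check, and padding failures reported differently
// from content failures. That difference in answers is the oracle.
func OracleDecrypt(key, token []byte) ([]byte, error) {
	raw, err := cbcDecrypt(key, token)
	if err != nil {
		return nil, err
	}
	plain, err := pkcs7Unpad(raw)
	if err != nil {
		return nil, ErrPadding
	}
	if !bytes.HasPrefix(plain, []byte("ticket:")) {
		return nil, ErrContent
	}
	return plain, nil
}

// SealToken/OpenToken: encrypt-then-MAC. The HMAC is checked in constant time before any
// decryption, so a modified token never reaches the unpadding code, and every failure is ErrInvalid.
func SealToken(encKey, macKey, plain []byte) []byte {
	ct := cbcEncrypt(encKey, pkcs7Pad(plain))
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(ct)
}

func OpenToken(encKey, macKey, token []byte) ([]byte, error) {
	if len(token) < sha256.Size+2*aes.BlockSize {
		return nil, ErrInvalid
	}
	ct, tag := token[:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, ErrInvalid
	}
	raw, err := cbcDecrypt(encKey, ct)
	if err != nil {
		return nil, ErrInvalid
	}
	plain, err := pkcs7Unpad(raw)
	if err != nil {
		return nil, ErrInvalid
	}
	return plain, nil
}
```

Flipping one byte of a naked CBC token gives ErrPadding or ErrContent depending on which byte was touched; the same flips on a sealed token all give ErrInvalid, because the MAC check rejects the token before the padding is ever examined. Separate encryption and MAC keys are used on purpose.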
__________________
celent
South Korea CL NFC
.....................................
Indeed, as the RPA starts its rollout of an integrated ticketing system here, TFL will begin to make the Oyster system redundant in London. From next year customers will be able to pay onto buses and trains directly with their contactless credit or debit cards, cutting out the need for an integrated system in between.
irishtimes
_________________________________

Sad day.
Sun Forums have been replaced by Oracle.


Sun forums were a great learning place, well attended, with serious answers
part of a radical re-make of the work/learning experience of C21
I can't overstate the importance of this and other forums, enabling me to teach myself Java, Database, X.509, SSL, etc etc
The readiness of others to reply, sometimes in a gruff manner (rtfm) was continually amazing

Oracle:
update: today 1Nov2010 Oracle forums look fine
..
is this true?
It seems that there is no carry-over, old topics from Sun are not indexed.
no search result for SSH jsch
"secure Sockets" does turn up a couple of rambling requests dating post 25Sep2010

on Sun, I got called a Zombie occasionally.
Because I found an old thread, usually via Google. Sometimes these old threads contained answers. Sometimes I was guilty of waking the zombie, but other google users sometimes arrived.
Sun had zombie-watchers who seemed to prowl the forums seeking to 'lock' any thread awakened by zombies.
Understandable from a neat-and-tidy perspective, but actually hindering me in searching for solutions.
The issue is moot now...

29 September 2010

Near Field Community testlibusb-win.exe

Near Field Community

libnfc
libnfc depends on libusb?
_____________________________________________________________

testlibusb-win.exe
works on Snapper Feeder
DLL version: 1.2.1.0
Driver version: 1.2.1.0


bus/device idVendor/idProduct
bus-0/\\.\libusb0-0001--0x04cc-0x0531 04CC/0531
- Manufacturer : Philips
- Product : USB TAMA
wTotalLength: 32
bNumInterfaces: 1
bConfigurationValue: 1
iConfiguration: 0
bmAttributes: a0h
MaxPower: 50
bInterfaceNumber: 0
bAlternateSetting: 0
bNumEndpoints: 2
bInterfaceClass: 255
bInterfaceSubClass: 255
bInterfaceProtocol: 255
iInterface: 0
bEndpointAddress: 04h
bmAttributes: 02h
wMaxPacketSize: 64
bInterval: 4
bRefresh: 0
bSynchAddress: 0
bEndpointAddress: 84h
bmAttributes: 02h
wMaxPacketSize: 64
bInterval: 4
bRefresh: 0
bSynchAddress: 0

As Xiaofan says: re Java problems
This is not a libusb-win32 problem but your JAVA USB wrapper problem.
The test program for libusb-win32 is testlibusb-win.exe. Is that working?

If that is working, you have to contact the author of the JAVA wrapper.

___________________________________________________
smartcardsource
easymifare (v1) - mifare / desfire read / write utility for only (!) $400
___________________________________________________



from 2006
Although the Universal Serial Bus (USB) is an integral part of many computers, Java does not officially support USB. Getting your Java programs to interact with arbitrary USB devices thus requires either a third-party Java/USB API or your own Java/USB API. This article introduces two third-party APIs and my own API, which provides a partial USB interaction.
today.java
___________________________________________________
mcuee
Xiaofan's Blog

Blog on IT and Electronics and more, especially Linux and microcontroller related issues
-points to
sourceforge
____________________________________________________

proxmark
a famous reader



_____________________________________________________________

An Introduction to Near-Field Communication and the Contactless Communication API
2008 low level API?
javax.microedition.contactless

sun

27 September 2010

libusb, favicon

Snapper Feeder does not show as a PC/SC Reader (javax.smartcardio.Card) with "mysnapper" drivers
windows\system32\drivers\libusb0.sys
system3libusb0.dll
are installed

I obtained
Java libusb/libusb-win32 wrapper
sourceforge
and tried to build UsbView
but sadly:
..\UsbView.java:177: fireTreeStructureChanged(ch.ntb.usb.Usb_Bus) has protected access in ch.ntb.usb.usbView.UsbTreeModel
treeModel.fireTreeStructureChanged(bus);
sourceforge forum
- this looks like it is nothing to do with USB!
hopefully I will get a bitter reply on sourceforge telling me the obvious thing I haven't done
- more likely a bitter reply telling me a) it's the wrong forum b) this was answered years ago, zombie etc etc
- but seriously folks, forums are great - couldn't live without them

I got something called ReadWrite.java
from
* Java libusb wrapper
* Copyright (c) 2005-2006 Andreas Schläpfer
*


which gave a run error of
java.lang.UnsatisfiedLinkError: no LibusbJava in java.library.path
which looks much more amenable to fixing
I found a LibusbJava.dll which I put in the path, but that didn't work .... way too easy, simple and obvious to act in a Java World!
actually the guys here at work, who have the answers, are away for a while, so I guess I'll just have to wait to eat humble pie upon their return



___________________________________________________
Snapper cards now do Taxis in Wgtn scoop
___________________________________________________
Tried to put gold contacts as my favicon, with very minimal success
blogspot old template was so grand!
(eg the "preview" now does not look like the post...


20 September 2010

HDMI Key, Utils

Master HDCP Key Cracked
From Bruce

The master key for the High-Bandwidth Digital Content Protection standard -- that's what encrypts digital television between set-top boxes and digital televisions -- has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear:

    But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did more than a decade ago. Unlike CSS, which could be implemented in software, HDCP requires custom hardware. The threat model for Hollywood, then, isn't that a hacker could use the master key to generate a DeCSS-like program for HD, but that shady hardware makers, perhaps in China, might eventually create and sell black-market HDCP cards that would allow the free copying of protected high-def content.
schneier

A comment there:
We generally refer to this as security theater. The cryptographic security has been illusory all along.
...
________________________________________________________
/**  Some utils
 *~
 * @author chris.skinner  July 2010
 */
package nz.here.there.everywhere;

import java.security.Provider;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;


public class SomeCipher {
  // Table of error-code strings searched by serrcode(); its contents are not on the page,
  // so an empty placeholder is declared here to make the class compile.
  static String[] errs = {};

  public static String serrcode(int err) {  // look up err in errs, trying lower- then upper-case hex
    String s = "?";
    String se = Integer.toHexString(err);
    for (String ss : errs) {
      if (ss.contains(se)) {
        s = ss;
        break;
      }
    }
    se = se.toUpperCase();
    for (String st : errs) {
      if (st.contains(se)) {
        s = st;
        break;
      }
    }
    return s;
  }//================

public static long by2long (byte[] b) {
    //java.lang.Byte wrapper provides longValue(),
    long value = 0;
    for (byte byt:b)
       value = (value << 8) + (byt & 0xff);
 return value;
}
public static byte[] longtohex( long g) { // long to byte array nb only 4 bytes
    // java long is 8 bytes, but our maths is 4 bytes only...
    byte[] bout = new byte[4];
    for (int j = 3 ; j >= 0; j--){
            bout[j] = (byte)(  g & 0x00000000000000FFL);
            g = g >> 8;
    }
    return bout;
}
public static byte[] inc(byte[] val){   // add 1 to a byte array
    return longtohex(by2long(val)+1);

}

public static byte[] sub (byte[] ba, byte[] bb){   // ba = ba - bb
    return (longtohex(by2long(ba) - by2long(bb)));

}
public static byte[] add ( byte[] bb, byte[] bc){   // ba = bb + bc
    return (longtohex(by2long(bb) + by2long(bc)));
}

public static String by2String (byte b) {
    String s = "";  // seems to need this for static include...
    s =  String.format("%02X", b);
    return s;
}

public static byte[] pad(byte[] plain)  {  // pad with 80 00.. but NOT if already 0 mod 8
        int z = plain.length;
        int x = (z & 0x0007);
        if (x == 0) {
            return plain;
        }
        x = 8 - x;
        byte[] padded = new byte[z + x];           // a new array is already 00-filled
        System.arraycopy(plain, 0, padded, 0, z);
        padded[z] = (byte)0x80;
        return padded;
    }// pad   KSCC maybe

public static byte[] padm(byte[] plain)  {   // for GP authentication, always add 80 then 00.. up to a multiple of 8
        int z = plain.length + 1;                // room for the mandatory 80 byte
        int x = (z & 0x0007);
        if (x != 0)
            x = 8 - x;                           // 00 bytes needed to reach the next multiple of 8
        byte[] padded = new byte[z + x];         // a new array is already 00-filled, so no fill is needed
        // (a fill from z+1 to z+x would throw IllegalArgumentException whenever x == 0, i.e. when
        //  plain.length + 1 is already a multiple of 8)
        System.arraycopy(plain, 0, padded, 0, plain.length);
        padded[plain.length] = (byte)0x80;
        return padded;
}// pad at least 1 GP


public static byte[] appendt (  List<byte[]> pb) {  //new append method  with pad
    byte[] bout = append(  pb);
    return pad(bout);
}
public static byte[] append (  List<byte[]> pb) {  //new append method  without pad
// actually a concatente, not append...
    int sz = 0;
    for (byte[] bd : pb) {
        sz+= bd.length; }
    byte[] bout = new byte[sz];
    sz = 0;
    for (byte[] bc:pb) {
        System.arraycopy(bc,     0,    bout, sz,           bc.length);
        sz+= bc.length;
    }
    return bout;
    }



    public static SecretKey makey16( byte[]   b, Provider prov)  {    // CARE input MUST be the final 16 bytes of ciphertext
        byte[] raw = new byte[16];
        SecretKey s = null;
           if (b.length < 16)       {
            System.out.println(" key bytes too short for factory");
            System.exit(79);  //formalise these...throw exception???
        }
        System.arraycopy(b, b.length-16, raw,      0, 16);
        s = makey(raw,prov);
        return s;
    }  //makey16

    public static SecretKey makey( byte[]   b, Provider prov)  {  
    // make a 24 byte DESede key from 16 bytes
    SecretKey s = null;
    byte[] b24 = new byte[24];
    try    {
           if (b.length < 16)       {
                System.out.println(" key bytes too short for factory");
            System.exit(77);  //formalise these...throw exception???
        }
        else        {
            System.arraycopy(b, 0, b24,      0, 16);      // replicate the first 8 to the last 8
            System.arraycopy(b, 0, b24,     16,  8);
            DESedeKeySpec    desEdeKeySpec = new DESedeKeySpec(b24);
            SecretKeyFactory desEdeKeyFact = SecretKeyFactory.getInstance("DESede",prov);
            s =  desEdeKeyFact.generateSecret(desEdeKeySpec);
//            byte[] rawkey = desEdeKeySpec.getKey();  // get the raw bytes back...
//            System.out.print ("\n  isparity adjusted      " + desEdeKeySpec.isParityAdjusted(rawkey, 0)) ;
        }
    }
    catch (NullPointerException npe) {
        System.out.println(" key bytes null");
        System.exit(78);  //formalise these...???

    }
    catch (Exception ex)    {
        ex.printStackTrace();   // print first: after exit() the trace is never seen
        System.exit(77);  //formalise these...
    }
    return (s);
} // makey

    public static String  Hex2String(byte[] b) {  // convert array of bytes to string
        String result="";
        for (byte by:b)
            result+= String.format("%02X", by);
        return result;
}
    public static String  Hex2String(byte[] b, int size) {
        if (size > b.length)
            return Hex2String(b);
        byte[] bin = new byte[size];
        System.arraycopy(b,0,bin,0,size);
        String result="";
        for (byte by:bin)
            result+= String.format("%02X", by);
        return result;
}
    public static String stripGarbage(String s) {
    String good =
      "ABCDEF0123456789";
    String result = "";
    for ( int i = 0; i < s.length(); i++ ) {
        if ( good.indexOf(s.charAt(i)) >= 0 )
           result += s.charAt(i);  //stringbuilder might be better
        }
    return result;
    }//______________________________________________

    public static byte[] String2Hex(String sin){
        sin = sin.toUpperCase();
        sin = stripGarbage(sin);
        byte[] bout = new byte[sin.length() / 2];  // sz must be even...
        if ((sin.length() & 1) != 0)
            return bout;
        try {
            for (int j = 0; j < sin.length()-1; j+=2) {
                bout[j/2] = (byte)(Integer.parseInt(sin.substring(j,j+2),16));
            } // for
        } // try
        catch (Exception ex) {
            print(" String2Hex " + ex.getMessage() );
        }
        return bout;
    }//_______________________
public static void print (String s) {  // one stop stop print
    System.out.print(s);
    }//_____________________

  static List<String> errs = Arrays.asList(  // there are lots more
              //"0x9000       SW_NO_ERROR",                       //  ,  //response status : No Error   ,
            "0x6100       SW_BYTES_REMAINING_00",             // ,
            "0x6700       SW_WRONG_LENGTH",                   // ,
            "0x6982       SW_SECURITY_STATUS_NOT_SATISFIED",  // ,  new 9171
            "0x6983       SW_FILE_INVALID",                   // ,
            "0x6984       SW_DATA_INVALID",                   // ,
            "0x6985       SW_CONDITIONS_NOT_SATISFIED",       // ,
            "0x6986       SW_COMMAND_NOT_ALLOWED",            //     ,//no current EF) = // 0x6986
            "0x6999       SW_APPLET_SELECT_FAILED",           // ,
            "0x6A80       SW_WRONG_DATA",                     // ,
            "0x6A81       SW_FUNC_NOT_SUPPORTED",             // ,
            "0x6A82       SW_FILE_NOT_FOUND",                 // ,
            "0x6A83       SW_RECORD_NOT_FOUND",               // ,
            "0x6A86       SW_INCORRECT_P1P2",                 //  ,// Incorrect parameters (P1,P2)
            "0x6B00       SW_WRONG_P1P2",                     // ,
            "0x6C00       SW_CORRECT_LENGTH_00",              //  ,//   Correct Expected Length (Le)
            "0x6D00       SW_INS_NOT_SUPPORTED",              //  ,//  INS value not supported
            "0x6E00       SW_CLA_NOT_SUPPORTED",              //  ,//  CLA value not supported  CLASS
            "0x6F00       SW_UNKNOWN",                        //  ,//  No precise diagnosis
            "0x6A84       SW_FILE_FULL",                     // //  Not enough memory space in the file
            "9172         TC cert fail new   "           // no trailing comma: Arrays.asList(...) is a method call, not an array initialiser
            );    

} //Classssssssssssssssssssssssssssssssss
_____________________________________________________________________

Some acronyms defined:
FICAM–Federal Identity, Credential, and Access Management
NSTIC–National Strategy for Trusted Identities in Cyberspace
NHIN–Nationwide Health Information Network
TWIC–Transportation Worker Identification Credential
smartcardalliance
_____________________________
Sad Java
How sad that Java failed to conquer the internet, and that Adobe rules

Shocking example of Java decrepitude:
Serial ports are not supported

It is possible to find an ancient (c) 1998 copy of javax.comm.

In typical Java fashion, installation is a bitch. Even after you have set the classpath (does Flash ever ask this?)
you see this:

Several serial port sample applications are provided with this release. One of them is BlackBox. To run BlackBox, first add BlackBox.jar to your classpath:

C:\>set CLASSPATH=c:\commapi\samples\Blackbox\BlackBox.jar;%CLASSPATH%

Now you can run BlackBox:
BUT YOU CANNOT

+java BlackBox
Exception in thread "main" java.lang.NoClassDefFoundError: javax/comm/CommPort
Caused by: java.lang.ClassNotFoundException: javax.comm.CommPort
        at java.net.URLClassLoader$1.run(Unknown Source)
        etc etc
So either we have to do some more absurd tinkering with classpath
OR the code does not in fact have a CommPort class
- the vast majority of the Human race has by now switched off....

I am stunned. Years ago, last time I used serial ports, they were a couple of lines in BASIC.
ps:
SerialPortDisplay[]  is not found in javax.comm so their very first Demo doesn't run OR compile...

15 September 2010

Snapper Feeder, SCARD_W_RESET_CARD, Driver annoyance,

Snapper Feeder (Wellington NZ) is still regarded as the smallest/cheapest USB reader,
highly regarded by hackers worldwide.
Now NZD$40. There are only 5000 left, they don't make them any more...
snapper
qwandor
youtube
________________________________________________________________

.. Nephsystem ...new 13.56 MHz contactless reader/writer, .. one of the smallest ..15 grams, the N330 also features wireless communication capabilities via Bluetooth, USB interface and is compatible with all the 13.56MHz protocols, including ISO 15693, I-code SLI, ISO 18000-3, ISO 14443A/B/C, Mifare, Ultralight, INSIDE PicoTag, Sony Felica, KSW VarioSens..

prlog
_________________________________________________________


Also, at 7 g in the SD slot:
prlog

NephSystem N360 SDIO interfaced 13.56MHz RFID reader/writer is a Plug&Play Secure-Digital RFID Reader/Writer that combines the contactless 13.56MHz High Frequency RFID technology with the Secure-Digital (SD slot)

_________________________________________________________
Irritants:
SCARD_W_RESET_CARD error message.
Some say this is a Windows bug.
Seems I have to trap this error and reconnect to the readers (wired, not CL)
every time this happens, which is often. Possibly NetBeans multiple tasks?
Trust this doesn't happen in the real world!

____________________________________
Windows & persistent annoying "Can't load Driver" messages:
These refer to the Card, not the Reader
Remedy:
run gpedit.msc

1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. In the console tree under Computer Configuration, click Administrative Templates.
3. In the details pane, double-click Windows Components, and then double-click Smart Card.
4. Right-click Turn on Smart Card Plug and Play service, and then click Edit.
5. Click Disabled, and then click OK.
________________________________

08 September 2010

Java Card bits, ePassporte

Java Cards, the wheel turns:
each generation of devices looks like an ancient form, ie restricted memory etc.
On our Java Card, we are packing data into bit arrays, NOT on byte boundaries,
ie bits into byte arrays:


    static long extractbits (int a, int b, byte[] bin) {   // a = start bit, b = last bit (zero based)
        // extract bits a..b from a byte array, right justified in the returned long
        // (a..b may span at most 8 bytes, since by2long() returns a long)
        int byta = a >> 3;          // 1st byte
        int bytb = b >> 3;          // last byte
        int bytz = bytb - byta + 1; // number of bytes
        byte[] block = new byte[bytz];
        System.arraycopy(bin, byta, block, 0, bytz);
        int p = 8 - (a & 7);        // # of bits in the mask for the 1st byte
        block[0] = (byte) (block[0] & ((1 << p) - 1));   // drop the bits above a
        return (by2long(block) >> (7 - (b & 7)));        // drop the bits below b
    }//_________________________________________________________________________

...........................

    static byte[] insertbits (int a, int b, long g, byte[] bin) {
        // insert bits from a long into a byte array, a = start bit, b = last bit, zero based
        // care: longtohex() gives 4 bytes, so we assume a..b spans 1..4 bytes, not 0..8
        byte[] bout = new byte[bin.length];
        int byta = a >> 3;          // 1st byte we are altering
        int bytb = b >> 3;          // last byte we are altering
        int bytz = bytb - byta + 1; // number of bytes we are working on
        System.arraycopy(bin, 0, bout, 0, bin.length);   // make a copy
        g = g << (7 - (b & 7));     // shift g left according to b
        byte[] b4 = longtohex(g);   // 4 bytes max.. maximum is FF FF FF FF ???
        // OR b4 onto bout... this assumes the target area of bout is zeros, else we need a prior AND with the inverted mask
        int k = 3;                  // OR bytes 3..2..1..0 ..actually only bytz of them
        byte bc;
        for (int j = bytb; j >= byta; j--) {
            bc = b4[k--];   // why is bc needed???
            bout[j] = (byte)(bout[j] | bc);
            // ie bout[j] = (byte)(bout[j] | b4[k--]); does NOT work
        }
        return bout;
     }//_________________________


    public static long by2long (byte[] b) {
        // java.lang.Byte wrapper provides longValue(), but this is simpler: big-endian, unsigned bytes
        long value = 0;
        for (byte byt : b)
            value = (value << 8) + (byt & 0xff);
        return value;
    }
//_________________________________________
    public static byte[] longtohex( long g) { // long to byte array, nb only 4 bytes
        // java long is 8 bytes, but our maths is 4 bytes only...
        byte[] bout = new byte[4];
        for (int j = 3; j >= 0; j--) {
            bout[j] = (byte)( g & 0x00000000000000FF);
            g = g >> 8;
        }
        return bout;
     }//___________________________________________

News:
ePassporte
From the department of un-reassuring reassurances:

"The ePassporte e-Wallet program continues to be up and running, except funds cannot be transferred between your Visa account and your e-Wallet," Mallick said.
ecommerce

Customers cannot shop online and pay with their virtual debit card. Nor can they transfer their funds on the card back to their wallets. The issue is not just US-wide, it is everywhere in the world. Any user in any country who has a Visa debit card from ePassporte cannot use it and at the moment it is just a piece of plastic.

31 August 2010

C-MAC java card GlobalPlatform Secure Channel

 How to make C-MAC,
 the weirdest part of secure channel / authentication with a Card

 written with  javax.smartcardio and the ERACOM provider


    byte[] makeC_MAC(byte[] toauth, byte[] Sess_C_MAC, byte[] iv) throws NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {

 //       toauth = command less the 8 bytes of MAC data AND WITHout Le
//       make the C_MAC, a "Retail MAC" (ISO 9797-1 algorithm 3):
//       single DES CBC under the first 8 key bytes over every block, then a triple DES final step
//       plain = apdu  without the C_MAC tail...  pad it
//       key = Sess_C_MAC
//       Lc is set to +8 to allow for cmac

//    iv is the previous C_MAC (zeros for the first command of the session)
//    both ciphers are ECB: the CBC chaining, and with it the iv, is the XOR done by hand below
            toauth = padm(toauth);  // pad the chopped message ie missing the 8 bytes where C-MAC will go (padm above: 80 then 00s to a block boundary)
            byte[] bkeya  = new byte[8];
            System.arraycopy(Sess_C_MAC, 0, bkeya, 0, 8);   // Sess_C_MAC I prepared earlier
            //   E(f8(Sess_C__MAC)) [f8 message]
            Cipher desCipher = Cipher.getInstance("DES/ECB/NoPadding", "ERACOM");  // eracom the classic from QUT
            SecretKey kca = makey8(bkeya);   // key factory stuff turns the 8 bytes into a single DES key
            desCipher.init(Cipher.ENCRYPT_MODE, kca);   // no IvParameterSpec: ECB takes no iv, init() with one is an error
            byte[] chain = iv.clone();       // chaining value starts at the previous C-MAC
            byte[] blk = new byte[8];
            int lastoff = toauth.length - 8; // offset of the last 8 byte block
            for (int off = 0; off < lastoff; off += 8) {
                for (short i = 0; i < 8; i++) {
                    blk[i] = (byte)(toauth[off + i] ^ chain[i]);   // xor the block with the chaining value
                }
                chain = desCipher.doFinal(blk);                    // and single DES encrypt it
            }
            //xor the chaining value with the last 8 bytes of "plain text"
            for (short i = 0; i < 8; i++) {
                chain[i] ^= toauth[lastoff + i];
            }        //       encrypt this 8 bytes using the final TripleDES: E(K1) D(K2) E(K1), ie DESede with K1 K2 K1
            Cipher enc = Cipher.getInstance("DESede/ECB/NoPadding", "ERACOM");
            SecretKey key3 = makey(Sess_C_MAC); // 16 bytes to 24  then keyfactory stuff
            //ERACOM  insists on a 24byte key so copy the first 8
            enc.init(Cipher.ENCRYPT_MODE, key3);  // ecb, no ivp here either
            byte[] C_MAC = enc.doFinal(chain);   //C_MAC, and the iv for the next command
            //print("\n makeCMAC C_MAC " + Hex2String(C_MAC));
            return C_MAC;
    } // makec_mac______________________________

nb: Currently, I can establish a secure channel, but I currently can't carry on the chain of C-MACs,
so something is wrong.


I'm confused about the iv chaining from the previous C-MAC, since both DES are ECB, so where does the iv go?  The first time it's zeros, so it doesn't matter?

I'm pleased I can authenticate, since you only get 10 failed attempts, then the card is Terminated with extreme prejudice   - I've terminated 3 or 4.
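The chaining question above, worked through in an added, self-contained example that is not the blog's code: it uses the standard JCE provider instead of ERACOM, computes the retail MAC over two successive commands with the ICV carried from one C-MAC to the next, and cross-checks the hand-rolled chaining against the provider's CBC mode. The session key and the two APDUs are constructed values.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

public class CmacChainDemo {

    // GP padding for the MAC input: always append 0x80, then zeros up to a multiple of 8
    static byte[] pad80(byte[] in) {
        byte[] out = Arrays.copyOf(in, ((in.length + 8) / 8) * 8);   // copyOf zero-fills the tail
        out[in.length] = (byte) 0x80;
        return out;
    }

    static SecretKeySpec des(byte[] key16, int from) {          // single DES key from 8 bytes of key16
        return new SecretKeySpec(Arrays.copyOfRange(key16, from, from + 8), "DES");
    }

    // Retail MAC (ISO 9797-1 algorithm 3) as SCP02 uses it for the C-MAC:
    // single DES CBC under K1 (first 8 key bytes) over every block, chained from icv,
    // then E(K1) D(K2) E(K1) on the last block, which is two-key triple DES with the
    // 16-byte key.  Both ciphers are ECB; the chaining is the XOR, and that XOR is
    // exactly where the previous C-MAC enters.
    static byte[] retailMac(byte[] key16, byte[] icv, byte[] msg) throws Exception {
        byte[] padded = pad80(msg);
        Cipher des1 = Cipher.getInstance("DES/ECB/NoPadding");
        des1.init(Cipher.ENCRYPT_MODE, des(key16, 0));
        byte[] chain = icv.clone();
        byte[] blk = new byte[8];
        for (int off = 0; off < padded.length; off += 8) {
            for (int i = 0; i < 8; i++) blk[i] = (byte) (padded[off + i] ^ chain[i]);
            if (off + 8 < padded.length) chain = des1.doFinal(blk);   // encrypt all but the last block
        }
        byte[] k24 = Arrays.copyOf(key16, 24);                        // K1 || K2 || K1
        System.arraycopy(key16, 0, k24, 16, 8);
        Cipher des3 = Cipher.getInstance("DESede/ECB/NoPadding");
        des3.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
        return des3.doFinal(blk);                                     // blk = last block XOR chain
    }

    // The textbook formulation, using the provider's CBC mode and then D(K2), E(K1) on
    // its last output block, to cross-check retailMac()
    static byte[] retailMacCbc(byte[] key16, byte[] icv, byte[] msg) throws Exception {
        Cipher cbc = Cipher.getInstance("DES/CBC/NoPadding");
        cbc.init(Cipher.ENCRYPT_MODE, des(key16, 0), new IvParameterSpec(icv));
        byte[] ct = cbc.doFinal(pad80(msg));
        byte[] cbcMac = Arrays.copyOfRange(ct, ct.length - 8, ct.length);
        Cipher dK2 = Cipher.getInstance("DES/ECB/NoPadding");
        dK2.init(Cipher.DECRYPT_MODE, des(key16, 8));
        Cipher eK1 = Cipher.getInstance("DES/ECB/NoPadding");
        eK1.init(Cipher.ENCRYPT_MODE, des(key16, 0));
        return eK1.doFinal(dK2.doFinal(cbcMac));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed session key and commands, not values from a real card.  The C-MAC
        // covers CLA (with the secure messaging bit) INS P1 P2 Lc(+8) and the data, no Le.
        byte[] sessCmac = unhex("404142434445464748494A4B4C4D4E4F");
        byte[] extAuth = unhex("8482010010" + "0011223344556677");   // EXTERNAL AUTHENTICATE + host cryptogram
        byte[] cmd2 = unhex("84B0000008");                             // a follow-up command with no data, Lc = 8

        byte[] icv0 = new byte[8];                                 // first command of the session: ICV = zeros
        byte[] mac1 = retailMac(sessCmac, icv0, extAuth);
        byte[] mac2 = retailMac(sessCmac, mac1, cmd2);             // chained: ICV = previous C-MAC
        byte[] mac2Unchained = retailMac(sessCmac, icv0, cmd2);    // what a sender that forgets to chain computes

        System.out.println("C-MAC 1         " + hex(mac1));
        System.out.println("C-MAC 2 chained " + hex(mac2));
        System.out.println("C-MAC 2 icv=0   " + hex(mac2Unchained) + "   (a card that chains rejects this one)");
        boolean ok = Arrays.equals(mac1, retailMacCbc(sessCmac, icv0, extAuth))
                  && Arrays.equals(mac2, retailMacCbc(sessCmac, mac1, cmd2));
        System.out.println("CBC cross-check " + ok);
    }
}
```

SCP02 cards configured with the ICV encryption option first single-DES encrypt the previous C-MAC under K1 before using it as the ICV; this example chains the raw C-MAC, so check which option the card's key set advertises before comparing values.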

R-MAC

Response Authentication R-MAC
We want the Card to add a MAC, ie sign a response

GPCardSpec_v2.2.pdf, the standard says


"At any time, the BEGIN R-MAC SESSION command may be issued to the card in order to initiate a R-MAC session. "
which looks good. We don't want to use GP secure channel for every-day use.


So I wrote some Java:

ReadOurFile xxxxxdataComesback9000    our proprietary read data command
init R_MAC 6E00 ...... SW_CLA_NOT_SUPPORTED
ReadOurFile xxxxxdataComesback9000    no R-MAC added
______________________________________________________


But Sun Forums say it isn't so:  old MAC is not back in town
____________________________________________________
From a Sun forum in 2007
http://forums.sun.com/thread.jspa?forumID=23&threadID=764277

I guess it is done with the BEGIN R-MAC SESSION command.

From GlobalPlatform 2.1.1 BEGIN R-MAC SESSION command specification:
P1 = 0x30 => Response Encryption and R-MAC (RFU)

Unfortunately this command is optional in GlobalPlatform and seems not to be supported by the JCOP cards.
.....
. Reasoning: JCOP does not support R-MAC.

Beware of commenting on an old thread; Sun Forums have people who look for that and call you a zombie
- sure the original guy won't answer, but Google brought me here, so it may bring others
_____________________________________________________
from 2009
http://forums.sun.com/thread.jspa?forumID=23&threadID=700765
http://forums.sun.com/thread.jspa?forumID=23&threadID=5375447
In addition, let me say that a lot of cards only implement VGP (visa GP) which is a subset of the real GP, but without support for the on card wrapping and DENC encryption. On these cards (when the SD aid is visa, ie A000000003 000000) only org.globalplatform.SecureChannel.unwrap() and org.globalplatform.SecureChannel.decryptData() is allowed. Absence of support for SecureChannel.wrap() means no support for R-MAC.
_____________________________________________________
GPShell response:

enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a0000000030000
Command --> 00A4040007A0000000030000
Wrapped command --> 00A4040007A0000000030000
Response <-- 6F65...... etc etc
send_apdu -sc 0 -APDU 847A1001
Command --> 847A1001
Wrapped command --> 847A1001
Response <-- 6985
send_APDU() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)


Looks like no card R-MAC, you gotta write it yourself for your CAP

30 August 2010

Yoban’tel

"Yoban’tel"


June 28, 2010  Societe Generale and Obopay..teaming to bring mobile payment services to banked and unbanked customers who have a mobile phone. ..today in Senegal .. Societe Generale de Banques au Senegal (SGBS).

"Yoban’tel" ... carrier-agnostic, mobile money transfer and bill payment  .. all of Senegal with a mobile phone.
...enroll for a mobile payment service and load or pick up cash at designated locations throughout Senegal. ..send money to anyone throughout the country, or to pay a bill.

..
Yoban’tel by Obopay, any Senegalese.. a mobile phone.. send money to recipients using a simple SMS transaction. ..
    * ..existing customers of the bank or new customers through a prepaid account (unbanked??)
    * Any mobile phone  ... a simple SMS message to send the transfer request, without having to change the phone’s SIM card or install an application on the phone
    * ...compatible with all  carriers;  ..carrier-agnostic and not limited to transfers within a single network
..Carol Realini, ..founded the company following volunteer work in Africa, ... US, India, Kenya and now Senegal..

Founded in 2005  banks.obopay.com  .. interoperable mobile payments service by transforming any mobile phone.. easy way to send and receive money.  ... Mobile Money for Banks offers bank-branded
obopay
WesternUnion's grotesque profits  may be doomed
____________________________________________________________
Some Banks in Mexico have raised the limit on Pre-Paid cards ($10,000?)
 ...  transfers from USA are now simplified...
___________________________________________________________
 select schools around Metro Manila, Smart Tag  Internet access for P15 per 30 minutes "much cheaper than the P100 per hour offers of other WiFi ".   ... five-day, unlimited WiFi access for only P150.

..700 hotspots .. Starbucks, Jollibee and Chowking.

..reloadable..valid for one year ... 11,000 students and staff of Smart Tag pilot schools have been given free pre-loaded Smart Tag cards worth P150, which they may consume for five days, 24/7. (expiration...)


“In Ateneo, the campus is too big for all of us to share the wireless broadband connection the school provides. We would rather go outside the campus ..

Julius Sareno, IT director of TUP Manila, said the product serves students well since it encourages students to stay within the campus (???)
technology.inquirer
____________________________________________________________
With myki more than three years late and at least $352 million over budget, the authority continues to spend taxpayer dollars on more expensive taxi trips despite the $1.35 billion "smartcard" system's shortcomings, Freedom of Information documents reveal.
Melbourne..

25 August 2010

Key Derivation ... CPG 2.04

Key Derivation ...  CPG 2.04  found?

Caution: nowhere in the EMV docs is 'CPG' or 'CDK' mentioned;
it remains to be seen how useful this is
(we are not EMV?)

From
emvco

CPS1.x

EMV_CPS_v1.1_20070720_20090125100741.pdf
....2.1.1 Issuer Master Keys and Data

EMV personalization ..the card issuer creates master keys

..  The master keys are used in two ways, firstly to support secure transmission of personalization data and secondly to create application-level data for personalization of an EMV application.

... a method of importing or exporting master keys to allow appropriate data sharing between processes will be required.
Prior to the personalization process the identifier of the personalization master key KMCID, key version number, KEYDATA and the corresponding relevant keys, must be placed onto the card. KMCID and key version number are used to access (???)  the issuer personalization master key (KMC) in order to derive the card unique static keys using diversification data (KEYDATA).

The 6 byte KMCID (e.g. IIN right justified and left padded with 1111b per quartet)(?????)

concatenated with the 4 byte CSN (least significant bytes) form the key diversification data that must be placed in tag ‘CF’. This same data must be used to form the response to the INITIALIZE UPDATE command.
....................

Table 1 Data Content for tag ‘CF’

Data Element   Description                  Length   Format
KEYDATA        Key derivation data:         10       binary
               - KMCID (6 bytes)
               - CSN (4 bytes)


 Table 13 INITIALIZE UPDATE Command Coding

 "8050 xx:00 08=cccccccccccccccc 00"

 cc.. = host challenge

 xx = 00..7f  see 3.2.5.3  Key Version Number  (use 00)


Table 14  Response to INITIALIZE UPDATE command

Field                                                    Length
KEYDATA (See Table 15)                                   10
Version number of the master key (KMC)                    1
Identifier for Secure Channel Protocol (ALGSCP = ‘02’)    1
Sequence Counter                                          2
Card challenge (R_CARD)                                   6
Card cryptogram                                           8
SW1 SW2                                                   2


Table 15  Initial Contents of KEYDATA

Field                                                             Length   Format
Identifier of the KMC (e.g. IIN right justified and left padded   6        BCD
  with 1111b per quartet) (???)  what is a quartet??? some kind of Eurotrash choir??
Chip Serial Number (CSN)                                          4        Binary

............................

 The first 6 bytes of KEYDATA returned from the INITIALIZE UPDATE command are used to identify (???) the master key for secure messaging (KMC).
The six least significant (??? they don't mean it) bytes of KEYDATA are used as key diversification data.  The personalization device must use the KMC and KEYDATA to generate the KENC, the KMAC and the KDEK for this IC card, as defined in section 4.1.  These keys must have been placed in the IC card prior to the start of the personalization process.

.........................................

4.1 ..Pre-Personalization


Prior to personalization the ICC must be enabled/activated, the basic EMV application loaded, and the file and data structure established. .....

..

4.1.1.2  Each application must be selectable by its AID.

4.1.1.3  If the File Control Information (FCI) for the application is not to be personalized, it must be created prior to personalization.

4.1.1.4  KEYDATA must be set as shown in Table 15.  KEYDATA is composed of KMCID and Chip Serial Number (CSN). KMCID is the identifier (???) of the master personalization key to be supplied by the card issuer or the personalizer.  The length of KMCID is 6 bytes. The CSN is rightmost 4 bytes (!!!  is rightmost most or least significant?? ) of the physical identifier of the card.

4.1.1.5  The version number of the personalization master key (KMC) used to generate the initial personalization keys (the KENC, the KMAC and the KDEK) for each application must be on the IC card.

4.1.1.6  A derived key (KENC) must be generated for each IC card and placed into the application.  This key is used to generate the card cryptogram and to verify the host cryptogram. This key is also used to decrypt the STORE DATA command data field in CBC mode if the security level of secure messaging requires the command data field to be encrypted.


The KENC is a 16 byte (112 bits plus parity) DES key.

The KENC will be derived in the following way: KENC := DES3(KMC)[Six least  significant bytes of the KEYDATA || ’F0’ || ‘01’ ]|| DES3(KMC)[ Six least  significant bytes of the KEYDATA || ‘0F’ || ‘01’].

4.1.1.7  A derived key (KMAC) must be generated for each IC card and placed into the card.  This key is used to verify the C-MAC for the EXTERNAL AUTHENTICATE command and also to verify the C-MAC for the STORE DATA command(s) if the security level of secure messaging requires a MAC of the command data. 


The KMAC is a 16 byte (112 bits plus parity) DES key


The KMAC will be derived in the following way: KMAC := DES3(KMC)[ Six least significant bytes of the KEYDATA  || ’F0’ || ‘02’ ]|| DES3(KMC)[ Six least significant bytes of the KEYDATA || ‘0F’ || ‘02’].


4.1.1.8  A derived key (KDEK) must be generated for each IC card and placed into the card.  This key is used to decrypt in ECB mode secret data received in the STORE DATA command. 

The KDEK is a 16 byte (112 bits plus parity) DES key. 

The KDEK will be derived in the following way: KDEK := DES3(KMC)[ Six least significant bytes of the KEYDATA || ’F0’ || ‘03’ ]|| DES3(KMC)[ Six least significant bytes of the KEYDATA || ‘0F’ || ‘03’].


4.1.1.9  For each Secure Channel key set the sequence counter to be returned in the response to the INITIALIZE UPDATE command must be initialized to’0000’.
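The section 4.1 derivation carried through in an added example that is not part of the post or of the CPS document, using the standard JCE provider: KEYDATA is built as Table 15 describes, then KENC, KMAC and KDEK are derived from a KMC. The KMC is the 40..4F test master key quoted from the forum further down, the IIN and CSN are constructed, and reading "six least significant bytes of the KEYDATA" as its last six bytes is an assumption.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Arrays;

public class CpsKeyDerivation {

    // DES3(KMC)[block]: two-key triple DES in ECB; the 16-byte KMC becomes K1 || K2 || K1
    static byte[] des3(byte[] kmc16, byte[] block8) throws Exception {
        byte[] k24 = Arrays.copyOf(kmc16, 24);
        System.arraycopy(kmc16, 0, k24, 16, 8);
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k24, "DESede"));
        return c.doFinal(block8);
    }

    // KEYDATA (Table 15): KMCID = the IIN digits as BCD, right justified in 6 bytes and left
    // padded with 1111b per quartet (a quartet being a 4-bit nibble, so every pad nibble is F),
    // followed by the 4-byte CSN
    static byte[] keydata(String iinDigits, byte[] csn4) {
        if (iinDigits.length() > 12 || csn4.length != 4) throw new IllegalArgumentException("bad KEYDATA input");
        String kmcid = "FFFFFFFFFFFF".substring(iinDigits.length()) + iinDigits;
        byte[] kd = new byte[10];
        for (int i = 0; i < 6; i++) kd[i] = (byte) Integer.parseInt(kmcid.substring(2 * i, 2 * i + 2), 16);
        System.arraycopy(csn4, 0, kd, 6, 4);
        return kd;
    }

    // Sections 4.1.1.6 to 4.1.1.8:
    //   K := DES3(KMC)[ KEYDATA6 || 'F0' || type ] || DES3(KMC)[ KEYDATA6 || '0F' || type ]
    // type 01 = KENC, 02 = KMAC, 03 = KDEK.  KEYDATA6, the "six least significant bytes of
    // the KEYDATA", is taken here as the LAST six of the ten bytes (assumption): the low two
    // bytes of KMCID followed by the CSN
    static byte[] derive(byte[] kmc, byte[] keydata10, int type) throws Exception {
        byte[] kd6 = Arrays.copyOfRange(keydata10, 4, 10);
        byte[] left = Arrays.copyOf(kd6, 8);   left[6] = (byte) 0xF0;  left[7] = (byte) type;
        byte[] right = Arrays.copyOf(kd6, 8);  right[6] = (byte) 0x0F;  right[7] = (byte) type;
        byte[] key = new byte[16];
        System.arraycopy(des3(kmc, left), 0, key, 0, 8);
        System.arraycopy(des3(kmc, right), 0, key, 8, 8);
        return key;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // KMC 40..4F is the test master key mentioned in the forum post; IIN and CSN are constructed
        byte[] kmc = new byte[16];
        for (int i = 0; i < 16; i++) kmc[i] = (byte) (0x40 + i);
        byte[] csn = {(byte) 0x00, (byte) 0x12, (byte) 0x34, (byte) 0x56};
        byte[] kd = keydata("123456", csn);

        System.out.println("KEYDATA " + hex(kd));                  // FFFFFF123456 then 00123456
        String[] names = {"KENC", "KMAC", "KDEK"};
        for (int type = 1; type <= 3; type++)
            System.out.println(names[type - 1] + "    " + hex(derive(kmc, kd, type)));

        // the same KMC with the next CSN gives a different card key set: that is the point of diversification
        byte[] kd2 = keydata("123456", new byte[] {0x00, 0x12, 0x34, 0x57});
        System.out.println("KENC of the next card differs: " + !Arrays.equals(derive(kmc, kd, 1), derive(kmc, kd2, 1)));
    }
}
```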

________________________________________

So we can 'identify' the master key KMC

we have 'the identifier (???) of the master personalization key'

but what the hell IS the KMC???

I suppose expensive English Public school or Ecole Normale education is a pre-requisite to write bad specifications like the above......

The field of cryptography is stuffed with types of people who are incapable of clear thought or description. They get away with it because they appear to be guarding secrets.

A culture of 'Security through Obscurity' impedes the progress of useful industries, and has a negative impact on security.

___________________________________

From:

pre-zombie sun forum thread:

forums.sun.com

...

"The tool is "Jload2 advanced", I just choose a so-called key file named "GD_V_CDK (CPG 2.04).key", it defines a Master key (40:41:..:4F), the key set (0) and the key derivation method namely CDK04.

I could not find any information regarding CPG 2.04, neither for key derivation method CDK04.

(spec name is EMV CPS 1.x). As Dan said, the static keys KMAC,KENC and KDEC are derived and there's a section in this spec that describes the derivation.

...Whoaaa... Yes, it does work, the answer lies in Section 4.1 of the CPS 1.1 document

__________________________________