31 August 2010

R-MAC

Response authentication (R-MAC)
We want the card to add a MAC to a response, i.e. sign it.

GPCardSpec_v2.2.pdf, the standard, says:

"At any time, the BEGIN R-MAC SESSION command may be issued to the card in order to initiate a R-MAC session. "
which looks good. We don't want to use the full GP secure channel for everyday use, just the response MAC.


So I wrote some Java. The exchange went:

ReadOurFile -> xxxxx data comes back, 9000    (our proprietary read-data command)
BEGIN R-MAC SESSION -> 6E00 ...... SW_CLA_NOT_SUPPORTED
ReadOurFile -> xxxxx data comes back, 9000    no R-MAC added
______________________________________________________


But the Sun forums say it isn't so: old MAC is not back in town.
____________________________________________________
From a Sun forum in 2007:
http://forums.sun.com/thread.jspa?forumID=23&threadID=764277

I guess it is done with the BEGIN R-MAC SESSION command.

From GlobalPlatform 2.1.1 BEGIN R-MAC SESSION command specification:
P1 = 0x30 => Response Encryption and R-MAC (RFU)

Unfortunately this command is optional in GlobalPlatform and seems not to be supported by the JCOP cards.
.....
Reasoning: JCOP does not support R-MAC.

Beware of commenting on an old thread: the Sun forums have people who look for that and call you a zombie.
Sure, the original guy won't answer, but Google brought me here, so it may bring others.
_____________________________________________________
From 2009:
http://forums.sun.com/thread.jspa?forumID=23&threadID=700765
http://forums.sun.com/thread.jspa?forumID=23&threadID=5375447
In addition, let me say that a lot of cards only implement VGP (Visa GP), which is a subset of the real GP, but without support for the on-card wrapping and DENC encryption. On these cards (when the SD AID is Visa, i.e. A000000003 000000) only org.globalplatform.SecureChannel.unwrap() and org.globalplatform.SecureChannel.decryptData() are allowed. Absence of support for SecureChannel.wrap() means no support for R-MAC.
_____________________________________________________
GPShell response:

enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a0000000030000
Command --> 00A4040007A0000000030000
Wrapped command --> 00A4040007A0000000030000
Response <-- 6F65...... etc etc
send_apdu -sc 0 -APDU 847A1001
Command --> 847A1001
Wrapped command --> 847A1001
Response <-- 6985
send_APDU() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)


Looks like no card R-MAC: you gotta write it yourself in your CAP.
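To make the verdict above repeatable, here is an added example (mine, not from the page or from GPShell) that reads a GPShell trace, pairs each wrapped command with its response, picks out every BEGIN R-MAC SESSION attempt (INS 7A) and classifies the status word. The trace strings are constructed to mirror the exchange on this page (CLA 84, P1 10 = R-MAC only, P2 01, answered with 6985); the 6E00 and 6D00 meanings and the 0x30 "RFU" P1 decoding are taken from the text above, and the helper names are my own.

```python
import re

# Status words this page shows (6985, 6E00) plus 9000/6D00 for completeness.
SW_MEANING = {
    "9000": "OK: card opened the R-MAC session",
    "6985": "Conditions of use not satisfied: card refuses to open an R-MAC session",
    "6E00": "CLA not supported: card does not accept the secure-messaging class byte",
    "6D00": "INS not supported: BEGIN R-MAC SESSION (INS 7A) not implemented",
}

# P1 coding of BEGIN R-MAC SESSION as far as this page states it:
# 0x10 is what the trace sends, 0x30 is the RFU value the forum post quotes.
P1_MEANING = {0x10: "R-MAC only", 0x30: "R-MAC and response encryption (RFU)"}

INS_BEGIN_RMAC = 0x7A

CMD_RE = re.compile(r"^Wrapped command --> ([0-9A-Fa-f]+)")
RSP_RE = re.compile(r"^Response <-- ([0-9A-Fa-f]+)")


def parse_trace(text):
    """Pair each 'Wrapped command' line with the next 'Response' line."""
    pairs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            pending = bytes.fromhex(m.group(1))
            continue
        m = RSP_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, bytes.fromhex(m.group(1))))
            pending = None
    return pairs


def check_rmac(pairs):
    """Describe every BEGIN R-MAC SESSION attempt found in the trace."""
    findings = []
    for cmd, rsp in pairs:
        if len(cmd) < 4 or cmd[1] != INS_BEGIN_RMAC or len(rsp) < 2:
            continue
        sw = rsp[-2:].hex().upper()          # SW1 SW2 are the last two bytes
        findings.append({
            "cla": cmd[0],
            "p1": P1_MEANING.get(cmd[2], f"unknown P1 {cmd[2]:02X}"),
            "p2": cmd[3],
            "sw": sw,
            "supported": sw == "9000",
            "meaning": SW_MEANING.get(sw, f"unexpected status word {sw}"),
        })
    return findings


def verdict(text):
    """One-line conclusion for a whole trace."""
    findings = check_rmac(parse_trace(text))
    if not findings:
        return "no BEGIN R-MAC SESSION attempt in trace"
    if all(f["supported"] for f in findings):
        return "card R-MAC available"
    return "no card R-MAC: " + "; ".join(
        f["meaning"] for f in findings if not f["supported"])


# Constructed trace in GPShell's format, mirroring the exchange on this page.
TRACE_JCOP = """\
select -AID a0000000030000
Command --> 00A4040007A0000000030000
Wrapped command --> 00A4040007A0000000030000
Response <-- 6F088406A000000003009000
send_apdu -sc 0 -APDU 847A1001
Command --> 847A1001
Wrapped command --> 847A1001
Response <-- 6985
send_APDU() returns 0x80206985 (6985: Command not allowed - Conditions of use not satisfied.)
"""

# Constructed trace for a card that does open the session.
TRACE_OK = """\
Wrapped command --> 847A1001
Response <-- 9000
"""

if __name__ == "__main__":
    for name, trace in (("JCOP", TRACE_JCOP), ("other card", TRACE_OK)):
        print(name, "->", verdict(trace))
```

Paste the GPShell output (with enable_trace on) into the trace string and the script tells you whether BEGIN R-MAC SESSION was accepted. Since the spec quoted above says the command may be issued at any time, a 6985 straight after selecting the security domain is strong evidence the card does not offer R-MAC, which is what the trace on this page shows.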
