21 September 2011

JCOP Change Keys

JCOP Key Version & Key Change
GPSpec 2.2


Key Change sometimes (occasionally) works
[Security Domain Secure Channel Keys: S-ENC, S-MAC, DEK]

- I did a keyChange with oldVersion 1, newVersion 2,
   then a keyChange with oldVersion 2, newVersion 3
   (it is not stated that versions must be consecutive).
Now I can't change any more ...

Notes:
Initialize Update (initialize a Secure Channel Session) is currently done with hardcoded
p1 = 0 .... "Key Version within the Security Domain to be used to initiate the Secure Channel Session. If this value is zero, the first available key chosen by the Security Domain will be used."
p2 = 0 .... Key Identifier .. with the Key Version .. "unique reference to the set of keys to be used to initiate the Secure Channel Session."

So a regularisation of usage here seems required.
............................................
ChangeKey [PUT KEY]
has p1 = current key set = version ("identifies keys already on card")
and Data[0] = new key set
........................................

Getting the KeySet version:
The response to Initialize Update has the Key Version Number as byte [11].
I understand the relation between Initialize Update p1 and response ??
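The following added example, which is not the author's code, splits the 28-byte SCP02 INITIALIZE UPDATE response into its GlobalPlatform fields (the Key Version Number is at 0-based offset 10, i.e. the 11th byte) and uses that version as P1 of INITIALIZE UPDATE and of PUT KEY. The class and method names, the sample response and the 0x43 data length are assumptions, and Java 17 is assumed for HexFormat.

```java
import java.util.Arrays;
import java.util.HexFormat;

/** Added example: SCP02 INITIALIZE UPDATE response fields and the PUT KEY header built from them. */
public class KeyVersionDemo {

    /** The 28-byte SCP02 INITIALIZE UPDATE response, split into its fields. */
    record InitUpdateResponse(byte[] diversificationData, int keyVersion, int scpId,
                              byte[] sequenceCounter, byte[] cardChallenge, byte[] cardCryptogram) {
        static InitUpdateResponse parse(byte[] r) {
            if (r == null || r.length != 28)
                throw new IllegalArgumentException("expected 28 bytes of response data");
            return new InitUpdateResponse(
                    Arrays.copyOfRange(r, 0, 10),   // key diversification data
                    r[10] & 0xFF,                   // key version number (the 11th byte)
                    r[11] & 0xFF,                   // secure channel protocol identifier
                    Arrays.copyOfRange(r, 12, 14),  // sequence counter
                    Arrays.copyOfRange(r, 14, 20),  // card challenge
                    Arrays.copyOfRange(r, 20, 28)); // card cryptogram
        }
    }

    /** INITIALIZE UPDATE with an explicit key version (P1) and key identifier (P2). */
    static byte[] initUpdateApdu(int keyVersion, int keyId, byte[] hostChallenge) {
        byte[] apdu = {(byte) 0x80, 0x50, (byte) keyVersion, (byte) keyId, 0x08, 0, 0, 0, 0, 0, 0, 0, 0};
        System.arraycopy(hostChallenge, 0, apdu, 5, 8);
        return apdu;
    }

    /** PUT KEY header plus Data[0], before secure messaging; the key data fields would follow. */
    static byte[] putKeyPrefix(int versionOnCard, int newVersion, int dataFieldLength) {
        // P1 = version of the key set already on the card; P2 = 0x81: key identifier 1, multiple keys
        return new byte[] {(byte) 0x80, (byte) 0xD8, (byte) versionOnCard, (byte) 0x81,
                           (byte) dataFieldLength, (byte) newVersion};
    }

    public static void main(String[] args) {
        HexFormat hex = HexFormat.ofDelimiter(" ").withUpperCase();
        // Constructed response, not captured from a real card.
        byte[] resp = HexFormat.of().parseHex(
                "00001122334455667788" + "0202" + "0005" + "A1A2A3A4A5A6" + "B1B2B3B4B5B6B7B8");
        InitUpdateResponse r = InitUpdateResponse.parse(resp);
        System.out.printf("key version on card = %02X, SCP = %02X%n", r.keyVersion(), r.scpId());
        System.out.println(hex.formatHex(initUpdateApdu(r.keyVersion(), 0, new byte[8])));
        // 0x43 = 1 + 3 * 22: new version byte plus three 16-byte DES keys with check values
        System.out.println(hex.formatHex(putKeyPrefix(r.keyVersion(), r.keyVersion() + 1, 0x43)));
    }
}
```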

........................................

Get Data
There is a variant of getData (note the E0 tag indicating Key data)
APDU = FF CA 00 E0 00     but note CLA FF is NOT defined
 - I forget where I learned to use FF as CLA byte....


This class is also used in:
final String sread_uid =    "FFCA 00-00 00";
I forget where I got these FF??


example
Select App 01090000010303000401 selected     keyData 2DB3BB28
   - what means Version B3 ???

try select Card Manager:

after select CardManager: CM selected        keyData 2D B3 BB 28

So I try changeKey oldVersion B3, newVersion B4: WORKED!!
Then B4 -> B5: it did not work !!  0x6A80       SW_WRONG_DATA

So Occasionally PUT KEY works ... I wish I knew the rules.
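GlobalPlatform defines the data behind tag E0 as the Key Information Template: a list of C0 entries, each naming a key identifier, key version, key type and key length. The added example below (not the author's code) decodes that template; it assumes the GlobalPlatform form of the command with CLA 80, short-form lengths, Java 17, and a constructed sample response.

```java
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;

/** Added example: decode the GlobalPlatform Key Information Template (tag E0). */
public class KeyInfoDemo {

    record KeyInfo(int keyId, int keyVersion, int keyType, int keyLength) {}

    // GlobalPlatform GET DATA for tag 00E0 (CLA 80 rather than the FF used above)
    static final byte[] GET_KEY_INFO = HexFormat.of().parseHex("80CA00E000");

    static List<KeyInfo> parse(byte[] data) {
        if (data.length < 2 || (data[0] & 0xFF) != 0xE0 || (data[1] & 0xFF) != data.length - 2)
            throw new IllegalArgumentException("not a short-form E0 template");
        List<KeyInfo> keys = new ArrayList<>();
        int pos = 2;
        while (pos < data.length) {
            if (pos + 2 > data.length || (data[pos] & 0xFF) != 0xC0)
                throw new IllegalArgumentException("expected tag C0 at offset " + pos);
            int len = data[pos + 1] & 0xFF;
            if (len < 4 || pos + 2 + len > data.length)
                throw new IllegalArgumentException("truncated C0 entry at offset " + pos);
            // basic format: key identifier, key version, key type, key length
            keys.add(new KeyInfo(data[pos + 2] & 0xFF, data[pos + 3] & 0xFF,
                                 data[pos + 4] & 0xFF, data[pos + 5] & 0xFF));
            pos += 2 + len;
        }
        return keys;
    }

    public static void main(String[] args) {
        // Constructed template: one key set, version 02, three 16-byte DES keys (type 80)
        byte[] sample = HexFormat.of().parseHex(
                "E012" + "C00401028010" + "C00402028010" + "C00403028010");
        for (KeyInfo k : parse(sample))
            System.out.printf("key id %02X  version %02X  type %02X  length %d%n",
                    k.keyId(), k.keyVersion(), k.keyType(), k.keyLength());
    }
}
```

The key version printed here is the value PUT KEY expects in P1 when replacing that key set.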





20 September 2011

JCOP Card Init Update, Opal

JCOP card example
Init Update is used in authenticate and deriveKeys.

deriveKeys is slightly secret - the jcManager code, on which this is based, omits the derive routine.
So it's nowhere on the internets.

The derivation routine was passed to us in a silly kind of hush-hush way - we got sent a jpg of a torn page of the specs ...
(derived means that each card modifies the master keys using some unique cardID).

It's not actually secret, nor covered by NDA, so offer me a job and I'll bring it.



    // requires: import java.security.SecureRandom;

    static String CMAID = "A000000003000000";  //  Card Manager

    public static byte[] initUpdate()  //  uses globals CMAID, Cardch, hostChallenge
    {
        // print("\n Select Card Manager " + CMAID);
        byte[] selectAPDU = Uti.asHex("00 A4 04 00 08 A0 00 00 00 03 00 00 00 ");  //  Le 00 not present
        // put CMAID into Select:   if CMAID never changes these 2 lines are redundant:
        byte[] issuerDomain = Uti.asHex(CMAID);
        System.arraycopy(issuerDomain, 0, selectAPDU, 5, 8);
        ResponseAPDU respa = Terminal.sendAPDU(selectAPDU, Cardch);  // CardChannel
        if (respa.getSW() != 0x9000)
        {
            print("     SW " + Uti.serrcode(respa.getSW()));  // translate error code
            return null;
        }
        /**
        // print("\n Select Card Manager APDU response (Horrid ASN.1) " + Uti.asString(respa.getData()));
        '6F' File Control Information (FCI template) Mandatory
        '84' Application / file AID Mandatory
        'A5' Proprietary data Mandatory
        '73' Security Domain Management Data (see Appendix F for detailed coding) Optional
        '9F6E' Application production life cycle data Optional
        '9F65' Maximum length of data field in command message Mandatory
        **/

        // The host challenge must be unpredictable, so use SecureRandom, not java.util.Random
        hostChallenge = new byte[8];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(hostChallenge);

        // INITIALIZE UPDATE: p1 = 0 (key version), p2 = 0 (key identifier), 8-byte host challenge
        byte[] initUpdateAPDU = Uti.asHex("8050 0000 08 00000000  00000000 ");
        System.arraycopy(hostChallenge, 0, initUpdateAPDU, 5, 8);
        respa = Terminal.sendAPDU(initUpdateAPDU, Cardch);
        if (respa.getSW() == 0x6982)  //  SW_SECURITY_STATUS_NOT_SATISFIED
        {
            print("  SW_SECURITY_STATUS_NOT_SATISFIED ");
            print("  Keys incorrect?, not derived? Derived when they oughtnt be?");
            return null;
        }
        else if (respa.getSW() != 0x9000)
        {
            print("     SW " + Uti.serrcode(respa.getSW()));
            return null;
        }
        return respa.getData(); // 28 bytes
    }


______________________________
Sydney Oyster/Opal 2014 $1B
Sydney's version of a universal public transport card .. will be called Opal...
The card will first be introduced on Sydney Ferries by December next year, she said.
.. following year it will be trains, the following year after that it will be buses " ..
She said the system had been bought from and would be operated by the people behind London's Oyster card, and would cost just over $1 billion. NSW Transport Minister Gladys Berejiklian says.
September 13, 2011 AP
smh
________________________________________________________

11 September 2011

Smart Card "No Driver Found" - continued

OK I did the MSoft RegEdit thing:

To stop dumb-arse "no Driver.." message

For x64-bit systems, identical changes must be made under the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards
    ATR=Hexadecimal      DWORD: 3B,8A,80,01,4A,43,4F,50,34,31,56,32,33,32,7D     (actually a REG_EXPAND_SZ)
    ATRMask= Hexadecimal DWORD: ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,00,00 (actually a REG_EXPAND_SZ)
    Crypto Provider=String value: "FRED Dummy Provider"                        (actually REG_SZ)


This mask supposedly will recognise JCOP41 and JCOP31.
The message seems to have stopped, but you never know.
Now I get a NFC read with OMNIKEY 5321 v2 using "HID" - Omnikey Diagnostic tool 2.4.0.5

I had another Omnikey at home and couldn't get it to work (NFC only), so I don't know if all the drivers I downloaded will work with it or not.

I recommend sticking with the dual (Contact/NFC)  5321

I also recommend not settling for Windows "Home"

Smart Card "No Driver Found", QR fun

Smart Card "No Driver Found" - revisited - You can just ignore this message every time you read a card
OR the fix is: run
gpedit.msc
1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
2. In the console tree under Computer Configuration, click Administrative Templates.
3. In the details pane, double-click Windows Components, and then double-click Smart Card.
4. Right-click Turn on Smart Card Plug and Play service, and then click Edit.
5. Click Disabled, and then click OK.

 BUT Windows 7 Home Premium does NOT have gpedit (my New Laptop is W7HP)
 I looked for an install, but got a couple of dodgy looking sites that did NOT install gpedit.msc
I guess for now I'll just have to live with the annoying message

 These sites did NOT work: (remove the zzz if you really like dodgy web sites) icpezzzp thecustomizewzzzindows




This also does NOT work in Windows 7 Home Premium:
1. Run MMC.exe
2. Add Group Policy snap-in
3. Open Local Computer Policy\Computer Configuration\Windows Settings\Administrative Templates\Windows Components\Smart Card
4. Disable Turn On Smart Card Plug And Play Services.


[im gonna hafta revert to old blog format... the new editor doesnt recognise linebreaks .. how braindead!]


Cheap NFC on the way nfctimes

06 September 2011

Java to CAP to Card

JCOP 


Java to CAP
Compiling the java:
We use JCOP41 cards, so we need old-style JavaCard, i.e. 2.2.1, and javaCompiler 1.3.

Eclipse uses 2.2.2+ so can't be used for the final compile.
I suspect Netbeans might be persuaded to do the decent thing.

You don't have to dig up java 1.3; use java 1.6 with -target 1.1 -source 1.3

 here is the compile batch file
 ...........................................................

copy "C:\Users\Chris Skinner\Documents\NetBeansProjects\Shamu\src\sham\Shamu.java" \card\src\sham

set JC_HOME=C:\card\java_card_kit-2_2_1

:: CARE set JAVA_HOME does NOT change javac version
set JAVA_HOME="C:\Program Files\Java\jre1.5.0_05"
:: the above line is pointless?? or does it give us api.jar??

set PATH=.;%JC_HOME%\bin;%JAVA_HOME%\bin;%PATH%

cd \card\src\sham
del *.class

::C:\card\jsdk13\bin\javac -g -classpath ".;%JC_HOME%\lib\api.jar" Shamu.java  NOT NOW NEEDED
javac -target 1.1 -source 1.3 -g -classpath ".;%JC_HOME%\lib\api.jar" Shamu.java

pause

set _CLASSES=C:\card\java_card_kit-2_2_1\lib\apduio.jar;C:\card\java_card_kit-2_2_1\lib\api.jar;C:\card\java_card_kit-2_2_1\lib\capdump.jar;C:\card\java_card_kit-2_2_1\lib\converter.jar;C:\card\java_card_kit-2_2_1\lib\offcardverifier.jar;

cd \card\src\

java -classpath "%_CLASSES%" com.sun.javacard.converter.Converter -config Shamu.opt


 ...........................................................

 You cant just say "converter",
 I jumped through all the classpath hoops as above

 shamu.opt is a configuration file viz:
 ......................................................
 -out EXP JCA CAP
 -exportpath sham\exp 
 -applet 0x1:0x9:0x0:0x0:0x1:0x3:0x1:0x0:0x4:0x1 sham.Shamu sham 0x1:0x9:0x0:0x0:0x1:0x3:0x1:0x0:0x4 1.0

 ......................................................

 It is suggested that the package name should have at least 2 layers... i.e. I could use a few more...

 We dont ever use the EXP and JCA output?

__________________________________________________________________

CAP to Card

I have used jcManager source to write a CAPLoader

CAPLoader loads CAP produced by this method (onto JCOP41 cards).

It doesn't load many sample CAPs that float down through the Internet.
I guess they're mostly 2.2.2+

CAPLoader does use SCP02 (Secure Channel Protocol 02) so we are not entirely back in the dark ages. 

Oddly, It authenticates to old JCOP31 cards, so they can evidently use SCP02