如何检查 INITIALIZE UPDATE 和 EXTERNAL AUTHENTICATE 的正确性？

Question

我通过 opensc-tool将80 50 00 00 08 00 00 00 00 00 00 00 00[ INITILIZE UPDATE Command] 发送到我的 java 卡，并从卡接收00 00 11 60 01 00 8A 79 0A F9 FF 02 00 11 79 11 36 5D 71 00 A5 A5 EC 63 BB DC 05 CC[ Init Response ] 作为其响应。

正如你看到的：

在命令中，我00 00 00 00 00 00 00 00作为Host Challenge发送，并在响应中：

00 00 11 60 01 00 8A 79 0A F9=关键多元化数据

FF 02=关键信息

00 11 79 11 36 5D 71 00=卡片挑战

A5 A5 EC 63 BB DC 05 CC=卡密码

现在我想检查自己，卡密码是否正常。我该怎么做？例如，我00 00 00 00 00 00 00 00在该站点中使用 3DES 加密算法 [使用我的卡的密钥 = 4041...4F] 进行加密，但输出与我上面写的卡密码不同。为什么？

下一个问题是，如果我想向卡发送EXTERNAL AUTHENTICATION命令，它的数据字段是什么（在上述 INITILIZE UPDATE 之后）？

更新：

这是 GPJ 输出：

C:\Users\ghasemi\Desktop\gpj-20120310>GPJ
C:\Users\ghasemi\Desktop\gpj-20120310>java -jar gpj.jar
Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0
ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00
.
.
.
DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 7F 41 A9 E7 19 37 83 FA
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 1B 9B 95 B9 5E 5E BC BA 51 34 84 D9 C1 B9 6E 90 00
DEBUG: Command  APDU: 84 82 00 00 10 13 3B 4E C5 2C 9E D8 24 50 71 83 3A 78 AE 75 23
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 13 3B 4E C5 2C 9E D8 24
DEBUG: Response APDU: 90 00

C:\Users\ghasemi\Desktop\gpj-20120310>

所以 ：

Host_Challenge :: 7F41A9E7193783FA

Diversification_Data :: 0000116001008A790AF9

Key_Information :: FF02

Sequence_Counter :: 001B

Card_Challenge :: 9B95B95E5EBC

Card_Cryptogram :: BA513484D9C1B96E

Host_Cryptogram[16,24] = 13 3B 4E C5 2C 9E D8 24

现在，让我们手动制作我们的 Host_Cryptogram ：

Derivation_data=derivation_const_ENC|sequence_counter|0000 0000 0000 0000 0000 0000

Derivation_Data = 0182001B000000000000000000000000

k_ENC :: 404142434445464748494A4B4C4D4E4F

IV = 00 00 00 00 00 00 00 00

S_ENC = encrypt(TDES_CBC, K_ENC, IV, derivation_data)

所以 ：

我使用了http://tripledes.online-domain-tools.com/并且其上述值的输出是：

S_ENC = 448b0a5967ca246d058703ff0c694f15

和 ：

Padding_DES = 80 00 00 00 00 00 00 00
Host_auth_data = sequence_counter | card_challenge | host_challenge | padding_DES
IV = Card_Cryptogram :: BA513484D9C1B96E
host_cryptogram = encrypt(TDES_CBC, S_ENC, IV, host_auth_data)

所以 ：

Host_Authentication_Data : 001B9B95B95E5EBC7F41A9E7193783FA8000000000000000

同样，我使用了http://tripledes.online-domain-tools.com/

和 ：

Host_Cryptogram : 3587b531db71ac52392493c08cff189ce7b9061029c63b62

所以 ：

Host_Cryptogram[16,24] = e7b9061029c63b62

为什么这两种方式[手动和GPJ输出]给我们两个主机密码？

Answer 1

From the INITIALIZE UPDATE command you send, you get

host_challenge = 00 00 00 00 00 00 00 00

In response to the INITIALIZE UPDATE command, you get

diversification_data = 00 00 11 60 01 00 8A 79 0A F9
key_information = FF 02
sequence_counter = 00 11
card_challenge = 79 11 36 5D 71 00
card_cryptogram = A5 A5 EC 63 BB DC 05 CC

The key information indicates SCP02 (02). The key diversification data may be used to derive the card-specific K_ENC. Lets assume we have a K_ENC like this

K_ENC = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

We can then derive the session encryption key like this

derivation_const_ENC = 01 82
derivation_data = derivation_const_ENC | sequence_counter |  00 00 00 00 00 00 00 00 00 00 00 00

IV = 00 00 00 00 00 00 00 00
S_ENC = encrypt(TDES_CBC, K_ENC, IV, derivation_data)

Next, we can assemble the authentication data used to calculate the host cryptogram:

padding_DES = 80 00 00 00 00 00 00 00
host_auth_data = sequence_counter | card_challenge | host_challenge | padding_DES

Then we can use the session encryption key to encrypt the authentication data:

IV = 00 00 00 00 00 00 00 00
host_cryptogram = encrypt(TDES_CBC, S_ENC, IV, host_auth_data)

The last 8 bytes of the encrypted authentication data are the actual host cryptogram that we would send to the card:

EXTERNAL_AUTHENTICATE_data = host_cryptogram[16, 24]

Now we can assemble the EXTERNAL AUTHENTICATE command:

EXTERNAL_AUTHENTICATE = 84 82 03 00 08 | EXTERNAL_AUTHENTICATE_data

We can then calculate the S_MAC key (analoguous to getting the S_ENC above) and the MAC over that command and append it to the command data to get the full EXTERNAL AUTHENTICATE command that can be sent to the card:

EXTERNAL_AUTHENTICATE = 84 82 03 00 10 | EXTERNAL_AUTHENTICATE_data | MAC

Update

Using http://tripledes.online-domain-tools.com/ to reproduce the results of GPJ

你的 K_ENC 是404142434445464748494A4B4C4D4E4F。在线工具无法正确支持 2-key-3DES，因此您必须先将密钥转换为 3-key 形式：

K_ENC = 404142434445464748494A4B4C4D4E4F4041424344454647

使用此密钥和零 IV 来加密派生数据 ( 0182001B000000000000000000000000)。你得到

S_ENC = fb063cc2e17b979b10e22f82110234b4

在 3 键符号中，这是

S_ENC = fb063cc2e17b979b10e22f82110234b4fb063cc2e17b979b

使用此密钥和零 IV 来加密主机身份验证数据 ( 001b9b95b95e5ebc7f41a9e7193783fa8000000000000000)：

HOST_CRYPTOGRAM = 773e790c91acce3167d99f92c60e2afd133b4ec52c9ed824