I am trying to generate AC manually, I have a tool to generate AC but I want to generate it by my own to understand the algorithm for the same.
My calculation is fine for Discover card but it is failing for MasterCard. As per my understanding, data used to generate AC is depend on Tag 8C - CDOL1 which we provide to card with Gen AC command + AIP + ATC.
AIP and ATC - accessed internally by ICC.
Data used to generate AC is:-
data part of Gen AC command + value of tag 82 + value of tag 9f36 + 80 + optional 00 to make it multiple of 8.
this is my logic ,it might be I am using wrong data to calculate A.C that's why getting different result from my test tool.
Terminal Supplied Data
Amount, Authorised - 000000000201
Amount, Other - 000000000000
Terminal Country Code - 0826 - United Kingdom
Terminal Verification Results - 00 00 00 00 00
Transaction Currency Code - 0826 - Pound Sterling
Transaction Date - 15 04 28
Transaction Type - 00 - Goods and Services
Unpredictable Number - 30 90 1B 6A
Terminal Type - 23 - Attended, offline only. Operated by Merchant
Data Authentication Code - 00 00
ICC Dynamic Number - 1E AB C1 26 F8 54 99 76
CVM Results - 00 00 00
Gen AC Using CDOL1
80 AE 40 00 2B 0000000002010000000000000826000000000008261504280030901B6A2300001EABC126F8549976000000
this command is returning 9F26.
data i used for calcatation is:-
0000000002010000000000000826000000000008261504280030901B6A2300001EABC126F85499760000003800000180 [ data is multiple of 8]
Where 3800 is AIP 0001 is ATC and 80 for Padding [ Padding method 2 EMV] This is my logic, Is any body tell me where I should focus more to generate same AC as my tool generated.
MasterCard Application Cryptogram (AC) generation is more complicated than other card schemes.
Card can use different ICC Session Key Derivation (SKD) methods:
MasterCard Proprietary SKD, where involved Application Transaction Counter (ATC) and Unpredictable Number (UN);
EMV2000 Method, where involved only ATC - see EMV 4.0, Book 2;
EMV Common Session Key (CSK) Method, where involved only ATC - see EMV 4.2, Book 2;
Data Objects (DO) can be with different sets of additional or modified values:
Card Verification Results (CVR) can be 6 or 4 bytes.
The offline counters from Issuer Application Data (IAD) can be included.
Last online ATC value can be included.
The used method and data variant can be detected by Cryptogram Version Number (CVN) and Application Control bits. CVN is sub-field of IAD tag 0x9F10 .
The detailed information are proprietary and available for the MasterCard members.
For deep learning about it take a look into "M/Chip Card Application Cryptographic Algorithms" and M/Chip Card Application references.
Related
I´m trying to access the Information on a Mifare Smartcard(iso14443A) over a Omnikey 5321 CL reader.
I tried to use the smartcard lib, but it uses an other iso standard.
For accessing the Card I have to set a Application ID ( 3x hex), a key (32 int), keyid (hex).
You can still use smartcard lib, but you have to configure the reader to use the MIFARE mode instead of the T-CL variant of 14443 protocol.
If I remember corectly, the Omnikey workbench provides a graphical configuration tool for that purpose.
I strongly recommend to study Omnikey contactless smart card readers developer guide, especially the section MIFARE emulation mode, for serious work.
(I have no idea, what a one byte Application ID means in Mifare context, and what value 3x is supposed to represent.)
I am busy with similar process, however after searching I found this example:
https://github.com/santigimeno/node-pcsclite
EDIT
In fact I actually got this one working
https://github.com/pokusew/nfc-pcsc
It returns the following:
ACS ACR122 0 card detected {
atr: <Buffer 3b 8f 80 01 80 4f 0c a0 00 00 03 06 03 00 01 00 00 00 00 6a>,
standard: 'TAG_ISO_14443_3',
type: 'TAG_ISO_14443_3',
uid: '767aec7e'
}
I'm developing an application that require a client authentication to a server using a smart card.
As a guide, i'm tracing a normal web authentication with a browser and i've seen that the SSL/TLS packet containing the "Certificate Verify" structure is created using the signing session of the card.
Analizing the CCID-APDU packet sent to the card reader i've seen this dump:
6f 05 01 00 00 00 41 00 01 00 00 2a 80 86 00 01 01 00 00 01 ff ff ........
The answer of this command is actually the content sent to the 'Certificate Verify' SSL/TLS structure.
The strange thing is that the APDU command sent is
00 2a 80 86 00
Looking at the APDU documentation this is a "PSO: DECIPHER" command but shouldn't it be a signature command? (00 2A 9E 9A xx)
Would anyone be able to clarify this behavior?
Tnx
PSO DECIPHER shares with signature generation that it applies the private key. It is significantly simpler, since it is restricted to one data block, i. e. the command data field of the APDU. PSO CDS for Compute Digital Signature has lots of additional complications like chaining (data split to several commands), hashing (with various algorithms to use), padding (with various padding schemes) to ensure correct data length etc.
So it seems, that your analyzed solution is optimized for the specific scenario required, and as many optimizations clarity is somewhat reduced as side effect.
After some mucking about, I have got a pybluez script to connect to an AVRCP profile on various devices, and read the responses.
Code snippet:
addr="e2:8b:8e:89:6c:07" #S530 white
port=23
if (port>0):
print("Attempting to connect to L2CAP port ",port)
socket=bluetooth.BluetoothSocket(bluetooth.L2CAP);
socket.connect((addr,port))
print("Connected.")
while True:
print("Waiting on read:")
data=socket.recv(1024)
for b in data:
print("%02x"%b,end=" ")
print()
socket.close()
The results I'm getting when I press the button on the earpiece are as follows:
Attempting to connect to L2CAP port 23
Connected.
Waiting on read:
10 11 0e 01 48 00 00 19 58 10 00 00 01 03
Waiting on read:
20 11 0e 00 48 7c 44 00
Waiting on read:
30 11 0e 00 48 7c 46 00
Waiting on read:
40 11 0e 00 48 7c 44 00
After careful reading of the spec, it looks like I'm seeing PASSTHROUGH commands, with 44 being the "PLAY" operation command, and 46 being "PAUSE" (I think)
I don't know what the 10 11 0e means, apart from the fact that the first byte appears to be some sort of sequence number.
My issue is threefold:
I don't know where to find a list of valid operation_ids. It's
mentioned in the spec but not defined apart from a few random
examples.
The spec makes reference to subunit type and Id, (which would be the
48 in the above example) again without defining them AFAICT.
There is no mention of what the leading three bytes are. They may
even be part of L2CAP and nothing directly to do with AVRCP, I'm not
familiar enough with pybluez to tell.
Any assistance in any of the above points would be helpful.
Edit: For reference, the details of the AVRCP spect appears to be here: https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=119996
The real answer is that the specification document assumes you have read other specification documents.
The three header bytes are part of the AVCTP transport layer:
http://www.cs.bilkent.edu.tr/~korpe/lab/resources/AVCTP%20Spec%20v1_0.pdf
In short:
0: 7..4: Incrementing transaction id. 0x01 to 0x0f
3..2: Packet type 00 = self contained packet
1 : 0=request 1=response
0 : 0=PID recognized 1: PID error
1-2: 2 byte bigendian profile id (in this case 110e, AVRCP)
The rest is described in the AVRCP profile doc, https://www.bluetooth.org/docman/handlers/DownloadDoc.ashx?doc_id=119996
I don't find the documentation to be amazingly clear.
I have provided a sample application which seems to work for most of the AVRCP devices I have been able to test:
https://github.com/rjmatthews62/BtAVRCP
I am trying to use UPDATE BINARY command using APDU command for modify IMSI code, but The response is 98 04.
A0 A4 00 00 02 3F 00 -> SELECT MF
A0 A4 00 00 02 7F 20 -> Select DF_GSM
A0 A4 00 00 02 6F 07 ->Select EF_IMSI
A0 D6 00 00 09 [08 79 03 30 60 00 61 33 23] -> UPDATE IMSI FOR RANDOM NUMBER
when doing this I get the following response 98 04 and it is not modified.
According to the documentation The response 98 04 can mean the following:
access condition not fulfilled
unsuccessful CHV verification, at least one attempt left
unsuccessful UNBLOCK CHV verification, at least one attempt left
authentication failed
How I can change IMSI?
Thank you.
From 3GPP-TS-11.011 - You have to verify ADM first in order to update EF_IMSI. See link. Typically only the network has the "password". Otherwise anyone with the password can impersonate the identity of someone else's SIM card.
EF_IMSI Update Conditions
In order to update IMSI file on SIM , UPDATE command header and data part should be generated according GSM 03.48 specification. For the SIM file structure 31.102 is the specification.
Command header parameters should be obtained from SIM vendor. Minimum security Level parameter will definitely enforce encryption and cryptographic cHecksum usage for securing the command data, because real SIM card card manager expects MSL parameters something like that 0x25, so KiC and KiD key values are required.
You need first to Verify CHV (PIN1 for IMSI).
Use the following APDU and replace your PIN1 value.
-> A0 20 00 01 08 31 32 33 34 FF FF FF FF
<- 90 00
Caution: If you use wrong PIN value, it will be disabled after 3 times.
I have two different smartcard chips with Visa Paywave inside (one is native, and other is Java Card).
I am trying to run select PPSE or select Application command, one card is giving the expected result while another card is giving status word 6700.
Command ---->CMD 00A404000E325041592E5359532E4444463031
Sw1-sw2 <----67 00
Command ---->CMD 00A4040007A0000000031010
Sw1-sw2 <----67 00
We have some other proprietary test tool that is receiving a good result for both cards. That means that both cards have a PPSE and application in it. I wonder why my tool is sending the same command but getting a different result.
Any advice would be helpful here.
As we know that there are 4 cases defined in ISO7816-4 like,
As per my experience maximum card does not worry about Le field in apdu command, card O.S just process the command and return data if require.
Here i am getting error -6700 because here my card is expecting Le byte too.( card expecting case 4 instead of case 3)
Send command like below solve my problem,
00 A4 04 00 0E 325041592E5359532E4444463031 00 ( adding Le = 0x00 at last)