Thursday, 25 June 2009

Smart Card SCP02

GlobalPlatform Secure Channel Protocol 2 (GP SCP02) allows secure communication with an applet. It is documented as Appendix E of the GP Card Specification 2.1.1.

GP card-side classes (org.globalplatform.GPSystem and org.globalplatform.SecureChannel, included in JCOP Tools gp211.jar or in GP Card Specification) make it easy to process, wrap and unwrap secured APDUs.

Card managers supporting SCP02 include JCOP Tools and GPShell.

(No info on terminal-side classes for SCP02 yet. Watch this space.)

SCP03 was specified by GP in mid-2007 as part of Card Specification 2.2, but it is not clear whether any implementations support it yet.

Tips for managing sessions and applets:
  • Remember that you have only 10 tries to authenticate to a JCOP card manager. Authenticating successfully resets its internal counter. After 10 failures the card manager is locked and cannot be unlocked, although the applets on the card remain usable. This is different from the situation where the card itself is in GP state CARD_LOCKED, which is reversible.
    Using the wrong key-set is the most common mistake people make. Confirm that you are using the right key-set: read the tutorials on-line and contact your vendor if you don't have supporting documentation for the card.
    JCOP Tools get-cplc prints the production info for the card (aka ISD), which you can send to the card vendor (or google!) to get the key-set. If you are already authenticated to the card and want to confirm the default key-set number, use init-update: the response APDU carries the key-set number you used to authenticate in the 11th byte and the SCP version in the 12th byte. (Refer to GP2.1.1 Appendix D4.1 and D4.2 for the init-update and ext-auth commands.) Remember that using init-update when not authenticated counts as an authentication failure, which uses up one of your tries! First reset the ISD failure counter by authenticating successfully, then continue experimenting.
  • SCP02 requires the CBC key type, i.e. DES-CBC (the valid key types are DES, DES-ECB, DES-CBC, RSA-PRIV, RSA-PUB, RSA-CRT, DSA-PRIV and DSA-PUB). If you specify SCP02 ENC+MAC with the JCOP Tools command ext-auth enc, JCOP Tools sets the key type to CBC automatically, even if you configured another key type such as DES-ECB.
  • The card has several life-cycle states, usually READY or SECURED (the latter requiring external authentication level C-MAC at least). Refer to GP2.1.1 Section 5.1.
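As an added example (not code from this post, from JCOP Tools or from GlobalPlatform), the Go program below implements the SCP02 pieces the tips above rely on: S-ENC session key derivation (GP 2.1.1 Appendix E.4.1), the card cryptogram (E.4.2.1), and a parser for the INITIALIZE UPDATE response that exposes the key-set version and SCP identifier bytes before the host decides whether to send EXTERNAL AUTHENTICATE. The section numbers refer to GP Card Specification 2.1.1; any keys, challenges and responses fed to it are constructed test values.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
)

// tdesCBC: two-key 3DES (K1 K2 K1) in CBC mode with a zero ICV, the primitive behind E.4.1 and B.1.2.1.
func tdesCBC(key16, data []byte) []byte {
	block, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err) // only a wrong static key length gets here
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, 8)).CryptBlocks(out, data)
	return out
}

const SEncConst = 0x0182 // S-ENC derivation constant (E.4.1); C-MAC uses 0x0101, DEK 0x0181

// DeriveSessionKey (E.4.1): encrypt constant || 2-byte sequence counter || 12 zero bytes under the static key.
func DeriveSessionKey(staticKey []byte, constant uint16, seq []byte) []byte {
	d := append([]byte{byte(constant >> 8), byte(constant)}, seq...)
	return tdesCBC(staticKey, append(d, make([]byte, 12)...))
}

// FullTripleDESMAC (B.1.2.1) over B.4-padded data (0x80 then zeros): the last 3DES-CBC ciphertext block.
func FullTripleDESMAC(key, msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	ct := tdesCBC(key, append(p, make([]byte, (8-len(p)%8)%8)...))
	return ct[len(ct)-8:]
}

// CardCryptogram (E.4.2.1): MAC over host challenge || sequence counter || card challenge with S-ENC.
func CardCryptogram(senc, host, seq, card []byte) []byte {
	return FullTripleDESMAC(senc, append(append(append([]byte{}, host...), seq...), card...))
}

// VerifyInitUpdate parses the 28-byte INITIALIZE UPDATE response data (E.5.1.4: 10 bytes diversification data,
// key version, SCP id, 2-byte counter, 6-byte card challenge, 8-byte cryptogram), derives S-ENC and checks the
// cryptogram in constant time; keyVersion and scpID are the 11th and 12th bytes the post refers to.
func VerifyInitUpdate(staticEnc, host, resp []byte) (keyVersion, scpID byte, ok bool, err error) {
	if len(resp) != 28 {
		return 0, 0, false, errors.New("INITIALIZE UPDATE response data must be 28 bytes")
	}
	seq, card, crypt := resp[12:14], resp[14:20], resp[20:28]
	senc := DeriveSessionKey(staticEnc, SEncConst, seq)
	ok = subtle.ConstantTimeCompare(CardCryptogram(senc, host, seq, card), crypt) == 1
	return resp[10], resp[11], ok, nil
}
```

A cryptogram mismatch means the host's static ENC key does not belong to the key set the card reports in byte 11, so the host can abandon the session instead of spending an EXTERNAL AUTHENTICATE on the wrong key.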

2 comments:

Unknown said...

Where is it specified that SCP02 requires CBC keys?

__ said...

To clarify, JCOP Tools (at least up to version 3.2.8) mandates DES-CBC for SCP02. This is from my experience; it might not be written anywhere.