Javacard : GlobalPlatform Mutual Authentication

I have recently ordered some few JavaCard units for my students.

You could read about its technical/software characteristics here

Basically, the JCOP J3H145 supports JC 3.0, GlobalPlatoform 2.2.1 and ISO7816, ISO14443 protocols.

0- Secure Channel Protocol

The following flow is an example of explicit Secure Channel initiation between a card and an off-card entity ( GP documentation):

I- Mutual Authentication

After card reset, I sent to card the following command (using GP tools):

The JCOP J3H145 card is using 2keys-3DES for mutual authentication.

The card sent some public information with 3 static keys ( default keys):

K-ENC : 404142434445464748494A4B4C4D4E4F

K-MAC: 404142434445464748494A4B4C4D4E4F

K-DEK:404142434445464748494A4B4C4D4E4F

Then, the mutual authentication protocol is initiated:

[TRACE] GPSession - Generated host challenge: 0286BBF852B03316        

The Host challenge (0286BBF852B03316, 8 bytes) is created by the Host application then sent to the card by means of the following APDU :

A>> T=1 (4+0008) 80500000 08 0286BBF852B03316 00        

What the card will do ?

1. the card will create its own card challenge
2. then, it will create 3 sessions keys : S-ENC, S-MAC, RMAC

The card challenge,in this case, is:

[DEBUG] GPSession - Card challenge: 0002598DD3961BFD        

The session keys generated are:

[INFO] GPSession - Session keys: ENC=ADC1163BA2A147FBB84BF44C8676FB7D MAC=3E06B1C8FCFD788A573B9A9889D0CA50 RMAC=BC3FB634DEABB546AAEC2B630DF44180        

The question is how the card calculated those session keys. GlobalPlatform specifies a precise procedure to calculate the session keys :

BTW:

1. The 2 bytes of sequence counter are the card challenge's first two bytes
2. The 2 bytes (constant) are defined by GP

II- S-ENC

Let's begin with S-ENC:

S-ENC=ADC1163BA2A147FBB84BF44C8676FB7D         

The algorithm used to generate S-ENC is CBC (2keys-3DES). To ease the understanding of the following , I will note a 3DES key as: K1K2K1 (24 bytes)

for instance the static key K-ENC:

K-ENC=404142434445464748494A4B4C4D4E4F
K1=4041424344454647
K2=48494A4B4C4D4E4F
K1=4041424344454647

the 3DES K-ENC is 24 a bytes key,so: 
K1K2K1 = 404142434445464748494A4B4C4D4E4F4041424344454647
        

Let us try finding out manually the S-ENC Key ! The website https://tripledes.online-domain-tools.com/ will be very useful. I entered the following data, then I encrypt:

III- S-MAC

Now, for S-MAC, the only change from above is the constant (2 Bytes) ; We replace 0182 by 0101 and we encrypt:

Once those keys (session keys) are generated by the card, the card will respond with the following R-APDU:

IV- Card cryptogram

The generation and verification of the card cryptogram is performed by concatenating the 8-byte host challenge, 2-byte Sequence Counter, and 6-byte card challenge resulting in a 16-byte block. The data shall be padded with a further 8-byte block ('80 00 00 00 00 00 00 00').

The signature method, using the S-ENC session key and an ICV of binary zeroes, is applied across this 24-byte block and the resulting 8-byte signature is the card cryptogram.

Algorithm to calculate the Card cryptogram:

Again, we will use the website to calculate manually the Card cryptogram:

The Host application will check the Card cryptogram for validity, then creates its own Host Cryptogram.This time, the derivation data is composed as the following:

Card Challenge | Host Challenge | 80 00 00 00 00 00 00 00

in our case, the host cryptogram is:

Calculated host cryptogram: 9B4D8467FC2AC709        

You could use the website to calculate manually the host cryptogram as I did for the Card cryptogram.

V- Message Authentication Code

The Host application is now preparing the next Command APDU.

The MAC is generated by applying multiple chained DES operations (using a session key generated prior to or when opening the Secure Channel) across an APDU message.

The MAC is needed for integrity and data origin authentication in which the receiving entity (the card or off-card entity) ensures that the data being received actually came from an authenticated sending entity (respectively the off-card entity or card) in the correct sequence and has not been altered;

The MAC (in red ) is calculated and added by the host to the C-APDU.

GP specifies a procedure to calculate the MAC code. Here it is:

I will give now a detailed steps (and more understandable way ) to produce the C-MAC field:

remember this this time we will use the S-MAC Key

S-MAC=3E06B1C8FCFD788A573B9A9889D0CA50
with :
K1=3E06B1C8FCFD788A 
K2=573B9A9889D0CA50
the S-MAC key used in 2keys-3DES is: K1K2K1
        

In three steps the calculation will be done. See it by yourself:

At the end of the third step, we will have the Message authentication Message.

Let us do it by ourself

First step:

Second Step:

Third Step

The MAC code is: 58 d5 2a 8d d3 75 11 59

We found the same MAC calculated by Host Application:

A>> T=1 (4+0016) 84820100 10 9B4D8467FC2AC709[58D52A8DD3751159] ; <-- here        

Happy JC