[Muscle] load file DAP
Peter Williams
home_pw at msn.com
Fri Apr 25 18:21:05 PDT 2008
Even more incredibly, I cleaned out an old filing cabinet while moving
offices and found the DODCAC/Martsoft v2.01 manual on the DAP support in the GP
2.01 card. I'll go play, now that I have some technical counsel.
--------------------------------------------------
From: "Karsten Ohme" <widerstand at t-online.de>
Sent: Thursday, April 17, 2008 5:05 PM
To: "MUSCLE" <muscle at lists.musclecard.com>
Subject: Re: [Muscle] load file DAP
> Peter Williams schrieb:
>> Guess I get to do it myself! If I recall the GP model, this is what I
>> need to do with GPShell
>>
>> 1. use the openssl lib to create PEM-era private/public key files (wow, it
>> was 1985, I think, when I first hit PEM, learning it along with
>> RSA/DES/CBC/counter mode from the person drafting PEM in the IRTF (even before
>> it hit the IETF!). It's been around a while!)
>>
>> 2) use GPShell to load the DM key of the openssl RSA keyfile into the app
>> domain applet, version=1 index=1
>>
>> 3) create the muscle applet load file from the cap, affixing the
>> appropriate RSA 1024-bit signature. Can gpshell do this, on the fly or
>> statically?
>
> Not GPShell, the Global Platform library should be able to do this. But I
> never got a card working with a security domain. Either the
> specification is not clear enough, the cards are buggy or I do something
> wrong over and over again.
>
> Regards,
> Karsten
>
>>
>> 4) load and install the signed applet, where its security domain is the
>> APP security domain AID (not the more usual card issuer)
>>
>> Doing all this, I think the load flow is: upon detection of 1 or more
>> signature blocks in the load file, the card issuer is supposed to invoke
>> the app SD denoted in the install [for load] APDU to verify the crypto - where
>> the AppSD knows the crypto is RSA and the key is RSA, the key index is 1,
>> and the signature block has endian format X.
>>
>>
>> --------------------------------------------------
>> From: "Peter Williams" <home_pw at msn.com>
>> Sent: Monday, April 14, 2008 11:04 AM
>> To: "MUSCLE" <muscle at lists.musclecard.com>
>> Subject: Re: [Muscle] load file DAP
>>
>>> I've managed to locate (somewhat incredibly) 5 virgin USB tokens that -
>>> presumably as they are in their original static-proof bags - still have
>>> the manufacturer's app security domain applet on the card, in addition
>>> to the card issuer's SD. (Typically, during post-manufacturing we removed
>>> the app SD, to free up space to load and init the muscle applet.)
>>>
>>> What I do not have is any technical documentation, and all my people
>>> contacts have long since left the javacard startup company for greener
>>> pastures.
>>>
>>> Anyone want to play with some of them, to test GPShell and ensure its
>>> 2.01 era delegated loading (via RSA) is solid?
>>>
>>> --------------------------------------------------
>>> From: "Karsten Ohme" <widerstand at t-online.de>
>>> Sent: Saturday, April 05, 2008 4:43 AM
>>> To: "MUSCLE" <muscle at lists.musclecard.com>
>>> Subject: Re: [Muscle] load file DAP
>>>
>>>> Peter Williams schrieb:
>>>>> 1. Has anyone used GPShell to load an RSA public key into an
>>>>> _issuer's_ security domain of a 201 card, so one can use the GPShell
>>>>> to send a DAP hash and signature for the load file?
>>>>
>>>> I think this does not work. I have tried a lot with different cards,
>>>> but I had no success. So, there might be compatibility problems, the
>>>> cards do not support it after all or the specification is not clear
>>>> enough. You can play with the code base; it would be very interesting to
>>>> me if you get it working.
>>>>
>>>> Karsten
>>>>> 2. has anyone tested the use of SHA1 by itself for a LOAD DAP?
>>>>> 3. If I half remember right, only a security domain OTHER than the
>>>>> card manager SD can verify either a DESCBC or an RSA DAP (given it
>>>>> knows the verification key, and knows that the signature is either
>>>>> RSA or DESCBC).
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Muscle mailing list
>>>>> Muscle at lists.musclecard.com
>>>>> http://lists.drizzle.com/mailman/listinfo/muscle
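The thread's four-step procedure (openssl key, DM key loaded into the application SD, load file with an RSA DAP, LOAD routed to that SD for verification) is easier to reason about with the bytes in front of you. The Python below is an added example written for this archive page; it is not code from GPShell, from the GlobalPlatform library, or from anyone on the list. It assumes the RSA Load File DAP is a PKCS#1 v1.5 signature over the SHA-1 of the Load File Data Block (the GP 2.1.1 wording; an OP 2.0.1 card may hash a differently framed block, which is one place the "spec not clear enough" complaint above bites), and that the DAP travels in the LOAD command data as E2 { 4F <SD AID>, C3 <signature> } ahead of C4 <Load File Data Block>. The key pair is generated in-script with a small Miller-Rabin routine so the example runs offline; in the real flow the openssl-generated key from step 1 is what gets loaded in step 2. The AID and the "load file" bytes are constructed stand-ins, not a real CAP file.

```python
# Added example for this thread (not GPShell or GlobalPlatform-library code).
# Assumed: RSA Load File DAP = PKCS#1 v1.5 over SHA-1 of the Load File Data
# Block (GP 2.1.1 wording; OP 2.0.1 cards may frame the hashed bytes differently),
# carried in LOAD data as E2 { 4F <SD AID>, C3 <sig> } ahead of C4 <data block>.
# The RSA key is generated in-script so this runs offline; a real flow uses the
# openssl key that the thread's step 2 loads into the application SD.
import hashlib
import hmac
import math
import random

_rng = random.SystemRandom()
# PKCS#1 v1.5 DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if is_probable_prime(c):
            return c


def gen_rsa(bits=1024, e=65537):
    """Toy stand-in for `openssl genrsa 1024`; returns (n, e, d)."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


def _pkcs1_v15_encode(digest, k):
    t = SHA1_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def load_file_data_block_hash(load_file_data_block):
    """20-byte SHA-1; this is also what INSTALL [for load] carries as the hash."""
    return hashlib.sha1(load_file_data_block).digest()


def rsa_dap(load_file_data_block, n, d):
    """Signer side: the C3 value, made with the application SD's RSA private key."""
    k = (n.bit_length() + 7) // 8
    em = _pkcs1_v15_encode(load_file_data_block_hash(load_file_data_block), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify_dap(load_file_data_block, sig, n, e):
    """What the application SD does with its public key (index 1 in the thread)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = _pkcs1_v15_encode(load_file_data_block_hash(load_file_data_block), k)
    return hmac.compare_digest(em, expected)


def tlv(tag, value):
    """BER-TLV with a one-byte tag and short or long-form (81/82) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return tag + length + value


def parse_tlvs(data):
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i:i + 1], data[i + 1], i + 2
        if length & 0x80:
            nb = length & 0x7F
            length, i = int.from_bytes(data[i:i + nb], "big"), i + nb
        out.append((tag, data[i:i + length]))
        i += length
    return out


def build_load_data(sd_aid, load_file_data_block, n, d):
    """LOAD command data: the DAP block first, then the Load File Data Block."""
    sig = rsa_dap(load_file_data_block, n, d)
    dap = tlv(b"\xe2", tlv(b"\x4f", sd_aid) + tlv(b"\xc3", sig))
    return dap + tlv(b"\xc4", load_file_data_block)


def card_verify_load(load_data, sd_public_keys):
    """Issuer-side flow from the thread: each E2 block is routed to the SD named
    in its 4F, which must verify C3 over the C4 block with its own public key."""
    items = parse_tlvs(load_data)
    blocks = [v for t, v in items if t == b"\xc4"]
    daps = [v for t, v in items if t == b"\xe2"]
    if len(blocks) != 1 or not daps:
        return False
    for dap in daps:
        fields = dict(parse_tlvs(dap))
        key = sd_public_keys.get(fields.get(b"\x4f"))
        if key is None or not verify_dap(blocks[0], fields.get(b"\xc3", b""), *key):
            return False
    return True


# Constructed sample input: a made-up application SD AID and 768 bytes standing
# in for the concatenated CAP components (long enough to need an 82 xx xx length).
APP_SD_AID = bytes.fromhex("A0000000010101")
SAMPLE_LOAD_FILE_DATA_BLOCK = bytes(range(256)) * 3


def demo():
    n, e, d = gen_rsa(1024)
    load_data = build_load_data(APP_SD_AID, SAMPLE_LOAD_FILE_DATA_BLOCK, n, d)
    ok = card_verify_load(load_data, {APP_SD_AID: (n, e)})
    tampered = bytearray(load_data)      # flip one byte of the data block in transit
    tampered[-1] ^= 0x01
    bad = card_verify_load(bytes(tampered), {APP_SD_AID: (n, e)})
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when comparing this against a card that rejects the LOAD: the SD looks up the key by the AID inside the E2 block, so a DAP for the wrong SD (or for the issuer SD, which per the thread cannot verify DAPs) fails before any RSA happens, and the signature length must equal the modulus length exactly, so a key of the wrong size or a signature with a stripped leading zero fails too.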