[Muscle] load file DAP

[Peter Williams]

Do any of the following facts sound plausible - for a new GP 2.01 era card with installed SD?
 
- one binds to the SD's AID
- one does the security handshake, using keys of the card issuer
 
- one does putkey(DES=0x81) into the SD instance
 
- one does a 2nd security handshake, using keys of the SD now
 
- one does putkey(RSA=0xA1)
 
 
- one binds and does security handshake with card issuer 
 
- load uses gpshell to load up the firmware, where gpshell calculates the RSA signature(s) and SHA dynamically
 
- Cardissuer with have SD check the RSA signature, at the end of load?
 
Wondering if I need to SetStatus at any point, manually on the SD's state.



> From: home_pw at msn.com> To: muscle at lists.musclecard.com> Subject: Re: [Muscle] load file DAP> Date: Fri, 25 Apr 2008 18:21:05 -0700> > Even more incredibly, I cleaned out an old filing cabinet, while moving > offices. Found the DODCAC/Martsoft v2.01 manual on the DAP support in the GP > 2.01 card. I'll go play, now I have some technical counsel.> > --------------------------------------------------> From: "Karsten Ohme" <widerstand at t-online.de>> Sent: Thursday, April 17, 2008 5:05 PM> To: "MUSCLE" <muscle at lists.musclecard.com>> Subject: Re: [Muscle] load file DAP> > > Peter Williams schrieb:> >> Guess I get to do it myself! If I recall the GP model, this is what I > >> need to do with GPShell> >>> >> 1. use openssl lib to create PEM-era private/public key files (wow, it > >> 1985 I think I first hit PEM, learning it along with > >> RSA/DES/CBC/countermode from the person drafting PEM in IRTF (even before > >> it hit IETF!). Its been around a while!)> >>> >> 2) 1. use GPSHELL load dm key of the openssl RSA keyfile into the app > >> domain applet, version=1 index=1> >>> >> 3) create the muscle applet load file from the cap, affixing the > >> appropriate RSA 1024bit signature. Can gpshell do this, on the fly or > >> statically?> >> > Not GPShell, the Global Platform library should be able to do this. But I > > never got a card working with the a security domain. Either the > > specification is not clear enough, the cards are buggy or I do something > > wrong over and over again.> >> > Regards,> > Karsten> >> >>> >> 4) load and install the signed applet, where its security domain is the > >> APP security domain AID (not the more usual card issuer)> >>> >> Doing all this, I think the load flow is: Upon detection of 1 or more > >> signature blocks in the load file, the card issuer is supposed to invoke > >> the app SD denote in the load for load APDU to verify the crypto - where > >> the AppSD knows the crypto is RSA and the key is RSA, the key index 1, > >> and the signature block has endian format X.> >>> >>> >> --------------------------------------------------> >> From: "Peter Williams" <home_pw at msn.com>> >> Sent: Monday, April 14, 2008 11:04 AM> >> To: "MUSCLE" <muscle at lists.musclecard.com>> >> Subject: Re: [Muscle] load file DAP> >>> >>> I've managed to locate (somewhat incredibly) 5 virgen USB tokens that - > >>> presumably as they are in their original static-proof bags - still have > >>> the manufacturer's app security domain applet on the card - in addition > >>> of the card issuers SD. (Typically, during post-manufacturing we removed > >>> the app SD , to free up space to load and init the muscle applet.)> >>>> >>> What I do not have is any technical documentation and all the my people > >>> contacts have long since left the javacard startup company for greener > >>> pastures.> >>>> >>> Anyone want to play with some of them, to test GPShell and ensure its > >>> 2.01 era delegated loading (via RSA) is solid?> >>>> >>> --------------------------------------------------> >>> From: "Karsten Ohme" <widerstand at t-online.de>> >>> Sent: Saturday, April 05, 2008 4:43 AM> >>> To: "MUSCLE" <muscle at lists.musclecard.com>> >>> Subject: Re: [Muscle] load file DAP> >>>> >>>> Peter Williams schrieb:> >>>>> 1. Has anyone used GPShell to load an RSA public key into an > >>>>> _issuer's_ security domain of a 201 card, so one can use the GPShell > >>>>> to send a DAP hash and signature for the load file?> >>>>> >>>> I think this does not work. I have tried a lot with different cards, > >>>> but I had no success. So, there might be compatibility problems, the > >>>> cards do to support it after all or the specification is not clear > >>>> enough. You can play with the code base, would be very interesting to > >>>> me, if you get it working.> >>>>> >>>> Karsten> >>>>> 2. has anyone tested the use of SHA1 by itself for a LOAD DAP?> >>>>> 3 If I half remember right, only a security domain OTHER than the > >>>>> card manager SD can verify either a DESCBC or an RSA DAP (given its > >>>>> knows the verification key, and knowledge that the signature is either > >>>>> RSA or DESCBC).> >>>>> ------------------------------------------------------------------------> >>>>>> >>>>>> >>>>> _______________________________________________> >>>>> Muscle mailing list> >>>>> Muscle at lists.musclecard.com> >>>>> http://lists.drizzle.com/mailman/listinfo/muscle> >>>>> >>>> _______________________________________________> >>>> Muscle mailing list> >>>> Muscle at lists.musclecard.com> >>>> http://lists.drizzle.com/mailman/listinfo/muscle> >>>>> >>> _______________________________________________> >>> Muscle mailing list> >>> Muscle at lists.musclecard.com> >>> http://lists.drizzle.com/mailman/listinfo/muscle> >>>> >> _______________________________________________> >> Muscle mailing list> >> Muscle at lists.musclecard.com> >> http://lists.drizzle.com/mailman/listinfo/muscle> >>> >>> >> > _______________________________________________> > Muscle mailing list> > Muscle at lists.musclecard.com> > http://lists.drizzle.com/mailman/listinfo/muscle> > 
_________________________________________________________________
Express yourself wherever you are. Mobilize!
http://www.gowindowslive.com/Mobile/Landing/Messenger/Default.aspx?Locale=en-US?ocid=TAG_APRIL
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drizzle.com/pipermail/muscle/attachments/20080428/1eda5a24/attachment.html