[SOLVED] global platform secure channel 2 computation example needed

global platform secure channel 2 computation example needed

I am writing personalization software for a payment chip that implements Global Platform Secure Channel Protocol 2. I have a tool from the chip vendor that can log in to the card, but I cannot duplicate those computations to come up with my own login. The vendor tool has just one factory key, or maybe a keyset with three identical parts. That's all the vendor tool knows, and it can log in to the card:

cm> auth
=> 80 50 00 00 08 A0 13 2D 8B C1 E6 6E 9A 00          .P.....-...n..          host challenge:     A0132D8B C1E66E9A
(122317 usec)                       vv indicates SCP02
<= 00 00 00 00 00 00 00 00 00 00 FF 02 00 13 BA 2A    ...............*        seq num: 0013    card challenge:     BA2A16C9DC0E
   16 C9 DC 0E 30 11 F0 19 01 0D BF 2B 90 00          ....0......+..          card cryptogram:    3011F019 010DBF2B
 Status: No Error                                                               
 => 84 82 00 00 10 29 FD 73 3D 5A 91 6C 6F EA A6 56    .....).s=Z.lo..V        host cryptogram: 29FD733D5A916C6FEAA656B82A6B8928
   B8 2A 6B 89 28                                     .*k.(
(75647 usec)
<= 90 00                                              ..
Status: No Error

By my reading of the publicly available Global Platform Card Specification, my software needs to use the constant 182 (or maybe 181, I tried it both ways), and the Sequence Counter ("0013" here), zero-padded to 16 bytes, to make a Session Key. Then it needs to concatenate the Host Challenge, Sequence Number, Card Challenge, and "8000..." padding to make plaintext for a signature. Sign that with the session key and the result should match the card cryptogram. Once I can duplicate the vendor tool computation, I can use the same code in my perso machine. Easy peasy.

Working in .Net 4.5 TripleDESCryptoServiceProvider and MACTripleDES, I get values that do not match. I'm reluctant to integrate Bouncy Castle just to see if it makes things better. My key computation is verified on internet calculators, but of course I can't see the card's session key. Online signature calculators disagree with my code, but they also disagree with the sample data. All I know is that the signature comes out wrong, or at least different from the working tool.

So I guess the question is, are there examples of this computation available anywhere? Of course I asked the chip vendor first.

Solution

An example in Python is the Asterix project: https://github.com/suma12/asterix

Minor chopping up of SCP02.py in that project was enough to run and duplicate my sample data.