Secure AuthenticationのトピックRe: SE050 ECKeySessionInternalAuthenticate 6a80

SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Wed, 20 Nov 2024 10:53:07 GMT

I am using OMSE050ARD, i'm trying to start an eckey session but i seem to be getting 6A80 whenever i try to call ECKeySessionInternalAuthenticate.

Select Applet: 00a4040010a000000396545300000001030000000000
Response: 0301006fff010b9000

Create Session: 8004001b0641047fff020108
Response: 4182000801124e0147cc788a 9000

ECKeySessionGetECKAPublicKey (wrapped in processSessionCmd):
8005000017100801124e0147cc788a410b84cabf2106a60483020000
Response: 7f4946b041045c687ea7258d61a43b7a8255ad7102cb17377b1ff253f3504ca23028edd9a5df76e6645f85cd9e206a27d87eeffddcd9417c772271e373689065c302771c7d0ff001035f37473045022032279f5688fd0d0dfa25d46c3fc99db5d5b156932516fb52749c5fb22d0a91f1022100c2e11a115ac529bb7b281cecf49cb8cb5769b29c2afd577eeee016b70c5c0e35 9000

Host Ephemeral PublicKey: 0427cefa0865a912cc36a733d659fc4077abb5faa25029d7ed0f4521ff1ba715ff6af976b6ebd6c5f3c0f62dace1859fa64e9116aa7cc8ba4d2659709881fdcb4a
Host Signature: 3045022100ecc7d866b6d1425ab7d7d0ab8c84297e98a1a968d7ece420f0236f9e37c274b702200a73f417b980976b2ef6425364258a86bfbab9a691b2ddc17e4505073b6dbb8e

ECKeySessionInternalAuthenticate (wrapped in processSessionCmd): 80050000c4100801124e0147cc788a4181b784880000b2a61d4f10a00000039654530000000103000000009003ab01408001888101107f4946b0410427cefa0865a912cc36a733d659fc4077abb5faa25029d7ed0f4521ff1ba715ff6af976b6ebd6c5f3c0f62dace1859fa64e9116aa7cc8ba4d2659709881fdcb4af001035f37473045022100ecc7d866b6d1425ab7d7d0ab8c84297e98a1a968d7ece420f0236f9e37c274b702200a73f417b980976b2ef6425364258a86bfbab9a691b2ddc17e4505073b6dbb8e
Response: 6a80

The documentation specifies that the TLVs (0xA6 and 0x7F49) must be signed with the S_RMAC key.
However, the S_RMAC key cannot be derived until after the secure session is established, which happens later in the process.
Should the host ephemeral private key be used for signing instead of the S_RMAC key?

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Thu, 21 Nov 2024 03:44:26 GMT

Hi @jychab ,

Maybe there is some misunderstanding here. I found you created the ECKey session with ID of 7fff0201, which is provisioned as ECKA pair at SE for EC key Session Authentication, but from my understanding, this session should be created with the ID to store the PK.Host.ECDSA . so the host side should generate Host.ECDSA at first and write PK.Host.ECDSA as authentication object in SE with a non-reserved ID (e.g. 0x00001000), then create the ECKey session with this ID instead.

Hope that makes sense,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Thu, 21 Nov 2024 06:45:17 GMT

Im following the example as shown in the docs.

It uses the Reserved_EC_Key_Sesssion_Id to create the session as well.

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Tue, 26 Nov 2024 08:14:22 GMT

Hi @jychab ,

This figure has been confirmed as a doc issue, the public key from the host and provisioned in SE shall be referenced there.

Hope that makes sense,

Have a great day,
Kan

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Tue, 26 Nov 2024 13:40:08 GMT

I need to establish secure sessions with multiple, unknown hosts.
Does it mean i need to write a new key to the secure element each time a new host is interacting with the secure element?

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Wed, 27 Nov 2024 16:39:48 GMT

For some context, I'm using the SE050E as an NFC tag via its CL interface, allowing multiple smartphones (acting as NFC readers) to communicate with the secure element through NFC.
What would be the most efficient way to establish a secure session each time a new smartphone initiates communication with the secure element?

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Thu, 28 Nov 2024 06:37:24 GMT

Hi @jychab ,

For such case, the NFC phone needs to generate the Host.ECDSA key pair natively and writes the PK.Host.ECDSA into SE from the beginning and then starts to establish an ECKey session with SE, and as writing PK.Host.ECDSA into SE causes NVM writes , so the key ID to store PK.Host.ECDSA in SE has to be created as transient object and please reserve multiple objects for back up so that the NFC phone may have a list of them all and select either of them as an Auth Object.

Hope that makes sense,

Have a great day,
Kan

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Sat, 30 Nov 2024 09:51:27 GMT

Are you sure i can create a session using a transient authentication object?
In the documentation for the latest applet, it states that authentication object needs to be a persistent object and it can't be a transient object.

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Mon, 02 Dec 2024 01:45:35 GMT

Hi @jychab ,

Sorry, my bad! The authentication object must be persistent, but as writing ECKey pair always cause NVM writes, so you better let the hosts have the key pair used for authentication after they are registered.

Have a great day,
Kan

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Thu, 05 Dec 2024 15:27:40 GMT

I realized that I can't create an authentication object without first establishing a session.

This brings me back to the same issue: how can I establish an EC key session? Is it possible to do so using the pre-provisioned key 7FFF0201?

It would be extremely helpful if you could provide an APDU example demonstrating how to establish a secure EC key session.

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Fri, 06 Dec 2024 06:03:38 GMT

Hi @jychab ,

The authentication object can be trust provisioned out of factory with a secure service, such as edgelock2go secure service , and you may refer to the https://www.nxp.com/products/security-and-authentication/secure-service-2go-platform:SECURE_SERVICE_2GO for details.

To have an APDU command example regarding how to establish a secure EC key session, you may simply enable ECKey Auth type for the MW and enable the verbose log, so you may have the APDU log when you run any MW example after rebuilding the MW.

Please kindly refer to the following for details.

Hope that helps,

Have a great day,
Kan

Re: SE050 ECKeySessionInternalAuthenticate 6a80

jychab — Fri, 06 Dec 2024 08:40:45 GMT

Would it be possible for you to provide the extracted APDU command example directly? I'm working on using the secure element as a contactless interface and am communicating solely through APDU. Unfortunately, I don't have the necessary hardware setup to run a demo with the middleware.

Re: SE050 ECKeySessionInternalAuthenticate 6a80

Kan_Li — Tue, 10 Dec 2024 03:43:30 GMT

Hi @jychab ,

No problem! Please kindly refer to the attachment for details.

Have a great day,
Kan