Secure Authentication中的主题 AES key session authentication

AES key session authentication

Raza — Thu, 22 Oct 2020 07:30:08 GMT

I am using msp430f5994 and se050. I want to create a AES key on the smart card.

I first created an AESKey using WriteSymmKey command from se050 APDU specification document. But for session authentication I have to follow global platform authentication steps.

1. Initialize Update command

2. External authenticate command

In initialize update command, I have to send host challenge to the smartcard and the card will create its own card challenge, internal session keys and card cryptogram, and send it back to microcontroller. Now, I have to generate also the same session keys on the microcontroller for comparison.

According to the global platform SCP document, I have to do 3DES encryption technique in ECB mode to generate those keys. I don't know how to implement this.

If anyone of you has some experience in this, I would be really thankful for your help.

Re: AES key session authentication

msjcard — Thu, 22 Oct 2020 23:38:41 GMT

https://github.com/martinpaljak/GlobalPlatformPro

Martin Paljak has written a pretty good Global Platform library that includes (in the source) the various key expansion/derivation steps necessary to derive a session key set from a static key set.

https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab

Also the se050 middleware package has an implementation. Near as i can tell, api>src>ax_scp.c may be where you want to start.

Re AES key vs SCP - you want to take a look at the SCP03 documentation, not the SCP02 doc. SCP03 does not use DES for anything and SCP02 does not use AES for anything.

Mike

Re: AES key session authentication

Raza — Fri, 23 Oct 2020 07:07:34 GMT

Thank you so much for your reply.
I have already sent the INITIALIZEUPDATE command to se050 and it gave the following as a response
1. key diversification data

2. key information

3. card challenge

4. card cryptogram

Now, I need to know the following:

1. what static K-ENC key is used by the card to generate the card cryptogram?

2. How can I generate the card cryptogram, session S-ENC key and finally the host cryptogram that will be sent to the se050 in EXTERNAL AUTHENTICATE command?

3. I have a C code in code composer studio to send APDUs from msp430 to se050. How can I generate the above mentioned things in C, so that I can formulate the EXTERNAL AUTHENTICATE command?

Re: AES key session authentication

Kan_Li — Tue, 27 Oct 2020 09:07:02 GMT

Hi @Raza ,

The Platform SCP03 keys provisioned in SE050 are as follows:

ENC is 35C29245895EA34F6136155F8209D6CD
MAC is AF172D5D54F7C0D5C10A05B9F1207F78
DEK is A2BC8438BF77015B361A4425F239FA29

and we have provide source code for platform SCP communication in the MW, which contains APIS, for example, SCP_HostLocal_CalculateSessionKeys(), SCP_HostLocal_CalculateHostCryptogram(), and you may find them in the folder of "simw-top\hostlib\hostLib\api\src", in the file of "ax_scp.c", just as mentioned by @msjcard . You may use them as a reference for your own application.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------