帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Reading Authentication attempts counter on SE050

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Reading Authentication attempts counter on SE050

跳至解决方案
‎12-11-2020 04:02 PM
3,574 次查看
m_grand
Contributor II

Hi every one,

I would like to know if it is possible to read the Authentication attempts counter of an AESKey authentication object.

From what I understand this is not possible as the only way to read such a value would be to perform an attested read which actually always returns 0x6985 when trying to read an AESKey.

Can someone confirm that it is not possible?

Thank you

标签 (1)
标签
0 项奖励
回复
1 解答

跳至解决方案
‎12-31-2020 10:38 AM
3,500 次查看
m_grand
Contributor II

Unfortunately, i'm still not able to read attempts counter. Read object command fails with a CONDITION_NOT_SATISFIED status word. It seems that AESKey authentication object attributes cannot be read just like normal AESKey. I used the attestation key with ID 0xF0000012 and attestation algorithm EC_SHA_512.

I tried to configure the authentication object with policy ALLOW_READ but key creation fails with the status word WRONG_DATA.

EDIT: Ok, it works. I was using Se05x_API_ReadObjectAttributes() instead of Se05x_API_ReadObject_W_Attst(). However i does not understand why this function could not be used while its purpose seems to be to read object's attributes. As explained above Se05x_API_ReadObject_W_Attst() cannot be used as is because it expects TAG1 which is actually not returned when reading an AESKey object.

在原帖中查看解决方案

0 项奖励
回复
5 回复数

跳至解决方案
‎12-17-2020 08:15 PM
3,553 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @m_grand ,

 

Sorry, I misunderstood the policies to be validated during secure objects creation as the policies to be allowed on these objects, SW_CONDITIONS_NOT_SATISFIED is returned when you attempt to read a private key or a symmetric key or a userID with the command of "ReadObject", just as specified in AN12413, but you can do an attested read on an AES key (attestation key needs to be an ECDSA key like you wrote) – secure element will not return any key data, but it will return with the object attributes and sign them.

The current MW I think still has an bug which makes this combination of an attested read of an symmetric key still not usable as the MW expects data coming back, but on the IoT Applet it has to work.

 

Please also note the TLV_TAG5 is the identifier which specifies the key which is used to sign the data/attributes which are returned by the attested read. Please kindly refer to the following for details.

read object with attestation.png

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

 

0 项奖励
回复

跳至解决方案
‎12-31-2020 10:38 AM
3,501 次查看
m_grand
Contributor II

Unfortunately, i'm still not able to read attempts counter. Read object command fails with a CONDITION_NOT_SATISFIED status word. It seems that AESKey authentication object attributes cannot be read just like normal AESKey. I used the attestation key with ID 0xF0000012 and attestation algorithm EC_SHA_512.

I tried to configure the authentication object with policy ALLOW_READ but key creation fails with the status word WRONG_DATA.

EDIT: Ok, it works. I was using Se05x_API_ReadObjectAttributes() instead of Se05x_API_ReadObject_W_Attst(). However i does not understand why this function could not be used while its purpose seems to be to read object's attributes. As explained above Se05x_API_ReadObject_W_Attst() cannot be used as is because it expects TAG1 which is actually not returned when reading an AESKey object.

0 项奖励
回复

跳至解决方案
‎12-18-2020 07:50 AM
3,550 次查看
m_grand
Contributor II

Thank you for your answer. I'm going to investigate this question and i will comme back to you if i have additional questions.

0 项奖励
回复

跳至解决方案
‎12-24-2020 02:57 AM
3,526 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @m_grand ,

 

You are welcome! Please kindly let me know if there is any further issue.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 项奖励
回复

跳至解决方案
‎12-14-2020 12:18 AM
3,563 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @m_grand ,

 

No, it is not possible as only the asymmetric keys have the policy of POLICY_OBJ_ALLOW_ATTESTATION. Please kindly refer to the page 27 of https://www.nxp.com/docs/en/application-note/AN12413-SE050_APDU_specification.pdf for more details.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 项奖励
回复