FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Reading Authentication attempts counter on SE050

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Reading Authentication attempts counter on SE050

Jump to solution
‎12-11-2020 04:02 PM
1,870 Views
m_grand
Contributor II

Hi every one,

I would like to know if it is possible to read the Authentication attempts counter of an AESKey authentication object.

From what I understand this is not possible as the only way to read such a value would be to perform an attested read which actually always returns 0x6985 when trying to read an AESKey.

Can someone confirm that it is not possible?

Thank you

Labels (1)
Labels
0 Kudos
Reply
1 Solution

Jump to solution
‎12-31-2020 10:38 AM
1,796 Views
m_grand
Contributor II

Unfortunately, i'm still not able to read attempts counter. Read object command fails with a CONDITION_NOT_SATISFIED status word. It seems that AESKey authentication object attributes cannot be read just like normal AESKey. I used the attestation key with ID 0xF0000012 and attestation algorithm EC_SHA_512.

I tried to configure the authentication object with policy ALLOW_READ but key creation fails with the status word WRONG_DATA.

EDIT: Ok, it works. I was using Se05x_API_ReadObjectAttributes() instead of Se05x_API_ReadObject_W_Attst(). However i does not understand why this function could not be used while its purpose seems to be to read object's attributes. As explained above Se05x_API_ReadObject_W_Attst() cannot be used as is because it expects TAG1 which is actually not returned when reading an AESKey object.

View solution in original post

0 Kudos
Reply
5 Replies

Jump to solution
‎12-17-2020 08:15 PM
1,849 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @m_grand ,

 

Sorry, I misunderstood the policies to be validated during secure objects creation as the policies to be allowed on these objects, SW_CONDITIONS_NOT_SATISFIED is returned when you attempt to read a private key or a symmetric key or a userID with the command of "ReadObject", just as specified in AN12413, but you can do an attested read on an AES key (attestation key needs to be an ECDSA key like you wrote) – secure element will not return any key data, but it will return with the object attributes and sign them.

The current MW I think still has an bug which makes this combination of an attested read of an symmetric key still not usable as the MW expects data coming back, but on the IoT Applet it has to work.

 

Please also note the TLV_TAG5 is the identifier which specifies the key which is used to sign the data/attributes which are returned by the attested read. Please kindly refer to the following for details.

read object with attestation.png

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

 

 

0 Kudos
Reply

Jump to solution
‎12-31-2020 10:38 AM
1,797 Views
m_grand
Contributor II

Unfortunately, i'm still not able to read attempts counter. Read object command fails with a CONDITION_NOT_SATISFIED status word. It seems that AESKey authentication object attributes cannot be read just like normal AESKey. I used the attestation key with ID 0xF0000012 and attestation algorithm EC_SHA_512.

I tried to configure the authentication object with policy ALLOW_READ but key creation fails with the status word WRONG_DATA.

EDIT: Ok, it works. I was using Se05x_API_ReadObjectAttributes() instead of Se05x_API_ReadObject_W_Attst(). However i does not understand why this function could not be used while its purpose seems to be to read object's attributes. As explained above Se05x_API_ReadObject_W_Attst() cannot be used as is because it expects TAG1 which is actually not returned when reading an AESKey object.

0 Kudos
Reply

Jump to solution
‎12-18-2020 07:50 AM
1,846 Views
m_grand
Contributor II

Thank you for your answer. I'm going to investigate this question and i will comme back to you if i have additional questions.

0 Kudos
Reply

Jump to solution
‎12-24-2020 02:57 AM
1,822 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hello @m_grand ,

 

You are welcome! Please kindly let me know if there is any further issue.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply

Jump to solution
‎12-14-2020 12:18 AM
1,859 Views
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @m_grand ,

 

No, it is not possible as only the asymmetric keys have the policy of POLICY_OBJ_ALLOW_ATTESTATION. Please kindly refer to the page 27 of https://www.nxp.com/docs/en/application-note/AN12413-SE050_APDU_specification.pdf for more details.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply