Access to BYTE GP211_SECURITY_INFO::dataEncryptionSessionKey[16]

[sebastienlorquet]

Hello

Is this project still live?

We are using this wrapper in our tools, it works well, but we need to send Store data commands in which the data is encrypted using DEK (See the GP specification).

We have hacked a function to access BYTE GP211_SECURITY_INFO::dataEncryptionSessionKey[16] from the wrapper.

A better alternative would be an encryption routine in the GlobalPlatform library, eg GP211_EncryptData() but we have no time to implement this, submit upstream, etc. for the moment.

Code: Select all

/* parameter GP211_SECURITY_INFO */
PyObject* pyGP211_get_sdek(PyObject* self, PyObject* args)
{
    CHECK_FUNCTION_ARGUMENTS_COUNT(1);

    GP211_SECURITY_INFO stGP211SecurityInfo = *(GP211_SECURITY_INFO *)PyString_AsString(PyTuple_GetItem(args, 0));
    
    return PyString_FromStringAndSize((char*)stGP211SecurityInfo.dataEncryptionSessionKey, 16);
}

[UNKNwYSHSA]

From the globalplatform source code, secInfo->dataEncryptionSessionKey is only used to encrypt key data in function get_key_data_field() at globalplatform\src\crypto.c:1159.
The DEK only used to encrypt key data.
If you want to encrypt your command data with it, you can refer to the implementation of function get_key_data_field().

Code: Select all

// set key type
keyDataField[i++] = keyType;
keyDataField[i++] = (BYTE)keyDataLength;
if (isSensitive) {
    // sensitive - encrypt
    // Initiation mode implicit
    if (secInfo->secureChannelProtocolImpl == GP211_SCP02_IMPL_i0B
        || secInfo->secureChannelProtocolImpl == GP211_SCP02_IMPL_i1B
        || secInfo->secureChannelProtocolImpl == GP211_SCP02_IMPL_i1A
        || secInfo->secureChannelProtocolImpl == GP211_SCP02_IMPL_i0A) {
            status = calculate_enc_cbc_SCP02(secInfo->dataEncryptionSessionKey, keyData, keyDataLength, encrypted_key, &encrypted_key_length);
    }
    else {
        status = calculate_enc_ecb_two_key_triple_des(secInfo->dataEncryptionSessionKey, keyData, keyDataLength, encrypted_key, &encrypted_key_length);
    }
    if (OPGP_ERROR_CHECK(status)) {
        goto end;
    }
    // we assume that each key is a multiple of 8 bytes.
    memcpy(keyDataField+i, encrypted_key, keyDataLength);
    i+=keyDataLength;

}
else {
    // not sensitive - copy directly
    memcpy(keyDataField+i, keyData, keyDataLength);
    i+=keyDataLength;
}

Following the code, The key type and length not encrypted, only the key data encrypted. You can encrypt your command data by the same.

[sebastienlorquet]

Hello, thanks.

This keys is used for BOTH key encryption AND arbitrary data encryption for use with STORE DATA.

Actually I have posted a message in the GP devel mailing list.

If all goes well we will get additional APIs in the GlobalPlatform library.

[UNKNwYSHSA]

Waiting for the response of mail list.
You can branch the code and do that yourself.