VERY URGENT: Format of public data in the KeyAgreement.generateSecret() method

Post by sandeepkkamishetti » Thu Jul 21, 2016 9:18 am

Dear Friends,

Greetings.

I have been working on implementing the PSO:DECIPHER feature using the ECC algorithm.

As part of this, I have been using the method:

public abstract short generateSecret(byte[] publicData, short publicOffset, short publicLength, byte[] secret, short secretOffset) throws CryptoException

I am formatting the public data with all the tags like 0x81, 0x82, 0x83, 0x84, 0x85 and 0x87 which are P, A, B, G(x,y), N fields respectively.

In addition to the above tags, I am passing another tag 0x86 which contains the public portion of the key (this is the data I receive in the PSO:Decipher command data field which is in the format 0x04||X||Y, X and Y are the coordinates of the public key point on the curve).
With this data sent to the above mentioned method (generateSecret), I am getting 0x6985 status word.
So I felt that the public data part (argument 1 of the method, which is constructed using the aforementioned tags) is not compatible with the method.

In this regard, could anyone tell me what the exact format of the public data should be, so that the method generates a shared secret?

FYI, I am using the BrainPoolsecp192r curve at present for the above operation.

Thank you a lot if I get any expert answer ASAP.

Have a nice day everybody.

Post by UNKNwYSHSA » Thu Jul 21, 2016 10:41 pm

Give us your code.
I tested on A22CR, no problem with curve 192.
Here's the code:

package testGenerateSecret;

import javacard.framework.*;
import javacard.security.*;

public class testGenerateSecret extends Applet
{
   private KeyAgreement ka;
   private KeyPair kp, kp2;
   private ECPublicKey ecPubKey, ecPubKey2;
   private ECPrivateKey ecPriKey, ecPriKey2;
   private byte[] bufPubKey;
   
   testGenerateSecret()
   {
      ka = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DH, false);
      kp = new KeyPair(KeyPair.ALG_EC_FP, KeyBuilder.LENGTH_EC_FP_192);
      kp2 = new KeyPair(KeyPair.ALG_EC_FP, KeyBuilder.LENGTH_EC_FP_192);
      bufPubKey = JCSystem.makeTransientByteArray((short) 0x80, JCSystem.CLEAR_ON_DESELECT);
   }
   
   public static void install(byte[] bArray, short bOffset, byte bLength)
   {
      new testGenerateSecret().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
   }

   public void process(APDU apdu)
   {
      if (selectingApplet())
      {
         return;
      }

      byte[] buf = apdu.getBuffer();
      switch (buf[ISO7816.OFFSET_INS])
      {
      case (byte)0x00:
         JCSystem.requestObjectDeletion();
         break;
      case (byte)0x01:
         kp.genKeyPair();
         ecPriKey = (ECPrivateKey) kp.getPrivate();
         ecPubKey = (ECPublicKey) kp.getPublic();
         kp2.genKeyPair();
         // Second key pair comes from kp2, so the agreement below uses a different public key
         ecPriKey2 = (ECPrivateKey) kp2.getPrivate();
         ecPubKey2 = (ECPublicKey) kp2.getPublic();
         break;
      case (byte)0x02:
         ka.init(ecPriKey);
         short wLen = ecPubKey2.getW(bufPubKey, (short) 0);
         short secretLen = ka.generateSecret(bufPubKey, (short) 0, wLen, buf, (short) 0);
         apdu.setOutgoingAndSend((short) 0, secretLen);
         break;
      default:
         ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }
   }

}
Last edited by UNKNwYSHSA on Fri Jul 22, 2016 2:16 am, edited 1 time in total.
sense and simplicity

Post by UNKNwYSHSA » Fri Jul 22, 2016 2:14 am

And I tested it on JCOP V2.4.2 R2.
No problem.
Code:

package testGenerateSecret_JCOP;

import javacard.framework.*;
import javacard.security.*;

public class testGenerateSecret_JCOP extends Applet
{
   private KeyAgreement ka;
   private KeyPair kp, kp2;
   private ECPublicKey ecPubKey, ecPubKey2;
   private ECPrivateKey ecPriKey, ecPriKey2;
   private byte[] bufPubKey;

    public static final byte[] NIST_FP_192_P = new byte[] {(byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFE, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF};
    public static final byte[] NIST_FP_192_A = new byte[] {(byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFE, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFC};
    public static final byte[] NIST_FP_192_B = new byte[] {(byte)0x64, (byte)0x21, (byte)0x05, (byte)0x19, (byte)0xE5, (byte)0x9C, (byte)0x80, (byte)0xE7, (byte)0x0F, (byte)0xA7, (byte)0xE9, (byte)0xAB, (byte)0x72, (byte)0x24, (byte)0x30, (byte)0x49, (byte)0xFE, (byte)0xB8, (byte)0xDE, (byte)0xEC, (byte)0xC1, (byte)0x46, (byte)0xB9, (byte)0xB1};
    public static final byte[] NIST_FP_192_N = new byte[] {(byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0xFF, (byte)0x99, (byte)0xDE, (byte)0xF8, (byte)0x36, (byte)0x14, (byte)0x6B, (byte)0xC9, (byte)0xB1, (byte)0xB4, (byte)0xD2, (byte)0x28, (byte)0x31};
    public static final byte[] NIST_FP_192_G = new byte[] {(byte)0x04, (byte)0x18, (byte)0x8D, (byte)0xA8, (byte)0x0E, (byte)0xB0, (byte)0x30, (byte)0x90, (byte)0xF6, (byte)0x7C, (byte)0xBF, (byte)0x20, (byte)0xEB, (byte)0x43, (byte)0xA1, (byte)0x88, (byte)0x00, (byte)0xF4, (byte)0xFF, (byte)0x0A, (byte)0xFD, (byte)0x82, (byte)0xFF, (byte)0x10, (byte)0x12, (byte)0x07, (byte)0x19, (byte)0x2B, (byte)0x95, (byte)0xFF, (byte)0xC8, (byte)0xDA, (byte)0x78, (byte)0x63, (byte)0x10, (byte)0x11, (byte)0xED, (byte)0x6B, (byte)0x24, (byte)0xCD, (byte)0xD5, (byte)0x73, (byte)0xF9, (byte)0x77, (byte)0xA1, (byte)0x1E, (byte)0x79, (byte)0x48, (byte)0x11};

   testGenerateSecret_JCOP()
   {
      ka = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DH, false);
      kp = new KeyPair(KeyPair.ALG_EC_FP, (short) 192);
      ecPriKey = (ECPrivateKey) kp.getPrivate();
      ecPubKey = (ECPublicKey) kp.getPublic();
      kp2 = new KeyPair(KeyPair.ALG_EC_FP, (short) 192);
      ecPriKey2 = (ECPrivateKey) kp2.getPrivate();
      ecPubKey2 = (ECPublicKey) kp2.getPublic();
      
      ecPubKey.setFieldFP(NIST_FP_192_P, (short) 0, (short) NIST_FP_192_P.length);
      ecPubKey.setA(NIST_FP_192_A, (short) 0, (short) NIST_FP_192_A.length);
      ecPubKey.setB(NIST_FP_192_B, (short) 0, (short) NIST_FP_192_B.length);
      ecPubKey.setR(NIST_FP_192_N, (short) 0, (short) NIST_FP_192_N.length);
      ecPubKey.setG(NIST_FP_192_G, (short) 0, (short) NIST_FP_192_G.length);
      ecPubKey.setK((short) 1);
      ecPriKey.setFieldFP(NIST_FP_192_P, (short) 0, (short) NIST_FP_192_P.length);
      ecPriKey.setA(NIST_FP_192_A, (short) 0, (short) NIST_FP_192_A.length);
      ecPriKey.setB(NIST_FP_192_B, (short) 0, (short) NIST_FP_192_B.length);
      ecPriKey.setR(NIST_FP_192_N, (short) 0, (short) NIST_FP_192_N.length);
      ecPriKey.setG(NIST_FP_192_G, (short) 0, (short) NIST_FP_192_G.length);
      ecPriKey.setK((short) 1);

      ecPubKey2.setFieldFP(NIST_FP_192_P, (short) 0, (short) NIST_FP_192_P.length);
      ecPubKey2.setA(NIST_FP_192_A, (short) 0, (short) NIST_FP_192_A.length);
      ecPubKey2.setB(NIST_FP_192_B, (short) 0, (short) NIST_FP_192_B.length);
      ecPubKey2.setR(NIST_FP_192_N, (short) 0, (short) NIST_FP_192_N.length);
      ecPubKey2.setG(NIST_FP_192_G, (short) 0, (short) NIST_FP_192_G.length);
      ecPubKey2.setK((short) 1);
      ecPriKey2.setFieldFP(NIST_FP_192_P, (short) 0, (short) NIST_FP_192_P.length);
      ecPriKey2.setA(NIST_FP_192_A, (short) 0, (short) NIST_FP_192_A.length);
      ecPriKey2.setB(NIST_FP_192_B, (short) 0, (short) NIST_FP_192_B.length);
      ecPriKey2.setR(NIST_FP_192_N, (short) 0, (short) NIST_FP_192_N.length);
      ecPriKey2.setG(NIST_FP_192_G, (short) 0, (short) NIST_FP_192_G.length);
      ecPriKey2.setK((short) 1);

      bufPubKey = JCSystem.makeTransientByteArray((short) 0x80, JCSystem.CLEAR_ON_DESELECT);
   }
   
   public static void install(byte[] bArray, short bOffset, byte bLength)
   {
      new testGenerateSecret_JCOP().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
   }

   public void process(APDU apdu)
   {
      if (selectingApplet())
      {
         return;
      }

      byte[] buf = apdu.getBuffer();
      switch (buf[ISO7816.OFFSET_INS])
      {
      case (byte)0x00:
         JCSystem.requestObjectDeletion();
         break;
      case (byte)0x01:
         kp.genKeyPair();
         kp2.genKeyPair();
         break;
      case (byte)0x02:
         ka.init(ecPriKey);
         short wLen = ecPubKey2.getW(bufPubKey, (short) 0);
         short secretLen = ka.generateSecret(bufPubKey, (short) 0, wLen, buf, (short) 0);
         apdu.setOutgoingAndSend((short) 0, secretLen);
         break;
      default:
         ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
      }
   }

}
sense and simplicity

Post by UNKNwYSHSA » Fri Jul 22, 2016 2:15 am

Maybe you need to tell us the parameters of curve BrainPoolsecp192r.
sense and simplicity

Post by sandeepkkamishetti » Sun Jul 24, 2016 5:48 am

Hello UNKNwYSHSA,

Thank you very much for your reply.

Actually, I could not share the code with you. I am very sorry for that.

FYI, the curve parameters are:

Curve-ID: brainpoolP192r1

p = C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297

A = 6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF

B = 469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9

x = C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6

y = 14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F

q = C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1

h = 1

Also, in the source code you shared, you are generating the public and private key pair and doing the Key Agreement.

In my case, what is expected from the smart card is:

1. The public coordinates X and Y are sent in uncompressed format (0x04||X||Y) to the card in the PSO: Decipher command;

2. The card has the corresponding private key, which is set for Key Agreement in the MSE SET command prior to the PSO: Decipher command; this is a mandatory step;

3. The card after receiving the uncompressed format of the public coordinates has to perform Key Agreement and send the shared key as a response to the PSO:Decipher command;

4. This should be possible with NIST, Brainpool and ANSI curves with all the key lengths (192, 224, 256, 384, 512, etc.).


My intention is to implement the PSO:Decipher command on the card.

For this what I am doing in the command handler is :

1. Receive the uncompressed format of public coordinates and validate the data for the first byte (it should be 0x04);

2. Initialise the Private key that was set in the MSE:SET command;

3. Pass the public data to the method KeyAgreement.generateSecret(), which is framed as below:

public abstract short generateSecret(byte[] publicData,
                                     short publicOffset,
                                     short publicLength,
                                     byte[] secret,
                                     short secretOffset)
                              throws CryptoException

4. If I pass the publicData to this method as it is, i.e. the received PSO: Decipher command data field (0x04||X||Y), then this method throws a CryptoException.ILLEGAL_VALUE (value 0x0001);

Instead, if I pass the public data as a public key, i.e. forming all the parameters of a public key (P, A, B, N, G(X,Y), h, etc.) in TLV format with their corresponding tags, I get a status word 0x6985 (conditions of use not satisfied).

Hence, I have been in a dilemma for 10 days about what data exactly should be passed to the generateSecret() method.

If you could clarify this point for me, I would be very thankful to you.

Thank you.

Have a nice weekend.


BR,

Sandeep Kumar KAMISHETTI.

Post by UNKNwYSHSA » Sun Jul 24, 2016 9:55 pm

Is the publicData generated with the same curve as the curve of private key?

And the description of the exception:
CryptoException.ILLEGAL_VALUE if the input key type is inconsistent with the KeyAgreement algorithm, for example, if the KeyAgreement algorithm is ALG_EC_SVDP_DH and the key type is TYPE_RSA_PRIVATE, or if privKey is inconsistent with the implementation.

What is the model of your card?
Does the card support other key agreement algorithms (other than ALG_EC_XXXX)?
sense and simplicity

Post by sandeepkkamishetti » Thu Jul 28, 2016 12:29 am

Hello UNKNwYSHSA,

The public and private key are generated from the same curve.

Now I am able to perform the key agreement successfully.

The offset of the data I was sending to the KeyAgreement method was incorrect and so I was getting the CryptoException.

As I do not have any debug tool, the problem took more time for investigation.

Thank you a lot for your support.

Have a nice day ahead.


BR,

K. Sandeep Kumar.
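
The resolution of this thread as an added example, not code from either poster: a PSO:DECIPHER handler that passes the bare uncompressed point 0x04||X||Y to generateSecret() with the offset and length of the command data field, rather than offset 0 or a TLV structure of domain parameters. Assumptions: the class and package names are hypothetical, the command uses a short APDU whose data field is exactly the point, the card preloads 192-bit domain parameters, and an on-card generated key pair stands in for the private key selected by MSE:SET.

```java
package example.psodecipher; // hypothetical package name

import javacard.framework.*;
import javacard.security.*;

public class PsoDecipherExample extends Applet {
    private static final short FIELD_LEN = 24;                          // 192-bit curve
    private static final short POINT_LEN = (short) (1 + 2 * FIELD_LEN); // 0x04 || X || Y
    private final KeyAgreement ka;
    private final KeyPair kp;

    private PsoDecipherExample() {
        ka = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DH, false);
        // Assumption: the card preloads 192-bit domain parameters; otherwise set
        // them on both keys before genKeyPair(), as the JCOP applet above does.
        kp = new KeyPair(KeyPair.ALG_EC_FP, KeyBuilder.LENGTH_EC_FP_192);
        kp.genKeyPair(); // stands in for the private key selected by MSE:SET
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new PsoDecipherExample().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        // PSO:DECIPHER is INS 0x2A with P1P2 = 0x8086 (ISO/IEC 7816-8).
        if (buf[ISO7816.OFFSET_INS] != (byte) 0x2A
                || Util.getShort(buf, ISO7816.OFFSET_P1) != (short) 0x8086) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        short len = apdu.setIncomingAndReceive();
        short off = ISO7816.OFFSET_CDATA; // data starts after CLA INS P1 P2 Lc, not at 0
        if (len != POINT_LEN || buf[off] != (byte) 0x04) {
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        }
        short out = (short) (off + len); // keep the output clear of the input point
        try {
            ka.init(kp.getPrivate());
            // publicData is the bare point: no domain-parameter TLVs, exact offset and length.
            short secretLen = ka.generateSecret(buf, off, len, buf, out);
            apdu.setOutgoingAndSend(out, secretLen);
        } catch (CryptoException e) {
            // Diagnostic aid for cards without a debugger: surface the reason code in SW2.
            ISOException.throwIt((short) (0x6F00 | e.getReason()));
        }
    }
}
```

With ALG_EC_SVDP_DH the returned secret is the 20-byte SHA-1 digest of the shared X coordinate, not the raw coordinate. The reason-code status word is a development aid and should be replaced by a single generic status word in a production applet.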

