Why does the Java SIM secure channel return "do not match"?

I am trying to install the applet on a SIM card that supports Java Card v3.0.4. When I try to set up a secure channel to download the applet, the card returns an error:

mode_211
enable_trace
establish_context
card_connect
select -AID A000000151000000
Command --> 00A4040008A000000151000000
Wrapped command --> 00A4040008A000000151000000
Response <-- 6F108408A000000151000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 79AA24D80FF0056101F1D9AB6DCAF0E6
 -enc_key 79AA24D80FF0056101F1D9AB6DCAF0E6
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A86488
6FC6B03640B06092A864886FC6B048000640B06092A864886FC6B040255640B06092A864886FC6B0
481079000
Command --> 8050000008F05E65BF5254BC9F00
Wrapped command --> 8050000008F05E65BF5254BC9F00
Response <-- 00005147A5190C5352322002001C1F47B6C76BABFD305EBBC2CD1BB39000
mutual_authentication() returns 0x8030F00A (The Secure Channel Protocol passed and reported do not match.)

      

I am using GPShell-1.4.4. I think the problem is with the wrong set of keys! Am I right, or is there something else I can't guess?!

Thanks for your reply,

1 answer


(I am partially reusing an answer I wrote for your previous question that you suddenly deleted)

The GP211_ERROR_INCONSISTENT_SCP error code means that the version intended for use in the SCCH is incompatible with the actual SCP version specified by the card (see here).

Check the 12th byte of the card response for INITIALIZE UPDATE - secure channel protocol identifier (see for example GP Card Specification 2.3, section E5.1.6) and use the parameter -scp.

Alternatively, you can use GlobalPlatformPro as GPShell is pretty outdated ...

Beware that you could block your card by issuing multiple INITIALIZE UPDATE commands without successful authentication!




Since your current question contains a complete log, it is possible to parse the card data tag, giving (as per GP 2.2.1):

66 Card Data
    73 Card Recognition Data / Discretionary Data Objects
        06 OID
            2A864886FC6B01 {globalPlatform 1} // Card Recognition Data
        60 Application Tag 0
            06 OID
                2A864886FC6B020202 {globalPlatform 2 2 2} // GP 2.2 Card
        63 Application Tag 3
            06 OID
                2A864886FC6B03 {globalPlatform 3} // Card Identification Scheme
        64 Application Tag 4
            06 OID
                2A864886FC6B048000 {globalPlatform 4 128 0x00} // SCP80 i=0x00
        64 Application Tag 4
            06 OID
                2A864886FC6B040255 {globalPlatform 4 2 0x55} // SCP02 i=0x55
        64 Application Tag 4
            06 OID
                2A864886FC6B048107 {globalPlatform 4 129 0x07} // SCP81 i=0x07

      

So you can use -scp 2 -scpimpl 0x55 or -scp 2 -scpimpl 85 (which is the same).

Or use GlobalPlatformPro.

Alternatively, -scpimpl 0x15 should work as well, as the well-known pseudo-random algorithm (card challenge) bit in "i" doesn't matter ...

Good luck!
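
The two checks described in the answer (the SCP identifier in the 12th byte of the INITIALIZE UPDATE response, and the SCP OIDs listed in the Card Data), as an added Python example that is not part of the original answer. The function names are hypothetical, and the last two OID bytes are read as scp and "i" the same way the answer reads them.

```python
# Added example. Both responses are copied from the GPShell trace in the question.
GET_DATA_RESP = bytes.fromhex(
    "664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A864886FC6B03"
    "640B06092A864886FC6B048000640B06092A864886FC6B040255"
    "640B06092A864886FC6B0481079000")
INIT_UPDATE_RESP = bytes.fromhex(
    "00005147A5190C5352322002001C1F47B6C76BABFD305EBBC2CD1BB39000")
SCP_OID_PREFIX = bytes.fromhex("2A864886FC6B04")  # {globalPlatform 4}

def strip_sw(resp):
    """Drop the status word, insisting on 9000 (success)."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        raise ValueError("card did not answer 9000")
    return resp[:-2]

def tlvs(data):
    """Yield (tag, value) pairs; single-byte tags, short or 81/82 lengths."""
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[pos:pos + length]
        pos += length

def advertised_scps(get_data_resp):
    """List (scp, i) from every tag 64 OID under 66 / 73, in card order."""
    card_data = dict(tlvs(strip_sw(get_data_resp)))[0x66]
    recognition = dict(tlvs(card_data))[0x73]
    found = []
    for tag, value in tlvs(recognition):
        if tag != 0x64:
            continue
        for inner_tag, oid in tlvs(value):
            if inner_tag == 0x06 and oid[:-2] == SCP_OID_PREFIX:
                found.append((oid[-2], oid[-1]))  # read as in the answer
    return found

def scp_from_initialize_update(resp):
    """12th byte: after 10 bytes of key diversification data and the key version."""
    body = strip_sw(resp)
    if len(body) < 12:
        raise ValueError("INITIALIZE UPDATE response too short")
    return body[11]
```

For the trace in the question, `scp_from_initialize_update(INIT_UPDATE_RESP)` returns 0x02 and `advertised_scps(GET_DATA_RESP)` returns the pairs (0x80, 0x00), (0x02, 0x55) and (0x81, 0x07), matching the tree above.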
