Secure Channel Establishment

Martin Paljak edited this page Oct 15, 2024 · 3 revisions

GlobalPlatformPro supports SCP01, SCP02 and SCP03 (with S16) Secure Channel protocols.

By default, it tries to connect to the card manager via the ISD by issuing an empty SELECT (and parsing the returned data for the actual AID). A secure channel can be opened with the ISD, any supplementary security domains (SSD-s) or any on-card applets that use the Global Platform secure channel capability. To connect to a specific AID, specify it with -connect. Alternatively, the AID to connect to can be specified in $GP_AID.

gp -connect 112233445566 -dvl

SCP03 with enhanced security (S16 mode)

Challenges and MAC-s in SCP03 (and the earlier DES-based SCP01/02) have always been 8 bytes, which for SCP03 means a truncated MAC. Amendment D v1.2 introduces strengthened security with 128-bit challenges and MAC-s.

GPPro will try to upgrade to S16 mode automatically if S8 is rejected by the card; to request S16 mode manually, add -s16 to your command line.

Important

Always be as precise and exact as possible when specifying security properties (keys, algorithms etc). GPPro tries to be both fail-safe and helpful, but trying incorrect parameters can result in a locked up card!

Querying card state

If you are connecting to a security domain (ISD or SSD) on the card, you can query interesting information.

To get information about the keys on the card, use -i / --info. This command can be used without opening a secure channel, by just specifying the security domain AID with -connect. It fetches and parses various informational data elements, such as CPLC, Card Recognition Data and information about keys in the security domain.

To list the contents of the security domain, use -l / --list. This will issue the Global Platform GET STATUS command and display the result in a nicely readable format, starting with the Issuer Security Domain (ISD).

$ gp -l
ISD: A000000151000000 (OP_READY)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, CardLock, CardTerminate, CardReset, CVMManagement, TrustedPath, AuthorizedManagement, TokenVerification, GlobalDelete, GlobalLock, GlobalRegistry, FinalApplication, ReceiptGeneration

PKG: A0000001515350 (LOADED)
     Parent:   A000000151000000
     Version:  255.255
     Applet:   A000000151535041

PKG: A0000000620204 (LOADED)
     Parent:   A000000151000000
     Version:  1.0

PKG: A0000000620202 (LOADED)
     Parent:   A000000151000000
     Version:  1.3

How to interpret the output:

  • The Issuer Security Domain has a special name: ISD.
  • Other types are instantiated applets (APP), supplementary security domains (DOM) and loaded CAP files (PKG), which are called Executable Load Files in the specification.
  • Each entity has an associated lifecycle state (like OP_READY or SELECTABLE or LOADED).
  • Applications and security domains also have privileges.
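
The listing format above can be parsed into structured entries and compared against an expected inventory of AIDs, for example to spot on-card content that is not supposed to be there. This is an added example, not code from GlobalPlatformPro or from the original page; the function names, the baseline set and the abbreviated sample are constructed for illustration, and the parser assumes the layout shown in the listing above.

```python
import re

# Constructed sample in the `gp -l` layout shown above (privilege list abbreviated).
SAMPLE = """\
ISD: A000000151000000 (OP_READY)
     Parent:   A000000151000000
     From:     A0000001515350
     Privs:    SecurityDomain, CardLock, CardTerminate

PKG: A0000001515350 (LOADED)
     Parent:   A000000151000000
     Version:  255.255
     Applet:   A000000151535041

PKG: A0000000620204 (LOADED)
     Parent:   A000000151000000
     Version:  1.0
"""

HEADER = re.compile(r"^(ISD|APP|DOM|PKG):\s+([0-9A-Fa-f]+)\s+\(([^)]+)\)\s*$")
FIELD = re.compile(r"^\s+(\w+):\s*(.*)$")


def parse_registry(text):
    """Parse `gp -l` text into a list of dicts, one per registry entry."""
    entries = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            kind, aid, state = head.groups()
            entries.append({"type": kind, "aid": aid.upper(), "state": state,
                            "privs": [], "applets": []})
            continue
        field = FIELD.match(line)
        if not field or not entries:
            continue  # blank line, or text before the first entry
        key, value = field.groups()
        if key == "Privs":
            entries[-1]["privs"] = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "Applet":
            entries[-1]["applets"].append(value.strip().upper())  # may repeat per package
        else:
            entries[-1][key.lower()] = value.strip()  # Parent, From, Version, ...
    return entries


def unexpected(entries, baseline):
    """Return AIDs present on the card but absent from the expected baseline set."""
    return sorted(e["aid"] for e in entries if e["aid"] not in baseline)
```

Calling `unexpected(parse_registry(output), baseline)` with the AIDs you expect on the card returns whatever else the registry reports.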

Sending APDU-s over secure channel

Use -s / --secure-apdu