2

I was hoping someone could help me with the PIV smart card standard.

I would like to authenticate the smart card by making it sign a PKCS#1 padded nonce with the previously generated RSA 1024-bit modulus Digital Signature Key 0x9C. Here is what the output of my test application looks like:

Requesting Signature
Sending: 0087069C867C84820081800001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00CB441C4A656E071F1FB9F31BC6AB1824324FB42780
Error: (6A80) Incorrect parameters in command data

And here is the breakdown:

00 - Not chained (chaining not required because message does not exceed max length)
87 - GENERAL AUTHENTICATE
06 - RSA 1024 Algorithm
9C - Digital Signature Key
86 - Length of data field
  7C - Dynamic Authentication template identifier
  84 - Length of dynamic authentication template
    82 - Response
    00 - Response length 0 (Response requested)
    81 - Challenge
    80 - Challenge length 128
      0001FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00CB441C4A656E071F1FB9F31BC6AB1824324FB427 - PKCS #1 padded 20-byte Nonce (Padded with OpenSSL RSA_padding_add_PKCS1_type_1)
80 - Expected response length (128 bytes)

I have also run tests using all of the different keys (having generated all of them successfully already) and using chained messages vs single part messages. See further test data.

GHW
  • You do perform the PKCS#1 padding around the NONCE, but are you sure that the inner hash structure is not required? Maybe simply perform H(NONCE) and use the structures defined in the PKCS#1 standard, you can simply compare H(NONCE) with H'(NONCE) instead of NONCE with NONCE' after decryption to verify the authentication. – Maarten Bodewes May 05 '12 at 14:26
  • I don't fully understand. Are you saying I should apply the "DigestInfo" DER encoding around my Nonce/Hash before padding? If so, this does not work either. Are you saying I should hash my nonce before padding it? Since my nonce and a sha1 hash are both 20 pseudo-random bytes, this makes no difference. – GHW Jun 19 '12 at 19:35
  • "The GENERAL AUTHENTICATE command shall be used with the PIV authentication Keys ('9A', '9B', '9E') to authenticate the card or a card application to the client application (INTERNAL AUTHENTICATE)" Seems to me you are using both the wrong key *and* the wrong APDU. Why do you need key 0x9C as the spec clearly indicates the other keys? – Maarten Bodewes Jun 19 '12 at 21:50
  • From the NIST standard: "The GENERAL AUTHENTICATE command can be used to generate signatures. The pre-signature hash and padding (if applicable) is computed off card. The PIV Card Application receives the hashed value of the original message, applies the private signature key (key reference '9C'), and returns the resulting signature to the client application" - I have brute force tried every key. What do you think is wrong with my APDU? – GHW Jun 21 '12 at 14:32

1 Answer

2

There was a bug with the PIV card applet loaded on my smart card. It will not sign any data that starts with 0x00. If you change the 0x00 to anything else (as long as the data as an integer is less than the modulus as an integer per requirement of the RSA algorithm) it will sign successfully. So of course this means these cards cannot sign any standard PKCS1 padded data :(

Thanks for the help

GHW
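The client-side check this thread is about, as an added example that is not part of the original posts: it builds the type 1 padded block off-card using the hash-then-DigestInfo layout raised in the comments, verifies a returned signature by re-encoding and comparing, and shows that a signature made over a block whose leading 0x00 was changed (the workaround in the answer) fails standard verification. Assumptions: `card_sign` is a hypothetical stand-in for the card's private-key operation, and the key is a constructed, insecure toy key with a 141-byte modulus rather than the 128-byte one in the question.

```python
import hashlib, hmac, os

# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key for the demo only: product of two Mersenne primes
# (1128-bit modulus, trivially factorable). A real PIV key is generated on-card.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # needs Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes

def type1_pad(payload: bytes, k: int) -> bytes:
    """00 01 FF..FF 00 || payload, the layout RSA_padding_add_PKCS1_type_1 produces."""
    ps_len = k - 3 - len(payload)
    if ps_len < 8:
        raise ValueError("payload too long for modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + payload

def expected_block(nonce: bytes, k: int) -> bytes:
    """Full PKCS#1 v1.5 signature input: padding around DigestInfo(SHA-1(nonce))."""
    return type1_pad(SHA1_DIGESTINFO + hashlib.sha1(nonce).digest(), k)

def card_sign(block: bytes) -> bytes:
    """Hypothetical stand-in for the card: raw private-key operation on the block."""
    m = int.from_bytes(block, "big")
    if len(block) != K or m >= N:
        raise ValueError("block must be k bytes and numerically below the modulus")
    return pow(m, D, N).to_bytes(K, "big")

def verify(signature: bytes, nonce: bytes) -> bool:
    """Recover the block with the public key and compare it to a re-encoding."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, expected_block(nonce, K))

def demo():
    nonce = os.urandom(20)             # fresh challenge per authentication
    good = expected_block(nonce, K)
    altered = b"\x01" + good[1:]       # leading 0x00 changed, still below N
    return verify(card_sign(good), nonce), verify(card_sign(altered), nonce)
```

Comparing the recovered block against a full re-encoding, rather than parsing the padding out of it, rejects any block that deviates from the standard layout.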