4

My problem looks like this. I have generated keys on the card and the terminal sides. I have on the terminal side the card public and private keys and the terminals public and private keys, and the same on the card side (i'm doing tests so thats why i have all of them on the terminal and on the card). When i generate KeyAgreement (terminal side) for the card as private and for the terminal as private the secters are the same, so the generation is OK and i get a 24 bytes (192 bit) secret. When i generate the the secrets on the card (2 cases like on the terminal) the secrets are also the same, but they ale shorter - 20 bytes (160 bit). Here are the generation codes. the terminal:

ECPublicKey publicKey;
ECPrivateKey privateKey;

...

KeyAgreement aKeyAgree = KeyAgreement.getInstance("ECDH", "BC");
aKeyAgree.init(privateKey);
aKeyAgree.doPhase(publicKey, true);
byte[] aSecret = aKeyAgree.generateSecret();

and the card side:

eyAgreement = KeyAgreement.getInstance(KeyAgreement.ALG_EC_SVDP_DH, false);
short length = terminalEcPublicKey.getW(array, (short) 0);

keyAgreement.init(cardEcPrivateKey);
short secretlength = keyAgreement.generateSecret(array, (short)0, length, buffer, (short)0);
TajnosAgentos
  • 167
  • 1
  • 1
  • 10

1 Answers1

6

There is a problem in your implementation of KeyAgreement.ALG_EC_SVDP_DH in the terminal side. The correct length of output of the this method of key agreement should always be 20 bytes since SHA-1 is being performed on the derived output.

So in your terminal side, you should perform SHA-1 after generating the secret data.

Chooch
  • 573
  • 3
  • 12
  • why does it work like that? The card doesnt have to do that, so why the terminal should to that? – TajnosAgentos Jun 15 '15 at 20:37
  • Actually, the card does perform SHA-1. generateSecret() does that for ALG_EC_SVDP_DH algorithm. – Chooch Jun 16 '15 at 00:31
  • but why the terminal does not do that? – TajnosAgentos Jun 19 '15 at 12:33
  • 1
    In JavaCard, there are ALG_EC_SVDP_DH, ALG_EC_SVDP_DH_KDF, ALG_EC_SVDP_PLAIN, ALG_EC_SVDP_DHC, and many more). ECDH is performed in all of these algorithm, they just differ in post-computation (performing SHA-1 in your case) which is not related anymore to the ECDH algorithm. In your terminal side, you created an instance of KeyAgreement with the parameter "ECDH" which suggests that it only performs an ECDH. I think that it is up to the terminal side to do any post-computation after the ECDH computation. – Chooch Jun 21 '15 at 23:22