
I've been trying to read data from my national eID using an ACS ACR1281 1S Dual Reader ICC. It requires Basic Access Control (BAC) authentication. I'm able to authenticate properly, but I'm getting an error when I try to select EF.COM (01 1E) using secure messaging, following the specifications from ICAO Doc 9303 Part 11.

Below is the APDU command I'm sending.

Select EF.COM

// Send APDU
00 A4 02 0C 02 01 1E 00 
// APDU Response
90 00

a) Mask class byte and pad command header:
 CmdHeader = ‘0CA4020C80000000’
b) Pad data:
 Data = ‘011E800000000000’
c) Encrypt data with KSEnc:
 EncryptedData = ‘6375432908C044F6’
d) Build DO‘87’:
 DO87 = ‘8709016375432908C044F6’
e) Concatenate CmdHeader and DO‘87’:
 M = ‘0CA4020C800000008709016375432908C044F6’
f) Compute MAC of M:
    i) Increment SSC with 1:
    SSC = ‘887022120C06C227’
    ii) Concatenate SSC and M and add padding:
    N = ‘887022120C06C2270CA4020C800000008709016375432908C044F68000000000’
    iii) Compute MAC over N with KSMAC:
    CC = ‘BF8B92D635FF24F8’
g) Build DO‘8E’:
 DO8E = ‘8E08BF8B92D635FF24F8’
h) Construct and send protected APDU:
 ProtectedAPDU = ‘0CA4020C158709016375432908C044F68E08BF8B92D635FF24F800’

// Send APDU
00 A4 02 0C 15 87 09 01 7C 76 3C 70 98 06 45 BD 8E 08 20 42 68 2C D0 BE 14 A0 00
// APDU Response
6A 87

KSEnc and KSMAC are the session keys computed after External Authenticate (0x82). But I keep getting 6A 87 - Lc inconsistent with P1-P2 as feedback. I'm using the PCSC 5.0.0 library to talk to the card (ICC). I'm not sure where I'm going wrong; kindly help.

Henry
  • Following the *Send APDU* comment, the class byte has to be 0C again. For a plain-text APDU an Lc byte of 15 would match the obtained status... Typo? – guidot Jul 26 '20 at 09:00
  • Thank you, I missed that when I was sending the command; indeed you are right, it is supposed to be 0x0C and not 0x00. Now I'm getting **69 85 - Conditions of use not satisfied**. I will look into why I'm getting that error. – Henry Jul 26 '20 at 12:54
  • @guidot So I'm still getting the same 69 85; here is the full APDU exchange: `00 A4 04 0C 07 A0 00 00 02 47 10 01 00` `90 00` `00 84 00 00 08` `82 30 34 55 E5 F8 47 FF 90 00` `00 82 00 00 28 99 D1 B5 D7 AC 08 A4 75 90 5D 6B CA 9D C8 65 A4 F2 3A 60 B5 E2 B3 53 AA 24 5E 51 E9 57 14 59 DB 18 48 76 1B 8A 39 06 FC 28 78 E8 AE 7E B4 CC D2 58 73 26 C1 57 C7 29 A7 3B C3 AE A7 ED 22 90 3B 64 EC 82 E9 8D DF 9D 40 63 5F 07 DF 55 E5 A8 2A 47 90 00` `00 A4 02 0C 02 01 1E 00` `90 00` `0C A4 02 0C 15 87 09 01 63 75 43 29 08 C0 44 F6 8E 08 2D E9 45 86 95 A1 79 B1 00` `69 85` – Henry Jul 26 '20 at 19:48
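The wrapping steps a) to h) quoted in the question, as an added Go example that is not code from the question, the answer or ICAO; it assumes the session keys KSEnc, KSMAC and the starting SSC of the ICAO Doc 9303 Part 11 Appendix D worked example (not quoted in the post) and reproduces the protected APDU listed under step h). The returned SSC is the channel state that every later secured command must continue from.

```go
package main
import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)
// pad: ISO/IEC 9797-1 padding method 2 (0x80, then zeros up to an 8-byte boundary).
func pad(b []byte) []byte {
	p := append(append([]byte{}, b...), 0x80)
	return append(p, make([]byte, (8-len(p)%8)%8)...)
}
// retailMAC: ISO/IEC 9797-1 MAC algorithm 3 with KSMAC = K1||K2 (DES-CBC under K1, then D_K2 and E_K1).
func retailMAC(ksMac, n []byte) []byte {
	k1, _ := des.NewCipher(ksMac[:8])
	k2, _ := des.NewCipher(ksMac[8:])
	y := make([]byte, 8)
	for i := 0; i < len(n); i += 8 {
		for j := range y {
			y[j] ^= n[i+j]
		}
		k1.Encrypt(y, y)
	}
	k2.Decrypt(y, y)
	k1.Encrypt(y, y)
	return y
}
// protectAPDU applies steps a) to h) to a command with data and no Le; it returns the protected APDU and the new SSC.
func protectAPDU(ksEnc, ksMac []byte, ssc uint64, header, data []byte) ([]byte, uint64) {
	hdr := []byte{header[0] | 0x0C, header[1], header[2], header[3]} // a) mask class byte for SM
	tdes, _ := des.NewTripleDESCipher(append(append([]byte{}, ksEnc...), ksEnc[:8]...)) // 2-key 3DES: K1||K2||K1
	enc := pad(data) // b) pad data
	cipher.NewCBCEncrypter(tdes, make([]byte, 8)).CryptBlocks(enc, enc) // c) encrypt with KSEnc (CBC, zero IV)
	do87 := append([]byte{0x87, byte(len(enc) + 1), 0x01}, enc...) // d) DO'87' = 87 L 01 || ciphertext
	m := append(pad(hdr), do87...) // e) padded header || DO'87'
	ssc++ // f.i) increment SSC
	n := pad(append(binary.BigEndian.AppendUint64(nil, ssc), m...)) // f.ii) SSC || M, padded
	do8e := append([]byte{0x8E, 0x08}, retailMAC(ksMac, n)...) // f.iii), g) MAC over N with KSMAC, into DO'8E'
	body := append(append([]byte{}, do87...), do8e...) // Lc counts DO'87' || DO'8E' (0x15 here)
	return append(append(append(hdr, byte(len(body))), body...), 0x00), ssc // h) protected APDU with Le = 00
}
func main() {
	// KSEnc, KSMAC and SSC below are the ICAO Doc 9303 Part 11 Appendix D worked-example values (assumed from the spec).
	ksEnc, _ := hex.DecodeString("979EC13B1CBFE9DCD01AB0FED307EAE5")
	ksMac, _ := hex.DecodeString("F1CB1F1FB5ADF208806B89DC579DC1F8")
	apdu, ssc := protectAPDU(ksEnc, ksMac, 0x887022120C06C226, []byte{0x00, 0xA4, 0x02, 0x0C}, []byte{0x01, 0x1E})
	fmt.Printf("%X (next SSC %X)\n", apdu, ssc) // 0CA4020C158709016375432908C044F68E08BF8B92D635FF24F800
}
```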

1 Answer


Henry, from your latest comment to @guidot it looks like you send the SELECT EF.COM twice: first without Secure Messaging, which will destroy your trusted channel established with BAC, followed by the secured APDU, which then tries to use the session keys / trusted channel that no longer exists.

ALe
  • Thank you very much, this was the issue. I just removed the unprotected EF.COM command and it worked. – Henry Jul 31 '20 at 12:52