
I'm using C# with a C# library to read out the identification data from tachograph cards.

I only need to read out the unique card ID and can do this with a driver card, I send the correct APDUs to do the trick. I'm now trying to read out the ID of a company card doing the same things, as described in the documentation I could find (ECE/TRANS/SC.1/2006/2 and sub appendixes). This doesn't work.

If I understand the documentation correctly, the problem is that after selecting a DF and an EF after that, the Authentication has to be redone (on a company card only) to read out the unique identification data from the EF. Now, reading the documentation, I can understand I have to use a "manage security environment" to set/request a public key? Then use an "internal authenticate", "get challenge", run an "external authenticate" and finally use a "read binary" to read out the data. But only after setting the logic to the correct EF. Am I correct in this matter?

If I'm correct, does anyone understand where/how I can request the public key from the card? And what algorithm is used to decrypt the challenge using the public key and eventually, what to send back to the card?

If I did not understand it correctly, can anyone explain the steps in authenticating with a tachograph smartcard? Using idiot terms would be appreciated as I'm completely new in this line of work and still trying to learn.

Oscar K

1 Answer


I had no detailed look into Tachograph specification for years, but this might help you to start:

  • a challenge is just a random number, you have to encrypt it (symmetric algorithm) or sign it (asymmetric algorithm) by yourself. The appropriate algorithm has to be defined before, since the card has to follow the same rules for checking.
  • external authenticate is far more likely using symmetric cryptography (nobody likes to sign something unknown, which could also be a hash code for a message)
  • there are two standardized modes for retrieving the public key:
    • either as response to a special Generate Asymmetric Key Pair command (there is one, which just reads but does not generate a new key)
    • or in some file to be read using standard READ commands (e.g. a certificate, which has the advantage that you may check its signature). Which case applies has to be stated in the specification.
  • Manage Security Environment just informs the card, which key to use for a subsequent operation like PSO, giving its Control Reference Template, id and usage qualifier
guidot
  • Good sir, thank you. I'm going to look into this all day long (if no one bothers me) I'll keep you updated. You helped me before as well. You seem to be the Stack Overflow expert on these matters. Appreciate it! – Oscar K Feb 25 '21 at 07:28
  • Follow up question: I tried using the generate key pair instruction to get a public key. I got the error back on sw1 and 2 which dials down to "Instruction code not supported or invalid". It should be the code 46 or 0x46 but that doesn't work. I can however read the Card certificate. Is there a way to extract the public key from a card certificate? It's 196 bytes long. If so, do you have any clue what documentation to read about it? – Oscar K Feb 25 '21 at 09:42
  • Trying 0x47 instead of 0x46 may help. In principle, you should be able to extract the public key. A certificate consists of 1) public key, 2) additional information (which may or may not be covered by the signature), 3) an indication of what institution signed and 4) the signature. Given that an RSA-2048 signature alone requires 256 bytes, you may have an elliptic curve public key and signature. X.509 is a widespread certificate scheme. – guidot Feb 26 '21 at 08:06
  • Thank you very much for your help! I'm currently doing an internship and have to do this. I'm going to spend the rest of the week on it, I'll keep you updated! – Oscar K Mar 01 '21 at 09:58
  • In your answer, you say I have to use the appropriate algorithm that has to be defined before. Do you have any clue as to how to do so? Using an MSE command? Also, I would like to use the symmetric algorithm, but if I understand it all correctly, this requires a so-called "IV". How do I retrieve that from a card? And on a side note: 0x47 doesn't work either, it seems... So I read out the certificate and try to get the data from there. – Oscar K Mar 01 '21 at 15:30
  • For anyone ever reading this. Also see: https://stackoverflow.com/questions/66458042/smart-card-retrieve-public-key-from-ca-certificate – Oscar K Mar 03 '21 at 14:21
  • No, the algorithm must be known by card and application; it is that secret by which external authentication works. Any possibility to supply algorithm or even key data via MSE SET would weaken the concept. – guidot Mar 03 '21 at 14:28
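
The symmetric challenge-response described in the answer, as an added C# example (.NET 6 or later) that is not part of the original thread and is not taken from the tachograph specification. The `SimulatedCard` class, the choice of AES-128 on a single 16-byte block and the sample key are assumptions made for illustration; the INS bytes 0x84 (GET CHALLENGE) and 0x82 (EXTERNAL AUTHENTICATE) and the status words are the ISO/IEC 7816-4 values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

// Terminal side. The key is constructed sample data shared with the simulated card.
byte[] key = Convert.FromHexString("000102030405060708090A0B0C0D0E0F");
var card = new SimulatedCard(key);
byte[] apdu = Answer(card, key);
Console.WriteLine(Convert.ToHexString(card.ExternalAuthenticate(apdu)));  // matching key
Console.WriteLine(Convert.ToHexString(card.ExternalAuthenticate(apdu)));  // replayed cryptogram
Console.WriteLine(Convert.ToHexString(card.ExternalAuthenticate(Answer(card, new byte[16])))); // wrong key

// Fetch a challenge, encrypt it with key k, wrap it in an EXTERNAL AUTHENTICATE APDU.
static byte[] Answer(SimulatedCard c, byte[] k)
{
    byte[] challenge = c.GetChallenge(16)[..^2];             // strip SW1 SW2
    byte[] cryptogram = Crypto.EncryptBlock(k, challenge);
    return new byte[] { 0x00, 0x82, 0x00, 0x00, 16 }.Concat(cryptogram).ToArray();
}

static class Crypto
{
    // One 16-byte block, ECB, no padding: nothing is chained, so no IV is involved.
    public static byte[] EncryptBlock(byte[] key, byte[] block)
    {
        using var aes = Aes.Create();
        aes.Key = key; aes.Mode = CipherMode.ECB; aes.Padding = PaddingMode.None;
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(block, 0, block.Length);
    }
}

// Simulated card (hypothetical class): holds the same key and algorithm as the terminal.
class SimulatedCard
{
    private readonly byte[] _key;
    private byte[]? _challenge;                // valid for one attempt only
    public SimulatedCard(byte[] key) => _key = key;
    // GET CHALLENGE (INS 0x84): fresh random bytes followed by SW 90 00.
    public byte[] GetChallenge(int le) =>
        (_challenge = RandomNumberGenerator.GetBytes(le)).Concat(new byte[] { 0x90, 0x00 }).ToArray();
    // EXTERNAL AUTHENTICATE (INS 0x82): the card recomputes the cryptogram and compares.
    public byte[] ExternalAuthenticate(byte[] apdu)
    {
        if (_challenge == null || apdu.Length < 5)
            return new byte[] { 0x69, 0x85 };  // no pending challenge (or truncated APDU)
        byte[] expected = Crypto.EncryptBlock(_key, _challenge);
        _challenge = null;                     // a replayed cryptogram must fail
        return CryptographicOperations.FixedTimeEquals(expected, apdu.AsSpan(5))
            ? new byte[] { 0x90, 0x00 } : new byte[] { 0x63, 0x00 };
    }
}
```

Neither the key nor the algorithm ever crosses the interface; only the challenge and the cryptogram do.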