2

I have a bunch of GlobalPlatform 2.2.1 JavaCards which I (currently) manage using GlobalPlatformPro. I want to lock them using PSKs like gpp -lock PSK.

However, I want to use individual PSKs for each card so I could give the PSK to the cardholder upon request (so they can install applets of their choosing). Ideally, I would derive the PSKs from a combination of a master key and the card UID (or AID or combination of both etc.) using a key derivation algorithm.

I noticed that gpp has the --lock-kdf-option but I couldn't find any documentation on it except the --help output: "Use KDF with lock key".

  • Is gpp in fact capable of this type of key diversification e.g. like AN10922, Visa2, EMV-CPS..? or should I use different/additional tooling for that?
  • Can I use gpp -lock-kdf MASTERKEY just like -lock but with the increased security of different keys being used for each card?
  • Would I then use gpp -key-kdf MASTERKEY to manage the card analoguous to using -key?
  • How can I obtain the diversified PSK for a card locked this way to give to the card holder without compromising the security of other cards?
Gamification
  • 787
  • 5
  • 20
  • 1
    GP key derivation is almost a chapter all by itself. Getting the (free after registration) GP documentation is highly recommended. I always forget which document contains the key derivation, but the one with the Card API probably references it. – Maarten Bodewes Jul 04 '21 at 17:27
  • 2
    A GP card does return with the GET DATA tag 0x00CF the diversification data. This data can be used together with a master key to get a set of derived keys. E.g the EMV CPS 11 scheme is using this. See for the algorithm https://github.com/kaoh/globalplatform/blob/master/globalplatform/src/globalplatform.c#L4024 – k_o_ Jul 04 '21 at 17:36
  • Thank you so much for your comments, getting into this topic is hard, discourse and resources are sparse. @MaartenBodewes If you mean [these specifications](https://globalplatform.org/wp-content/uploads/2018/05/GPC_CardSpecification_v2.3.1_PublicRelease_CC.pdf) don't cover diversifying the keys. To clarify: I'm not talking about session keys, I only want to generate unique authentication keys off-card from a master key, e.g. as described [here](https://www.nxp.com/docs/en/application-note/AN10922.pdf) – Gamification Jul 04 '21 at 17:53
  • @k_o_ can you recommend tooling that supports diversification? GlobalPlatformPro seems to support this in some way but it lacks documentation and I'm afraid to brick my card. The source you linked is from a library and I assume that being a beginner I'd be ill-advised to write my own tooling on top of that library. – Gamification Jul 04 '21 at 18:00
  • @k_o_ I will give GPshell a try – Gamification Jul 04 '21 at 18:18
  • @Gamification I don't know of any tools just providing the key derivation part. GPShell and GlobalPlatform are developed by myself, hence I was aware of the line of code describing what it does. GPShell has a similar goal like GPPro, not sure if you would face similar limitations, both are not key management tools backed by a server able to store all the necessary data for a batch of cards. This GPShell script should return the diversification data: https://gist.github.com/kaoh/bd80923ead4e47e9c715fde34f0eb528 (if your card supports it) – k_o_ Jul 05 '21 at 19:28
  • Thanks that's great! My GPshell 2.0.0 build segfaults so I'll have to look into that another day and we might meet again in the github issues :) – Gamification Jul 06 '21 at 11:37

1 Answers1

0

With the help in the comments and the realization that gpp has a wiki I'm starting to be able to answer some questions:

GlobalPlatformPro, like most GlobalPlatform implementations supports different algorithms for key diversification (namely emv, visa2, kdf3) as documented here, e.g.

gpp -lock emv:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
Looking at key version
YYYYYYYYYYYYYYYY locked with: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Keys were diversified with EMV and ZZZZZZZZZZZZZZZZZZZZ
Write this down, DO NOT FORGET/LOSE IT!

With the new syntax, in gpp using a diversified key works just like with a static key except diversification algorithm has to be specified like emv:

Remains the question how to know the PSK of an individual card that was locked using a diversified master key. Please correct me if I'm wrong but this isn't possible because diversified keys are not static. Note how the emv-diversified keys differ for the lock and unlock procedure and how unlocking with the enc/mac/dek-keys generated for locking fails:

$ gpp -verbose -lock emv:$(cat master_key)
…
Warning: no keys given, defaulting to 404142434445464748494A4B4C4D4E4F
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
[INFO] GPSession - Diversified card keys: ENC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) MAC=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) DEK=404142434445464748494A4B4C4D4E4F (KCV: 8BAF47) for SCP02
…
A000000003000000 locked with: …
Keys were diversified with EMV and …
Write this down, DO NOT FORGET/LOSE IT!
$ gpp --unlock --key-enc 404142434445464748494A4B4C4D4E4F --key-mac 404142434445464748494A4B4C4D4E4F --key-dek 404142434445464748494A4B4C4D4E4F
Failed to open secure channel: Card cryptogram invalid!
…
$ gpp -verbose -unlock -key emv:$(cat master_key)
…
[INFO] GPSession - Using card master keys with version 0 for setting up session [MAC] 
[INFO] GPSession - Diversified card keys: ENC=89EF06C10723B737246259BE40B918C3 (KCV: 787239) MAC=49913E9A80E1B6128AF6C3AAEF0B6062 (KCV: D52C48) DEK=E63A8D78628F2E0FA6B4AC73669087DD (KCV: D1F762) for SCP02 with EMV
…
Default 404142434445464748494A4B4C4D4E4F set as key for …

Apparently, my question lacks basic understanding of how this type of key diversification works. To achieve what I want, I guess I will either have to "diversify" (in a non-globalplatform sense) static keys myself (e.g. using openssl -hmac) or simply generate per-card random keys and keep them safe in a list/database.

I'm now looking for tooling that supports key management in any such manner and one candidate I found is pyresman which can apparently manage/select keys and excecute GPshell scripts but hasn't been updated for four years.

Gamification
  • 787
  • 5
  • 20