
Comments (8)

martinpaljak commented on June 11, 2024

What about extending the command-line -key option with opts:key:kcv and adding an optional kcv parameter to the key class? I expect key validation to happen before invoking GPPro commands or API, normally.

from globalplatformpro.

dancvrcek commented on June 11, 2024

Yes, validation should be upon entry. An opts --kcv sounds good. It would be great to enforce use of this when the "production" switch (#36) is used.


martinpaljak commented on June 11, 2024

Just to clarify: for a KCV you mean the same algorithm that is used for PUT KEY? KCV could mean anything and could be proprietary, unless referencing some known algorithm in a public specification (same for other key derivation methods, and there's plenty of proprietary stuff in the smart card field). I'm thinking of rewriting the whole key argument handling but don't yet have a great idea how. Eventually it would be nice if the key could be provided with a kcv in one argument (like the des: and aes: prefixes currently work). But the relaxed hex parsing of the key options is also something I'd like to keep (easy copy-paste from e-mails, documentation etc.), so some heuristics need to be done. Will do that on my next sprint on GP.


martinpaljak commented on June 11, 2024

But please clarify the kcv algorithm or provide a reference implementation or some other link. Otherwise I assume PUT KEY semantics?


dancvrcek commented on June 11, 2024

Yes, PUT KEY - there is an industry standard that basically says the KCV is the first 24 bits (in hex format) of a zero string encrypted with a given key.
"- The KCV is the "Key Check Value" for the key, calculated by assuming the key/components are 3DES keys, and encrypting a string of binary zeroes. The KCV is the first six hex digits of the resulting ciphertext."

It is mainly used for DES/3DES but I've seen applications for AES keys as well. Here's one online calculator working for DES/3DES only: http://extranet.cryptomathic.com/keyshares/index

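An added example, not code from GlobalPlatformPro or from either commenter: validating a key on entry with the KCV rule quoted above (encrypt a block of binary zeroes, keep the first six hex digits), using only the Go standard library. The names `KCV` and `CheckKey` are hypothetical, the 40..4F key with check value 8BAF47 is constructed sample input, and applying the same zero-block rule to AES is an assumption taken from the comment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCV (hypothetical helper) encrypts one all-zero block under key and returns
// the first three ciphertext bytes as six hex digits. alg is "des" or "aes".
func KCV(alg string, key []byte) (kcv string, err error) {
	var c cipher.Block
	switch alg {
	case "aes": // assumption: same zero-block rule as for DES/3DES
		c, err = aes.NewCipher(key)
	case "des":
		k := append([]byte{}, key...)
		for len(k) == 8 || len(k) == 16 { // K1 -> K1|K1|K1, K1|K2 -> K1|K2|K1
			k = append(k, key[:8]...)
		}
		c, err = des.NewTripleDESCipher(k)
	default:
		err = fmt.Errorf("unknown algorithm %q", alg)
	}
	if err != nil {
		return "", err
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, make([]byte, c.BlockSize()))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// CheckKey (hypothetical) decodes a loosely formatted hex key and checks its KCV.
func CheckKey(alg, keyHex, kcvHex string) error {
	key, err := hex.DecodeString(strings.NewReplacer(" ", "", ":", "", "-", "").Replace(keyHex))
	if err != nil {
		return fmt.Errorf("key is not valid hex: %w", err)
	}
	got, err := KCV(alg, key)
	if want := strings.ToUpper(strings.TrimSpace(kcvHex)); err == nil && got != want {
		err = fmt.Errorf("KCV mismatch: computed %s, expected %s", got, want)
	}
	return err
}

func main() { fmt.Println(CheckKey("des", "40 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F", "8BAF47")) }
```

DES ignores the low (parity) bit of every key byte, so a KCV check cannot catch a typo confined to those bits; any other single-digit error changes the check value with overwhelming probability.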

martinpaljak commented on June 11, 2024

So my idea would be to drop the current -mac/-enc/-kek command line options (but still allow specifying different keys from the API, if they are not derived from a single derived card key) for a single -key and a -kcv.


martinpaljak commented on June 11, 2024

Just to add - the kcv method currently works for 3des as well as aes.


dancvrcek commented on June 11, 2024

Works, cool! I like this. Just one comment about toString(), I will file it as a new request.

