3
votes

I want to change the GlobalPlatform default key for loading applets and secure messaging to the card manager. I could change my Gemalto default GP card key successfully using the commands below:

mode_211
enable_trace
establish_context
card_connect -readerNumber 1
select -AID A000000018434D00
open_sc -security 1 -keyind 0 -keyver 1 -key 47454d5850524553534f53414d504c45  -keyDerivation visa2 // Open secure channel
put_sc_key -keyver 0 -newkeyver 1 -key 505152535455565758595a5b5c5d5e5f // Put secure channel keys
card_disconnect
release_context

But when I want to open a secure channel to the card manager with the new key, the cryptogram produced on the host side doesn't match the card side. The old key doesn't work either. The commands for authentication to the card manager are:

open_sc -security 1 -keyind 0 -keyver 0 -key 505152535455565758595a5b5c5d5e5f  -keyDerivation visa2 // Open secure channel

I also tested

open_sc -security 1 -keyind 0 -keyver 1 -key 505152535455565758595a5b5c5d5e5f  -keyDerivation visa2 // Open secure channel

and

open_sc -security 1 -keyind 1 -keyver 0 -key 505152535455565758595a5b5c5d5e5f  -keyDerivation visa2 // Open secure channel

and

open_sc -security 1 -keyind 1 -keyver 0 -key 505152535455565758595a5b5c5d5e5f  -keyDerivation visa2 // Open secure channel

I also tested the process with smartcafe smart expert 3.2 (G&D card) and the results are the same.

I would appreciate it if anyone can help me.

1
I see you changing only one key. I guess you should also change key #2 which, if I remember correctly, is the MAC key used for authentication. So that one is probably still at the old value. If this educated guess is correct please notify me so I can change it into an answer.
Maarten Bodewes

1 Answer

1
votes

You need to use:

open_sc -security 1 -key 505152535455565758595a5b5c5d5e5f

as the new key is not diversified (derived) and you must use it directly.

Good luck!


And beware that there is a limit on unsuccessful authentications -- you might lock your card.
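
Why the host cryptogram stops matching when `-keyDerivation visa2` is kept, as an added example that is not part of the original question or answer. It assumes the VISA2 layout as implemented in the open-source GlobalPlatform library (two-key 3DES-ECB over blocks built from the key diversification data), the `openssl` command-line tool, and a constructed KDD value; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: VISA2 key diversification (assumed layout, see lead-in).
# Shows that a key opened with "-keyDerivation visa2" is not the key value
# that put_sc_key stored on the card.

# hex2bin HEX: write the bytes of an even-length hex string to stdout.
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}
        byte=${h%"$rest"}
        printf "\\$(printf '%03o' "0x$byte")"
        h=$rest
    done
}

# visa2_derive KEY_HEX KDD_HEX TYPE: print the derived 16-byte key as hex.
# TYPE is 01 (S-ENC), 02 (S-MAC) or 03 (DEK). KDD is the 10-byte key
# diversification data from the INITIALIZE UPDATE response.
visa2_derive() {
    id=$(printf '%s' "$2" | cut -c1-4)     # KDD bytes 0-1
    sn=$(printf '%s' "$2" | cut -c9-16)    # KDD bytes 4-7
    data="${id}${sn}F0$3${id}${sn}0F$3"    # 16-byte derivation block
    hex2bin "$data" | openssl enc -des-ede-ecb -K "$1" -nopad |
        od -An -v -tx1 | tr -d ' \n'
}

NEWKEY=505152535455565758595a5b5c5d5e5f    # key written by put_sc_key above
KDD=1a2b3c4d5e6f70819203                   # constructed sample, not from a real card

echo "key stored on the card       : $NEWKEY"
echo "S-ENC the host derives (visa2): $(visa2_derive "$NEWKEY" "$KDD" 01)"
echo "S-MAC the host derives (visa2): $(visa2_derive "$NEWKEY" "$KDD" 02)"
```

The card computes its cryptogram from the stored value, while a host that still applies the derivation starts from a different key, so the comparison fails and the card's failed-authentication counter advances.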