Is this a vulnerability in my smart card .cap verifier and its atomicity?

I reset my smart card using JCManager:
:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 73 A2 DC F8 5D 56 48 B2
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CB F8 CB B2 CC 73 6F A5 16 2B 6D 46 94 0F 13 90 00
DEBUG: Command  APDU: 84 82 00 00 10 36 0E 2D D6 F4 6C 65 E0 C4 EC A4 8C 96 D1 80 6A
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 36 0E 2D D6 F4 6C 65 E0
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E


:::>

Then I uploaded a .cap file onto it:

:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 39 CF 9A 58 C1 02 16 88
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 D0 C7 78 48 8C D6 C9 9D B1 9F FF 45 23 89 26 90 00
DEBUG: Command  APDU: 84 82 00 00 10 EA 3A 38 56 6D 7B 9D 73 BB EF 4A 1B C5 DD 58 6C
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 EA 3A 38 56 6D 7B 9D 73
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 30 30 30 31 07 00 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 30 30 30 31 07 00 90 00
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E

AID: 6D 79 70 61 63 30 30 30 31                    |mypac0001|       App LC: 7 PR: 0x00

AID: 6D 79 70 61 63 6B 61 67 31                    |mypackag1|       Exe LC: 1 PR: 0x00


:::

As shown above, two new AIDs were uploaded.

Q1: Which one is the applet and which one is the package? Why?

I can successfully send a SELECT command to both. This is the output of my tool when I send the SELECT commands:

Answer-to-Reset
3B  68  00  00  00  73  C8  40  12  00  90  00  

# CLA|INS|P1|P2|Lc|Le
# Data Field
# Status Word

< 00 A4 04 00 09 00
< 6D 79 70 61 63 30 30 30 31
> 9000

< 00 A4 04 00 09 00
< 6D 79 70 61 63 6B 61 67 31
> 9000

Then I reset the card again using JCManager:

:::> gpj -list

:::> java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 73 A2 DC F8 5D 56 48 B2
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CB F8 CB B2 CC 73 6F A5 16 2B 6D 46 94 0F 13 90 00
DEBUG: Command  APDU: 84 82 00 00 10 36 0E 2D D6 F4 6C 65 E0 C4 EC A4 8C 96 D1 80 6A
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 36 0E 2D D6 F4 6C 65 E0
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 6A 88
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E


:::>

Then I used HDD Hex Editor Neo (a binary file editor for Windows) to change some bytes of the same .cap file.

Finally I tried to upload this new .cap file to the card:

As you can see, the upload was not successful. I ran another gpj -list command, and this is the output:

:::gpj -list

:::java -jar gpj.jar -list

Found terminals: [PC/SC terminal ACS CCID USB Reader 0]
Found card in terminal: ACS CCID USB Reader 0

ATR: 3B 68 00 00 00 73 C8 40 12 00 90 00

DEBUG: Command  APDU: 00 A4 04 00 08 A0 00 00 00 03 00 00 00
DEBUG: Response APDU: 6F 10 84 08 A0 00 00 00 03 00 00 00 A5 04 9F 65 01 FF 90 00
Successfully selected Security Domain OP201a A0 00 00 00 03 00 00 00

DEBUG: Command  APDU: 80 50 00 00 08 03 97 15 70 2B 1F E1 9B
DEBUG: Response APDU: 00 00 11 60 01 00 8A 79 0A F9 FF 02 00 CE AF 71 EB 5D 50 0F 81 F5 7B FB 7B 51 B4 6D 90 00

DEBUG: Command  APDU: 84 82 00 00 10 AF 86 13 9F C7 8E BC BE 8A 91 97 6A 26 CF 69 E1
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 84 82 00 00 08 AF 86 13 9F C7 8E BC BE
DEBUG: Response APDU: 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 80 00 02 4F 00
DEBUG: Response APDU: 08 A0 00 00 00 03 00 00 00 01 9E 90 00
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 40 00 02 4F 00
DEBUG: Response APDU: 6A 88
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 10 00 02 4F 00
DEBUG: Response APDU: 6A 81
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
DEBUG: Command  APDU: 80 F2 20 00 02 4F 00
DEBUG: Response APDU: 09 6D 79 70 61 63 6B 61 67 31 01 00 90 00
AID: A0 00 00 00 03 00 00 00                       |........|        ISD LC: 1 PR: 0x9E

AID: 6D 79 70 61 63 6B 61 67 31                    |mypackag1|       Exe LC: 1 PR: 0x00

:::

Now the main question:

Q2: Why do I see two AIDs in the output? I thought that, for security reasons, the JCRE must prevent incomplete applet installations, right?

Note that when I send a SELECT command to this AID, I receive 6A82 [File or application not found]. If it does not exist, why does the card return its AID in the list-applets command?

Does this violate atomicity? Could it be a vulnerability in the installer? Does it compromise the security of my smart card?

You clearly cannot interpret the output of the tool, and gpj does not really make it easy.

Applet AIDs and package AIDs are different things, and only selectable applets can be selected. Not to mention the issuer security domain, which is a different matter in the first place.

Also, please do not use gpj; it means you are using an old version (the sf.net account has been locked, so there is no information there). The new version is available here: https://github.com/martinpaljak/GlobalPlatformPro

Among other things, it shows the list of objects on the card in a more readable way. Look for the things marked SELECTABLE: those are the applications.

Do not use jcManager "reset card" on any card; it blindly deletes everything it can. Some cards expose components that live in ROM, and if those are deleted unintentionally you lose them forever.
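As an added example (not code from the question, the answer, gpj or GlobalPlatformPro), the following decoder walks through the GET STATUS exchanges (CLA 80, INS F2) that gpj -list issues in the dumps above. It assumes the GlobalPlatform 2.1.1 non-TLV response layout, one [AID length][AID][life-cycle][privileges] entry per object, and the life-cycle encodings from that specification; P1 selects the registry (80 ISD, 40 applications, 20 executable load files, 10 load files with modules). Fed the three rounds quoted in the question, it shows that after the failed upload the card holds the executable load file mypackag1 in state LOADED and no application at all, so there is nothing SELECTABLE, which is exactly what a 6A82 on SELECT reflects.

```python
"""Decode GlobalPlatform GET STATUS (CLA 80, INS F2) responses.

Added example; not code from the original post, gpj or GlobalPlatformPro.
Assumes the GP 2.1.1 response format without TLV (P2 = 00): a sequence of
[AID length][AID][life-cycle state][privileges] entries, then the status word.
Life-cycle names follow the GlobalPlatform Card Specification 2.1.1 tables.
"""
from dataclasses import dataclass

# GET STATUS P1 values select which on-card registry is listed.
P1_ISD, P1_APPLICATIONS, P1_LOAD_FILES_MODULES, P1_LOAD_FILES = 0x80, 0x40, 0x10, 0x20
KIND = {P1_ISD: "ISD", P1_APPLICATIONS: "Application",
        P1_LOAD_FILES_MODULES: "Executable Load File + modules",
        P1_LOAD_FILES: "Executable Load File"}

ISD_STATES = {0x01: "OP_READY", 0x07: "INITIALIZED", 0x0F: "SECURED",
              0x7F: "CARD_LOCKED", 0xFF: "TERMINATED"}


def application_state(lc: int) -> str:
    """INSTALLED = 0x03, SELECTABLE = 0x07 (bits 3..6 free for applet-specific
    states), bit 7 set = LOCKED. Only SELECTABLE applications answer SELECT."""
    base, locked = lc & 0x7F, bool(lc & 0x80)
    if base == 0x03:
        name = "INSTALLED"
    elif base & 0x07 == 0x07:
        name = "SELECTABLE" if base == 0x07 else f"SELECTABLE+0x{base & 0x78:02X}"
    else:
        name = f"UNKNOWN(0x{lc:02X})"
    return name + (" LOCKED" if locked else "")


def state_name(p1: int, lc: int) -> str:
    if p1 == P1_ISD:
        return ISD_STATES.get(lc, f"UNKNOWN(0x{lc:02X})")
    if p1 == P1_APPLICATIONS:
        return application_state(lc)
    return "LOADED" if lc == 0x01 else f"UNKNOWN(0x{lc:02X})"   # executable load files


@dataclass(frozen=True)
class Entry:
    kind: str
    aid: str          # hex, no spaces
    label: str        # printable-ASCII rendering of the AID, like gpj's |...| column
    life_cycle: int
    state: str
    privileges: int


def parse_get_status(p1: int, response_hex: str) -> list[Entry]:
    """Return the registry entries carried by one GET STATUS response.

    6A 88 (referenced data not found) means "no objects of this kind" and
    6A 81 (function not supported) means the card cannot list that registry;
    both yield an empty list. Any other non-9000 status word is an error.
    """
    resp = bytes.fromhex(response_hex)
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw, body = int.from_bytes(resp[-2:], "big"), resp[:-2]
    if sw in (0x6A88, 0x6A81):
        return []
    if sw != 0x9000:
        raise ValueError(f"GET STATUS failed: SW={sw:04X}")
    entries, i = [], 0
    while i < len(body):
        n = body[i]
        if i + n + 3 > len(body):
            raise ValueError("truncated registry entry")
        aid, lc, priv = body[i + 1:i + 1 + n], body[i + 1 + n], body[i + 2 + n]
        label = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in aid)
        entries.append(Entry(KIND[p1], aid.hex().upper(), label, lc, state_name(p1, lc), priv))
        i += n + 3
    return entries


def parse_snapshot(exchanges: dict[int, str]) -> list[Entry]:
    """Decode one whole gpj -list round given as {P1: response APDU hex}."""
    return [e for p1 in sorted(exchanges, reverse=True) for e in parse_get_status(p1, exchanges[p1])]


def selectable_aids(entries: list[Entry]) -> list[str]:
    """Only these answer SELECT; executable load files never do, whatever their AID."""
    return [e.aid for e in entries
            if e.kind == "Application" and e.state.startswith("SELECTABLE") and "LOCKED" not in e.state]


# The three gpj -list rounds quoted in the question, as {P1: response APDU}.
AFTER_RESET = {0x80: "08 A0 00 00 00 03 00 00 00 01 9E 90 00", 0x40: "6A 88", 0x10: "6A 81", 0x20: "6A 88"}
AFTER_LOAD = {0x80: "08 A0 00 00 00 03 00 00 00 01 9E 90 00",
              0x40: "09 6D 79 70 61 63 30 30 30 31 07 00 90 00",
              0x10: "6A 81",
              0x20: "09 6D 79 70 61 63 6B 61 67 31 01 00 90 00"}
AFTER_FAILED_LOAD = {0x80: "08 A0 00 00 00 03 00 00 00 01 9E 90 00", 0x40: "6A 88", 0x10: "6A 81",
                     0x20: "09 6D 79 70 61 63 6B 61 67 31 01 00 90 00"}

if __name__ == "__main__":
    for name, snap in (("after reset", AFTER_RESET), ("after load", AFTER_LOAD),
                       ("after failed load", AFTER_FAILED_LOAD)):
        entries = parse_snapshot(snap)
        print(f"== {name} ==")
        for e in entries:
            print(f"  {e.kind:22} |{e.label:10}| {e.aid}  LC=0x{e.life_cycle:02X} ({e.state})  PR=0x{e.privileges:02X}")
        print("  selectable:", selectable_aids(entries) or "none")
```

Read this way, the gpj columns in the dumps are just the raw life-cycle byte (LC) and privilege byte (PR) of each entry: mypac0001 is an application in state 0x07 (SELECTABLE), mypackag1 is an executable load file in state 0x01 (LOADED), and the third round contains only the load file, so the registry is consistent rather than half-installed.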