Reading data from European DTCO company cards

I need to be able to read card and company identification data from European digital tachograph company cards (smart cards). These are described within the document COMMISSION REGULATION (EC) No 1360/2002 but I have run into a problem. The data I need to be able to read is contained within the file EF Identification, which must be read with secure messaging and I therefore need to issue a Manage Secure Environment APDU command that requires a key identifier that identifies a key residing on the card.

I don't know where to find these key identifiers or the data that makes them up (described in an appendix of the document). I am waiting for feedback from our partners in Europe but thought I would take a chance and ask here in the hope that someone will have done this and be able to offer some advice.

The key identifier is made up of an equipment serial number, a date, a manufacturer code and a manufacturer specific type. This suggests a problem as I need to be able to access the data from any company card, regardless of manufacturer, issuer or holder. Not sure how I can get the data to compose the key.

I realise that this is pretty specialised information but have been stalled for over a week so am pretty desperate to find a solution so I can continue.

asked May 22 '12 at 16:05

2 Answers

I believe that you first have to obtain a certificate from a country CA. You can then perform the following algorithm (simplified from Appendix 11, section 4):

  1. Select and read the card certificate (EF_CERTIFICATE)
  2. Issue a Manage Security Environment command to select the Root CA public key
  3. Issue a Verify Certificate with the country CA certificate
  4. Issue a Manage Security Environment command to select the country CA public key
  5. Issue a Verify Certificate with your certificate
  6. Issue a Manage Security Environment command to select your public key
  7. Issue an Internal authenticate command. Verify response.
  8. Issue a Get Challenge command
  9. Issue an External authenticate command
  10. Calculate the session key
  11. Perform a Read Binary command using secure messaging (you need the session key to calculate the checksum and decrypt the result).

answered May 30 '12 at 19:05

Thank you for your help but it turns out, and we learned this only yesterday, that we have no need to do any of this. The application we have been commissioned to replace does not access the secure information on the card but uses an open non-application-related serial number (cardExtendedSerialNumber from EF ICC) to identify which card is in which reader and uses this with the user-entered application-specific card number to create a table that can be used to address the reader containing a specific card. We have been told to simply do the same. - Steve Crane

@Steve: Ah, much simpler. Thank you for posting a follow-up. - Rasmus Faber

I don't know the standard, but I would assume that you read out EF Card_Certificate, recover the certificate content and extract the key identifier from that.

Assuming you have the root certificate (it is published here: http://dtc.jrc.it/erca_of_doc/EC_PK.zip), you will need to:

  1. Read EF CA_Certificate
  2. Follow the algorithm in Appendix 11, section 3.3.3
  3. Extract the CA public key from the certificate content
  4. Read EF Card_Certificate
  5. Follow the algorithm in Appendix 11, section 3.3.3
  6. The Key Identifier should now be byte 20-27 of the recovered certificate content.

answered May 25 '12 at 11:05

I wondered if that would be possible. I can already read the Card_Certificate and I'll dig through the specification and see if it contains the identifier I need. - Steve Crane

@Steve Crane: I skimmed through the standard and added a few more pointers. - Rasmus Faber

Thank you, this is most helpful. Trying to follow that standard is not too easy if you aren't familiar with working with smart cards, keys and certificates. - Steve Crane

Making some progress but still struggling a little. When you said "Assuming you have the root certificate", does this mean we need to have a certificate from somewhere other than the card in order to complete the authentication process? I don't have such a certificate. How do you get one? As we are writing an application that needs one, do we need to request that some authority issue us with one? - Steve Crane

@Steve Crane: I believe the root certificate is the one published by ERCA. - Rasmus Faber
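The certificate unwrapping that the second answer outlines (its steps 2 and 5, the Appendix 11 section 3.3.3 algorithm, followed by reading the Key Identifier at bytes 20-27 in step 6), as an added, self-contained example that is not code from the original post or from any tachograph or card vendor. It generates a throw-away RSA key pair as a stand-in CA (this is not the ERCA key and the certificate is constructed, not read from a card), signs a constructed 164-byte certificate content with the ISO/IEC 9796-2 style partial-recovery scheme, then recovers the content and extracts CHR. The 194-byte certificate layout (Sr || Cn' || CAR), the 164-byte content layout (CPI, CAR, CHA, EOV, CHR, n, e) and the 0x6A/0xBC framing are the editor's reading of Appendix 11; the CPI, CAR, CHA and EOV values are placeholders.

```python
import hashlib
import secrets

# Layout assumptions (editor's reading of Appendix 11, Reg. (EC) 1360/2002):
# certificate = Sr (128 bytes) || Cn' (58 bytes) || CAR (8 bytes)
# recovered content C' (164 bytes) = CPI(1) CAR(8) CHA(7) EOV(4) CHR(8) n(128) e(8)
MODULUS_BYTES = 128
CR_LEN = 106                      # part of C' carried inside the signature
CN_LEN = 58                       # part of C' sent in clear
CHR_OFFSET, CHR_LEN = 20, 8       # Key Identifier = bytes 20..27 of C'

_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _is_probable_prime(n, rounds=16):
    """Trial division plus Miller-Rabin; fine for a throw-away test key."""
    if n < 2 or any(n % p == 0 for p in _SMALL_PRIMES if n != p):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand


def make_test_key():
    """Constructed 1024-bit RSA key (n, e, d); a stand-in, NOT the ERCA key."""
    e = 65537
    while True:
        p, q = _random_prime(512), _random_prime(512)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def sample_content(holder_n, holder_e, chr_bytes):
    """Constructed 164-byte content; CPI/CAR/CHA/EOV are placeholder values."""
    cpi = b"\x01"
    car = b"\x11" * 8                                   # placeholder CAR
    cha = b"\x22" * 7                                   # placeholder CHA
    eov = b"\xff" * 4                                   # placeholder EOV
    return (cpi + car + cha + eov + chr_bytes
            + holder_n.to_bytes(MODULUS_BYTES, "big") + holder_e.to_bytes(8, "big"))


def build_certificate(ca_key, content):
    """Sign content as the CA would: Sr = (0x6A || Cr || SHA1(C') || 0xBC)^d mod n."""
    n, _e, d = ca_key
    if len(content) != CR_LEN + CN_LEN:
        raise ValueError("content must be 164 bytes")
    cr, cn = content[:CR_LEN], content[CR_LEN:]
    m = b"\x6a" + cr + hashlib.sha1(content).digest() + b"\xbc"   # 128 bytes, < n
    sr = pow(int.from_bytes(m, "big"), d, n).to_bytes(MODULUS_BYTES, "big")
    return sr + cn + content[1:9]                       # CAR repeated in clear


def unwrap_certificate(cert, ca_public):
    """Appendix 11 section 3.3.3 style recovery; returns C' or None on any failure."""
    n, e = ca_public
    if len(cert) != MODULUS_BYTES + CN_LEN + 8:
        return None
    sr, cn, car = cert[:MODULUS_BYTES], cert[MODULUS_BYTES:-8], cert[-8:]
    srp = pow(int.from_bytes(sr, "big"), e, n).to_bytes(MODULUS_BYTES, "big")
    if srp[0] != 0x6A or srp[-1] != 0xBC:               # framing check
        return None
    cr, h = srp[1:1 + CR_LEN], srp[1 + CR_LEN:1 + CR_LEN + 20]
    content = cr + cn
    if hashlib.sha1(content).digest() != h:             # hash check binds Cn' to Sr
        return None
    if content[1:9] != car:                             # CAR in content must match trailer
        return None
    return content


def key_identifier(content):
    """CHR, the Key Identifier the Manage Security Environment command needs."""
    return content[CHR_OFFSET:CHR_OFFSET + CHR_LEN]


if __name__ == "__main__":
    ca = make_test_key()
    card_n, card_e, _ = make_test_key()                 # stand-in card key pair
    chr_value = bytes.fromhex("0102030405060708")       # constructed Key Identifier
    cert = build_certificate(ca, sample_content(card_n, card_e, chr_value))
    recovered = unwrap_certificate(cert, ca[:2])
    print("Key Identifier:", key_identifier(recovered).hex())
```

With a real card the same `unwrap_certificate` would be run twice, as the answer says: first on EF CA_Certificate with the ERCA public key from EC_PK.zip to obtain the member state CA key, then on EF Card_Certificate with that CA key. The hash and framing checks are what make the recovered CHR trustworthy; skipping them would let a forged certificate supply any Key Identifier.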
