How to design a secure session key distribution?
i am having some problem in key distribution using DES ,ElGamal, HMAC and MEYER 82. can any one help me with the distribution stucture?
user13404668 wrote:
But it is not acceptable to us every time we send the selected organization and the sector.
Why is that ? Its a perfectly valid pattern when using SLSB.
regards,
ram.
Similar Messages
-
How to find my security (network) key?
How to find my security(network) key for Airport Extreme?
Manufacturers use the word "key" to mean the wireless network "password" or "passphrase" for your network.
The actual "key" is 64 characters long. I doubt that this is what you are looking for, but if you want to see it......
Open Macintosh HD > Applications > Utilities > AirPort Utility
Click on the AirPort Extreme icon
Click Edit in the smaller window that appears
Click the Base Station menu at the top of the screen
Click Show Passwords -
How to design a Structure without Key figures in Row.
Hi Experts,
Could you please advise me how to design
Keyfigure Current year(2013)
Keyfigure previous year(2012)
attached csv file .
Keyfigure Current year(2013)
Keyfigure previous year(2012)
Calday
01-09-2013
02-09-2013
03-09-2013
04-09-2013
05-09-2013
06-09-2013
Regards,
shanHi,
Please let us know what is the output needed in keyfigures?
Current year(2013)
previous year(2012)
Calday
01-09-2013
02-09-2013
03-09-2013
04-09-2013
05-09-2013
06-09-2013 -
How to design a EJB session beans for a example ERP case study?
Hello to everyone,
We have a huge dilemma on how to organize our Beans to support the use case in an information system such as ERP.
In the use case user after logded in selecting one of the organization and specific sector that works for. (Background logic check relations between user and organizations, user rights, organization states ets.) After the selection of organizations and sectors, users all the time working with these parameters calling different modules of ERP systems and different activities.
According to the logic of things, to keep certain parameters we should use a Stateful Beans.
On the other hand, becouse of performance reasons and our need to open a business logic with a service (REST) we woud like to use Stateless Beans. But it is not acceptable to us every time we send the selected organization and the sector.
It would be ideal if they could are using an Stateless Beans and that they can somehow to access something like "SessionContext in Web applications", where the logged user kept details of the selected parameters.
We studied many tutorials, but all are based on simple examples, which do not cover our case.
Are there any best practice recommendations on how to solve the problems of a similar type?user13404668 wrote:
But it is not acceptable to us every time we send the selected organization and the sector.
Why is that ? Its a perfectly valid pattern when using SLSB.
regards,
ram. -
Enable secure session cookie on Sun ONE Web Server 6.1
How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view -
How to search in BI 7.1 query designer for the required key figures & chars
Hi All,
Can anyone plz tell me how to search in BI 7.1 query designer for the required key figures & characteristics. I have the query being built on a multiprovider which has many cubes.
So, i have a huge list of key figures and characteristics. I am not able to search for the required one by the name or the technical name.
How can we search and pick the required object from the enormous list of the Mutliprovider in the Bex Query Designer??
Thanks
PhaniThere is not a search feature available. You have to do an educated guess under what dimension your infoobject could be and select.
-
Iam using iPlanet 6.0SP6 in NT 4.0.
I would like to make the session cookie JSESSIONID to be transfer only on secure connection.
Then, I make the change to web-apps.xml as below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<session-cookie is-secure="true"></session-cookie>
</vs>
After that, I restart the iplanet web server and load the page with I.E. again. I see that the cookie is still passed with non-secure mode.
Is there any wrong with my web-apps.xml?Janice,
Thanks for your help.
When I use the below web-apps.xml, I can make the cookie in secure session.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
"http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
<vs>
<web-app uri="/" dir="d:/java/docroot" enable="true">
<session-manager class="com.iplanet.server.http.session.IWSSessionManager">
<init-param>
<param-name>maxSessions</param-name>
<param-value>16000</param-value>
</init-param>
<init-param>
<param-name>timeOut</param-name>
<param-value>7200</param-value>
</init-param>
<init-param>
<param-name>reapInterval</param-name>
<param-value>30</param-value>
</init-param>
<init-param>
<param-name>maxValueSize</param-name>
<param-value>8192</param-value>
</init-param>
</session-manager>
<session-cookie is-secure="true"/>
</web-app>
</vs>
However, when I configure more on the web applicaiton with the web.xml, I check that the cookie no more secure.
THe web.xml is
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<display-name>Trade Info Exchange</display-name>
<description>
Trade Info Exchange
</description>
<!-- Define servlets that are included in the example application -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fmenu</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FmenuServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fmenu</servlet-name>
<url-pattern>/Fmenu</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Fcontent</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.FcontentServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Fcontent</servlet-name>
<url-pattern>/Fcontent</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Express</servlet-name>
<servlet-class>com.chase.apps.express.servlet.EXPRESS2</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Express</servlet-name>
<url-pattern>/EXPRESS2</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>AppControl</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.AppControlServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AppControl</servlet-name>
<url-pattern>/AppControl</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>errorPage</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.errorPage</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>errorPage</servlet-name>
<url-pattern>/errorPage</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>LoginFail</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LoginFailServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginFail</servlet-name>
<url-pattern>/LoginFail</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Logout</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.LogoutServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Logout</servlet-name>
<url-pattern>/Logout</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwdWarning</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdWarningServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwdWarning</servlet-name>
<url-pattern>/ChangePwdWarning</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ChangePwd</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ChangePwdServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ChangePwd</servlet-name>
<url-pattern>/ChangePwd</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>ReLoginDialog</servlet-name>
<servlet-class>com.chase.infra.appcontrol.servlet.ReLoginDialog</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>ReLoginDialog</servlet-name>
<url-pattern>/ReLoginDialog</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<servlet-class>chase.app.tt.servlet.ProcessSearchServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackProcessSearch</servlet-name>
<url-pattern>/TradeTrackProcessSearch</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<servlet-class>chase.app.tt.servlet.SearchScreenServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackSearchScreen</servlet-name>
<url-pattern>/TradeTrackSearchScreen</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>TradeTrackMain</servlet-name>
<servlet-class>chase.app.tt.servlet.MainServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCIMPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/LCEXPORT</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLIMP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/COLLEXP</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMenu</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TradeTrackMain</servlet-name>
<url-pattern>/B2BMain</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>ctielogin.html</welcome-file>
</welcome-file-list>
</web-app>
Pls advise how I can make the cookie secure for using the web.xml and web-apps.xml
thanks
samuel poon -
How to use Session Key-based Request Targeting Mechanism in OCCAS ??
I read Session Key-Based Request Targeting(chapter 5) in Developing SIP Applications.
But, I don't work my application using this mechanism.
I add sesssionKey function with @SipApplicationKey annotation.
I deploy this application. And then, other machine send INVITE request.
My application received INVITE request. But sessionKey function is not called before doInvite function is called.
I used @SipApplicationKey(applicationName="...") annotation.
It didn't work.
sample code is following.
Could someone help me?
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.sip.SipFactory;
import javax.servlet.sip.SipServlet;
import javax.servlet.sip.SipServletMessage;
import javax.servlet.sip.SipServletRequest;
import javax.servlet.sip.SipServletResponse;
import javax.servlet.sip.SipURI;
import javax.servlet.sip.URI;
import javax.servlet.sip.annotation.SipApplicationKey;
public class app2SipServlet extends SipServlet {
private static final long serialVersionUID = 1L;
public static SipFactory sipFactory;
public static ServletContext sc;
public void init(ServletConfig cfg) throws ServletException {
super.init(cfg);
sipFactory = getSipFactory();
sc = getServletContext();
trace("+++ app2SipServlet Initialization");
@SipApplicationKey
public static String sessionKey(SipServletRequest req) {
String appid = req.getHeader("ApplicationID");
System.out.println("application id : " + appid);
return appid;
@Override
public void doRequest(SipServletRequest req) throws ServletException, IOException {
trace(req, "doRequest()");
super.doRequest(req);
@Override
protected void doInvite(SipServletRequest req) throws ServletException, IOException {
URI from = req.getFrom().getURI();
String user = ((SipURI)from).getUser();
trace(user + " : " + req.getSession().getApplicationSession().getId());
trace(user + " : " + req.getSession().getApplicationSession().getApplicationName());
SipServletResponse resp = req.createResponse(200);
resp.send();
trace(resp);
}How many servlets you have defined in your sip.xml .If there are multiple you may want to check if
-- You have defined main-servlet ?
-- or Is deployment descriptor version 1.0 or 1.1 -
How to determine Secure Channel key set index or version within applet
Hi,
Is there any way to determine from within the applet the used key set index or key set version?
The ProviderSecurityDomain object does not contain such a property to my understanding.
b.r.
FabeNo there is not. There are API's to ask the security domain to do crypto operations using the current secure channel session keys and GP says that the security domain needs to be aware of what keys to use for this.
The key information is not exposed to the applet as it is not generally required and for security reasons.
Cheers,
Shane -
How to design for YTD, Monthly & Last year Key figures
Hi Gurus:
Can you pls tell me how to design a data model, where a user wants to get YTD, Monthly & Last year Key figures say Sales volume...
Is aggregates the answer?
Pls let me know...Thanks a lotHi Vijay,
I am a beginner in BI field.
I have a problem till now i couldnt get the right answer.
That the reason why i write you today.
My Problem is with a Query.
I'm designed a dynamic query which should look like this:
12.2005-- Jan06 --- Feb06 --- Mar06 --- Apr06 ... Dec06 --- YTD
My Problem, if you give per e.g Dezember, all Months have to appear. Or you give may, your going to receive till may.The result i receive till now its only the month i gave.How can i get the correct answer? How i am going to calculate the YTD?
You can directly answer hier:[email protected]
Thanks -
Hi,
As I understand it, in the process of making an SSL connection (during the handshake) certificates are exchanged and their identities are authenticated, and then each create an identical (symetric) session key which will be used to encrypt communication.
My questions are:
1) What algorithm/encryption engine is used to create this key?
2) How strong is the algorithm that generates the key, and what type of key is used?
3) How can custom cyrptographic providers be used with SSL to generate these session keys?
4) Is there a way to force the SSL connection to use one specific method of generating the session key, and fail if it can't?
5) Is there a web page that gives me the deatail on these topics?
I've been looking around, but I can't find the answers to these specific questions.
Any help would be much appreciated, thanks,
JasonYou may consider to look on the following resources:
SSL v3 http://ssllib.sourceforge.net/draft302.txt
SSL v2 http://ssllib.sourceforge.net/SSLv2.spec.html
TLS v1 http://ssllib.sourceforge.net/rfc2246.txt
SSL and TLS book http://www.rtfm.com/sslbook/
JSSE Guide
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html#SSLDocs
The algorithms used in SSL hanshake and then in data transmition are driven by the choosen cipher suite http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html#CipherSuite I.e. TLS_RSA_WITH_RC4_128_MD5. See SSLSocket documentation on how to set enabled suites - http://java.sun.com/j2se/1.4/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[]) -
How to give JASS Security to ADF BC Swing Application.
Hello Friends,
->I read lots of threads about JASS Security in ADF about Web Application.
->But i am not getting any solution/Document Which explains, How to Implement JASS Security to ADF BC Swing Apllication.
-> I Will Explain Which type of application we developed.
We had developed one Whole ERP Product by using ADF BC [Swing] Technology.We have 480 Forms in our Application.Now i need to give security to my Application.
->I Will Explain Structure of Application.
We have seperate Application Module for each form means i have 480 Application Modules in my application.I create seperate session beans for each Application Module and I deploy it on Standalone OC4J Server
So please friends help me out to give security to my application.
Thanks in Advance.Hello Franks
First thanks for your reply.
--> As you suggested two options for me but i would like to go with second option.
JAZN with ADF BC.
---> As you said i need to do jbo.security.enforce property set to "auth".but currently i made it "Test" to trace login user means to set History Columns.
--->Frank i am waiting for your documents.If you have documents in the format of how-to-do then Please Forward me.
Thanks Frank -
From a Technical Architect point of view, how to design a web application?
Hi to all,
I am writing this issue here because I this question is not related on how to program, but on how to design a web application. That is, this question is not related to how to program with the technologies in J2EE, but how to use them correctly to achieve a desired outcome.
Basically I know how to develop a simple web application. I like to use SpringFramework with AcegiSecurity and Hibernate Framework to persist my data. I usually use JBoss to deploy my web applications, however I could easily use Tomcat or Jetty (Since I am not using EJB�s).
However I have no idea on how to develop (or a better word would be �design�) a website which is divided into different modules.
Usually when you develop a website, you have certain areas that are public, and other areas that are not. For example, a company would want anyone on the Internet to download information about the products they are selling, however they would only want their employees to download certain restricted information.
Personally I try to categorise this scenario in to common words; Extranet and Intranet.
But � (and here starts the confusion in my mind) should I treat these two as two projects, or as one project? The content to be displayed on the Extranet is much different then the content to be displayed on the Intranet and definitely clients should not be allowed to the Intranet.
First approach would be to treat them as the same project. This would be perfect, since if the company (one day) decides to change the layout of the website, then the design would change for both the Intranet and the Extranet version. Also the system has a common login screen, that is I would only need to have employees to have a certain Role so that they have access to the intranet, while clients would not have a certain Role and thus they would not be allowed in. But what about performance and scalability? What if the Intranet and Extranet have to be deployed on the different Hardware!?
The second approach is to threat them as two separate projects. To keep the same layout you just copy & paste the layout from one project to another. However we would not want to have two different databases to store our users, one for the employees and the other one for the clients. Therefore we would build a CAS server for authentication purposes. Both the Intranet and the Extranet would use the same CAS server to login however they could be deployed on different hardware. However what if we want to change the design. Do we really want to have to just copy and paste elements from one project to another? We all know how these things finish! �We do not have time for that � just change the Extranet and leave the Intranet as it is!�
The third approach (and this is the one I like most) is to have a single project built into different WAR files. The common elements would be placed in all WAR files. However in development you would only need to change once and the effects would show in the different war files. The problem with this approach is that the project will be very big. Also, you will still need to define configuration files for each one of them (2 Web.config, 2 Spring-Servlet.config, 2 acegi-security.config, etc).
Basically I would like something in the middle of approach 2 and approach 3! However I can identify what this approach is. Also I can not understand if there is even a better approach then these three! I always keep in mind that there can always be more then two modules (that is not only Intranet and Extranet).
Anyways, it is already too long this post. Any comments are more then welcome and appreciated.
Thanks & Regards,
Sim085Hi to all,
First of all thanks for the interest shown and for the replies. I do know what MVC or Multi-layered design is and I develop all my websites in that way.
Basically I have read a lot of books about Domain-Driven Design. I divide my web applications into 4 layers. The first layer is the presentation layer. Then I have the Facade layer and after that I have a Service layer (Sometimes I join these two together if the web application is small enough). Finally I have the Data Access layer where lately I use Hibernate to persist my object in the database.
I do not have problems to understand how layering a web application works and why it is required. My problem is how to design and develop web applications with different concerns that use same resources. Let me give an example:
Imagine a Supermarket. The owner of the Supermarket want to sell products from the website, however he wants to also be able to insert new products from the website itself. This means that we have two different websites that make use of the same resources.
The first website is for the Supermarket clients. The clients can create an account. Then they can view products and order them. From the above description we can see that in our domain model we will have definitely an object Account and an object Product (I am not mentioning all of them). In the Data Access layer we will have repository objects that will be used to persist the Account and Products.
The second website is for the Supermarket employees. The employees still need to have an account. Also there is still a product object. This means that Account and Product objects are common to the two websites.
Also important to mention is the style (CSS). The Supermarket owner would like to have the same style for both websites.
Now I would not like to just copy & paste the objects and elements that are common to both websites into the two different projects since this would mean that I have to always repeat the changes I make in one website, inside the other one.
Having a single WAR file with both websites is not an option either because I would not like to have to deploy both websites on the same server because of performance and scalability issues.
Basically so far I have tought of putting the common elements in a Jar File which would be found on the two different servers. However I am not sure if this is the best approach.
As you can see my problem is not about layering. I know what layering is and agree with both of you on its importance.
My question is: What is the best approach to have the same resources available for different websites? This includes Class Files, CSS Files, JavaScript Files, etc.
Thanks & Regards,
Sim085 -
How to setup the security based on roles in Organization.
Hi,
How to setup the security based on roles in Organization.
For example:Few users are Manager and a few user are Non Manager .Manager should have access to all work data including Non Manager and Non Manager should access based role.How to setup this? How OBI server identify the user role?
kindly let me know.
Regards.,
CHRHi,
You need to have Back End support to achieve this. In Back End you need to create two groups . You need to know what joins has to be made for which group (which is more important) and also make session variable for the userrole (with SQL supporting it). In the BMM layer, we need to put the security join conditions in the 'where clause'.
And make a common report. User loggin in with the respective userid will have userrole and joins assigned in the Back end. And they will be viewing the report according to their access.
Hope this will solve your problem.
Regards
MuRam -
Session key and MAC generation in SCP '02' i='15'
Hi,
I am trying send a PUT KEY command and it resolves to '6982' after a '9000' EXTERNAL AUTHENTICATE.
I suspect that my encryption is causing the problem.(not really sure!)
I compare my session keys to some that ppl had derived and posted on the forum and I don't really get what they did.
I am trying to find out if I'm deriving the correct session keys or not?!?!
e.g
//Calculating session keys with
//static key = '404142434445464748494a4b4c4d4e4f' (keyData)
//sequence counter = '003b'
//"0101" + sequenceCounter + "000000000000000000000000" for session CMAC key (data)
//"0102" + sequenceCounter + "000000000000000000000000" for session RMAC key (data)
//"0181" + sequenceCounter + "000000000000000000000000" for session DEK key (data)
//"0182" + sequenceCounter + "000000000000000000000000" for session ENC key (data)
//sessionCMAC is :3213860da8f8d9796794cbcec43ef7a23213860da8f8d979: with sequence counter:003b (result)
//sessionRMAC is :042a687f6e0dd3f80eabf1e5d51ccefe042a687f6e0dd3f8: with sequence counter:003b (result)
//sessionDEK is :1fe31370c22354e3b90d6b8ad5686d371fe31370c22354e3: with sequence counter:003b (result)
//sessionENC is :94a47ad54ffbf423fe4a9d915befab5294a47ad54ffbf423: with sequence counter:003b (result)
<code>
if (keyData.length == 16) {
byte[] temp = (byte[]) keyData.clone();
keyData = new byte[24];
System.arraycopy(temp, 0, keyData, 0, temp.length);
System.arraycopy(temp, 0, keyData, 16, 8);
DESedeKeySpec keySpec = new DESedeKeySpec(keyData);
SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("DESede");
SecretKey key = secretKeyFactory.generateSecret(keySpec);
IvParameterSpec iv = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
Cipher desedeCBCCipher = Cipher.getInstance("DESede/CBC/NoPadding");
desedeCBCCipher.init(Cipher.ENCRYPT_MODE, key, iv);
byte[] result = desedeCBCCipher.doFinal(data);
if (result .length == 16) {
byte[] temp = (byte[]) result .clone();
result = new byte[24];
System.arraycopy(temp, 0, result , 0, temp.length);
System.arraycopy(temp, 0, result , 16, 8);
keySpec = new DESedeKeySpec(result);
secretKeyFactory = SecretKeyFactory.getInstance("DESede");
key = secretKeyFactory.generateSecret(keySpec);
</code>
I use the same encrytion to derive KeyCheckValue with
newKey ='505152535455565758595a5b5c5d5e5f', data = '0000000000000000'
and it results to : '6d377e' (of course the last 3 bytes)
Even though my CMAC session key is different from others (e.g "RLopes" in "http://192.9.162.102/thread.jspa?threadID=5365173&tstart=363" and I have seen it in others too and its really odd to me that its slightly different if you take a close look you will get what i mean) i get the EXTERNAL AUTHENTICATION to work.
If there is anyone who is 100% sure meaning he/she got other commands to work after EXTERNAL AUTHENTICATE using CMAC please help me verify the keys I got?
Can he/she test with his code to see if he/she is getting the same session keys or check value?
Thanks in advance
KamranHi,
Here is the Class and thanks for the tip, I've honestly tried these <code></code> but didn't work and I know it is indeed annoying without the tags :D
I really hope it helps...
* To change this template, choose Tools | Templates
* and open the template in the editor.
package terminalpcsc;
import java.lang.Exception;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.SecureRandom;
import java.util.List;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.security.sasl.AuthenticationException;
import javax.smartcardio.*;
* @author Kamran
* @param args the command line arguments
public class Main {
private static CardChannel channel;
private static Card card;
private static int CHALLENGE_LENGTH = 8;
private static byte[] keyDiversification = new byte[10];
private static byte[] keyInformation = new byte[2];
private static byte[] sequenceCounter = new byte[2];
private static byte[] cardChallenge = new byte[6];
private static byte[] cardCryptogram = new byte[8];
private static byte[] hostChallenge = new byte[8];
private static byte[] hostCryptogram = new byte[8];
private static String keyDiversificationHexString;
private static String keyInformationHexString;
private static String sequenceCounterHexString;
private static String cardChallengeHexString;
private static String cardCryptogramHexString;
private static String hostChallengeHexString;
private static String hostCryptogramHexString;
private static byte[] sessionCMAC;
private static byte[] sessionDEK;
private static byte[] sessionENC;
private static byte[] sessionRMAC;
private static byte[] icvNextCommand;
private static IvParameterSpec ivAllZeros = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
private static byte[] staticKey = hexStringToByteArray("404142434445464748494a4b4c4d4e4f4041424344454647");
private static byte[] newKey = hexStringToByteArray("505152535455565758595a5b5c5d5e5f");
private static byte[] CMAC;
* @param args the command line arguments
public static void main(String[] args) throws Exception {
initiateCardChannel();
String apduString = generateSelectAPDU("a000000003535041");
byte[] bufferC = hexStringToByteArray(apduString);
CommandAPDU capdu = new CommandAPDU(bufferC);
System.out.println("Sending APDU Select AID: " + byteArrayToHexString(bufferC));
ResponseAPDU rapdu = channel.transmit(capdu);
System.out.println("Sending Apdu: Done!");
System.out.println("Waiting For Response...");
byte[] bufferR = rapdu.getData();
String responseData = byteArrayToHexString(rapdu.getBytes());
System.out.println("Response: " + responseData);
apduString = generateInitializeUpdateAPDU();
bufferC = hexStringToByteArray(apduString);
capdu = new CommandAPDU(bufferC);
System.out.println("Sending APDU Initialize Update: " + byteArrayToHexString(bufferC));
rapdu = channel.transmit(capdu);
System.out.println("Sending Apdu: Done!");
System.out.println("Waiting For Response...");
bufferR = rapdu.getData();
responseData = byteArrayToHexString(rapdu.getBytes());
System.out.println("Response: " + responseData);
// protocol 01
//System.arraycopy(bufferR,0,keyDiversification,0,10);
//System.arraycopy(bufferR,10,keyInformation,0,2);
//System.arraycopy(bufferR,12,cardChallenge,0,8);
//System.arraycopy(bufferR,20,cardCryptogram,0,8);
// protocol 02
System.arraycopy(bufferR, 0, keyDiversification, 0, 10);
System.arraycopy(bufferR, 10, keyInformation, 0, 2);
System.arraycopy(bufferR, 12, sequenceCounter, 0, 2);
System.arraycopy(bufferR, 14, cardChallenge, 0, 6);
System.arraycopy(bufferR, 20, cardCryptogram, 0, 8);
keyDiversificationHexString = byteArrayToHexString(keyDiversification);
keyInformationHexString = byteArrayToHexString(keyInformation);
sequenceCounterHexString = byteArrayToHexString(sequenceCounter);
cardChallengeHexString = byteArrayToHexString(cardChallenge);
cardCryptogramHexString = byteArrayToHexString(cardCryptogram);
System.out.println("keyDiversification: " + keyDiversificationHexString);
System.out.println("keyInformation: " + keyInformationHexString);
System.out.println("sequenceCounter: " + sequenceCounterHexString);
System.out.println("cardChallenge: " + cardChallengeHexString);
System.out.println("cardCryptogram: " + cardCryptogramHexString);
System.out.println("Calculating Session Keys... encryption with CBC");
//E.4.1 GP 2.1.1
sessionCMAC = deriveEncryptionCBC(staticKey, hexStringToByteArray("0101" + sequenceCounterHexString + "000000000000000000000000"));
System.out.println("sessionCMAC is :" + byteArrayToHexString(sessionCMAC) + ": with sequence counter:" + sequenceCounterHexString);
sessionRMAC = deriveEncryptionCBC(staticKey, hexStringToByteArray("0102" + sequenceCounterHexString + "000000000000000000000000"));
System.out.println("sessionRMAC is :" + byteArrayToHexString(sessionRMAC) + ": with sequence counter:" + sequenceCounterHexString);
sessionDEK = deriveEncryptionCBC(staticKey, hexStringToByteArray("0181" + sequenceCounterHexString + "000000000000000000000000"));
System.out.println("sessionDEK is :" + byteArrayToHexString(sessionDEK) + ": with sequence counter:" + sequenceCounterHexString);
sessionENC = deriveEncryptionCBC(staticKey, hexStringToByteArray("0182" + sequenceCounterHexString + "000000000000000000000000"));
System.out.println("sessionENC is :" + byteArrayToHexString(sessionENC) + ": with sequence counter:" + sequenceCounterHexString);
System.out.println("Calculating and Verifying Card Cryptogram...");
byte[] signature = cbcMACSignature(hexStringToByteArray(hostChallengeHexString + sequenceCounterHexString + cardChallengeHexString + "8000000000000000"), sessionENC);
String signatureHexString = byteArrayToHexString(signature);
if (signatureHexString.equalsIgnoreCase(cardCryptogramHexString)) {
System.out.println("signature is :" + signatureHexString + "\ncardCryptogram is :" + cardCryptogramHexString + " \nCard cryptogram authenticated");
apduString = generateExternalAuthenticateAPDU();
bufferC = hexStringToByteArray(apduString);
capdu = new CommandAPDU(bufferC);
System.out.println("Sending APDU External Authenticate: " + byteArrayToHexString(bufferC));
rapdu = channel.transmit(capdu);
System.out.println("Sending Apdu: Done!");
System.out.println("Waiting For Response...");
bufferR = rapdu.getData();
responseData = byteArrayToHexString(rapdu.getBytes());
System.out.println("Response: " + responseData);
apduString = generatePutKeyAPDU();
bufferC = hexStringToByteArray(apduString);
capdu = new CommandAPDU(bufferC);
System.out.println("Sending APDU Put Key: " + byteArrayToHexString(bufferC));
rapdu = channel.transmit(capdu);
System.out.println("Sending Apdu: Done!");
System.out.println("Waiting For Response...");
bufferR = rapdu.getData();
responseData = byteArrayToHexString(rapdu.getBytes());
System.out.println("Response: " + responseData);
} else {
System.out.println("signature is :" + signatureHexString + "\ncardCryptogram is :" + cardCryptogramHexString + " \nCard cryptogram is not authenticated");
releaseCardChannel();
public static byte[] cbcMACSignature(byte[] data, byte[] sessionSENC) throws AuthenticationException {
IvParameterSpec params =
new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
if (sessionSENC.length == 16) {
byte[] temp = (byte[]) sessionSENC.clone();
sessionSENC = new byte[24];
System.arraycopy(temp, 0, sessionSENC, 0, temp.length);
System.arraycopy(temp, 0, sessionSENC, 16, 8);
byte[] temp = null;
SecretKey secretKey = new SecretKeySpec(sessionSENC, "DESede");
try {
Cipher cbcDES = Cipher.getInstance("DESede/CBC/NoPadding");
cbcDES.init(Cipher.ENCRYPT_MODE, secretKey, params);
temp = cbcDES.doFinal(data);
} catch (GeneralSecurityException e) {
e.printStackTrace();
byte[] signature = new byte[8];
System.arraycopy(temp, temp.length - 8, signature, 0, signature.length);
return signature;
// generateInitialUpdateAPDU()
//CLA '80'
//INS '50' INITIALIZE UPDATE
//P1 'xx' Key Version Number
//P2 '00' Reference control parameter P2
//Lc '08' Length of host challenge
//Data 'xx xx…' Host challenge
//Le '00'
//RESPONSE TEMPLATE
//Key diversification data 10 bytes
//Key information 2 bytes
//Card challenge 8 bytes
//Card cryptogram 8 bytes
public static String generateInitializeUpdateAPDU() throws Exception {
hostChallenge = generateHostChallenge();
hostChallengeHexString = byteArrayToHexString(hostChallenge);
return "8050000008" + hostChallengeHexString + "00";
//CLA '80' or '84'
//INS 'D8' PUT KEY
//P1 'xx' Reference control parameter P1 Key Version Number -- '00' is new key range is '01' to '7F'
//P2 'xx' Reference control parameter P2 Key Identifier -- '00' to '7F'
//Lc 'xx' Length of data field
//Data 'xxxx..' Key data (and MAC if present)
//Le '00'
public static String generatePutKeyAPDU() throws Exception {
String keyCheckValue = new String();
//keyCheckValue = keyCheckValue.substring(keyCheckValue.length() - (3 * 2));
keyCheckValue = byteArrayToHexString(deriveEncryptionECB(newKey, hexStringToByteArray("0000000000000000")));
keyCheckValue = keyCheckValue.substring(keyCheckValue.length() - (3 * 2));
System.out.println("keyCheckValue :" + keyCheckValue + " 3DES ECB, key is new key '505152535455565758595a5b5c5d5e5f5051525354555657', data is 8 zeroes");
String encryptedNewKey = byteArrayToHexString(deriveEncryptionECB(sessionDEK, newKey));
//System.out.println("sessionDEK.getEncoded() :" + sessionDEK.getEncoded() + " len is:" + sessionDEK.getEncoded().length);
System.out.println("encryptedNewKey :" + encryptedNewKey);
//testing newKey
String dataField = "01" + "8010" + encryptedNewKey + "03" + keyCheckValue + "8010" + encryptedNewKey + "03" + keyCheckValue + "8010" + encryptedNewKey + "03" + keyCheckValue;
// String dataField2 = "01" + "8010" + byteArrayToHexString(newKey) + "03" + keyCheckValue + "8010" + byteArrayToHexString(newKey) + "03" + keyCheckValue + "8010" + byteArrayToHexString(newKey) + "03" + keyCheckValue;
System.out.println("datafield to calculate cmac :" + dataField);
System.out.println("icv to calculate cmac is previous mac first 8 byte sessionCMAC in CBC single des :" + byteArrayToHexString(icvNextCommand));
CMAC = generateCMac2((byte) 0x84, (byte) 0xD8, (byte) 0x00, (byte) 0x81, hexStringToByteArray(dataField), sessionCMAC, icvNextCommand);
System.out.println("data field with des padding for encryption (encryption in CBC sessionENC) :" + desPadding(dataField));
String dataField3 = byteArrayToHexString(deriveEncryptionCBC(sessionENC, hexStringToByteArray(desPadding(dataField))));
System.out.println("data field after encryption :" + dataField3);
Integer CMACLen = byteArrayToHexString(CMAC).length() / 2;
System.out.println("CMACLen :" + CMACLen);
Integer dataFieldLen = dataField3.length() / 2;
System.out.println("dataFieldLen :" + dataFieldLen);
Integer intLc = dataFieldLen + CMACLen;
System.out.println("intLc :" + intLc);
String hexLc = Integer.toString(intLc, 16);
System.out.println("hexLc :" + hexLc);
return "84D80081" + hexLc + dataField3 + byteArrayToHexString(CMAC) + "00";
//generateExternalAuthenticateAPDU()
//CLA '84'
//INS '82' EXTERNAL AUTHENTICATE
//P1 'xx' Security level --'03' C-DECRYPTION and C-MAC.--'01' C-MAC.'00' No secure messaging expected.
//P2 '00' Reference control parameter P2
//Lc '10' Length of host cryptogram and MAC
//Data 'xx xx…' Host cryptogram and MAC
//Le Not present
public static String generateExternalAuthenticateAPDU() throws Exception {
System.out.println("Calculating and Verifying Host Cryptogram...");
hostCryptogram = cbcMACSignature(hexStringToByteArray(sequenceCounterHexString + cardChallengeHexString + hostChallengeHexString + "8000000000000000"), sessionENC);
hostCryptogramHexString = byteArrayToHexString(hostCryptogram);
System.out.println("hostCryptogram is :" + hostCryptogramHexString);
CMAC = generateCMac2((byte) 0x84, (byte) 0x82, (byte) 0x03, (byte) 0x00, hostCryptogram, sessionCMAC, new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
return "8482030010" + hostCryptogramHexString + byteArrayToHexString(CMAC);
// generateSelectAPDU()
//CLA '00' ISO/IEC 7816-4 command
//INS 'A4' SELECT
//P1 'xx' Reference control parameter P1 --'04' select by name
//P2 'xx' Reference control parameter P2 --'00' First or only occurrence --'02' Next occurrence
//Lc 'xx' Length of AID
//Data 'xxxx..' AID of Application to be selected
//Le '00'
// RESPONSE TEMPLATE
//'6F' File Control Information (FCI template) Mandatory
//'84' Application / file AID Mandatory
//'A5' Proprietary data Mandatory
//'73' Security Domain Management Data (see Appendix F for detailed coding) Optional
//'9F6E' Application production life cycle data Optional
//'9F65' Maximum length of data field in command message Mandatory
public static String generateSelectAPDU(String AID) throws Exception {
String AIDlen = Integer.toString(AID.length() / 2, 16);
if (AIDlen.length() == 1) {
AIDlen = "0" + AIDlen;
System.out.println("00A40400" + AIDlen + AID);
return "00A40400" + AIDlen + AID;
public static String byteArrayToHexString(byte[] b) throws Exception {
String result = "";
for (int i = 0; i < b.length; i++) {
result +=
Integer.toString((b[i] & 0xff) + 0x100, 16).substring(1);
return result;
public static void initiateCardChannel() throws CardException {
System.out.println("Connecting to Java Card...");
TerminalFactory factory = TerminalFactory.getDefault();
List<CardTerminal> terminals = factory.terminals().list();
System.out.println("Terminals Detected: " + terminals);
// get the first terminal
System.out.println("Connecting to: " + terminals + "...");
CardTerminal terminal = terminals.get(0);
System.out.println("Connected to: " + terminals);
// establish a connection with the card
System.out.println("Connecting to Java Card...");
card = terminal.connect("T=0");
System.out.println("Connected to card: " + card);
System.out.println("Obtaining Channel...");
channel = card.getBasicChannel();
System.out.println("Connecting to Channel: " + channel.getChannelNumber());
public static void releaseCardChannel() throws CardException {
System.out.println("Disconnection all...");
card.disconnect(false);
System.out.println("Disconnection Done");
System.out.println("*END*");
public static byte[] hexStringToByteArray(String s) {
int len = s.length();
byte[] data = new byte[len / 2];
for (int i = 0; i < len; i += 2) {
data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
return data;
//To generate the derivation data:
public static byte[] deriveEncryptionCBC(byte[] keyData, byte[] data) throws GeneralSecurityException {
//Key key = getSecretKey(keyData);
if (keyData.length == 16) {
byte[] temp = (byte[]) keyData.clone();
keyData = new byte[24];
System.arraycopy(temp, 0, keyData, 0, temp.length);
System.arraycopy(temp, 0, keyData, 16, 8);
SecretKey secretKey = new SecretKeySpec(keyData, "DESede");
IvParameterSpec dps =
new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});
String algorithm = "DESede/CBC/NoPadding";
Cipher desedeCBCCipher = Cipher.getInstance(algorithm);
desedeCBCCipher.init(Cipher.ENCRYPT_MODE, secretKey, dps);
byte[] result = desedeCBCCipher.doFinal(data);
//adjustParity(result);
return result;
public static byte[] deriveEncryptionECB(byte[] keyData, byte[] data) throws GeneralSecurityException {
//Key key = getSecretKey(keyData);
if (keyData.length == 16) {
byte[] temp = (byte[]) keyData.clone();
keyData = new byte[24];
System.arraycopy(temp, 0, keyData, 0, temp.length);
System.arraycopy(temp, 0, keyData, 16, 8);
SecretKey secretKey = new SecretKeySpec(keyData, "DESede");
String algorithm = "DESede/ECB/NoPadding";
Cipher desedeCBCCipher = Cipher.getInstance(algorithm);
desedeCBCCipher.init(Cipher.ENCRYPT_MODE, secretKey);
byte[] result = desedeCBCCipher.doFinal(data);
//adjustParity(result);
return result;
* Adjust a DES key to odd parity
* @param key
* to be adjusted
public static byte[] adjustParity(byte[] key) {
for (int i = 0; i < key.length; i++) {
int akku = (key[i] & 0xFF) | 1;
for (int c = 7; c > 0; c--) {
akku = (akku & 1) ^ (akku >> 1);
key[i] = (byte) ((key[i] & 0xFE) | akku);
return key;
public static byte[] generateCMac2(byte cla, byte ins, byte p1, byte p2, byte[] dataField, byte[] SMacSessionKey, byte[] icv) throws GeneralSecurityException, Exception {
if (SMacSessionKey.length == 16) {
byte[] temp = (byte[]) SMacSessionKey.clone();
SMacSessionKey = new byte[24];
System.arraycopy(temp, 0, SMacSessionKey, 0, temp.length);
System.arraycopy(temp, 0, SMacSessionKey, 16, 8);
byte[] cMac = new byte[8];
byte[] padding = {(byte) 0x80, 0, 0, 0, 0, 0, 0, 0};
int paddingRequired = 8 - (5 + dataField.length) % 8;
byte[] data = new byte[5 + dataField.length + paddingRequired];
//Build APDU
data[0] = cla;
data[1] = ins;
data[2] = p1;
data[3] = p2;
data[4] = (byte) ((byte) dataField.length + (byte) 0x08);
System.arraycopy(dataField, 0, data, 5, dataField.length);
System.arraycopy(padding, 0, data, 5 + dataField.length, paddingRequired);
System.out.println("data to calculate mac :" + byteArrayToHexString(data));
System.out.println("icv to calculate mac :" + byteArrayToHexString(icv));
Cipher cipher = Cipher.getInstance("DESede/CBC/NoPadding");
Cipher singleDesCipher = Cipher.getInstance("DES/CBC/NoPadding", "SunJCE");
SecretKeySpec desSingleKey = new SecretKeySpec(SMacSessionKey, 0, 8, "DES");
SecretKey secretKey = new SecretKeySpec(SMacSessionKey, "DESede");
//Calculate the first n - 1 block. For this case, n = 1
IvParameterSpec ivSpec = new IvParameterSpec(icv);
singleDesCipher.init(Cipher.ENCRYPT_MODE, desSingleKey, ivSpec);
byte ivForLastBlock[] = singleDesCipher.doFinal(data, 0, 8);
int blocks = data.length / 8;
for (int i = 0; i < blocks - 1; i++) {
singleDesCipher.init(Cipher.ENCRYPT_MODE, desSingleKey, ivSpec);
byte[] block = singleDesCipher.doFinal(data, i * 8, 8);
ivSpec = new IvParameterSpec(block);
int offset = (blocks - 1) * 8;
cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
cMac = cipher.doFinal(data, offset, 8);
ivSpec = new IvParameterSpec(new byte[8]);
singleDesCipher.init(Cipher.ENCRYPT_MODE, desSingleKey, ivSpec);
icvNextCommand = singleDesCipher.doFinal(cMac);
return cMac;
public static byte[] generateHostChallenge() {
byte[] hostChallenge = new byte[CHALLENGE_LENGTH];
SecureRandom random = new SecureRandom();
random.nextBytes(hostChallenge);
return hostChallenge;
public static String desPadding(String hexString) {
System.out.println("String to pad before:" + hexString);
hexString = hexString + "80";
int hexStringLen = hexString.length() / 2;
int padding = 8 - (hexStringLen % 8);
for (int i = 0; i < padding; i++) {
hexString = hexString + "00";
System.out.println("String to pad after :" + hexString);
return hexString;
}Thanks in advance
Kamran
Maybe you are looking for
-
Here is the transcript of a chat with Firefox community member zzxcon May 3/10 You are now chatting with Firefox community member zzxc zzxc: Hello zzxc: What happens when you attempt to download a .csv file? seegal: hello seegal: it doesn't copy zzxc
-
Material num truncated while downloading the data into excel in ALV GRID
Hi, I developed a report with ALV GRID display. The reoport is having Material number as one of the column. The report shows the total 10 digit material number. When i tried to downlaod the report into an excel sheet or a TXT file, material number in
-
Problem with creation of table
i have created one custom table with three fields. ( mandt(k),amount(K),desc)). while creating the table for the first time i attached INT4 domain for the amount field. since it want to compare with this value amount field in in the table (BSEG-WRBT
-
Beasrv.exe The requested operation cannot be performed on a file with a use
Hi guys, I am trying to upgrade WLS from 10.3.3 to 10.3.5 But I got the following: Fatal error occurring during the installation. beasrv.exe(The requested operation cannot be performed on a file with a user-mapped section open). I search in taskmgr t
-
The SVG example provided with the XSQL servlet is excellent and illustrates at least 5 different (and very useful) techniques. Congrats to whoever came up with it. This one example shows SVG, named templates, use of xsl:variable, use of xsl_param, us