-
-
Notifications
You must be signed in to change notification settings - Fork 7
Martin Paljak edited this page Jan 23, 2019
·
16 revisions
Highlights:
- NO specs whatsoever in TD-ID1-Chip-App v0.8
-
id-PACE-Nist-P256 AES-CBC-CMAC-256
"To exchange APDU in Contactless with PKI application in a secure channel. No applicative privileges are granted" on page 12 in "IFD (Interface Device)" section. - Incorrect claim on page 14 regarding EF.CardAccess:
PACEDomainParameterInfo: BRAINPOOL_P384_R1 (BrainpoolP384r1)
- actual curve used is P256
-
- PACE with
id-PACE-ECDH-GM-AES-CBC-CMAC-256
with CAN (6 digit number printed on card)- TR 03110-3 defines it: https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110.html
- Video of POC https://mrtn.ee/vids/2019-01-22-nfcid.mp4
- validated with real life digi-ID, video with test card for privacy reasons (CAN number)
- All PKI doable over NFC after CAN authentication with PACE
Leaving the card on a powered NFC reader for overnight can have disastrous consequences. This is how the ATR of the card looks like on the contact interface:
[*] [ ] ACS ACR 38U-CCID 01 00
3B0FD8D8D8D8D8D8D8D8D8D8D8D8D8D8D8
versus a working card:
[*] [ ] ACS ACR 38U-CCID 01 00
3BDB960080B1FE451F830012233F536549440F9000F1
In other words - the card is fried/bricked/useless