Reading PIV-II CHUID & Printed Information


Reading PIV-II CHUID & Printed Information

Luke B

I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.

Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R, but then I am not sure how to process the object dump. Are there tools for this?

Are there any good walkthroughs on how to PIN in and also retrieve the "Printed Information"? 800-73 says that Printed Info needs a PIN to access. Is this always the case? Do some implementations put it in the clear?

Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.

Sorry if this is OT, I am not sure where else to ask.

 - Luke



--
_________________________________________________________
What's for dinner? Visit www.cookography.com to find out!
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Reading PIV-II CHUID & Printed Information

Douglas E. Engert


On 6/3/2013 4:05 PM, Luke B wrote:
>
> I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.
>
> Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R, but then I am not sure how to process the object dump. Are there tools for this?
>

Yes. I will send you by separate e-mail a program(s) to look at some of the objects on the card.


> Are there any good walkthroughs on how to PIN in and also retrieve the "Printed Information"? 800-73 says that Printed Info needs a PIN to access. Is this always the case? Do some implementations put
> it in the clear?

The printed info needs the user's PIN. It's not in the clear.

>
> Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and
> running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.

I would be interested in that too.

AFAIK, NIST does not want authentication being done over NFC.

>
> Sorry if this is OT, I am not sure where else to ask.
>
>   - Luke

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
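
An added example, not part of the original thread and not the program Douglas sent privately: one way to turn a CHUID hex dump into `KEY=value` lines that a Bash script can consume. The tag numbers are taken from the SP 800-73 CHUID layout as an assumption (the thread does not list them), the sample bytes are constructed, and the issuer signature is extracted but not verified.

```python
# Added example: decode a PIV CHUID dump into shell-friendly KEY=value lines.
# Assumption: tag numbers follow the SP 800-73 CHUID container layout.
import sys

CHUID_TAGS = {
    0xEE: "BUFFER_LENGTH", 0x30: "FASCN", 0x32: "ORG_ID", 0x33: "DUNS",
    0x34: "GUID", 0x35: "EXPIRATION", 0x36: "CARDHOLDER_UUID",
    0x3E: "ISSUER_SIGNATURE", 0xFE: "ERROR_DETECTION_CODE",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one single-byte-tag BER-TLV element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x81 nn or 0x82 nn nn
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("bad or truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):             # never read past the dump
        raise ValueError("tag 0x%02X claims %d bytes, %d left" % (tag, length, len(buf) - pos))
    return tag, buf[pos:pos + length], pos + length

def parse_chuid(hex_dump):
    """Parse a hex dump (whitespace and colons tolerated) into a dict of fields."""
    buf = bytes.fromhex(hex_dump.replace(":", " "))
    if buf[:1] == b"\x53":                  # strip the outer 0x53 data-object wrapper
        _, buf, _ = read_tlv(buf, 0)
    fields, pos = {}, 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        name = CHUID_TAGS.get(tag, "TAG_%02X" % tag)
        # Expiration is ASCII YYYYMMDD; everything else is emitted as hex.
        ascii_date = tag == 0x35 and value.isdigit()
        fields[name] = value.decode("ascii") if ascii_date else value.hex().upper()
    return fields

def shell_lines(fields):
    """Render CHUID_NAME=value lines; values contain only hex or decimal digits."""
    return ["CHUID_%s=%s" % (k, v) for k, v in fields.items()]

# Constructed sample, not from a real card: FASC-N, GUID, expiration, empty EDC.
SAMPLE = ("53 39 30 19 " + "D4 " * 25 + "34 10 " + "AB " * 16
          + "35 08 32 30 33 30 30 31 30 31 FE 00")

if __name__ == "__main__":
    dump = sys.argv[1] if len(sys.argv) > 1 else SAMPLE
    print("\n".join(shell_lines(parse_chuid(dump))))
```

Assuming the block is saved as `chuid.py` (a hypothetical name), `eval "$(python3 chuid.py "$hex")"` in Bash then exposes `$CHUID_GUID`, `$CHUID_EXPIRATION` and so on; the emitted values are restricted to hex and decimal digits, so the `eval` cannot pick up shell syntax from card data.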


Re: Reading PIV-II CHUID & Printed Information

Luke B



On 6/3/2013 4:05 PM, Luke B wrote:
>
> I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.
>
> Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R, but then I am not sure how to process the object dump. Are there tools for this?
>

> Yes. I will send you by separate e-mail a program(s) to look at some of the objects on the card.

Thanks, I got it and it looks really helpful!

 
> Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and
> running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.

> I would be interested in that too.
>
> AFAIK, NIST does not want authentication being done over NFC.

That is probably wise...

I did find this project, which may help but I have not been able to get it to work: https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed

 


Re: Reading PIV-II CHUID & Printed Information

Douglas E. Engert


On 6/4/2013 8:39 AM, Luke B wrote:

>
>
>
>     On 6/3/2013 4:05 PM, Luke B wrote:
>      >
>      > I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.
>      >
>      > Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R, but then I am not sure how to process the object dump. Are there tools for this?
>      >
>
>     Yes. I will send you by separate e-mail a program(s) to look at some of the objects on the card.
>
>
> Thanks, I got it and it looks really helpful!
>
>      > Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and
>      > running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.
>
>     I would be interested in that too.
>
>     AFAIK, NIST does not want authentication being done over NFC.
>
>
> That is probably wise...

NIST 800-73-3 part 4 table 1 says the CHUID, X.509 Certificate for Card Authentication, and
Discovery Object are accessible via contactless.

NIST 800-73-3 part 2 table 2 lists the commands that can be used in contactless,
and also says:
  "Note: Cryptographic protocols using private/secret keys requiring “PIN”
security condition shall not be used on the contactless interface."

The "X.509 Certificate for Card Authentication" and its key can be used for the card
to authenticate itself without using a PIN. (Useful for physical access; it just proves
it is the card, but not that the user is in possession of the card.)


>
> I did find this project, which may help but I have not been able to get it to work: https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed


My LG Android phone with Jelly Bean and an NFC app (NFC TagInfo 1.09c from NFC Research Lab Hagenberg) can
read the ATR and default app and can tell it is a DOD PIV card, but does not know what else to do with it.

There are Type A and Type B cards. Mine is a type A. I have a set of 16 NIST test cards,
some type A, some type B. The NFC app can tell there is a type A card near, but can't read
anything off of it. It does not see the type B card. (The test cards appear to not be
initialized for contactless.)

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: Reading PIV-II CHUID & Printed Information

Frank Morgner
On Tuesday, June 04 at 09:39AM, Luke B wrote:

> On 6/3/2013 4:05 PM, Luke B wrote:
> > >
> > > I am sorry if this is the wrong place to ask. I am interested in reading
> > the CHUID off of a PIV-II card and getting it in a format that I could
> > easily process in a Bash script.
> > >
> > > Is there an easy way to do this using OpenSC? I am able to read objects
> > using PKCS15-Tool -R, but then I am not sure how to process the object
> > dump. Are there tools for this?
> > >
> >
> > Yes. I will send you by separate e-mail a program(s) to look at some of
> > the objects on the card.
> >
>
> Thanks, I got it and it looks really helpful!
>
>
>
> > > Right now I am using a contact reader. I also have a contactless reader.
> > Looking at 800-73, it looks like the CHUID should also be accessible
> > through the contactless reader. I have libnfc up and
> > > running and I am able to see the card, but I am unable to find out how
> > to pull down the objects or process them.
> >
> > I would be interested in that too.
> >
> > AFAIK, NIST does not want authentication being done over NFC.
> >
>
> That is probably wise...
>
> I did find this project, which may help but I have not been able to get it
> to work:
> https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed
Make sure your libnfc-device is mentioned in the Info.plist
https://code.google.com/p/ifdnfc/source/browse/src/Info.plist.in


--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
