What makes a KTU valid?
I am able to load an app using an unprotected ALU.
When I try to load the same app using a confidential ALU, the CREATE MEL APPLICATION APDU returns SW 9D1B (invalid KTU).
I am running out of things to check and I am wondering if I missed anything.
Here’s what I already checked:
- the ALC used has ‘verify KTU’ = 0x50 (it is 0x4E in the unprotected ALU’s ALC)
- the plaintext KTU is of size 96 and was encrypted with the card public key (of equal size) extracted from the card certificate returned from the OPEN MEL APPLICATION APDU. Its structure looks ok:
00 --> set MSM controls data dates
0000000000000000 --> MCD Number
08A000000034494443FFFFFFFFFFFFFFFF --> AID = A000000034494443
01 --> number of areas
01 --> DES
197C --> (beginning of data, CODE + FCI + DIR)
44E0 --> (total size of data)
08 --> key data length
XXXXXXXXXXXXXXXX --> key data
80000… --> padding up to 96 bytes
- the encrypted KTU is also of size 96 bytes.
Did I miss something?
The card is running Keycorp Multos 4.2.
Thanks in advance for your help,
You will get this error if
1. the KTU does not decrypt properly, probably meaning that you extracted the card public key incorrectly from the certificate returned by the open MEL app command. This could happen if you have used the wrong TKCK public key for the card type. The correct TKCK can be downloaded from here.
2. the MCD_Number in the KTU does not match the MCD_Number of the enabled card. Check this using MUtil to send Get MULTOS Data to the card and decode the returned data.
3. the set MSM controls data dates doesn’t match that in the enabled card. Again, check using MUtil.
4. The Application ID doesn’t match that used in the open MEL app command.
Check all the above out. (1) and (2) seem the most likely suspects.
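Points 2 to 4 of the answer above can be checked offline on the plaintext KTU before it is encrypted. The following is an added example, not part of the original thread and not MULTOS tooling: it parses the field layout posted in the question and compares it with values read from the card. The function and field names are hypothetical, the 2-byte fields are assumed to be big-endian, and the key and padding bytes in the sample are constructed.

```python
import struct

def parse_ktu(plain: bytes) -> dict:
    """Parse a plaintext KTU using the field layout posted in the question."""
    if len(plain) < 27:
        raise ValueError("too short for the fixed header")
    aid_len = plain[9]
    if aid_len > 16:
        raise ValueError("AID length byte exceeds the 16-byte field")
    ktu = {"msm_date": plain[0], "mcd_number": plain[1:9],
           "aid": plain[10:10 + aid_len], "areas": []}
    pos = 27
    for _ in range(plain[26]):  # number of area descriptors
        if pos + 6 > len(plain):
            raise ValueError("truncated area descriptor")
        # Assumption: start and size are big-endian 16-bit values.
        algo, start, size, klen = struct.unpack_from(">BHHB", plain, pos)
        if pos + 6 + klen > len(plain):
            raise ValueError("key data runs past the end of the KTU")
        # Key bytes are deliberately not copied into the result.
        ktu["areas"].append({"algo": algo, "start": start,
                             "size": size, "key_len": klen})
        pos += 6 + klen
    ktu["padding_len"] = len(plain) - pos
    return ktu

def check_ktu(plain, card_mcd, card_msm_date, open_aid, key_len):
    """Return the names of fields that disagree with the card's values."""
    ktu = parse_ktu(plain)
    problems = []
    if len(plain) != key_len:  # plaintext must fill the card key size
        problems.append("length")
    if ktu["mcd_number"] != card_mcd:  # from Get MULTOS Data
        problems.append("mcd_number")
    if ktu["msm_date"] != card_msm_date:  # from Get MULTOS Data
        problems.append("msm_date")
    if ktu["aid"] != open_aid:  # AID sent in OPEN MEL APPLICATION
        problems.append("aid")
    return problems

# Constructed sample: header fields from the question, key bytes and
# padding made up for illustration (0x11 * 8 key, 0x80 then zeros).
SAMPLE = bytes.fromhex("00" "0000000000000000"
                       "08A000000034494443FFFFFFFFFFFFFFFF"
                       "01" "01" "197C" "44E0" "08" + "11" * 8)
SAMPLE += b"\x80" + bytes(96 - len(SAMPLE) - 1)
```

An empty list from `check_ktu` rules out points 2 to 4 only; point 1 (the card public key used for encryption) cannot be verified this way.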
I checked all the points with no luck.
Just wondering, could there be a KTU area size issue (my KTU area size is 44E0) since I am using mask I4D(2-1-9) with IC type 0x39?
I couldn’t find much detail about this implementation in the latest MIR.