From b00120c6377841be3bdc8ae4a957c5abc26c1848 Mon Sep 17 00:00:00 2001 From: Michele Balistreri Date: Mon, 19 Nov 2018 14:27:36 +0300 Subject: [PATCH] document the DUPLICATE KEY command --- APPLICATION.MD | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/APPLICATION.MD b/APPLICATION.MD index 3d78a14..36590c5 100644 --- a/APPLICATION.MD +++ b/APPLICATION.MD @@ -325,6 +325,46 @@ command until a new LOAD KEY command is performed. Generates and stores keys completely on card. The state of the card after execution is the same as if a LOAD KEY command had been performed. +### DUPLICATE KEY + +* CLA = 0x80 +* INS = 0xD5 +* P1 = subcommand +* P2 = depends on subcommand +* Data = depends on phase +* Response SW = 0x9000 on success. +* Response Data = depends on subcommand +* Preconditions: depends on subcommand + +P1: +* 0x00: START DUPLICATE +* 0x01: ADD ENTROPY +* 0x02: EXPORT DUPLICATE +* 0x03: IMPORT DUPLICATE + +#### START DUPLICATE +This is the first step to start duplication. Requires an open secure channel and user PIN must be verified. Aborts any +on-going duplication session. P2 is the number of entropy pieces to expect in total (including this command). The data +contain the first piece of entropy. Returns no data. Must be performed with exactly the same parameters and data on all +cards taking part in the duplication. + +#### ADD ENTROPY +This command uses the same one-shot secure channel scheme as defined in the INIT command. P2 is 00. Requires an ongoing +duplicate session started with the START DUPLICATE subcommand. Must be performed once per device taking part in the +duplication process, for a total number of devices equaling the P2 parameter of the START DUPLICATE subcommand (counting +the device which sent the START DUPLICATE command as the first device). The data is a random 256-bit number. The same +data must be sent to all the cards taking part in the duplication process. + +#### EXPORT DUPLICATE +This command must be sent to the card which you wish to duplicate. Requires an open secure channel and authenticated +PIN. Works only if a duplication session is active and ADD ENTROPY has been performed the required number of times. +Returns the encrypted duplicate of the master key and terminates the duplication session for this card. + +#### IMPORT DUPLICATE +This command must be sent to all the cards which are a target for duplication. The Data field must contain the output +from the EXPORT DUPLICATE command performed on the source card. Returns no data. It follows exactly the same rules as +the EXPORT DUPLICATE subcommand + ### SIGN * CLA = 0x80