GALU
GALU
Guide to Generating
Application Load Units
MAO-DOC-TEC-009 v2.7
MAO-DOC-TEC-009 v2.7
Copyright
Copyright 1999 2014 MAOSCO Limited. This document contains confidential and proprietary
information. No part of this document may be reproduced, published or disclosed in whole or part, by
any means: mechanical, electronic, photocopying, recording or otherwise without the prior written
permission of MAOSCO Limited.
Trademarks
MULTOS is a registered trademark of MULTOS Limited.
All other trademarks, trade names or company names referenced herein are used for identification
only and are the property of their respective owners
Published by
MAOSCO Limited
St. Andrews House
Kelvin Close
The Links
Birchwood
WARRINGTON
Cheshire
WA3 7PB
United Kingdom
.
General Enquiries
Email: dev.support@multos.com
Tel: +44 (0) 1925 882 050
Fax: +44 (0) 1925 882 051
Web: http://www.multos.com
Document References
All references to other available documentation is followed by the document acronym in square [ ]
brackets. Details of the content of these documents can be found in the MULTOS Guide to
Documentation, and the latest versions are always available from the MULTOS web site
(http://www.multos.com).
Data References
All references to MULTOS data can be cross-referenced to the MULTOS Data Dictionary.
ii
GALU
Contents
1
Introduction ............................................................................................................................... 1
1.1 Overview .............................................................................................................................. 1
1.2 Loading Applications ............................................................................................................ 3
1.3 Types of Application Load Units ............................................................................................ 3
1.3.1 Unprotected ALU ........................................................................................................... 4
1.3.2 Protected ALU ............................................................................................................... 4
1.3.3 Confidential ALU ........................................................................................................... 4
1.3.4 Additional Notes ............................................................................................................ 5
2 ALU Generation Overview .......................................................................................................... 6
2.1 Additional Notes .................................................................................................................. 7
2.2 Public Keys ........................................................................................................................... 8
2.2.1 MCD Public Key ............................................................................................................. 8
2.2.2 MULTOS Transport Key Certifying Keys ........................................................................ 13
2.2.3 Application Provider Keys ............................................................................................. 13
2.3 Summary ........................................................................................................................... 13
2.3.1 Additional Information ................................................................................................. 14
3 Generating Application Load Units ........................................................................................... 15
3.1 Structure of Application Load Units .................................................................................... 15
3.1.1 MCD Number .............................................................................................................. 16
3.1.2 Code Record................................................................................................................ 16
3.1.3 Data Record................................................................................................................. 16
3.1.4 DIR Record .................................................................................................................. 16
3.1.5 FCI Record ................................................................................................................... 16
3.1.6 Application Signature .................................................................................................. 16
3.1.7 KTU ............................................................................................................................. 16
3.2 Structure of the Application Unit ........................................................................................ 17
3.3 Generation of the Key Transformation Unit ........................................................................ 17
3.3.1 Overview ..................................................................................................................... 18
3.3.2 Procedure .................................................................................................................... 18
3.3.3 Plaintext KTU Overview ................................................................................................ 18
3.3.4 Ciphertext Application Unit .......................................................................................... 21
3.3.5 Ciphertext KTU ............................................................................................................ 21
3.4 Generation of the Application Signature ............................................................................. 23
3.4.1 Procedure .................................................................................................................... 23
3.4.2 Calculating the Hash Digest ......................................................................................... 24
3.4.3 Hashing Algorithm....................................................................................................... 25
3.4.4 Application Provider Private Key ................................................................................... 27
3.4.5 Application Signature .................................................................................................. 27
4 MULTOS V4 Confidential ALU .................................................................................................. 28
4.1 Plaintext Application Load Unit ........................................................................................... 28
4.2 Plaintext Application Unit ................................................................................................... 29
4.2.1 Combined Application Unit .......................................................................................... 30
4.3 Enciphering Application Units ............................................................................................. 30
4.3.1 The encryption process ................................................................................................ 30
4.4 Retrieval/Authentication of MULTOS Card Public Key .......................................................... 31
4.4.1 Recovering the Public Key ............................................................................................ 33
4.4.2 Interpretation of decrypted certificate ciphertext .......................................................... 34
4.4.3 Authenticating the certificate ....................................................................................... 34
4.5 Generation of Ciphertext KTU ............................................................................................ 37
2014 MAOSCO Limited. MAO-DOC-TEC-009 v2.7
MULTOS is a registered trademark of MULTOS Limited.
iii
iv
GALU
1 Introduction
This document has been aimed at MULTOS v4 developers, but the differences between v4 and
MULTOS v3 have been noted where relevant.
1.1 Overview
This section gives an overview of how Application Load Units are used within the MULTOS Scheme.
To understand this, the whole loading and deleting process must be considered. The following
diagram shows the MULTOS Scheme with respect to the loading of applications.
Application Provider
MEL
MEL
MEL
Private Key
MEL
MEL Application
Application
MEL Header
Application Load
Unit Generator
Card
Issuer
Certification
Authority
MEL
Application
Load
Certificate
Application Load
Facility
MSM Controls Data
MULTOS Card Public Keys
Customer Database for personalisation
The MEL Application itself and the Application Providers Private Key are generated by the
Application Provider and must be sent to the Application Load Unit Generator to build the
Application Load Units. The Application Providers Private Key is required to generate a
Protected or Confidential Application Load Unit.
Protected and Confidential Application Load Units are described in detail later in this
document.
The Application Header for the Application along with the Application Providers Public key is
sent to the Card Issuer who must send these to the MULTOS CA as part of the Application
Registration process. The MULTOS CA will use this information when generating the
Application Load and Delete Certificates, which provide the main mechanism by which an
application is authenticated during the loading process.
The Application Header contains a brief outline of the applications main characteristics. The
Application ID, Application Code Hash, Code Size and Data Size are the most important parts
of this header information. Other characteristics specified in the Application Header relate to
the type of application (standard or shell) along with whether the application is able to edit
the ATR historical characters, the session data size, DIR record size and the size of File Control
Information supplied.
2014 MAOSCO Limited. MAO-DOC-TEC-009 v2.7
MULTOS is a registered trademark of MULTOS Limited.
GALU
The key point to note here is that the Application Provider keys may be generated by either the
Application Developer, or the Card Issuer; the decision depends upon the degree of security required
or mandated by each of the parties.
MULTOS Smartcard
MEL
Application Load Unit
Load/Delete Certificates
The Application Load Unit (ALU) provides the application code, data, directory file entry (DIR),
and File Control Information (FCI) for the application. This may be Unprotected, Protected or
Confidential depending upon the security required during the loading process.
For example, within a secure environment an Unprotected Application Load Unit could be used,
but in many cases a Protected or Confidential ALU will be required to provide security for the
applications code or data.
The Application Load Certificate (ALC) provides the ability for the MULTOS Card to verify that
the Application to be loaded is valid and that the Card Issuer has authorised the loading of the
Application.
The MULTOS Card itself must have been enabled for the Card Issuer by loading the MULTOS
card enablement data, called MULTOS Security Manager (MSM) Controls Data. It is not possible
to load any application until the card has been enabled. When a card is enabled it will be given
its MULTOS Carrier Device (MCD) Private and Public Keys, which are used during the
Application Load process to decipher any enciphered portions of the ALU.
The load process involves sending the ALU and ALC to the MULTOS Card. Beyond matching up
an ALC, ALU and a MULTOS Card there is little processing required here. Any security must
already be present within the ALU and ALC.
Application
KTU
Unprotected ALU
Protected ALU
Application Signature
Key Transformation Unit
Confidential ALU
GALU
1.3.4 Additional Notes
Each of the different ALU types are stored using the same file format, the difference between them
lies in the presence of the Application Signature and the Key Transformation Unit for Protected and
Confidential ALU. In Confidential ALU the data is just stored in enciphered form in the ALU.
Example
An issuer wishes to provide a card that has several applications loaded on it.
One application will always be present on every card and is loaded within a secure environment
before cards are first issued. Typically this would be performed at a card-processing bureau. Since
enciphering the application would slow down the loading process, the application is not actually
enciphered but relies on the secure loading environment. It is the bureaus operating procedures and
security that now protects the ALU.
One application contains no secret data, but must be loaded within an insecure environment. For
example, the application may be a loyalty application that is loaded within a supermarket. Although
the supermarket is manned, it is not a secure environment. Since the Loyalty application contains no
sensitive or secret data Protected ALU are generated. This will ensure that the application is not
tampered with or corrupted. The ALU themselves can be easily read, but since they contain no secret
information this is not important.
Two applications must be secure since they contain secret information and the customer may choose
to dynamically load either onto the card. Confidential ALU are generated for these applications, which
enables the customer to load one application within an insecure environment. Also, since the security
is present within the ALU it is not possible for the customer or an eavesdropper to read or tamper
with the application during the loading process.
MEL
SIG
MEL
Application
Signature
Application
MEL
MEL
M
EL
MEL
Application
Load Unit
Customisation Data
Application Load
Unit Generator
MEL
Enciphered
KTU
The Application itself consists of the application code, data, directory file entry and file control
Information. The Application Provider will supply this.
The Application Data may contain initialisation values for the application, but will not usually
contain any data that is specific to a particular customer.
Optional. The Customisation Data consists of data that is used to personalise an Application
Load Unit for a particular consumer. In this case there must be one Application Load Unit
generated for each target consumer / Target MULTOS card.
The Customisation Data may be anything from a set of encryption keys specific to the MULTOS
Card, or information about an actual consumer such as account details, or the consumers
name.
There is no requirement for personalisation to occur during the ALU Generation stage, though
it does allow secure loading of such information.
The Application Providers Private Key is part of an RSA Public/Private Key set. The Private Key is
used during the generation of a Protected or Confidential ALU and therefore gives complete
control to the Application Provider of who can read the final ALU.
The Private Key is used to generate the Application Signature. If there is no Application
Signature than this key is not required. The presence of an Application Signature ensures that
the ALU is protected against changes.
GALU
The MCD (MULTOS Carrier Device smartcard) Public Key is required to generate Confidential
Application Load Units. For an Application Load Unit to remain confidential it is important that
only the Target MULTOS Card is able to read the ALU. This is achieved by enciphering the ALU
and then enciphering the information required when deciphering the ALU with the Target
MULTOS Cards Public Key.
The information required to decipher the ALU is held in a Key Transformation Unit attached to
the ALU. This KTU is enciphered and only the Target MULTOS Card has the corresponding
private key with which to decipher the KTU and hence decipher the ALU.
The Application Load Unit generated may be either generic (plaintext or protected) and be
usable for a large number of cards, or it may be specific to a single MULTOS Card, i.e. a
Confidential ALU.
If the ALU is specific to a single MULTOS Card then there must be one ALU per Target Card.
There is provision within the recommended file formats to store either a single ALU or many
ALU.
Private Key
MEL
MEL Application
Application
MEL Header
Application Load
Unit Generator
Card
Issuer
Certification
Authority
MEL
Application
Load
Certificate
Application Load
Facility
MSM Controls Data
MULTOS Card Public Keys
Customer Database for personalisation
The actual sizes of these keys are version or even implementation specific.
GALU
part of the Enablement Data, a copy of all the specific MULTOS Public Key Certificates for all the
MULTOS cards. It is the responsibility of the Issuer to retain this information and pass the certificates
onto any other entities that may need them.
The Certificates are then deciphered using the MULTOS CA Public Transport Key Certifying Key
(tkck_pk) to find out the public key for the card (multos_pk_certificate).
MULTOS Card
TKCK
MULTOS CA Public
Key Certifying Key
(Transport)
MCD Public Key
A MULTOS Card will return its Public Key Certificate in response to an Open MEL Application
command. This may be more useful for dynamically loaded applications where the card is available to
respond. For cases where ALU are being generated en mass then this method is unlikely to be
practical and the list of public keys returned by the MULTOS CA with a set on enabled cards can be
used instead, to pre-generate the ALU.
Note that the MULTOS KMA keeps a copy of every card specific public key every generated, and
hence an Issuer can always request a copy from the CA after the event if they have lost their copy.
2.2.1.1 Recovery
The Messages corresponds to the entire Public Key Certificate and will consist of two portions. The
most significant, left hand side, bytes will be plaintext, whilst the least significant bytes will be
enciphered. There are always at least the Public Key Length (pkl) bytes in a message.
Certificate Length
Certificate Body
Plaintext Length
pkl
Certificate Ciphertext
Size
Key Type
Key Identifier
Certification Method ID
Hash Method ID
Algorithm ID
Public Exponent
MCD Issuer ID
MCD Number
Key Type: This is used to indicate the type of key contained within this certified public key.
Different key types have different data fields included within the certificate.
Key Identifier: An eight byte identifier of a cryptographic key.
Certification Method ID: This is a single byte value which specifies the way in which the
public key has been certified. In practise this will correspond to the key certifying key which
has been used.
Hash Method ID: This is a two byte value which specifies the hashing algorithm and hash
modulus which is used for both the certification of keys and also for the checking of
applications during loading.
Public Key Length: This is a two byte field which holds the length of the public key being
certified.
Certifying Key Length: This is a two byte field which holds the length of the key certifying
key used to produce the public key certificate.
Algorithm ID: This is a single byte field that identifies the algorithm which the certified key is
intended to be used with.
Public Exponent Length: This is a double byte field that specifies the length of the Public
Exponent.
Public Exponent: This is a four byte field that holds the Public Exponent. The Public Exponent
should be aligned in the most significant bytes of this field.
MCD Issuer Product ID: This is a single byte field which specifies the Product ID assigned to
the MULTOS Card for which this key is the Public Key.
MCD Issuer ID: This is a four byte field which specifies the Issuer ID of the Card Issuer who
issued the MULTOS Card.
Set MSM Controls Data Date: This is a single byte field which specifies the MSM Controls
Data Date for the MULTOS Card.
MCD Number: This specifies the eight byte MCD Number for the MULTOS Card.
Note that MULTOS version 4 also has the top bytes of the public key at the end of the header, if the
16 byte hash modulus + the public key is greater that the TKCK modulus length.
10
GALU
Once the Ciphertext Signature has been deciphered the resulting plaintext will comprise of a Digest
and the Recovered Key. Depending upon the length of the actual key, and the version of MULTOS,
the Recovered Key may contain padding, or may only contain the least significant bytes of the key
with the most significant bytes being held in the Plaintext portion of the original certificate.
DIGEST
Recovered Key
Recovered Key
Recovered Key
The Public Key to be certified may have to be either padded or split in order to generate the plaintext
to be enciphered in the final certificate. A value called the Message Block Length is the maximum size
of public key which can fit into the enciphered portion of the certificate. The Message Block Length,
mbl, is equal to the size of the Certifying Public Key minus the size of the Digest. The size of the
Digest is usually represent by the value Hash Chain Length, abbreviated to hcl in the above diagram.
The size of the key certifying key is represented by the term Public Key Length, pkl in the above
diagram.
pkl
mbl
11
(pk_top)
pk_bottom
pk_redundancy
PK_Digest
hcl
mbl
16 bytes
Public
Key
Public
Key
PK_Digest
hcl
pk_padding
pk_bottom
pk_redundancy
mbl
16 bytes
If the Public Key plus pk_redundancy is larger than the Message Block Length, mbl, then a portion of
the Public Key, denoted pk_top in the diagram, will remain as plaintext within the final public key
certificate.
If the Public Key plus pk_redundancy is smaller than the message block length then it must be padded
to equal the size of the message block length. This padding is denoted as pk_padding in the
diagram.
If the Public Key plus pk_redundancy is equal to the message block length then there will be no
pk_top or pk_padding bytes within the certificate.
The portion of the Public Key contained within the enciphered certificate is denoted as pk_bottom. In
many cases this will be equivalent to the Public Key, but the term pk_bottom is used so that the text
remains as generic as possible.
The signature portion of the certificate is divided into two portions. One is the Hash Digest of the
whole Plaintext Certificate. The second is the enciphered Public Key plus Padding, or at least the
portion of the Public Key which was able to fit into the signature for enciphering.
At this stage the full plaintext certificate may be constructed by appending the Recovered Key
(pk_bottom) to the plaintext in the header of the original certificate (pk_top). However, it is strongly
recommended that the Digest is calculated and compared to the one recovered from the certificate in
order to validate the authenticity of the recovered key.
2.2.1.4 Verification
The Plaintext portion of the certificate should be padded to be a multiple of the Hash Block Length,
and then a Hash Digest calculated using the Asymmetrical Hashing Algorithm. This forms the first
iteration of the Hash Digest.
The recovered portion of the public key (pk_bottom) is then hashed using the result of the first hash
iteration as the Initial Vector.
The result of this hash is then the final digest, which must match the Digest recovered from the
certificate.
12
GALU
Note that on MULTOS v3: Only the first hash is performed on version 3 cards and the result is the
digest. See the version examples for more details.
The most significant bytes of the deciphered signature, Hash Block Length bytes, contain the
certificates digest. This must match the digest generated from the recovered key in order to confirm
that the public key is authentic.
2.3 Summary
The MCD Public Key may be recovered from the MULTOS Public Key Certificate using the MULTOS
CAs Key Certifying Key
The security of a Confidential Application Load Unit ultimately depends upon the authenticity of the
MCD Public Key whose authenticity depends upon the MULTOS CAs Public Transport Key Certifying
key. It is important that all keys are trusted.
2014 MAOSCO Limited. MAO-DOC-TEC-009 v2.7
MULTOS is a registered trademark of MULTOS Limited.
13
14
GALU
MEL
MEL
Unprotected ALU
Encipher areas
of Application
Unit using
DES or 3DES
Card Specific
Data
Generate
Application Hash
with MCD Hash
Modulus Key
MEL
Protected ALU
Generate KTU
Sign Hash
with Application
Providers Private
Key
Encipher KTU
with MCD
Public KEY
MEL
MEL
Confidential ALU
For simplicity an Unprotected Application Load Unit is regarded as being essentially the same as an
Application. Technically an Unprotected ALU has a complete copy of the Code, Data, DIR Record and
FCI Record defined within a fixed structure whereas an Application could be held in any proprietary
structure without either a DIR Record or FCI Record. For example, an application may be the output
from a toolkit.
Components
FCI Record
Application Signature
KTU
record data
record length
The Application Load Unit contains the complete application: Code, Data, DIR File entry and File
Control Information. The details of the various components are shown in the diagram above. An
Application Load Certificate is also required to load an application onto a MULTOS Card, to
authenticate the load process. This is stored separately from the actual application normally.
Note: The record length fields in all of the files are stored in a bigendian manner, i.e. have their most
significant byte first, and followed by the least significant byte. Unless stated otherwise, this applies to
all two byte length fields within this document.
If a record is absent the record length is set to zero and the record data is empty.
15
3.1.7 KTU
The Key Transformation Unit contains the information needed by the MULTOS Card to decipher any
ciphertext within the ALU. The KTU itself is enciphered using the Target MULTOS Cards Public Key.
Only the Target MULTOS Card will have the corresponding private key to decipher the KTU.
Any ALU with a Key Transformation Unit is specific to a single MULTOS Card and only this card is able
to decipher the KTU and thereby decipher the encrypted portions of the ALU.
16
GALU
3.2 Structure of the Application Unit
The Application Load Unit is the information that we send to the card. When the input reaches the
card it is actually stored in a slightly different format, called the Application Unit.
So the Application Unit represents the structure that a MULTOS Card uses when an application has
been loaded. It is way that the application is stored on the card. The following diagram shows the
process of converting an Application Load Unit into an MULTOS 4 Application Unit.
Mcd_Number
Code Record
dir record
Data Record
fci record
code record
DIR Record
Components
FCI Record
data record
Application Signature
KTU
record data
record length
Application Unit
dir record
fci record
data record
code record
Application Unit
The format of the Application Unit is unimportant in terms of the load procedure, but is important
when we start looking at the generation of the KTU (and signature). When encrypting the code and
data, we need to consider the fact that the decryption (done by the MULTOS card) of the loaded code
and data is done in continuous blocks and does not consider the original nature of the data as it was
loaded.
Therefore we must encrypt the hex block (code and/or data) as though it were on the card already.
This means that the hex will be decrypted to valid code/data.
Notes on MULTOS v3: The format of a MULTOS v3 Application Unit (the information as stored on the
card) is slightly more complex. It is shown below and explained in more detail later.
64 bytes
Padding
dir record length
dir record
fci record length
fci record
Padding
49 bytes 00
code record
data record
Multiple of 32 bytes
Example:
It is possible to encipher the whole of the code record, and the first portion of the data, in a block of
enciphered data. A second block of data could be enciphered using a different key.
17
3.3.2 Procedure
The following is an overview of the process involved in generating a Key Transformation Unit.
MEL
MEL
Application Unit
Unprotected ALU
Plaintext KTU
KTU
E
MCD Public Key
MEL
Ciphered Application Unit
e(KTU)
Ciphertext KTU
MEL
Plaintext KTU is enciphered using
MCD Public Key
KTU
The Ciphertext KTU is then copied to
the ALU..
The Key Transformation Unit details which areas of the ALU code and data are enciphered and which
keys where used. The KTU itself is therefore also enciphered in order to protect the keys contained
within it.
Note that the Application Unit is not the same as the Application Load Unit (ALU). Although it
contains essentially the same information the ordering of the information is important and they must
be considered different. In section 3.2 the differences between the application load unit and the
application unit were explained and these are going to be important because we will be enciphering
parts of the application unit structure.
18
GALU
Key1
Key2
Application Unit
dir record
fci record
code record
area length 1
area start 1
area start 2
data record
area length 2
KTU Header
Algorithm ID
Area Start
Area Length
Key Data Length
Key Data
Area Descriptor 1
Algorithm ID
Area Start
Area Length
Key Data Length
Key Data
Area Descriptor 2
Plaintext
KTU
Padding
The following diagram shows how some of the fields apply to an Application Unit that either has
been or will be enciphered. The sub-box within this next diagram shows the structure of each area
descriptor.
Initial Padding
Set MSM Controls Data Date
Mcd_Number
Application_ID
No Area Descriptors
17
1
1
8
Algorithm ID
Area Start
Area Length
Key Data Length
Key Data
padding
2
1
x
x
19
20
GALU
3.3.4 Ciphertext Application Unit
The Application Unit must have the secret areas enciphered using the algorithm and keys specified in
the Area Descriptors.
dir record
data record
code record
fci record
Application Unit
dir record
code record
fci record
data record
Application Unit
Note that the Application Unit is a representation of how MULTOS will see the application as it is
loaded, and is therefore the structure which MULTOS will use when deciphering any enciphered areas.
The whole process of enciphering the Application Load Unit is designed to reduce the processing
required by the MULTOS Card and hence increase load speed.
Once the Ciphertext Application Unit has been generated the Ciphertext is copied back into the
original Application Load Unit. The ciphertext will occupy the same space as the original plaintext.
An Application Signature will always be required when a KTU is used and the Ciphertext Application
Unit should be retained for calculating the Application Signature.
Plaintext KTU
Padding
E
RSA
Ciphertext KTU
For the registration of MULTOS version 4 applications a hash of the code must be sent to the MULTOS
CA. If a KTU is used to encipher the code area of the application then a hash of this enciphered code
area must be sent. This also means that the any area that is enciphered, and contains code, should
not run over into the data area. If it does that changing any data will change the enciphered result,
and hence change the code hash, requiring a new hash will have to be calculated and registered
every time the data changes.
21
22
GALU
3.4 Generation of the Application Signature
The Application Signature is a Signed Hash Digest of the Application Unit. By providing a Hash Digest
of the Application it is possible for the MULTOS Card to verify that the application has not been
corrupted or tampered with. By providing a Signed Hash Digest it is possible for the MULTOS Card to
verify the authenticity of the Hash Digest itself. Please note that an application signature alone does
not prevent the examination of the code and data within the Application Load Unit as, in that case,
none of code and data are enciphered.
The key used to sign the Hash Digest is the Application Providers Private Key, which only the
Application Provider knows. The Issuer, as part of the Application Load Certificate request, sends the
Application Providers Public Key to the MULTOS KMA. This is included within the Application Load
Certificate and the MULTOS Card can therefore verify the authenticity of the Application Signature
itself.
3.4.1 Procedure
The following diagram is an overview to the process of generating an Application Signature.
Application Unit is generated
MEL
MEL
MEL
Ciphered
Application Application Unit
Unit
Unprotected ALU
Hashing
H Algorithm
Padding
Hash Digest
Signing
MEL
E Algorithm
Application Providers
Private Key
Sig
Application Signature
MEL
MEL
Sig
Sig
Note that the Application Unit is not the same as the Application Load Unit (ALU). Although it
contains essentially the same information the ordering of the information is important and they must
be considered different. In section 3.2 the differences between the application load unit and the
application unit were explained and these are going to be important because we will be calculating
the hash digest over the application unit structure.
23
MEL
1st A-Hash
H
0x55 ... 0x55
Initial Value
2nd A-Hash
Application Hash
The Hashing Algorithm is an Asymmetrical Hash, described in the following section. The signing
process involves exponentiation of the plaintext using the Application Providers Secret Key.
24
GALU
3.4.3 Hashing Algorithm
The Application Unit is hashed using the following MULTOS Hash Digest algorithm.
Unprotected ALU
The Application Unit is
generated from the
Unprotected ALU.
Padding may have to be
added to the beginning of
the AU.
Application Unit
Initial Value
Block 1
Block 2
Block n
Current
Chain
Value
RSA
Loop over
all blocks
finished
Hash Digest
25
Block
Hash Chain
Current Block
Hash Modulus
Hash Digest
If the message is not a multiple of the Message Block Length then padding bytes of 55 must be
prepended to the message such that the resulting length is divisible by the block size.
The algorithm used to perform the hash may vary in later versions of MULTOS. There is no provision
within the ALU to specify the algorithm used and therefore it must be derived from knowledge
outside the scope of this document. When generating an ALU, the version of MULTOS for which the
ALU is to be used must be known.
26
GALU
3.4.3.2.1 Signing the hash
The Hash Digest and Padding is signed using the Application Providers Private Key using the RSA
algorithm as shown below.
Hash Digest
MEL
Padding
Random Fixed
Padding Padding
Application Provider
Private Key
E
RSA
Application Signature
The Random Padding added to the Hash Digest protects the Application Providers Private Key from
crypto-analysis. When the Application Signature is verified on the MULTOS Card the length of the
Hash Digest is known and the Random Padding is simply discarded. In addition there should be 8
bytes of fixed padding added.
27
55
6C
00
00
4C
65
00
00
54
74
00
00
4F
65
00
00
53
20
00
00
20
73
00
00
2D
6F
00
00
20
6C
00
00
74
75
00
00
68
74
00
00
65
69
00
00
20
6F
00
00
63
6E
00
00
6F
2E
00
00
6D
20
00
00
28
GALU
4.2 Plaintext Application Unit
The first step in the process is to convert the application load unit into an Application Unit. The
Application Load Unit is the file format that is used to store the application in a file on a PC. The
Application Unit is a snap shot of the application as the MULTOS Card will see it when loaded onto
the card. All of the encryption and signature generation is carried out using the application unit and
not the application load unit.
.
The application unit is generated using the binary data from the application load into the following
structure:
dir record
fci record
code record
data record
The following shows the transformation of an application load unit into an application unit.
Mcd_Number
Code Record
dir record
Data Record
fci record
code record
DIR Record
Components
FCI Record
data record
Application Signature
KTU
record data
record length
Application Unit
dir record
data record
code record
fci record
Application Unit
55
6C
00
00
4C
65
00
00
54
74
00
00
4F
65
00
00
53
20
00
00
20
73
00
00
2D
6F
00
00
20
6C
00
00
74
75
00
00
68
74
00
00
65
69
00
00
20
6F
00
00
63
6E
00
00
6F
2E
00
00
6D
20
00
00
29
0E
00
02
02
01
09
29
68
74
00
00
4F
00
03
03
FF
03
0E
65
69
00
00
01
00
04
04
F3
05
40
20
6F
00
00
0A
00
05
05
70
6D
06
63
6E
00
00
50
00
06
06
00
00
00
6F
2E
00
00
09
00
07
07
09
26
40
6D
20
00
00
61
00
08
08
03
21
4D
70
00
00
54
00
01
01
05
02
55
6C
00
00
65
00
02
02
6E
28
4C
65
00
00
73
00
03
03
00
01
54
74
00
00
74
00
04
04
3F
5E
4F
65
00
00
00
00
05
05
01
00
53
20
00
00
00
00
06
06
FF
00
20
73
00
00
00
00
07
07
F4
59
2D
6F
00
00
00
00
08
08
70
00
20
6C
00
00
55
6C
00
00
4C
65
00
00
54
74
00
00
4F
65
00
00
53
20
00
00
20
73
00
00
2D
6F
00
00
20
6C
00
00
74
75
00
00
68
74
00
00
65
69
00
00
20
6F
00
00
63
6E
00
00
6F
2E
00
00
6D
20
00
00
The algorithm used to encipher this block of data is actually a DES Chain Block Mode decipher. There
is some logic in this. Early versions of MULTOS could only encipher, so the decipher algorithm was
performed off-card, so that the card need only encipher.
When the application is loaded the MULTOS Card will use a DES Chain Block Mode encipher function
to decipher the plaintext. The enciphering may be performed using either single or triple DES chain
block mode enciphering. The following diagram shows how a block of plaintext is encrypted (actually
using the decipher algorithm) to form part of the ciphertext application unit.
30
GALU
Subsequent blocks are then XORd with the previous ciphertext block before being deciphered.
DES Key = 41AD8223A90BE2A1
Input
DES CBC Decryption of first eight bytes data
DESCBCDec(4D554C544F53202D)
2nd plaintext block XOR previous ciphertext block
2074686520636F6D XOR 6BC8592212B0495A
DES CBC Decryption of result
DESCBCDec(4BBC314732D32637)
3rd plaintext block XOR previous ciphertext block
706C65746520736F XOR 7AD431DA01BF7EBE
DES CBC Decryption of result
DESCBCDec(0AB854AE649F0DD1)
...
Output
6BC8592212B0495A
4BBC314732D32637
7AD431DA01BF7EBE
0AB854AE649F0DD1
190A89307E40D288
The generated ciphertext component is shown in BOLD in the table above, and in full here:
6B
19
8B
C3
C8
0A
0E
91
59
89
2E
52
22
30
A9
E6
12
7E
69
06
B0
40
C0
6E
49
D2
B1
EA
5A
88
46
36
7A
C2
B5
34
D4
00
60
1F
31
AF
C4
9E
DA
D6
10
24
01
48
C9
5C
BF
6E
36
0F
7E
F6
5C
44
BE
E2
00
42
The enciphered data is placed back into the application unit. This is required for the generation of the
application signature detailed later in this example.
31
A8
00
F1
9D
33
D4
7D
36
E8
68
BC
50
80
80
9B
CD
DE
58
BA
33
26
2C
00
00
03
98
CC
C9
49
06
AE
B9
80
11
00
FF
64
12
CD
F2
AC
3C
68
64
22
01
F3
74
4B
32
D0
1F
5D
D5
C5
33
03
FF
12
30
53
C6
FD
7D
95
2F
44
00
F1
1C
BE
27
48
6E
4F
80
25
55
00
33
C1
AE
4C
FB
A7
57
BA
66
00
9B
D0
8F
F9
75
A9
3C
BF
77
FF
B7
48
0F
4B
BE
7B
E9
4D
01
11
7F
56
C6
98
7A
EE
A6
09
01
00
F1
A9
D1
7E
A3
AB
46
55
00
00
9E
39
9D
A4
44
0B
7C
68
04
01
35
33
D1
CF
7D
EB
EC
B4
00
00
9B
C1
60
80
D9
98
5D
0D
value
00 A8
50 (1)
00 11
01 01
00 04
00 60
00 80
00
00 01
03 00
FF
11 00
00
FE F1
(2)
22 33 44 55 66 77
00 00
00 01
80 03 FF F3 FF F1
(1) The key type value of 50 indicates a MULTOS public key certificate
(2) The PK Top and Ciphertext value is:
33
C1
AE
4C
FB
A7
57
BA
9B
D0
8F
F9
75
A9
3C
BF
B7
48
0F
4B
BE
7B
E9
4D
7F
56
C6
98
7A
EE
A6
09
F1
A9
D1
7E
A3
AB
46
55
9E
39
9D
A4
44
0B
7C
68
35
33
D1
CF
7D
EB
EC
B4
9B
C1
60
80
D9
98
5D
0D
EE
79
94
DA
5E
11
68
FD
9D
33
D4
7D
36
E8
68
BC
9B
CD
DE
58
BA
33
26
2C
98
CC
C9
49
06
AE
B9
80
64
12
CD
F2
AC
3C
68
64
74
4B
32
D0
1F
5D
D5
C5
12
30
53
C6
FD
7D
95
2F
1C
BE
27
48
6E
4F
80
25
This is 128 bytes. We are unable to determine what the end of this certificate is at the moment. Until
we know the size of the MULTOS KMA Transport Key Certifying Key, we can not determine how
much of the end of the certificate is ciphertext and how much is pk_top.
32
GALU
4.4.1 Recovering the Public Key
Most (if not all) of the public key (modulus) is held within the ciphertext at the end of the certificate.
To decipher this ciphertext requires the public part of the MULTOS CA Transport Key Certification Key
(tkck_pk). The Public Exponent portion of the public key is held in the plaintext portion of the
certificate, public_exponent, above.
The value of the tkck_pk used in this example is as follows:
Public Exponent
03
Public Modulus (tkck_pk)
B6 E7
5E C8
30 9C
D6 F5
CA E5
74 2F
06 13
EC CD
AA
75
1E
E6
EF
7F
86
73
2B
C2
17
FF
E6
24
63
27
4E
88
6A
54
31
12
7F
4B
29
FA
C1
0A
13
61
36
27
96
5F
D0
AB
8A
77
DD
13
F1
16
23
CE
49
FC
49
5D
A9
70
8F
41
45
9C
0C
93
1E
26
A6
2E
D7
15
2E
52
A7
66
A9
74
B2
01
6E
F7
4F
F1
8E
78
27
C9
33
1C
49
BB
63
A4
C6
59
C5
37
7A
FC
42
9B
1A
C3
36
95
E4
6C
7E
93
62
34
EF
AB
AF
5F
AA
AE
20
C8
9D
A7
55
6C
0F
1E
19
6D
18
E9
F8
29
91
A1
3F
20
48
FA
E6
42
AE
2D
C1
AA
C0
0C
A5
65
1F
5D
5C
0E
70
70
02
A6
8B
66
4A
49
9E
07
BA
5C
7E
07
A3
8F
B7
A2
4D
94
E5
E4
52
25
4D
5B
2C
F1
96
B7
E1
07
C3
55
1E
BC
4D
51
1F
98
53
55
1A
91
BD
AF
0A
56
AC
55
E8
16
61
26
C4
1B
FF
55
B8
BA
A2
C4
B9
46
F0
55
1C
4A
22
AB
0E
73
66
55
47
60
25
4A
1F
9A
19
55
0C
10
6C
D7
84
60
A5
55
33
65
1F
5D
5C
0E
70
A6
8B
66
4A
49
9E
5C
7E
07
A3
8F
B7
94
E5
E4
52
25
4D
F1
96
B7
E1
07
C3
BC
4D
51
1F
98
53
91
BD
AF
0A
56
AC
16
61
26
C4
1B
FF
BA
A2
C4
B9
46
F0
4A
22
AB
0E
73
66
60
25
4A
1F
9A
19
10
6C
D7
84
60
A5
Random Padding
E9 E9 FA 0C 70 07 A2 5B
Padding
55 55 55 55 55 55 55 55
34
55
A8
00
F1
55
50
80
80
55
00
00
03
55
11
00
FF
55
22
01
F3
55
33
03
FF
55 55 55 55 55 55 55 55 55
44 55 66 77 01 01 00 04 00
00 00 00 FF 11 00 00 01 00
F1
GALU
Prepending this with an initial value of 16 bytes of 55 gives
55
55
00
60
FE
55
55
A8
00
F1
55
55
50
80
80
55
55
00
00
03
55
55
11
00
FF
55
55
22
01
F3
55
55
33
03
FF
55
55
44
00
F1
55
55
55
00
55
55
66
00
55
55
77
FF
55
55
01
11
55
55
01
00
55
55
00
00
55
55
04
01
55
55
00
00
76
42
A9
83
D9
7D
05
2D
38
70
3C
C0
77
6D
94
16
A7
BD
1C
96
60
05
85
83
9A
8E
A0
9A
34
B0
FD
B9
Using the RSA key for the hash modulus function gives
1B
D6
56
2F
E8
35
CF
75
80
5D
DB
53
A3
E9
C5
F5
7F
EB
43
8E
23
81
91
60
99
AE
12
F2
67
B8
18
77
FC
D2
8D
68
7A
90
C7
DC
55
6C
0F
1E
55
29
91
A1
55
42
AE
2D
55
65
1F
5D
55
A6
8B
66
55
5C
7E
07
55 55 55 55 55 55 55 55 55
94 F1 BC 91 16 BA 4A 60 10
E5 96 4D BD 61 A2 22 25 6C
E4
B7
E1
07
C3
51
1F
98
53
AF
0A
56
AC
26
C4
1B
FF
C4
B9
46
F0
AB
0E
73
66
4A
1F
9A
19
D7 1A 19 3F C1 5C 4A A3 52
84 AB 6D 20 AA 0E 49 8F 25
60 D6 18 48 C0 70 9E B7 4D
A5
and
35
35
55
6C
0F
1E
DB
55
29
91
A1
F5
55
42
AE
2D
23
55
65
1F
5D
AE
55
A6
8B
66
18
55
5C
7E
07
68
55
94
E5
E4
76
55
F1
96
D9
55
BC
4D
38
55
91
BD
77
55
16
61
A7
55
BA
A2
60
55
4A
22
9A
55
60
25
34
55
10
6C
47
81
AF
40
5F
2B
A4
92
5A
A4
B2
31
39
40
67
22
81
75
C2
4A
2A
BD
C1
38
75
80
71
78
2B
54
C6
76
BD
09
A0
B6
49
70
56
8F
49
87
DF
9B
46
B3
D2
5D
7F
6B
2A
67
84
33
79
9C
84
32
72
F1
13
3C
35
64
7C
E3
73
5D
51
1F
98
53
84
AF
0A
56
AC
32
26
C4
1B
FF
35
C4
B9
46
F0
47
AB
0E
73
66
2B
4A
1F
9A
19
B2
D7
84
60
A5
22
1A
AB
D6
4A
19
6D
18
38
3F
20
48
78
C1
AA
C0
76
5C
0E
70
B6
4A
49
9E
8F
A3
8F
B7
9B
52
25
4D
55
B6
A5
E8
8C
F8
3E
DF
18
F4
E6
D7
76
46
9C
A5
95
6B
CB
95
02
DC
F4
B6
10
BA
DE
E5
D3
D1
4D
B8
96
30
3E
2C
06
B8
0F
1E
98
A6
D4
1A
4E
FD
C8
E8
6F
CE
09
B8
4E
D3
BF
1C
9D
16
8B
47
E9
56
81
0C
F3
B5
C7
36
GALU
4.5 Generation of Ciphertext KTU
The Ciphertext KTU component of the application load unit must now be generated. This holds the
information about what parts of the application unit have been enciphered and which algorithm and
keys have been used to encipher the application unit.
.
Field
Value
Initial Padding
55
MSM Date
00
MCD Number
FE F1 80 03 FF F3 FF F1
Application ID
AID Length
01
AID
0A
AID Padding
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
No Area Descriptors
01
Area1 Algorithm ID
01
Area1 Start
00 67
Area1 Length
00 40
Area1 Data Len
08
Area1 Key Data
41 AD 82 23 A9 0B E2 A1
Note: When attempting to replicate this process the MSM Date and MCD Number must match those
on the card. Not necessarily those values quoted here.
The following shows the above data after being assembled into a single block of data and padded to
the 96 bytes length of the MULTOS Cards Public Key.
55
FF
40
00
00
00
00
FF
08
00
00
00
FE
FF
41
00
00
00
F1
FF
AD
00
00
00
80
FF
82
00
00
00
03
FF
23
00
00
00
FF
FF
A9
00
00
00
F3
FF
0B
00
00
00
FF
FF
E2
00
00
00
F1
FF
A1
00
00
00
01
FF
00
00
00
00
0A
01
00
00
00
00
FF
01
00
00
00
00
FF
00
00
00
00
00
FF
67
00
00
00
00
FF
00
00
00
00
00
Note: The padding must be random for the security of the ALU to be maintained. For the purposes of
clarity a padding value of 0x00 has been used in this example
37
6C
0F
1E
19
6D
18
29
91
A1
3F
20
48
42
AE
2D
C1
AA
C0
65
1F
5D
5C
0E
70
A6
8B
66
4A
49
9E
5C
7E
07
A3
8F
B7
94
E5
E4
52
25
4D
F1
96
B7
E1
07
C3
BC
4D
51
1F
98
53
91
BD
AF
0A
56
AC
16
61
26
C4
1B
FF
BA
A2
C4
B9
46
F0
4A
22
AB
0E
73
66
60
25
4A
1F
9A
19
10
6C
D7
84
60
A5
The resulting ciphertext KTU is shown in the following hex dump. This is the actual component that is
appended to the application load unit:
Ciphertext KTU
09
18
A3
20
05
58
09
B3
41
EA
4F
24
1C
E3
63
90
84
36
C6
B7
6C
B0
79
A0
7C
30
2E
EC
B0
C6
BE
95
14
EE
D9
49
04
11
84
2A
B1
7A
18
69
8A
E4
07
06
6A
40
D0
24
36
D2
D6
25
A6
D8
0D
8C
B6
D5
BE
5E
C9
44
96
46
E2
85
3A
3F
E3
E7
0E
E9
2B
68
8E
3E
A4
31
C8
02
C6
E3
18
BE
48
EA
6B
39
8E
A7
9A
44
For the registration of MULTOS version 4 applications a hash of the code must be sent to the MULTOS
CA. If a KTU is used to encipher the code area of the application then a hash of this enciphered code
area must be sent. This also means that the any area that is enciphered, and contains code, should
not run over into the data area. If it does that changing any data will change the enciphered result,
and hence change the code hash, requiring a new hash will have to be calculated and registered
every time the data changes.
38
GALU
4.6 Generation of the Application Signature
The encrypted area(s) replace the plaintext in the application unit. The application signature is then
generated using the encrypted area and not on the original plaintext application unit.
The following is a hex dump of the application unit after the data component has been enciphered. In
this case the last 64 bytes of the application has been ciphered.
61
00
01
01
3F
10
00
D4
00
60
1F
0E
00
02
02
01
09
29
31
AF
C4
9E
4F
00
03
03
FF
03
0E
DA
D6
10
24
01
00
04
04
F3
05
40
01
48
C9
5C
0A
00
05
05
70
6D
06
BF
6E
36
0F
50
00
06
06
00
00
00
7E
F6
5C
44
09
00
07
07
09
26
40
BE
E2
00
42
61
00
08
08
03
21
6B
19
8B
C3
54
00
01
01
05
02
C8
0A
0E
91
65
00
02
02
6E
28
59
89
2E
52
73
00
03
03
00
01
22
30
A9
E6
74
00
04
04
3F
5E
12
7E
69
06
00
00
05
05
01
00
B0
40
C0
6E
00
00
06
06
FF
00
49
D2
B1
EA
00
00
07
07
F4
59
5A
88
46
36
00
00
08
08
70
00
7A
C2
B5
34
The first task is to generate the Asymmetrical Hash of the application unit.
For MULTOS version 4 cards, the Hash Digest is calculated in two steps. The first is to perform an AHash on the application unit. The next step is to use the result from this A-Hash as the Initial Value for
a second A-Hash. The second A-Hash is applied to a block of 55.
Application Unit
MEL
1st A-Hash
H
0x55 ... 0x55
Initial Value
2nd A-Hash
Application Hash
We need to split the above block (Application Unit) into blocks of 56. If we need to pad then they
need to be placed at the beginning of the block. The pad byte is 55.
39
61
00
01
01
0E
00
02
02
4F
00
03
03
01
00
04
04
0A
00
05
05
50
00
06
06
09 61 54 65 73 74 00 00 00
00 00 00 00 00 00 00 00 00
07 08 01 02 03 04 05 06 07
07
08
03
21
6B
01
05
02
C8
02
6E
28
59
03
00
01
22
04
3F
5E
12
05
01
00
B0
06
FF
00
49
07 08 3F 01 FF F3 70 00 09
F4 70 10 09 03 05 6D 00 26
59 00 00 29 0E 40 06 00 40
5A
7A
C2
B5
34
D4
00
60
1F
31
AF
C4
9E
DA
D6
10
24
01
48
C9
5C
BF
6E
36
0F
7E
F6
5C
44
BE 19 0A 89 30 7E 40 D2 88
E2 8B 0E 2E A9 69 C0 B1 46
00 C3 91 52 E6 06 6E EA 36
42
Block 2
Block 3
40
D3
7E
F8
3E
12
75
58
34
4F
B7
94
4A
94
5D
39
54
39
9D
31
91
C6
0A
37
19
68
6B
12
F4
9F
C4
0B
0E
BD
33
99
F1
8E
0D
35
2D
40
64
25
5C
E1
37
A2
C1
32
46
44
EE
9D
26
6F
3F
6E
E9
AE
A8
40
72
EC
FF
0E
31
75
GALU
We have an initial chain block of 16 bytes of 55, which we concatenate with the first block.
Initial chain block + Block1
55
55
00
00
08
55
61
00
01
01
55
0E
00
02
02
55
4F
00
03
03
55
01
00
04
04
55
0A
00
05
05
55
50
00
06
06
55
09
00
07
07
55
61
00
08
55
54
00
01
55
65
00
02
55
73
00
03
55
74
00
04
55
00
00
05
55
00
00
06
55
00
00
07
AF
26
EE
2F
A7
57
FC
B6
B8
69
C4
30
CF
35
34
49
6F
40
8C
95
F3
7C
81
C9
26
63
D9
98
5F
21
11
87
B6
8E
72
99
0D
EE
DA
95
88
8B
95
47
08
B0
87
D6
76
EE
C4
F7
9E
A7
D5
A8
3C
53
8B
34
5A
FF
5F
76
FC
94
DF
The first 16 bytes of this ciphertext will make the new chain value, BUT first we must make sure that
the most significant bit (msb) is zero. In our example 22 is 00100010 which has the msb set to zero
already. Let us suppose however that the first byte were 9D. This is binary 10011101 so we convert it
to 00011101, which equals 1D. So our new initial value, when appended to block two, would have
the first byte as 1D, not 9D.
Ciphertext IV + Block 2
22 EE
08 01
03 05
21 02
6B C8
95
02
6E
28
59
D6
03
00
01
22
9E
04
3F
5E
12
53
05
01
00
B0
5F
06
FF
00
49
AF
07
F4
59
5A
57
08
70
00
69
3F
10
00
35
01
09
29
40
FF
03
0E
7C
F3
05
40
63
70
6D
06
21
00
00
00
8E
09
26
40
52
9F
86
BD
97
3A
C6
62
B6
A8
10
3B
1A
64
C0
F7
6C
C6
1D
D0
F7
43
78
94
B1
72
EE
E8
A4
37
F3
AF
21
ED
07
A7
5E
E8
07
F6
4D
62
7B
93
3E
DA
33
2C
7A
15
30
A6
F2
EE
A3
BE
2A
59
8A
7E
7C
BA
82
0E
65
4D
60
The first 16 bytes are used as the IV for the next step in the calculation. The most significant bit is
already set to zero. This gives the following value.
Ciphertext IV + Block 3
35
7A
C2
B5
34
82
D4
00
60
1F
52
31
AF
C4
9E
3A
DA
D6
10
24
10
01
48
C9
5C
F7
BF
6E
36
0F
F7
7E
F6
5C
44
72
BE
E2
00
42
F3
19
8B
C3
07
0A
0E
91
07
89
2E
52
7B
30
A9
E6
33
7E
69
06
30
40
C0
6E
A3
D2
B1
EA
8A
88
46
36
41
6A
A7
B3
B9
78
DE
5B
09
17
42
39
C9
50
27
CF
4A
76
7D
E3
5D
05
AB
FB
E8
96
D9
84
70
05
A2
38
70
47
82
B5
8C
BF
21
11
DB
87
25
D5
97
C8
10
49
D2
24
95
DC
99
7B
DC
6A
90
1B
F7
F1
7C
0F
BB
57
BA
DF
39
26
First A-Hash
From this we can determine the Hash Digest of the Application Unit, from the first 16 bytes. We must
also make sure that the msb is 0. So the 1st A-Hash is:
07 6A DE 39 4A 05 D9 38 8C DB 97 D2 99 90 7C BA
To generate the second A-Hash we add 56 bytes of 55 to the 1st A-Hash
1st A-Hash + 56 bytes 55
07
55
55
55
55
6A
55
55
55
55
DE
55
55
55
55
39
55
55
55
55
4A
55
55
55
55
05
55
55
55
55
D9
55
55
55
55
38
55
55
55
55
8C
55
55
55
DB
55
55
55
97
55
55
55
D2
55
55
55
99
55
55
55
90
55
55
55
7C
55
55
55
BA
55
55
55
C3
2F
1F
1A
6E
58
A9
C0
13
AD
A0
F0
DD
28
E8
A7
24
2A
B4
00
4F
EA
E5
48
5C
FB
AE
23
04
EF
4A
CE
95
5C
CE
9B
99
A7
9D
E4
09
98
2F
50
75
02
83
D1
FC
6B
43
0A
E3
2E
06
85
B8
FC
55
79
67
96
CA
A6
1C
66
0D
Second A-Hash
So the 2nd and actual Application Hash (having converted the most significant bit to 0) is:
22 CA C3 58 A0 A7 4F FB 4A CE 9D 2F 83 43 06 55
Pad the hash to 72 bytes to get the plaintext Application Signature
42
GALU
4.6.2 Plaintext Application Signature
Note: For version 4 cards the padding are 40 bytes of 0x55 followed by 8 bytes of random data,
followed by 8 bytes of 55.
22
55
55
55
55
CA
55
55
55
55
C3
55
55
55
55
58
55
55
55
55
A0
55
55
55
55
A7
55
55
55
55
4F
55
55
55
55
FB
55
55
55
55
4A
55
55
01
CE
55
55
02
9D
55
55
03
2F
55
55
04
83
55
55
05
43
55
55
06
06
55
55
07
55
55
55
08
This is then RSA enciphered using the Application Providers Private Key.
48
38
00
69
20
C8
7A
17
4B
D2
E9
0A
E7
CA
F7
35
E1
37
D9
85
7E
3E
42
4A
C0
1D
89
CC
0A
BD
3A
6D
35
E4
FB
B8
90
26
5B
4E
3E
C9
F6
0B
86
04
EC
5A
1B
13
32
07
DA
42
22
95
FB
31
8D
04
44
D3
9F
81
F0
58
AA
43
6D
54
80
97
2B
2D
B7
23
02
BD
5D
10
DC
9D
B1
D0
51
AC
DA
55
3D
DD
F3
04
13
2B
CE
0E
2F
CD
D8
24
CC
87
83
14
58
48
0D
75
5D
AE
82
11
C9
96
B7
07
29
3A
00
0B
C8
F2
CC
5F
78
27
4F
86
E7
34
D8
C2
68
F0
DD
44
C7
31
0B
47
AB
28
C5
B4
40
FC
91
F0
4E
83
FD
0C
B7
34
68
4C
2E
21
21
09
26
78
73
58
8D
4A
98
3B
13
D6
B5
76
3C
8B
FE
E7
2E
E0
1E
AC
69
80
D5
0D
C4
6D
E1
A1
09
F8
26
45
F2
34
A1
FB
59
C1
C4
52
A0
FA
98
GALU
4.7 Creating the Confidential Application Load Unit
The final stage is to recreate the Application Load Unit. This is a merely a case of copying the
Application Unit back into the Application Load Unit and adding the Ciphertext KTU and Application
Signature.
Code component (unchanged)
3F 01 FF F3 70 00 09 03 05 6E 00 3F 01 FF F4 70
10 09 03 05 6D 00 26 21 02 28 01 5E 00 00 59 00
00 29 0E 40 06 00 40
Data component (enciphered)
6B
19
8B
C3
C8
0A
0E
91
59
89
2E
52
22
30
A9
E6
12
7E
69
06
B0
40
C0
6E
49
D2
B1
EA
5A
88
46
36
7A
C2
B5
34
D4
00
60
1F
31
AF
C4
9E
DA
D6
10
24
01
48
C9
5C
BF
6E
36
0F
7E
F6
5C
44
BE
E2
00
42
C7
31
0B
47
AB
28
C5
B4
40
FC
91
F0
4E
83
FD
0C
B7
34
68
4C
2E
21
21
09
26
78
73
58
8D
4A
98
3B
13
D6
B5
76
3C
8B
FE
E7
2E
E0
1E
AC
69
80
D5
0D
C4
6D
E1
A1
09
F8
26
45
F2
34
A1
FB
59
C1
C4
52
A0
FA
98
B6
D5
BE
5E
C9
44
96
46
E2
85
3A
3F
E3
E7
0E
E9
2B
68
8E
3E
A4
31
C8
02
C6
E3
18
BE
48
EA
6B
39
8E
A7
9A
44
09
B3
41
EA
4F
24
1C
E3
63
90
84
36
C6
B7
6C
B0
79
A0
7C
30
2E
EC
B0
C6
BE
95
14
EE
D9
49
04
11
84
2A
B1
7A
18
69
8A
E4
07
06
6A
40
D0
24
36
D2
D6
25
A6
D8
0D
8C
45
F1
70
00
D2
5C
0A
00
03
76
C6
FE
04
E3
2A
48
80
10
40
88
00
50
00
04
E7
0B
1E
18
39
E4
9A
03
09
6B
C2
C3
09
00
05
AC
B4
D5
6A
A3
24
58
FF
03
C8
00
91
61
00
06
0D
4E
E1
D6
41
D8
24
F3
05
59
AF
52
54
00
07
A1
34
26
B6
63
5E
36
FF
6D
22
D6
E6
65
20
08
45
21
A1
96
6C
85
A0
F1
00
12
48
06
73
01
01
FB
58
C4
E3
2E
E9
C6
00
26
B0
6E
6E
74
02
02
52
13
98
8E
14
31
49
27
21
49
F6
EA
00
03
03
A6
8B
70
C6
84
BE
7A
3F
02
5A
E2
36
00
04
04
31
E0
AB
6B
8A
A7
06
01
28
7A
8B
34
00
05
05
C5
80
FC
18
D0
05
D2
FF
01
D4
0E
1F
00
06
06
F0
6D
FD
B3
A6
4F
8C
F3
5E
31
2E
9E
00
07
07
B7
F8
4C
E3
BE
84
44
70
00
DA
A9
24
00
08
08
21
34
26
B7
E2
79
3F
00
00
01
69
5C
00
01
00
73
C1
4A
30
0E
B0
68
09
59
BF
C0
0F
00
02
48
3B
FA
B5
95
A4
D9
02
03
00
7E
B1
44
00
03
27
3C
17
00
11
18
B1
EA
05
00
BE
46
42
00
04
C7
2E
47
60
69
8E
07
44
6E
29
19
B5
00
00
05
28
69
40
09
40
20
36
00
0E
0A
60
20
00
06
91
C4
83
09
25
EA
0D
3F
40
89
C4
61
00
07
0C
09
68
1C
D5
90
C9
01
06
30
10
0E
00
08
2E
F2
09
C6
46
B0
3A
FF
00
7E
C9
4F
00
01
78
59
8D
7C
E7
EC
2B
01
FF
00
FF
00
00
20
47
9E
C9
03
D1
01
FF
00
FF
00
00
00
E1
68
77
87
AF
01
FF
00
FF
00
00
50
6E
91
53
BF
AA
01
FF
FF
FF
00
00
50
F9
14
1B
97
CB
00
FF
FF
FF
00
00
00
99
EB
AF
51
9D
48
FF
FF
FF
00
00
01
90
C6
BB
AD
5A
00
FF
FF
FF
00
00
00
5A
3A
42
8F
CC
80
FF
FF
FF
00
00
44
0D
37
D2
DA
11
00
FF
FF
FF
00
00
F9
72
D7
D8
5D
EE
00
FF
FF
FF
00
00
13
15
AB
AC
20
0F
01
FF
FF
FF
00
00
21
20
7B
9B
2F
01
03
FF
FF
00
00
00
16
4C
FE
01
DC
95
00
FF
FF
00
00
00
8C
0A
EF
77
17
8E
46
22
00
FF
FF
00
0A
00
4F
D9
04
1B
2F
0F
43
FF
FF
FF
00
00
00
F7
06
28
FD
73
11
FF
FF
FF
00
00
27
A3
12
1D
F5
7C
11
FF
FF
FF
00
00
00
49
89
3A
BB
75
11
FF
FF
FF
00
00
40
72
D3
C6
90
35
11
FF
FF
FF
00
00
00
F8
D5
59
1D
31
11
FF
FF
FF
00
00
08
D9
0C
D8
67
78
11
FF
FF
FF
00
00
00
FC
E5
48
F9
5A
11
FF
FF
FF
00
00
20
7C
24
A2
51
CD
11
FF
00
FF
00
00
00
DF
26
43
36
2A
GALU
4.7.3 Application Delete Certificate
01
00
FF
FF
00
01
00
8C
FB
01
30
CA
11
00
FF
FF
00
0A
6C
E6
66
D4
6A
F1
44
FF
FF
FF
00
00
1A
C1
F4
D8
3A
57
11
FF
FF
FF
00
00
54
E9
78
B6
11
24
11
FF
FF
FF
00
00
B7
92
89
91
F0
E8
11
FF
FF
FF
00
00
1A
83
6D
C5
06
65
11
FF
FF
FF
00
00
8B
17
BF
43
73
42
11
FF
FF
FF
00
00
92
D4
CB
8B
11
80
11
FF
FF
FF
00
00
95
C0
32
5B
15
BB
11
FF
FF
FF
00
00
5B
51
43
C4
3D
11
FF
00
FF
00
00
44
CE
78
C9
0A
01
FF
00
FF
00
00
EA
C3
6C
4B
22
01
FF
00
FF
00
00
D8
E7
10
2F
8C
01
FF
00
FF
00
00
AF
AB
0A
81
05
01
FF
FF
FF
00
00
AC
CC
95
8A
A5
00
FF
FF
FF
00
00
D1
FC
35
FD
96
48
FF
FF
FF
00
00
AD
8D
70
A1
6D
00
FF
FF
FF
00
00
08
AC
39
4B
4B
80
FF
FF
FF
00
00
BB
D8
97
92
8B
00
FF
FF
FF
00
00
76
99
4C
42
07
00
FF
FF
FF
00
00
F4
56
C6
73
47
01
FF
FF
FF
00
00
EB
ED
31
35
64
03
FF
FF
00
00
00
D5
E1
E8
07
A5
00
FF
FF
00
00
00
42
B9
6F
61
CB
47