Search code examples
c#smartcardsmartcard-readerpcsc

External authenticate with tachograph smartcard

I'm using C# with a c# library to read out the identification data from tachograph cards.

I only need to read out the unique card ID and can do this with a driver card, I send the correct APDUs to do the trick. I'm now trying to read out the ID of a company card doing the same things, as described in the documentation I could find (ECE/TRANS/SC.1/2006/2 and sub appendixes). This doesn't work.

If I understand the documentation correctly, the problem is that after selecting a DF and an EF after that, the Authentication has to be redone (on a company card only) to read out the unique identification data from the EF. Now, reading the documentation, I can understand I have to use a "manage security environment" to set/request a public key? Then use an "internal authenticate", "get challenge", run an "external authenticate" and finally use a "read binary" to read out the data. But only after setting the logic to the correct EF. Am I correct in this matter?

If I'm correct, does anyone understand where/how I can request the public key from the card? and what algorithm is used to decrypt the challenge using the public key and eventually, what to send back to the card?

If I did not understand it correctly, can anyone explain the steps in authenticating with a tachograph smartcard? Using idiot terms would be appreciated as I'm completely new in this line of work and still trying to learn.

Solution

  • I had no detailed look into Tachograph specification for years, but this might help you to start:

    • a challenge is just a random number, you have to encrypt it (symmetric algorithm) or sign it (asymmetric algorithm) by yourself. The appropriate algorithm has to be defined before, since the card has to follow the same rules for checking.
    • external authenticate is far more likely using symmetric cryptography (nobody likes to sign something unknown, which could also be a hash code for a message)
    • there are two standardized modes for retrieving the public key:
      • either as response to a special Generate Asymmetric Key Pair command (there is one, which just reads but does not generate a new key)
      • or in some file to be read using standard READ commands (e. g. a certificate which has the advantage, that you may check its signature). Which case applies has to be stated in the specification.
    • Manage Security Environment just informs the card, which key to use for a subsequent operation like PSO, giving its Control Reference Template, id and usage qualifier