Problem Description
% kinit -e -P 0
kinit sends the following APDU to the card:
03 10 00 00 len data
where len is the length of the encrypted AS_REP, and the data is the encrypted AS_REP itself. Your applet should decrypt this data with key number 6 in the key file (3f00/0011), and return the plain text AS_REP to the host. kinit will then obtain the response via the get_response APDU.
Caution
Allocate all the objects in the constructor, not in process() or any methods called by process(). Applets are initialized (constructed) only when they are installed on the card. They are not initialized on card reset. Therefore, if you have new operations in the process() method, they are executed every time an APDU is sent to the card. This leaks memory, because there is no garbage collector in Java Cards.
Using DES in Cyberflex Access is tricky, to say the least. Some advice:
- Construct the DES key object with the key number, e.g.,
deskey = new DES_Key((short)6);
- Always initialize the initialization vector of DES, e.g.,
IV = new byte[64]; // This must be 64, not 8, because of bugs in the card
IV[0] = (byte)0x0;
IV[1] = (byte)0x0;
IV[2] = (byte)0x0;
IV[3] = (byte)0x0;
IV[4] = (byte)0x0;
IV[5] = (byte)0x0;
IV[6] = (byte)0x0;
IV[7] = (byte)0x0;
deskey.setICV (IV, (short)0); // allocate the ICV location
deskey.clearICV();
- Allocate the DES key in the constructor, not in the process() method. Otherwise, it will leak memory (see above).
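The allocation rule above, as an added example (not the course's code and not the Cyberflex API): it uses the standard Java Card 2.1+ classes (javacard.security, javacardx.crypto) in place of the Cyberflex DES_Key class. The package name, the class name KrbSketch and DEMO_KEY are assumptions; DEMO_KEY is a constructed stand-in for key number 6 in 3f00/0011.

```java
package krbdemo; // hypothetical package name

import javacard.framework.APDU;
import javacard.framework.Applet;
import javacard.framework.ISO7816;
import javacard.framework.ISOException;
import javacard.security.DESKey;
import javacard.security.KeyBuilder;
import javacardx.crypto.Cipher;

public class KrbSketch extends Applet {
    private static final byte INS_DECRYPT = (byte) 0x10; // INS byte of 03 10 00 00 len
    // Constructed stand-in for key number 6 in the key file (sample key from the transcript).
    private static final byte[] DEMO_KEY = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, (byte) 0x88};

    private final DESKey key;    // allocated once, at install time
    private final Cipher cipher; // allocated once, at install time

    private KrbSketch() {
        // Every "new" and every factory call lives here: the constructor runs
        // once at install, and nothing allocated later is ever reclaimed.
        key = (DESKey) KeyBuilder.buildKey(KeyBuilder.TYPE_DES, KeyBuilder.LENGTH_DES, false);
        key.setKey(DEMO_KEY, (short) 0);
        cipher = Cipher.getInstance(Cipher.ALG_DES_CBC_NOPAD, false);
        register();
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new KrbSketch();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) return;
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_DECRYPT) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        short len = apdu.setIncomingAndReceive();
        // Reject empty, partial-block, or incompletely received data.
        if (len == 0 || (len & 7) != 0 || len != (short) (buf[ISO7816.OFFSET_LC] & 0xFF)) {
            ISOException.throwIt(ISO7816.SW_WRONG_LENGTH);
        }
        // WRONG (leaks on every APDU): new byte[8] or KeyBuilder.buildKey(...) here.
        cipher.init(key, Cipher.MODE_DECRYPT); // no IV argument: CBC starts from an all-zero IV
        // Decrypt in place in the APDU buffer, so no scratch array is needed.
        short outLen = cipher.doFinal(buf, ISO7816.OFFSET_CDATA, len, buf, ISO7816.OFFSET_CDATA);
        apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, outLen);
    }
}
```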
pay> 2
pay> jq
pay> ju
pay> jl Krb.bin
pay> jq
pay> f 3f.00
pay> f 77.78
pay> js
pay> q
To unselect your applet (and therefore reselect the default loader), use the jq command in pay.
itoi@snoopy :) kinit -K itoi@UMICH.EDU
Password for itoi@UMICH.EDU:
key:
11 22 33 44 55 66 77 88
Then load the printed key into the card with the "jk" command of pay.
pay> jk 1
class F0
Verify key: 90 00 ok
ca_load_key buf=jk 1
key 0 : <- paste the 8 byte key here
itoi@snoopy :) kinit -e -P 0 itoi@UMICH.EDU
itoi@snoopy :) klist
Ticket cache: /tmp/krb5cc_p500
Default principal: itoi@UMICH.EDU
Valid starting     Expires            Service principal
02/01/00 21:55:47  02/02/00 07:55:47  krbtgt/UMICH.EDU@UMICH.EDU
Flags: I
If you want to try, you can use aklog to convert the K5 ticket to an AFS token, and krb524init to convert it to a Krb4 ticket (to use kpop, for example).
Submission
Please place the binary and source of your program in your class
directory (/afs/engin.umich.edu/class/w00/eecs598/002/uniqname), and
send me e-mail with where your files are, and a couple of
paragraphs that explain what your program does.
Your programs must be called "Krb.java" and
"Krb.bin".
I welcome Solaris, Linux, and OpenBSD binaries. If it is absolutely
necessary, I will accept others, e.g., Windows binary.
Reference
All right, another homework is done. As always, send questions to smartcards@umich.edu (I much prefer receiving questions at smartcards@umich rather than itoi@eecs, because other students can share the information), or talk to us on IRC #smartcards. Obviously, doing more development on Krb5/Smartcard is more than welcome. For example, kinit with the smartcard on a remote host is an interesting project. If you are interested in doing more, talk to us about potential course projects. Good luck. :)