LdsSecurityObject with only one hash

ziggi slaw
1. Why is LdsSecurityObject limited to 2...16 hashes in the DataGroupHashValues?
2. How can I circumvent this? Can I use another object to build the LdsSecurityObject with only one hash?

I need this for an ISO-compliant driving license (but I think it is the same logic for passports) where you have to put datagroups (DG) on the chip and then also their hashes (and then sign them at the end). But the problem is that when you have only one DG then you have only one hash and subsequently cannot use LdsSecurityObject.

My code is somewhat similar to
- https://github.com/E3V3A/JMRTD/blob/master/jmrtd/src/org/jmrtd/lds/SODFile.java (line 855)
- or https://github.com/Qingbao/PasswdManager/blob/master/src/passwdmanager/hig/no/lds/DG_SOD.java (line 507).


Re: LdsSecurityObject with only one hash

David Hook

In answer to 1: its ASN.1 profile defines it that way.

With 2, it sounds like you need a similar, but different object. Is
there anything documented in the standard relating to the ASN.1 profile
of the structures it's using?

Regards,

David

On 26/07/16 21:46, ziggi slaw wrote:

> 1. Why is LdsSecurityObject limited to 2...16 hashes in the
> DataGroupHashValues?
> 2. How can I circumvent this? Can I use another object to build the
> LdsSecurityObject with only one hash?
>
> I need this for an ISO-compliant driving license (but I think it is the
> same logic for passports) where you have to put datagroups (DG) on the
> chip and then also their hashes (and then sign them at the end). But
> the problem is that when you have only one DG then you have only one
> hash and subsequently cannot use LdsSecurityObject.
>
> My code is somewhat similar to
> - https://github.com/E3V3A/JMRTD/blob/master/jmrtd/src/org/jmrtd/lds/SODFile.java (line 855)
> - or https://github.com/Qingbao/PasswdManager/blob/master/src/passwdmanager/hig/no/lds/DG_SOD.java (line 507).


Re: LdsSecurityObject with only one hash

ziggi slaw
It's funny because in the ISO standard (18013-3) the DataGroupHash should be from 2 to number of data groups. I don't know if I am allowed to paste content of ISO documents, but I found it online also: www.hsevi.ir/RI_Standard/File/9449 (page 15).

    LDSSecurityObject ::= SEQUENCE {
        version LDSSecurityObjectVersion,
        hashAlgorithm DigestAlgorithmIdentifier,
        dataGroupHashValues SEQUENCE SIZE (2..ub-DataGroups) OF DataGroupHash }

And in other part of the specification it says that only one DataGroup is mandatory (DG1), so I'm a bit confused...

Best regards,
Simon

On Wed, Jul 27, 2016 at 1:23 AM, David Hook <[hidden email]> wrote:

> In answer to 1: its ASN.1 profile defines it that way.
>
> With 2, it sounds like you need a similar, but different object. Is
> there anything documented in the standard relating to the ASN.1 profile
> of the structures it's using?
>
> Regards,
>
> David

Re: LdsSecurityObject with only one hash

David Hook

Does it give examples of "non-mandatory" DataGroups that can be added? It's hard to believe (although not impossible) that they would have missed the fact 2 are required. The assumption may be that you'd always have 2, but that one of them (DG1) would always be present.

Regards,

David

On 27/07/16 23:40, ziggi slaw wrote:
> It's funny because in the ISO standard (18013-3) the DataGroupHash should be from 2 to number of data groups. I don't know if I am allowed to paste content of ISO documents, but I found it online also: www.hsevi.ir/RI_Standard/File/9449 (page 15).
>
>     LDSSecurityObject ::= SEQUENCE {
>         version LDSSecurityObjectVersion,
>         hashAlgorithm DigestAlgorithmIdentifier,
>         dataGroupHashValues SEQUENCE SIZE (2..ub-DataGroups) OF DataGroupHash }
>
> And in other part of the specification it says that only one DataGroup is mandatory (DG1), so I'm a bit confused...
>
> Best regards,
> Simon

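
Added example, not part of the thread and not code from either poster or from the library: it shows the SIZE (2..16) check discussed above on both the build side and the parse side. It assumes the class in question is Bouncy Castle's Java org.bouncycastle.asn1.icao.LDSSecurityObject with the library on the classpath; SingleHashLdsExample and buildUnchecked are hypothetical names, the DG1 bytes are constructed, and version 0 is an assumed value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.icao.DataGroupHash;
import org.bouncycastle.asn1.icao.LDSSecurityObject;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;

public class SingleHashLdsExample {  // hypothetical class name

    // Hypothetical helper: the same three fields, in the same order, as the
    // LDSSecurityObject definition quoted in the thread, with no SIZE check.
    static ASN1Sequence buildUnchecked(AlgorithmIdentifier alg, DataGroupHash[] hashes) {
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new ASN1Integer(0));        // version (0 is an assumption)
        v.add(alg);                       // hashAlgorithm
        v.add(new DERSequence(hashes));   // dataGroupHashValues
        return new DERSequence(v);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bytes standing in for the DG1 file contents.
        byte[] dg1 = "constructed DG1 sample".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(dg1);
        AlgorithmIdentifier sha256 = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
        DataGroupHash[] one = { new DataGroupHash(1, new DEROctetString(digest)) };

        // 1. The typed class enforces the size constraint at construction time.
        try {
            new LDSSecurityObject(sha256, one);
        } catch (IllegalArgumentException e) {
            System.out.println("constructor: " + e.getMessage());
        }

        // 2. The generic ASN.1 classes will encode a one-element sequence.
        ASN1Sequence raw = buildUnchecked(sha256, one);
        System.out.println("encoded " + raw.getEncoded().length + " bytes");

        // 3. Reading that structure back through the typed class hits the same
        //    check, so a verifier built on this class does not accept it.
        try {
            LDSSecurityObject.getInstance(raw);
        } catch (IllegalArgumentException e) {
            System.out.println("parser: " + e.getMessage());
        }
    }
}
```

The one-hash structure from step 2 does not satisfy the SIZE (2..ub-DataGroups) constraint quoted in the thread, so it is the "similar, but different object" rather than a conformant LDSSecurityObject.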