u2f_ez100pu_bbbb

# u2f_ez100pu_bbbb ###### tags: `fido` [download packets](https://drive.google.com/file/d/1WolbIAcYrxognhRX3LeZSdaAM5MfTRER/view?usp=sharing) username : bbbb packet filters: * usb.capdata * usb.capdata contains 00a4 && usb.capdata contains 472f [slide](https://docs.google.com/presentation/d/1R6S88EQC8jlyLoybihFGnyafbxql7-ov/edit?usp=sharing&ouid=110034452499467481068&rtpof=true&sd=true) [iso7816-4-5](https://cardwerk.com/smart-card-standard-iso7816-4-section-5-basic-organizations/) [fido u2f raw message formats](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html) [X.680 ASN.1 Specification of basic notation](https://www.itu.int/rec/T-REC-X.680-202102-I/en) [X.690 ASN.1 encoding rules](https://www.itu.int/rec/T-REC-X.690-202102-I/en) [Cyber Chef](https://gchq.github.io/CyberChef/#recipe=Parse_X.509_certificate('DER%20Hex')&input=MzA4MjAxM2MzMDgxZTRhMDAzMDIwMTAyMDIwYTQ3OTAxMjgwMDAxMTU1OTU3MzUyMzAwYTA2MDgyYTg2NDhjZQozZDA0MDMwMjMwMTczMTE1MzAxMzA2MDM1NTA0MDMxMzBjNDc2ZTc1NjI2Mjc5MjA1MDY5NmM2Zjc0MzAxZTE3CjBkMzEzMjMwMzgzMTM0MzEzODMyMzkzMzMyNWExNzBkMzEzMzMwMzgzMTM0MzEzODMyMzkzMzMyNWEzMDMxMzEKMmYzMDJkMDYwMzU1MDQwMzEzMjY1MDY5NmM2Zjc0NDc2ZTc1NjI2Mjc5MmQzMDJlMzQyZTMxMmQzNDM3MzkzMAozMTMyMzgzMDMwMzAzMTMxMzUzNTM5MzUzNzMzMzUzMjMwNTkzMDEzMDYwNzJhODY0OGNlM2QwMjAxMDYwODJhCjg2NDhjZTNkMDMwMTA3MDM0MjAwMDQ4ZDYxN2U2NWM5NTA4ZTY0YmNjNTY3M2FjODJhNjc5OWRhM2MxNDQ2NjgKMmMyNThjNDYzZmZmZGY1OGRmZDJmYTNlNmMzNzhiNTNkNzk1YzRhNGRmZmI0MTk5ZWRkNzg2MmYyM2FiYWYwMgowM2I0Yjg5MTFiYTA1Njk5OTRlMTAxMzAwYTA2MDgyYTg2NDhjZTNkMDQwMzAyMDM0NzAwMzA0NDAyMjA2MGNkCmI2MDYxZTljMjIyNjJkMWFhYzFkOTZkOGM3MDgyOWIyMzY2NTMxZGRhMjY4ODMyY2I4MzZiY2QzMGRmYTAyMjAKNjMxYjE0NTlmMDllNjMzMDA1NTcyMmM4ZDg5YjdmNDg4ODNiOTA4OWI4OGQ2MGQxZDk3OTU5MDJiMzA0MTBkZg) ## register ```= >> 00a4040008 a0000006472f0001 00 // packet No.183 << 5532465f5632 9000 // "U2F_V2" >> 8012010000 << 6d00 >> 00a4040008 a0000006472f0001 00 // No.555 << 5532465f5632 9000 // "U2F_V2" >> 8010000001 04 00 // get info, defined in ctap2 << 6d00 ``` ![](https://i.imgur.com/S1p4MB1.png) ![](https://i.imgur.com/TlxeB7L.png) ```= >> 0001030040 // INS=01 ->ENROLL 5ba19a7840cf49b2 c2ac65d237b5c9c4 // challenge param. 32bytes 9043fa417cd0793a ba04ead616cb7f37 74a6ea9213c99c2f 74b22492b320cf40 // app param. 32bytes 262a94c1a950a039 7f29250b60841ef0 << 0504da5432d59c6f 9222eba8c3ce7803 // 04... user public key d0ff529a49d1e70b 1652b46b9d6fdaa7 84b3a73248151953 c7eab4b34398d0b8 748de1b7b6d4c1f6 c2b2ae00fd40f874 2491404cb69d02ba 369c98b9d0c02ba9 //key handle length = 0x40 6199bcee9e66a3e6 1c71e95adae190bf acd9f14017420db2 ef3eed6fcd833548 240820b807a373d3 6b426e3624f8eaaf 8b178b3082013c30 81e4a00302010202 //0x30... X.509 cert. 0a47901280001155 957352300a06082a 8648ce3d04030230 1731153013060355 0403130c476e7562 62792050696c6f74 301e170d31323038 3134313832393332 5a170d3133303831 343138323933325a 3031312f302d0603 550403132650696c 6f74476e75626279 2d302e34 >> 00 << 2e312d34 6100 // 大於等於256bytes要傳 >> 00c00000 00 // INS=c0 -> GET DATA << 3739303132383030 3031313535393537 3335323059301306 072a8648ce3d0201 06082a8648ce3d03 0107034200048d61 7e65c9508e64bcc5 673ac82a6799da3c 1446682c258c463f ffdf58dfd2fa3e6c 378b53d795c4a4df fb4199edd7862f23 abaf0203b4b8911b a0569994e101300a 06082a8648ce3d04 0302034700304402 2060cdb6061e9c22 262d1aac1d96d8c7 0829b2366531dda2 68832cb836bcd30d fa0220631b1459f0 9e6330055722c8d8 9b7f48883b9089b8 8d60d1d9795902b3 0410df3046022100 e90af4bba53ba33a // 30... signature, The signature is encoded in ANSI X9.62 format e125e9e4381bdc16 a47cc151ca035180 ba28046eb5776302 022100d8c7df6974 138a3c582793a287 8b44f4cc >> 00 << 11cac6cc 610b // 剩下11bytes要傳 >> 00c00000 0b << 18fe94354c0bcb1d 8d1cf9 9000 ``` ### certificate ``` Version: 3 (0x02) Serial number: 337945684495923137573714 (0x47901280001155957352) Algorithm ID: SHA256withECDSA Validity Not Before: 14/08/2012 18:29:32 (dd-mm-yyyy hh:mm:ss) (120814182932Z) Not After: 14/08/2013 18:29:32 (dd-mm-yyyy hh:mm:ss) (130814182932Z) Issuer CN = Gnubby Pilot Subject CN = PilotGnubby-0.4.1-47901280001155957352 Public Key Algorithm: EC Curve Name: secp256r1 Length: 256 bits pub: 04:8d:61:7e:65:c9:50:8e:64:bc:c5:67:3a:c8:2a:67: 99:da:3c:14:46:68:2c:25:8c:46:3f:ff:df:58:df:d2: fa:3e:6c:37:8b:53:d7:95:c4:a4:df:fb:41:99:ed:d7: 86:2f:23:ab:af:02:03:b4:b8:91:1b:a0:56:99:94:e1: 01 Certificate Signature Algorithm: SHA256withECDSA r: 60:cd:b6:06:1e:9c:22:26:2d:1a:ac:1d:96:d8:c7:08: 29:b2:36:65:31:dd:a2:68:83:2c:b8:36:bc:d3:0d:fa s: a2:68:83:2c:b8:36:bc:d3:0d:fa:02:20:63:1b:14:59: f0:9e:63:30:05:57:22:c8:d8:9b:7f:48:88:3b:90:89: b8:8d:60:d1:d9:79:59:02:b3:04:10:df Extensions ``` ### certificate (DER) ```= 3082013c // Sequence 3081e4 a003 0201 // Integer:Version 02 020a // Integer:Serial Number 47901280001155957352 300a 0608 // Object identifier 2a8648ce3d040302 // SHA256withECDSA 3017 3115 // Set 3013 0603 // Object identifier 550403 // commonName 130c // String 476e756262792050696c6f74 // "Gnubby Pilot" 301e 170d // UTCTime 3132303831343138323933325a 170d // UTCTime 3133303831343138323933325a 3031 312f 302d 0603 // Object identifier 550403 // commonName 1326 // String 50696c6f74476e756262792d302e342e312d3437393031323830303031313535393537333532 // "PilotGnubby-0.4.1-47901280001155957352" 3059 3013 0607 2a8648ce3d0201 // ecPublicKey 0608 2a8648ce3d030107 // P-256 0342 // Bitstring 00048d617e65c9508e64bcc5673ac82a6799da3c1446682c258c463fffdf58dfd2fa3e6c378b53d795c4a4dffb4199edd7862f23abaf0203b4b8911ba0569994e101 300a 0608 2a8648ce3d040302 // SHA256withECDSA 0347 003044 0220 60cdb6061e9c22262d1aac1d96d8c70829b2366531dda268832cb836bcd30dfa 0220 631b1459f09e6330055722c8d89b7f48883b9089b88d60d1d9795902b30410df ``` ### signature ```= 3046 0221 00e90af4bba53ba33ae125e9e4381bdc16a47cc151ca035180ba28046eb5776302 0221 00d8c7df6974138a3c582793a2878b44f4cc11cac6cc18fe94354c0bcb1d8d1cf9 ``` ## login ```= >> 00a4040008 a0000006472f0001 00 // No.985 << 5532465f5632 9000 // "U2F_V2" >> 80120100 00 // deselecting, defined in ctap2 << 6d00 >> 00a4040008 a0000006472f0001 00 // No.1459 << 5532465f5632 9000 // "U2F_V2" >> 8010000001 04 00 // get info, defined in ctap2 << 6d00 ``` ![](https://i.imgur.com/HY2qLJb.png) 這邊control byte是p1 ```= >> 0002070081 // INS=02 ->SIGN , p1=07 SIGN_CHECK_ONLY e2cab13c66a860ae 4bff089be6ca8608 // e2... chanllenge param. 699f15378e49bf56 ea65c327d5e3c9c8 74a6ea9213c99c2f 74b22492b320cf40 // 74... app param. 262a94c1a950a039 7f29250b60841ef0 404cb69d02ba369c 98b9d0c02ba96199 // 4c... key handle bcee9e66a3e61c71 e95adae190bfacd9 f14017420db2ef3e ed6fcd8335482408 20b807a373d36b42 6e3624f8eaaf8b17 8b 00 << 6985 // FIDO_SW_TEST_OF_PRESENCE_REQUIRED >> 0002030081 // INS=02 ->SIGN , p1=03 ENFORCE_PRESENCE_AND_SIGN e2cab13c66a860ae 4bff089be6ca8608 // e2... chanllenge param. 699f15378e49bf56 ea65c327d5e3c9c8 74a6ea9213c99c2f 74b22492b320cf40 // 74... app param. 262a94c1a950a039 7f29250b60841ef0 404cb69d02ba369c 98b9d0c02ba96199 // 4c... key handle bcee9e66a3e61c71 e95adae190bfacd9 f14017420db2ef3e ed6fcd8335482408 20b807a373d36b42 6e3624f8eaaf8b17 8b 00 ``` ![](https://i.imgur.com/UXbPG4L.png) ![](https://i.imgur.com/n5tlc7v.png) ```= << 0100000001304502 205b6cf8bbae7115 // 30... signature 3ea2c0ab502dc21b a361c905bf9db96a cd23a4e7b7a37584 ff022100fa14afff 9c9338353efd9a00 bdfe7a042146dcd5 e1e9f072f6d5f370 42bc701e 9000 >> 80120100 00 << 6d00 ``` ### signature ```= 3045 0220 5b6cf8bbae71153ea2c0ab502dc21ba361c905bf9db96acd23a4e7b7a37584ff 0221 00fa14afff9c9338353efd9a00bdfe7a042146dcd5e1e9f072f6d5f37042bc701e ```