Question

I am trying to perform external authentication on a smart card. I got the 8-byte challenge from the card, and then I need to generate the card cryptogram on those 8 bytes. But I don't know how to perform that cryptogram operation (the smartcard tool kit is converting 8 bytes to 72 bytes). The following commands are generated by the tool kit:

  1. 00 A4 04 00 0C A0 00 00 02 43 00 13 00 00 00 01 04
  2. 00 22 41 A4 06 83 01 01 95 01 80
  3. command: 80 84 00 00 08 Response: (8 bytes challenge)
  4. command: 80 82 00 00 48 (72 bytes data)

Can anybody say what the steps are to convert the 8-byte challenge to 72 bytes?


Solution

Conversion is not exactly the right term. You need to apply the cryptographic algorithm with the correct key to the received challenge. I assume that an External Authenticate command is performed, but the strange data field length allows no assumption on the algorithm used. Possibly an external challenge is also provided in the command and session keys are established. Since the assumed Get Challenge command and the External Authenticate command have a class byte indicating a proprietary command, ISO 7816-4 won't help here and you need to refer to the card specification. To get knowledge of the key you probably have to sign a non-disclosure agreement with the card issuer.
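As an added illustration (not part of the original answer or the tool kit), the following Python code decodes the four command APDUs from the question using ISO 7816-4 short-length framing and flags the proprietary class byte the answer refers to. The instruction names shown for the `80` class commands are assumptions, as in the answer, and the 72-byte data field of command 4 is a zero-filled placeholder because the page does not show it.

```python
INS_NAMES = {  # ISO 7816-4 interindustry instruction codes
    0xA4: "SELECT",
    0x22: "MANAGE SECURITY ENVIRONMENT",
    0x84: "GET CHALLENGE",
    0x82: "EXTERNAL AUTHENTICATE",
}

def parse_apdu(hex_str):
    """Split a short-form command APDU into header, data field and Le."""
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("APDU header needs CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    lc, data, le = 0, b"", None
    if len(body) == 1:                      # case 2: header followed by Le only
        le = body[0] or 256
    elif len(body) > 1:                     # case 3 or 4: Lc, data, optional Le
        lc = body[0]
        if lc == 0:
            raise ValueError("extended length is not handled here")
        data = body[1:1 + lc]
        rest = body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the data field length")
        if rest:
            le = rest[0] or 256
    proprietary = bool(cla & 0x80)          # b8 of CLA set: proprietary class
    name = INS_NAMES.get(ins, "unknown")
    if proprietary and name != "unknown":
        name += " (assumed, proprietary class)"
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc,
            "data": data, "le": le, "proprietary": proprietary, "name": name}

# Commands from the question; the 72-byte field of command 4 is not shown on
# the page, so zero bytes stand in for it (constructed placeholder).
COMMANDS = [
    "00 A4 04 00 0C A0 00 00 02 43 00 13 00 00 00 01 04",
    "00 22 41 A4 06 83 01 01 95 01 80",
    "80 84 00 00 08",
    "80 82 00 00 48" + " 00" * 72,
]

if __name__ == "__main__":
    for cmd in COMMANDS:
        a = parse_apdu(cmd)
        print(f"CLA={a['cla']:02X} INS={a['ins']:02X} {a['name']}: "
              f"Lc={a['lc']} Le={a['le']}")
```

The output shows that `48` in command 4 is the Lc byte (0x48 = 72), so the 72 bytes are the data field of the authenticate command; its content is defined by the card specification, not by the APDU framing.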

Licensed under: CC-BY-SA with attribution