Performing PACE PIN authentication using C# and nfc card : Chip Authentication with ECDH

Question

I want to implement Chip Authentication with ECDH in C#.

I have configured je PACE PIN and when i use PlatinumReader with the CAN its work, but i want to implement that on my application. I have pasted a log from the platinumReader about how it's done there. but I am having issues with the DH key exchange, using an elliptic curve.

I decrypted the nonce sent by the chip, but the steps that follow this operation are confusing. I have read manual 9303 part11, but they do not explain how to obtain the public and private ephemeral keys. I have the curve information that i have used in pre-personnalisation of the chip.

# Private ECC key (Generated from a RNG)

d_pace_ecdh_card_private=0029482318BE67844AE13D6C2CD672AE69525F9016496DF15AF141BB26E901EB

prime=FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF

a=FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC

order=FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

b=5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

G_X=basepoint=6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C2964FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Calculate Ecc public key (Q=d_pace_ecdh_card_private*basepoint)

pace_ecdh_public=046CEC918BFBE1198005718DEA22D2139C856B66326B66A8AF769DAADB4D4F439B56A161713158746F8D3117F097972B1F9CB2382E54A3AF2D61FAA30ED1FEF436

LOG PLATINUMREADER

Using PACE algorithm index: 0
PACE Protocol OID: id-PACE-ECDH-GM-AES-CBC-CMAC-128
Protocol: PACE - Start
Info: Version - 2
Info: SharedPasswordType - PIN (0x03)

APDU: SetMSE Pace - Start
APDU: Request
00 22 c1 a4 12 80 0a 04 00 7f 00 07 02 02 04 02 02 83 01 03 84 01 0c                            
APDU: Response  9000
APDU: SetMSE Pace - End
APDU: GeneralAuthentication - Start
APDU: Request 
10 86 00 00 02 7c 00 00
APDU: Response
7c 12 80 10 53 55 da 31 de a7 f3 5b 58 71 ef fe c2 34 45 66 90 00
APDU: GeneralAuthentication - End
Key: z - encrypted nonce (z [PACE]) 
53 55 da 31 de a7 f3 5b 58 71 ef fe c2 34 45 66
Key: K - derived key from shared secret
59 20 1b d2 c1 c3 4b ac c9 83 e7 93 34 1d af e1
Key: nonce - decrypted nonce 
70 87 3d 68 3a 1b 99 59 df 89 6a d2 61 10 b7 bf
Key: D_PICC - original DH domain parameters (D_PICC [PACE])
30 81 e0 02 01 01 30 2c 06 07 2a 86 48 ce 3d 01 01 02 21 00 ff ff ff ff 00 00 00 01 
00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 30 44 04 20 
ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff
ff ff ff fc 04 20 5a c6 35 d8 aa 3a 93 e7 b3 eb bd 55 76 98 86 bc 65 1d 06 b0 cc 53
b0 f6 3b ce 3c 3e 27 d2 60 4b 04 41 04 6b 17 d1 f2 e1 2c 42 47 f8 bc e6 e5 63 a4 40
f2 77 03 7d 81 2d eb 33 a0 f4 a1 39 45 d8 98 c2 96 4f e3 42 e2 fe 1a 7f 9b 8e e7 eb
4a 7c 0f 9e 16 2b ce 33 57 6b 31 5e ce cb b6 40 68 37 bf 51 f5 02 21 00 ff ff ff ff
00 00 00 00 ff ff ff ff ff ff ff ff bc e6 fa ad a7 17 9e 84 f3 b9 ca c2 fc 63 25 51
02 01 01.
Info: Algorithm - ECDH
Passport::performPACE - Generating DH key pair (for generic mapping)
Key: ~DH_PCD_SK - DH ephemeral private key (for generic mapping)
e7 d8 72 d4 21 57 24 6e 0e 24 3e 5d 96 93 4b 79 8a a8 2b 39 d9 d2 b6 c6 a8 24 35 a6
b2 33 b1 e5 
Key: ~DH_PCD_PK - DH ephemeral public key (for generic mapping)
04 4a ef 83 45 4d dd 59 b4 81 24 df cf ad 73 97 9f 67 15 91 bd e3 d8 12 f1 03 a5 4a
52 02 f4 9f 50 85 0e 5d b4 42 94 4a 44 9a d2 4a 50 e7 1c 5b c7 f2 7d 10 34 c7 32 d4
ea 3b 9c 6f 96 20 74 17 bc.
APDU: GeneralAuthenticate - Start
APDU: Request
10 86 00 00 45 7c 43 81 41 04 4a ef 83 45 4d dd 59 b4 81 24 df cf ad 73 97 9f 67 15
91 bd e3 d8 12 f1 03 a5 4a 52 02 f4 9f 50 85 0e 5d b4 42 94 4a 44 9a d2 4a 50 e7 1c
5b c7 f2 7d 10 34 c7 32 d4 ea 3b 9c 6f 96 20 74 17 bc 00

APDU: Response
7c 43 82 41 04 c0 ba 9a 4b ca 30 66 a2 de c5 fc 9b 12 03 15 3e 24 ec 8b 69 c0 23 c2
17 cf a4 66 ad b9 fd c3 cd 39 9f 04 a7 fe db 45 cc c5 df 8e 24 aa da c6 23 d4 ec 81
09 32 6c 28 7f 68 03 93 04 46 eb 49 45 90 00                           
APDU: GeneralAuthenticate - End

Key: ~DH_PK_PICC - DH ephemeral public key of passport (for generic mapping)
04 c0 ba 9a 4b ca 30 66 a2 de c5 fc 9b 12 03 15 3e 24 ec 8b 69 c0 23 c2 17 cf a4 66
ad b9 fd c3 cd 39 9f 04 a7 fe db 45 cc c5 df 8e 24 aa da c6 23 d4 ec 81 09 32 6c 28
7f 68 03 93 04 46 eb 49 45 
Key: DHMappedGenerator - DH shared secret (mapped Generator)
04 5b 92 77 be 2a 64 a3 71 4a 53 11 db 5e d4 8b d1 ca 6b 85 a3 53 c8 8f d6 c6 7d 9e
05 5a 43 89 4d 44 83 c3 46 3f 59 d3 b0 33 ff e0 da 9a 93 32 f9 1f 51 6f de 5c ca a2
cd 85 b5 af 81 7a eb d6 c4 .
Key: ~D - mapped DH domain parameters (~D [PACE])
30 81 e0 02 01 01 30 2c 06 07 2a 86 48 ce 3d 01 01 02 21 00 ff ff ff ff 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 30 44 04 20
ff ff ff ff 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff
ff ff ff fc 04 20 5a c6 35 d8 aa 3a 93 e7 b3 eb bd 55 76 98 86 bc 65 1d 06 b0 cc 53 
b0 f6 3b ce 3c 3e 27 d2 60 4b 04 41 04 6f ab 85 68 33 01 94 d3 ed 31 47
55 15 bc 82 
d8 03 b7 db c7 95 9b e9 06 32 fb be 03 48 8d 83 f8 f6 d7 26 43 a6 c0 20 d2 74 cb c5
1c fb 2e 21 f0 4f fc 1f bb 00 97 6d c1 38 f8 f9 e2 ae 7a 00 88 02 21 00 ff ff ff ff
00 00 00 00 ff ff ff ff ff ff ff ff bc e6 fa ad a7 17 9e 84 f3 b9 ca c2 fc 63 25 51
02 01 01 

Info: DH-KA Algorithm - ECDH
Operations: Passport::performPACE - Generating DH key pair GENERIC
2024-03-08 : Key: ~SK_PCD - DH ephemeral private key (~SK_PCD [PACE])
4b 9d 93 b2 0f af 53 72 4e 6d 21 f8 e7 32 29 77 16 74 e5 c9 e7 fc 8e 3d 7a 86 cd c4
36 e9 65 3f
GENERIC 2024-03-08 : Key: ~PK_PCD - DH ephemeral public key (~PK_PCD [PACE])
04 f0 d0 65 a4 16 54 a3 b7 91 20 38 3f df d6 5a 92 f0 8f a1 db 77 29 85 bd f8 6c 95
20 d1 f6 6c fe 1b 10 4d 0d 4e 88 52 a0 a9 02 96 7d 14 87 bc a5 a5 0d 18 d9 8e f8 5a
51 c3 47 80 26 c2 b0 7c be

GENERIC P21188 T31468 2024-03-08 : APDU:GeneralAuthenticate - Start

GENERIC P21188 T31468 2024-03-08 17:28:58.061: APDU: Request
10 86 00 00 45 7c 43 83 41 04 f0 d0 65 a4 16 54 a3 b7 91 20 38 3f df d6 5a 92 f0 8f
a1 db 77 29 85 bd f8 6c 95 20 d1 f6 6c fe 1b 10 4d 0d 4e 88 52 a0 a9 02 96 7d 14 87
bc a5 a5 0d 18 d9 8e f8 5a 51 c3 47 80 26 c2 b0 7c be 00
GENERIC P21188 T31468 2024-03-08 : APDU: Response
7c 43 84 41 04 18 2f f1 3b 46 7b ea e0 55 51 dc 1b d5 1b 2c 69 3a c4 c3 c7 71 aa dc
5f d3 15 29 a3 3f 72 9e a0 22 cd 80 60 1e 79 09 4f 89 90 5b b5 5d dc 47 d0 43 28 de
ad 9b 68 15 c1 88 d7 35 6b 05 77 2a a4 90 00
GENERIC P21188 T31468 2024-03-08 : APDU: GeneralAuthenticate - End
: Key: ~PK_PICC - DH ephemeral public key of passport (~PK_PICC [PACE])
04 18 2f f1 3b 46 7b ea e0 55 51 dc 1b d5 1b 2c 69 3a c4 c3 c7 71 aa dc 5f d3 15 29
a3 3f 72 9e a0 22 cd 80 60 1e 79 09 4f 89 90 5b b5 5d dc 47 d0 43 28 de ad 9b 68 15
c1 88 d7 35 6b 05 77 2a a4 .
GENERIC P21188 T31468 2024-03-08 : Key: K - DH shared secret (K [PACE])
ae 99 f4 dc f9 44 a4 59 7c 8d 58 bd 7b 32 94 63 c0 d3 eb 62 3d 43 9a 88 89 53 24 8f
93 8e c3 d3 
GENERIC P21188 T31468 2024-03-08 : Key: K_Enc - derived encryption key (K_Enc [PACE])
0d 88 f5 67 7a 4b 90 06 50 39 21 f5 4e e1 cf 50 
GENERIC P21188 T31468 2024-03-08 : Key: K_MAC - derived MAC key (K_MAC [PACE])
bb 65 75 d3 c8 11 d3 ec 1a d4 8e 81 1e ad 9b d4 
Operations: Passport::performPACE - Preparing exchange of PCD authentication tokens
Operations: Passport::performPACE - Preparing exchange of ICC authentication tokens
Key: T_PCD - PCD's calculated authentication token (T_PCD [PACE])
ac 21 04 5b bc 13 6e 3c
Key: T_PICC - PICC's calculated authentication token (T_PICC [PACE])
00 9a 51 40 9e a8 27 47
APDU: GeneralAuthenticate - Start
APDU: Request
00 86 00 00 0c 7c 0a 85 08 ac 21 04 5b bc 13 6e 3c 00                                           
APDU: Response
7c 0a 86 08 00 9a 51 40 9e a8 27 47 90 00
APDU: GeneralAuthenticate - End
Protocol: PACE - End
PACE processing time 00:00:00.281