
CP doesn't reset sequence on SCBK-D fallback #287

@IntrepidEnki

Description

During SC handshake between a LibOSDP CP and an HID reader in INSTALL_MODE, we observe the following:

  1. The CP provides a nonce to be used with the reader’s SCBK in the creation of a cryptogram
  2. The CP fails to verify the cryptogram and falls back to providing the nonce again to be used with the default key in the creation of a cryptogram (but does not change the sequence number)
  3. The HID reader replies with NAK (0x04)

From the v2.2 spec:

"Non-zero sequence numbers support error recovery: the ACU acknowledges the last reply by sending the next command with the incremented sequence number, or it repeats the command without changing the sequence number to request the repeat of the last reply."

and

"Zero forces the PD to discard its last reply and to accept and process the current command."

It seems like in this case, the appropriate action after an invalid cryptogram is to set the sequence number to zero, since we do not want a "repeat of the last reply."

I have attached the following logs as well:

Key exchange capture between CP and HID reader using 3.1.0 release of rust library:

------------------------------------------------------------------------------
Command: CMD_ID (0x61)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=9 CTRL=0x04 SQN=0 SCB=no CHK=CRC16
SCB: (none)
Payload: 00
Trailer: C0 66
Raw: 53 00 09 00 04 61 00 C0 66
------------------------------------------------------------------------------
Response: REPLY_PDID (0x45)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=20 CTRL=0x04 SQN=0 SCB=no CHK=CRC16
SCB: (none)
Payload: 00 06 8E 01 01 1D 59 00 7A 05 3E 00
Trailer: B6 C9
Raw: 53 80 14 00 04 45 00 06 8E 01 01 1D 59 00 7A 05 3E 00 B6 C9
------------------------------------------------------------------------------
Command: CMD_CAP (0x62)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=9 CTRL=0x05 SQN=1 SCB=no CHK=CRC16
SCB: (none)
Payload: 00
Trailer: A3 04
Raw: 53 00 09 00 05 62 00 A3 04
------------------------------------------------------------------------------
Response: REPLY_PDCAP (0x46)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=53 CTRL=0x05 SQN=1 SCB=no CHK=CRC16
SCB: (none)
Payload: 01 00 00 02 00 00 03 01 00 04 04 01 05 02 01 06 00 00 07 00 00 08 01 00 09 01 01 0A 92 03 0B 92 03 0C 00 00 0E 00 00 0F 00 00 10 01 00
Trailer: 4D 8F
Raw: 53 80 35 00 05 46 01 00 00 02 00 00 03 01 00 04 04 01 05 02 01 06 00 00 07 00 00 08 01 00 09 01 01 0A 92 03 0B 92 03 0C 00 00 0E 00 00 0F 00 00 10 01 00 4D 8F
------------------------------------------------------------------------------
Command: CMD_CHLNG (0x76)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=19 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 03 11 01
Payload: D7 64 C8 CC E9 32 55 C4
Trailer: 3B E7
Raw: 53 00 13 00 0E 03 11 01 76 D7 64 C8 CC E9 32 55 C4 3B E7
------------------------------------------------------------------------------
Response: REPLY_CCRYPT (0x76)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=43 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 03 12 01
Payload: 00 06 8E 01 01 59 00 7A F0 17 DC 76 76 87 47 BB 25 E9 22 81 DC 5F C1 3E 4D 76 60 C1 7E 58 64 B1
Trailer: 97 39
Raw: 53 80 2B 00 0E 03 12 01 76 00 06 8E 01 01 59 00 7A F0 17 DC 76 76 87 47 BB 25 E9 22 81 DC 5F C1 3E 4D 76 60 C1 7E 58 64 B1 97 39
------------------------------------------------------------------------------
Command: CMD_CHLNG (0x76)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=19 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 03 11 00
Payload: D7 64 C8 CC E9 32 55 C4
Trailer: 7E 88
Raw: 53 00 13 00 0E 03 11 00 76 D7 64 C8 CC E9 32 55 C4 7E 88
------------------------------------------------------------------------------
Response: REPLY_NAK (0x41)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=9 CTRL=0x04 SQN=0 SCB=no CHK=CRC16
SCB: (none)
Payload: 04
Trailer: 82 F4
Raw: 53 80 09 00 04 41 04 82 F4
------------------------------------------------------------------------------

After applying the following patch to osdp_cp.c:

+++ src/osdp_cp.c
@@ -1180,7 +1181,7 @@
 		if (!ISSET_FLAG(pd, PD_FLAG_SC_USE_SCBKD)) {
 			SET_FLAG(pd, PD_FLAG_SC_USE_SCBKD);
 			LOG_WRN("SC Failed. Retry with SCBK-D");
			return OSDP_CP_STATE_SC_CHLNG;
+			pd->seq_number = -1; osdp_phy_state_reset(pd, true); 
 			return OSDP_CP_STATE_SC_CHLNG;
 		}
 		CLEAR_FLAG(pd, PD_FLAG_SC_USE_SCBKD);
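Review bot: the added line `pd->seq_number = -1; osdp_phy_state_reset(pd, true); ` puts two statements on one line and carries trailing whitespace; split them onto separate lines to match the surrounding style. The first `return OSDP_CP_STATE_SC_CHLNG;` line is shown without a `-` prefix, yet the `@@ -1180,7 +1181,7 @@` counts only add up if it is the removed line; as pasted, the new assignment would sit after an unconditional return and never execute, so confirm the old return was really deleted. It would also help to document whether osdp_phy_state_reset() already resets seq_number (in which case the explicit assignment is redundant) and why `-1` rather than `0` is the value that yields SQN=0 on the next CMD_CHLNG, which is what the capture after the patch shows on the retry.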

We observe the SC handshake complete successfully:

------------------------------------------------------------------------------
Command: CMD_ID (0x61)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=9 CTRL=0x04 SQN=0 SCB=no CHK=CRC16
SCB: (none)
Payload: 00
Trailer: C0 66
Raw: 53 00 09 00 04 61 00 C0 66
------------------------------------------------------------------------------
Response: REPLY_PDID (0x45)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=20 CTRL=0x04 SQN=0 SCB=no CHK=CRC16
SCB: (none)
Payload: 00 06 8E 01 01 1D 59 00 7A 05 3E 00
Trailer: B6 C9
Raw: 53 80 14 00 04 45 00 06 8E 01 01 1D 59 00 7A 05 3E 00 B6 C9
------------------------------------------------------------------------------
Command: CMD_CAP (0x62)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=9 CTRL=0x05 SQN=1 SCB=no CHK=CRC16
SCB: (none)
Payload: 00
Trailer: A3 04
Raw: 53 00 09 00 05 62 00 A3 04
------------------------------------------------------------------------------
Response: REPLY_PDCAP (0x46)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=53 CTRL=0x05 SQN=1 SCB=no CHK=CRC16
SCB: (none)
Payload: 01 00 00 02 00 00 03 01 00 04 04 01 05 02 01 06 00 00 07 00 00 08 01 00 09 01 01 0A 92 03 0B 92 03 0C 00 00 0E 00 00 0F 00 00 10 01 00
Trailer: 4D 8F
Raw: 53 80 35 00 05 46 01 00 00 02 00 00 03 01 00 04 04 01 05 02 01 06 00 00 07 00 00 08 01 00 09 01 01 0A 92 03 0B 92 03 0C 00 00 0E 00 00 0F 00 00 10 01 00 4D 8F
------------------------------------------------------------------------------
Command: CMD_CHLNG (0x76)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=19 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 03 11 01
Payload: 47 8D 7A A0 5D 83 F3 EA
Trailer: A1 76
Raw: 53 00 13 00 0E 03 11 01 76 47 8D 7A A0 5D 83 F3 EA A1 76
------------------------------------------------------------------------------
Response: REPLY_CCRYPT (0x76)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=43 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 03 12 01
Payload: 00 06 8E 01 01 59 00 7A 59 71 8E 91 50 BF 9C 4E 1F 21 A3 58 35 EC 2C 3A 4D AB 94 32 CF D8 3F 81
Trailer: C7 CB
Raw: 53 80 2B 00 0E 03 12 01 76 00 06 8E 01 01 59 00 7A 59 71 8E 91 50 BF 9C 4E 1F 21 A3 58 35 EC 2C 3A 4D AB 94 32 CF D8 3F 81 C7 CB
------------------------------------------------------------------------------
Command: CMD_CHLNG (0x76)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=19 CTRL=0x0C SQN=0 SCB=yes CHK=CRC16
SCB: 03 11 00
Payload: 47 8D 7A A0 5D 83 F3 EA
Trailer: 22 93
Raw: 53 00 13 00 0C 03 11 00 76 47 8D 7A A0 5D 83 F3 EA 22 93
------------------------------------------------------------------------------
Response: REPLY_CCRYPT (0x76)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=43 CTRL=0x0C SQN=0 SCB=yes CHK=CRC16
SCB: 03 12 00
Payload: 00 06 8E 01 01 59 00 7A 23 BB 0C 8D C9 E5 7F 23 5B 0B 9E D4 72 ED A7 43 FC 82 81 56 B4 B1 81 CF
Trailer: 7C F2
Raw: 53 80 2B 00 0C 03 12 00 76 00 06 8E 01 01 59 00 7A 23 BB 0C 8D C9 E5 7F 23 5B 0B 9E D4 72 ED A7 43 FC 82 81 56 B4 B1 81 CF 7C F2
------------------------------------------------------------------------------
Command: CMD_SCRYPT (0x77)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=27 CTRL=0x0D SQN=1 SCB=yes CHK=CRC16
SCB: 03 13 00
Payload: 94 AE EC BF 1B 7C 29 0E BD 96 E2 22 4D C0 49 69
Trailer: D1 8E
Raw: 53 00 1B 00 0D 03 13 00 77 94 AE EC BF 1B 7C 29 0E BD 96 E2 22 4D C0 49 69 D1 8E
------------------------------------------------------------------------------
Response: REPLY_RMAC_I (0x78)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=27 CTRL=0x0D SQN=1 SCB=yes CHK=CRC16
SCB: 03 14 01
Payload: F2 24 68 C0 36 24 F3 CD D6 B7 38 CA 32 66 B1 2E
Trailer: 75 93
Raw: 53 80 1B 00 0D 03 14 01 78 F2 24 68 C0 36 24 F3 CD D6 B7 38 CA 32 66 B1 2E 75 93
------------------------------------------------------------------------------
Command: CMD_KEYSET (0x75)
OSDP: SOM=0x53 ADDR=0x00 (PD=0, CP->PD) LEN=46 CTRL=0x0E SQN=2 SCB=yes CHK=CRC16
SCB: 02 17
Payload: 6F 22 05 33 C8 2F 57 85 AB 2C 27 DF 19 C0 CD 0D 67 7B B7 D5 B2 50 B2 95 A1 7B E0 2A DB 6B B3 DA 51 92 6B A3
Decrypted: 01 10 A7 68 7E 50 3F 69 7B B0 AA 16 FB EB 70 D3 CD FA  [key=SCBK-D]
Trailer: F8 46
Raw: 53 00 2E 00 0E 02 17 75 6F 22 05 33 C8 2F 57 85 AB 2C 27 DF 19 C0 CD 0D 67 7B B7 D5 B2 50 B2 95 A1 7B E0 2A DB 6B B3 DA 51 92 6B A3 F8 46
------------------------------------------------------------------------------
Response: REPLY_ACK (0x40)
OSDP: SOM=0x53 ADDR=0x80 (PD=0, PD->CP) LEN=8 CTRL=0x06 SQN=2 SCB=no CHK=CRC16
SCB: (none)
Payload: (none)
Trailer: 3B CA
Raw: 53 80 08 00 06 40 3B CA
------------------------------------------------------------------------------
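As an added example (not LibOSDP's own code, nor the reporter's), the following Python script parses the CMD_CHLNG/REPLY_CCRYPT frames from the two captures above, verifies their CRC-16 trailers, and classifies the second CMD_CHLNG by the sequence-number rule quoted from the spec: it reports `repeat` for the failing capture (SQN reused while the SCB key selector switched from 0x01 to 0x00, followed by a NAK) and `fresh` for the patched capture (SQN 0). The frame layout, CTRL bit positions and the CRC parameters (poly 0x1021, init 0x1D0F, little-endian trailer) were derived from and checked against the captures; reading the third SCB byte of SCS_11/SCS_12 as the SCBK/SCBK-D selector is an assumption based on the two captures, and all function names are this example's own.

```python
"""Audit an OSDP secure-channel retry: did the CP restart at SQN=0 or reuse the SQN?

Added example, not LibOSDP code.  The raw frames below are copied from the
two captures in the issue (failing run with the 3.1.0 library, then the run
after the patch).  Only CRC-16 frames are handled, which is all these use.
"""
from dataclasses import dataclass

SOM = 0x53
CTRL_SQN_MASK = 0x03   # CTRL bits 0-1: sequence number (0..3)
CTRL_CRC16 = 0x04      # CTRL bit 2: 16-bit CRC trailer instead of 8-bit checksum
CTRL_SCB = 0x08        # CTRL bit 3: Security Control Block follows CTRL
CMD_CHLNG = 0x76
REPLY_CCRYPT = 0x76
REPLY_NAK = 0x41
KEY_SCBK = 0x01        # assumed: 3rd SCB byte of SCS_11 selects the PD's SCBK ...
KEY_SCBKD = 0x00       # ... or the default key SCBK-D

# Frames copied from the issue's captures (CHLNG exchange only).
FAILING = [
    "53 00 13 00 0E 03 11 01 76 D7 64 C8 CC E9 32 55 C4 3B E7",
    "53 80 2B 00 0E 03 12 01 76 00 06 8E 01 01 59 00 7A F0 17 DC 76 76 87 47 BB "
    "25 E9 22 81 DC 5F C1 3E 4D 76 60 C1 7E 58 64 B1 97 39",
    "53 00 13 00 0E 03 11 00 76 D7 64 C8 CC E9 32 55 C4 7E 88",
    "53 80 09 00 04 41 04 82 F4",
]
PATCHED = [
    "53 00 13 00 0E 03 11 01 76 47 8D 7A A0 5D 83 F3 EA A1 76",
    "53 80 2B 00 0E 03 12 01 76 00 06 8E 01 01 59 00 7A 59 71 8E 91 50 BF 9C 4E "
    "1F 21 A3 58 35 EC 2C 3A 4D AB 94 32 CF D8 3F 81 C7 CB",
    "53 00 13 00 0C 03 11 00 76 47 8D 7A A0 5D 83 F3 EA 22 93",
    "53 80 2B 00 0C 03 12 00 76 00 06 8E 01 01 59 00 7A 23 BB 0C 8D C9 E5 7F 23 "
    "5B 0B 9E D4 72 ED A7 43 FC 82 81 56 B4 B1 81 CF 7C F2",
]


def crc16(data: bytes) -> int:
    """OSDP CRC-16: polynomial 0x1021, initial value 0x1D0F, MSB-first, no final XOR."""
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


@dataclass
class Frame:
    to_cp: bool      # ADDR bit 7 set: reply travelling PD -> CP
    pd_addr: int
    sqn: int
    scb: bytes       # whole SCB including its length byte; empty when absent
    code: int        # command or reply code
    payload: bytes
    crc_ok: bool


def parse_frame(raw: bytes) -> Frame:
    """Split one OSDP frame: SOM, ADDR, LEN(le16), CTRL, [SCB], CODE, data, CRC(le16)."""
    if raw[0] != SOM:
        raise ValueError("bad SOM")
    length = raw[2] | (raw[3] << 8)
    if length != len(raw):
        raise ValueError(f"LEN {length} does not match {len(raw)} bytes")
    ctrl = raw[4]
    if not ctrl & CTRL_CRC16:
        raise ValueError("8-bit checksum frames are not handled here")
    pos, scb = 5, b""
    if ctrl & CTRL_SCB:
        scb = raw[pos:pos + raw[pos]]      # first SCB byte is the SCB length
        pos += raw[pos]
    code, payload = raw[pos], raw[pos + 1:length - 2]
    wire_crc = raw[length - 2] | (raw[length - 1] << 8)   # CRC stored low byte first
    return Frame(bool(raw[1] & 0x80), raw[1] & 0x7F, ctrl & CTRL_SQN_MASK,
                 scb, code, payload, crc16(raw[:length - 2]) == wire_crc)


def key_selector(frame: Frame):
    """Assumed meaning of the third SCB byte: 0x01 = SCBK, 0x00 = SCBK-D."""
    return frame.scb[2] if len(frame.scb) >= 3 else None


def audit_chlng_retry(hex_frames):
    """Classify the last CP CMD_CHLNG relative to the one before it.

    sqn_rule follows the v2.2 wording quoted in the issue:
      'fresh'  - SQN 0: PD discards its last reply and processes this command
      'repeat' - same SQN as before: CP is asking for a repeat of the last reply
      'next'   - a different, non-zero SQN: acknowledges the last reply
    """
    frames = [parse_frame(bytes.fromhex(h)) for h in hex_frames]
    chlngs = [f for f in frames if not f.to_cp and f.code == CMD_CHLNG]
    if len(chlngs) < 2:
        return None
    prev, cur = chlngs[-2], chlngs[-1]
    rule = "fresh" if cur.sqn == 0 else ("repeat" if cur.sqn == prev.sqn else "next")
    return {
        "key_switched": key_selector(prev) == KEY_SCBK and key_selector(cur) == KEY_SCBKD,
        "sqn_rule": rule,
        "pd_reply": frames[-1].code,
        "all_crc_ok": all(f.crc_ok for f in frames),
    }


if __name__ == "__main__":
    for name, capture in (("failing", FAILING), ("patched", PATCHED)):
        print(name, audit_chlng_retry(capture))
```

Run it and the failing capture reports `sqn_rule: 'repeat'` with `pd_reply: 0x41` (NAK), while the patched capture reports `sqn_rule: 'fresh'` with `pd_reply: 0x76` (REPLY_CCRYPT); `all_crc_ok` doubles as a transcription check on the pasted hex. The same parser can be pointed at any other LibOSDP capture by pasting its `Raw:` lines into the list.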
