Our Online Store have the new products: RFID antenna board. Currently it can work with JC10M24R and JCOP4 card chips.
Compared with normal cards, the antenna board module has a smaller size and fixed holes, which is easy to integrate in the IOT(Internet Of Things) project.

SCP02 Shared Secret Key Provisioning

Applets Development Guide

Moderator: product

openxdev
Posts: 7
Joined: Tue Jun 22, 2021 11:16 am
Points :158
Contact:

SCP02 Shared Secret Key Provisioning

Post by openxdev » Fri Sep 17, 2021 6:14 am

I have java card that supports SCP02. From what I read from Global platform specification, both host and applet must have the same 3DES key.
What is the right approach to provision the shared key into the applet ? Or supply a seed (e.g card uuid) to the applet during applet load/install and derive the shared secret key using Issuer Security Domain S-ENC key (if this is even possible) ? Thanks.

tay00000
Posts: 161
Joined: Tue Sep 27, 2016 10:58 am
Points :2324
Contact:

Re: SCP02 Shared Secret Key Provisioning

Post by tay00000 » Fri Oct 08, 2021 11:21 pm

It depends on the GP toolkit you are going to use to manage the applets and cards. Each toolkit have their own approaches. You can use open source or freeware GP toolkits (i.e. GlobalPlatformPro, GPShell, pyApdutoolkit) where you have to manually set the keys and decide how you want to derive them.

GlobalPlatformPro gives you access to a CLI interface or you can build a proprietary toolkit on top of GlobalPlatformPro by adding GlobalPlatformPro as a library dependency and then setup a HSM or smartcard to store your master key(s) and use the open source library API to utilize GlobalPlatformPro to derive your card keys and inject them into the card. This is very manual but this is open source project.

GPShell only offers command line toolkit so you have to write scripts manually to derive your own card keys (domain keys) and populate the card.

PyAPDUToolKit is a GUI tool for most part and I am not aware of any API that pyApdutoolkit offers to allow you to build your own toolkit on top of pyApdutoolKit.

If you are using NXP JCOP or Infineon's own proprietary toolkits, its a completely different world there. They offer "vaults" for you to create your own keystore and different automated approaches to populate your cards. The downside is you need to sign NDA with NXP and/or Infineon if you are using their proprietary developer environment and toolkits but they give you GUI and other convenience to diversify your keys and manage your keys for you. I should note that the GUI may require getting used to as I have used them before and decided to revert back to GlobalPlatformPro :S .

I have not mentioned ways to take a master key you have selected to diversify them using different types of key diversification methods. GlobalPlatformPro and may other tools may offer EMV KDF, VISA2 KDF and a whole different host of ways to diversify from a master key to an individual card key. You can even invent on your preferred diversifying method but this will require coding.

Essentially, there is no such thing as a 'right approach'. End of the day, when you communicate with your card over the SCP02/3 channel, you just need the correct card key to communicate and open a SCP channel. You can have a master key and then give your card a UUID or a CAN number which you use a secure hashing algorithm to derive via HMAC or some secure key derivation algorithm the card key using your own master key and the UUID/CAN and some version numbering you can invent.

Something like CardKey = HMAC(Hash=SHA256, Key=MasterKey..., CardID=YourCardID, CardIDVersion=VersionNum);

Then you change out the original card key with the new CardKey (i.e. GlobalPlatformPro offers the -lock option to change the card keys).

I do not go into specifics because different issuers and developers have different approaches so you will need to find your own approach. Either you have to conform to some specifications due to some project requirements or you are developing your own product or project will influence how you deploy your cards securely.

openxdev
Posts: 7
Joined: Tue Jun 22, 2021 11:16 am
Points :158
Contact:

Re: SCP02 Shared Secret Key Provisioning

Post by openxdev » Mon Oct 11, 2021 4:56 am

Thank you so much for the information. I am going with gppro and gpshell.

Post Reply Previous topicNext topic

Who is online

Users browsing this forum: No registered users and 5 guests

JavaCard OS : Disclaimer