Keys
The `gp` command line tool (and all command samples) use the `40..4F` test key (the 16-byte key `404142434445464748494A4B4C4D4E4F`) by default. This is convenient for development and testing, as one does not need to specify the key information repeatedly, which keeps command line usage simple. For real life cards and real life usage scenarios you will need the real, per-card keys.
If you do not have the keys, do not ask for help, but ask your card vendor for the keys instead. Only the card vendor can help you.
You need three keys to make use of the card manager with SCP01, SCP02 or SCP03: ENC, MAC and DEK. If you have the actual keys and they are all different, you can specify them with `-key-enc`, `-key-mac` and `-key-dek` on the command line. Alternatively, if there is just a single key (as is assumed by the default test key with the value `40..4F`) you can use `-key` to specify it. If using a single key, `-kcv` can be used to specify the Key Check Value, which is often provided by vendors; the tool can then verify that the key you typed matches the one the vendor meant before it is used against the card.
Alternatively, if `$GP_KEY_ENC`, `$GP_KEY_MAC` and `$GP_KEY_DEK` are set in the environment, those values will be used. Specifying keys on the command line overrides the environment.
Key diversification is the process of deriving per-card keys from a master key using some card-specific unique data. This way each card has different keys, so a key recovered from one card does not open the others.
While the response to the INITIALIZE UPDATE command includes key diversification data, the unique input is chosen by the card issuer; it could be the full name of the cardholder, for example. Similarly, the cryptographic algorithm and the way the card-specific data is shuffled and combined with key type constants are not strictly standardised. There are well known methods and also proprietary methods (security through obscurity). Thus, even if you know the master key but not the diversification method, the master key alone might not be very useful.
GlobalPlatformPro supports three diversification methods for plaintext keys:
- EMV (`-emv`)
- VISA2 (`-visa2`)
- SCP03 KDF (`-kdf3`)
If you do not know the diversification algorithm, do not ask for help, but ask your card vendor for information and specification. Only the card vendor can help you.
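As an added example (not part of this page and not GlobalPlatformPro's own code), the following Java program derives per-card ENC, MAC and DEK keys from a master key with the EMV CPS and VISA2 derivation data layouts and computes the Key Check Value (KCV) that vendors usually ship next to a key. The derivation data layouts, the key type constants (ENC=1, MAC=2, DEK=3), the KCV definition (first 3 bytes of 3DES-ECB over 8 zero bytes), the class name and the sample INITIALIZE UPDATE data are assumptions taken from the publicly described methods; check them against the tool's own implementation before relying on the output. The SCP03 KDF (`-kdf3`) is not shown.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example, not GlobalPlatformPro code: EMV CPS and VISA2 key
// diversification with 3DES, plus KCV computation and checking.
public class KeyDiversificationExample {

    // Key type constants placed into the derivation data (assumption: ENC=1, MAC=2, DEK=3).
    public static final byte ENC = 0x01, MAC = 0x02, DEK = 0x03;

    // EMV CPS layout (assumed): the 6 rightmost bytes of the 10-byte key
    // diversification data (KDD) from the INITIALIZE UPDATE response, used twice,
    // each copy followed by F0/0F and the key type.
    public static byte[] emvDerivationData(byte[] kdd, byte keyType) {
        byte[] d = new byte[16];
        System.arraycopy(kdd, 4, d, 0, 6);
        d[6] = (byte) 0xF0;
        d[7] = keyType;
        System.arraycopy(kdd, 4, d, 8, 6);
        d[14] = (byte) 0x0F;
        d[15] = keyType;
        return d;
    }

    // VISA2 layout (assumed): KDD bytes 0-1 and 4-7, again twice with F0/0F and key type.
    public static byte[] visa2DerivationData(byte[] kdd, byte keyType) {
        byte[] d = new byte[16];
        System.arraycopy(kdd, 0, d, 0, 2);
        System.arraycopy(kdd, 4, d, 2, 4);
        d[6] = (byte) 0xF0;
        d[7] = keyType;
        System.arraycopy(kdd, 0, d, 8, 2);
        System.arraycopy(kdd, 4, d, 10, 4);
        d[14] = (byte) 0x0F;
        d[15] = keyType;
        return d;
    }

    // javax.crypto wants a 24-byte DESede key: expand a 16-byte 2-key 3DES key as K1|K2|K1.
    static SecretKeySpec des3Key(byte[] key16) {
        if (key16.length != 16) throw new IllegalArgumentException("expected a 16-byte 2-key 3DES key");
        byte[] k24 = Arrays.copyOf(key16, 24);
        System.arraycopy(key16, 0, k24, 16, 8);
        return new SecretKeySpec(k24, "DESede");
    }

    // Derived key = 3DES-ECB(master key, 16-byte derivation data); DES ignores parity bits.
    public static byte[] diversify(byte[] masterKey, byte[] derivationData) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, des3Key(masterKey));
        return c.doFinal(derivationData);
    }

    // KCV of a DES key (assumed definition): first 3 bytes of 3DES-ECB(key, 8 zero bytes).
    public static byte[] kcv(byte[] key16) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, des3Key(key16));
        return Arrays.copyOf(c.doFinal(new byte[8]), 3);
    }

    // Refuse to use a key whose KCV does not match the value the vendor supplied.
    public static void checkKcv(byte[] key16, byte[] expectedKcv) throws Exception {
        if (!Arrays.equals(kcv(key16), expectedKcv))
            throw new IllegalStateException("KCV mismatch: wrong key value or wrong key format");
    }

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // The default GlobalPlatform test key 40..4F, used here as a stand-in master key.
        byte[] master = hex("404142434445464748494A4B4C4D4E4F");
        // Constructed sample: first 10 bytes of an INITIALIZE UPDATE response (not from a real card).
        byte[] kdd = hex("00000123456789ABCDEF");

        // Print the master key's KCV so it can be compared with what the vendor provided,
        // or pass the vendor value as the first argument to have it checked.
        System.out.println("master KCV: " + hex(kcv(master)));
        if (args.length > 0) checkKcv(master, hex(args[0]));

        for (byte t : new byte[]{ENC, MAC, DEK}) {
            byte[] emv = diversify(master, emvDerivationData(kdd, t));
            byte[] visa2 = diversify(master, visa2DerivationData(kdd, t));
            System.out.printf("type %02X  EMV=%s (KCV %s)  VISA2=%s (KCV %s)%n",
                    t, hex(emv), hex(kcv(emv)), hex(visa2), hex(kcv(visa2)));
        }
    }
}
```

Compile and run with `javac KeyDiversificationExample.java && java KeyDiversificationExample`. The three derived values are the per-card keys you would otherwise hand to `-key-enc`, `-key-mac` and `-key-dek`; note how the same master key and the same card data give different keys under EMV and VISA2, which is why the method must be known as well as the master key.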
For keeping master keys in a HSM, fetching per-card keys from a database or for implementing custom key diversification methods, subclass `SessionKeyProvider`. TODO: using custom providers from the command line.