javacard securitydomain

How to customize a newly installed supplementary security domain (SSD)?


I have a sample Java Card supporting a supplementary security domain (SSD), since it has an executable load file (i.e. package) with the AID A0 00 00 01 51 53 50 as described in GlobalPlatform: Card Secure Element Configuration. So I can install an instance of this package with two privileges (Security Domain and Delegated Management) with AID A0 00 00 01 51 53 50 41.

My question arises after installing the SSD. I think first of all I have to set a key set to make this SSD independent from the ISD. So I select the SSD and use the GlobalPlatform PUT KEY command to set a key set with 3 keys and key type 80. What should be the old and new KVN values? The ISD key set has KVN 20, key index 01, 02, 03, key type 80, and key length 80, as I get from the key information template using pyResMan. Now, what should be the key information to PUT KEY for the SSD? How is the SSD forced to use this new key set? What other customizations are needed?


Solution

  • Once you have your SSD installed, to be able to set the new default key set, you should do the following steps:

    1. Select your SSD to open a secure channel (since no keys exist, this will use the key of the ISD or SD ancestor to be able to open the secure channel).
    2. Perform your PUT KEY command with P1=00 (which means you're adding a new key). Then set the KVN to the value you want in the command data.

    Your PUT KEY may look like this: 84D80081 + lc + kvn + 8010des-enckey + 8010des-mackey + 8010des-dekkey

    You can do the same using GlobalPlatformPro as follows:

    gp --sdaid yourSDAID --lock key (if you use the same key, or --lock-mac XXX, --lock-dek XXX, --lock-enc ...XXXX).
    

    Related references from GPC_Card specification v2.3.1: 11.8, 11.8.2.1
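
The PUT KEY layout from the answer above can be checked before it goes to the card. The decoder below is an added example, not part of the original answer or of pyResMan/GlobalPlatformPro. It assumes the GlobalPlatform data field layout (new KVN, then per key: type, length, value, key check value length, key check value) and an 8-byte C-MAC at the end when CLA is 84; `parse_put_key`, `sample_apdu`, the new KVN 30 and all key bytes are constructed for illustration.

```python
# Added example: decode a GlobalPlatform PUT KEY APDU before it is sent.
# Assumed layout: KVN, then per key: type, length, value, KCV length, KCV.

def parse_put_key(apdu: bytes, mac_len: int = 8) -> dict:
    """Decode a short-Lc PUT KEY APDU; mac_len is the assumed C-MAC size."""
    if len(apdu) < 5 or apdu[1] != 0xD8:
        raise ValueError("not a PUT KEY command (INS must be D8)")
    cla, _, p1, p2, lc = apdu[:5]
    body = apdu[5:5 + lc]
    if len(body) != lc:
        raise ValueError("Lc does not match the data length")
    secure = bool(cla & 0x04)  # CLA 84: secure messaging, C-MAC appended
    data = body[:len(body) - mac_len] if secure else body
    if not data:
        raise ValueError("empty data field")
    key_id, pos, keys = p2 & 0x7F, 1, []
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated key component header")
        ktype, klen = data[pos], data[pos + 1]
        kcv_at = pos + 2 + klen
        if kcv_at >= len(data):
            raise ValueError("truncated key value")
        kcv_end = kcv_at + 1 + data[kcv_at]
        if kcv_end > len(data):
            raise ValueError("truncated key check value")
        keys.append({"id": key_id + len(keys), "type": ktype, "length": klen,
                     "kcv": data[kcv_at + 1:kcv_end].hex()})
        pos = kcv_end
    return {"secure_messaging": secure,
            "old_kvn": p1 & 0x7F,            # 00 = adding a new key set
            "more_commands": bool(p1 & 0x80),
            "multiple_keys": bool(p2 & 0x80),
            "new_kvn": data[0],
            "keys": keys}

def sample_apdu() -> bytes:
    """Constructed sample: header 84D80081, new KVN 30, three filler keys."""
    def component(fill: int) -> bytes:
        return bytes([0x80, 0x10]) + bytes([fill]) * 16 + bytes.fromhex("03aabbcc")
    data = bytes([0x30]) + b"".join(component(f) for f in (0x11, 0x22, 0x33))
    data += bytes(8)  # placeholder for the C-MAC, not a real MAC
    return bytes.fromhex("84D80081") + bytes([len(data)]) + data

if __name__ == "__main__":
    print(parse_put_key(sample_apdu()))
```

In a real secure channel session the key values in the data field are encrypted under the session DEK, so the decoder confirms the structure, KVN and key identifiers rather than the key material itself.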