
In the response field of the INITIALIZE UPDATE command, Key Diversification Data (which contains the manufacturer ID and the last two bytes of the security domain AID) is returned to the off-card entity.

I would like to know what this data is used for.

I read somewhere that this key diversification data is used in the derivation of the base keys at the off-card end. I don't know whether this is right or wrong.

If it is right, then how are the base keys derived at the off-card end using this diversification data?

Please provide your suggestions!

Cœur
Bhanu
  • You may have read things somewhere, but have you read the freely available Global Platform specifications? – Maarten Bodewes Mar 04 '14 at 21:58
  • Yes, I read them and I am working with the GlobalPlatform specifications. Basically it is a question about SCP02 and I do not find its answer in the GP 2.2 specification. – Bhanu Mar 06 '14 at 14:27

1 Answer

Key Diversification Data is used to obtain the keys for that card by applying an algorithm to those bytes (which should be unique to the card) using a Master Key.

There are two widely used key derivation algorithms:

  • Visa2
  • EMV-CPS

They are very similar: they take a few of the 10 bytes of the Key Diversification Data from the response to INITIALIZE UPDATE, append a few fixed bytes and then encrypt them with 3DES using the Master Key as the encryption key.

The "fixed bytes" are different, so we get the three SCP02 keys we need:

  • 'F001' gives us the ENC key
  • 'F002' the MAC key
  • 'F003' the DEK key

Hope this helps! It is not described in the GlobalPlatform spec, so it takes a while to learn.

mictter
  • Thank you for your answer, dear mictter. Where are these derivation algorithms (EMV-CPS and Visa2) defined in detail? What happens with a card that doesn't use any derivation algorithm? – Ebrahim Ghasemi Mar 12 '16 at 11:24
  • Hi Abraham, you can download the EMV-CPS specification from https://www.emvco.com/specifications.aspx?id=20 (it is section 4.1 in the long PDF). Both EMV-CPS and Visa2 are implemented in the open source GlobalPlatform library, so you can check the implementation at https://sourceforge.net/projects/globalplatform/files/GlobalPlatform%20Library/GlobalPlatform%20Library%206.0.0/ – mictter Mar 21 '16 at 16:05
  • Dear mictter, the keys that you mentioned in your answer, are they the session keys, or are they the static ENC, MAC and DEK keys that the Secure Channel session keys are created from? – Ebrahim Ghasemi Jun 18 '16 at 14:44
  • Hi Abraham, they are the static ENC, MAC and DEK keys; session keys are further created from them. – stng Nov 17 '17 at 05:11
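The derivation described in the answer, carried through end to end as an added example (this is not code from the answer, from the GlobalPlatform specification or from the GlobalPlatform library): it splits a constructed 28-byte SCP02 INITIALIZE UPDATE response into its fields, builds the 16-byte EMV CPS and Visa2 diversification inputs from the Key Diversification Data plus the 'F0 xx' / '0F xx' tag bytes, and derives the three static keys with two-key 3DES in ECB mode using the Master Key. Assumptions: the byte positions copied out of the KDD (KDD[4..10) for EMV CPS; KDD[0..2) followed by KDD[4..8) for Visa2) follow the open-source GlobalPlatform implementations and should be checked against EMV CPS section 4.1; the master key and the response bytes are constructed sample values, not from a real card; the function and type names are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key-type constants: the trailing byte of the F0xx / 0Fxx tags in the
// derivation input selects which static SCP02 key comes out.
const (
	KeyENC byte = 0x01
	KeyMAC byte = 0x02
	KeyDEK byte = 0x03
)

// InitUpdateResponse holds the fields of a 28-byte SCP02 INITIALIZE UPDATE
// response: 10 bytes key diversification data, 2 bytes key information,
// 2 bytes sequence counter, 6 bytes card challenge, 8 bytes card cryptogram.
type InitUpdateResponse struct {
	KDD             []byte // key diversification data (10 bytes)
	KeyVersion      byte
	SCPIdentifier   byte   // 0x02 for SCP02
	SequenceCounter []byte // 2 bytes
	CardChallenge   []byte // 6 bytes
	CardCryptogram  []byte // 8 bytes
}

// ParseInitUpdate splits the response data (status word already removed).
func ParseInitUpdate(resp []byte) (*InitUpdateResponse, error) {
	if len(resp) != 28 {
		return nil, fmt.Errorf("SCP02 INITIALIZE UPDATE response must be 28 bytes, got %d", len(resp))
	}
	return &InitUpdateResponse{
		KDD: resp[0:10], KeyVersion: resp[10], SCPIdentifier: resp[11],
		SequenceCounter: resp[12:14], CardChallenge: resp[14:20], CardCryptogram: resp[20:28],
	}, nil
}

// DiversificationInput builds the 16-byte block that is encrypted under the
// master key:  card || F0 || kt || card || 0F || kt, where "card" is the six
// KDD bytes the scheme selects (assumed positions, see the lead-in).
func DiversificationInput(scheme string, kdd []byte, kt byte) ([]byte, error) {
	if len(kdd) != 10 {
		return nil, errors.New("key diversification data must be 10 bytes")
	}
	var card []byte
	switch scheme {
	case "emv": // EMV CPS: the six rightmost KDD bytes
		card = kdd[4:10]
	case "visa2": // Visa2: first two bytes plus bytes 4..7
		card = append(append([]byte{}, kdd[0:2]...), kdd[4:8]...)
	default:
		return nil, fmt.Errorf("unknown derivation scheme %q", scheme)
	}
	in := make([]byte, 0, 16)
	in = append(in, card...)
	in = append(in, 0xF0, kt)
	in = append(in, card...)
	in = append(in, 0x0F, kt)
	return in, nil
}

// TDES2KeyECB encrypts a 16-byte input as two independent 8-byte blocks with
// two-key 3DES (K1||K2||K1), i.e. "3DES-ECB with a 16-byte master key".
func TDES2KeyECB(masterKey, in []byte) ([]byte, error) {
	if len(masterKey) != 16 || len(in) != 16 {
		return nil, errors.New("master key and input must both be 16 bytes")
	}
	k24 := append(append([]byte{}, masterKey...), masterKey[:8]...)
	block, err := des.NewTripleDESCipher(k24)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	block.Encrypt(out[:8], in[:8])
	block.Encrypt(out[8:], in[8:])
	return out, nil
}

// StaticKeys are the card-specific static keys; SCP02 session keys are
// derived from these later (with the sequence counter), they are not these.
type StaticKeys struct{ ENC, MAC, DEK []byte }

// DeriveStaticKeys runs the chosen scheme ("emv" or "visa2") for ENC, MAC and DEK.
func DeriveStaticKeys(masterKey, kdd []byte, scheme string) (*StaticKeys, error) {
	derive := func(kt byte) ([]byte, error) {
		in, err := DiversificationInput(scheme, kdd, kt)
		if err != nil {
			return nil, err
		}
		return TDES2KeyECB(masterKey, in)
	}
	var err error
	keys := &StaticKeys{}
	if keys.ENC, err = derive(KeyENC); err != nil {
		return nil, err
	}
	if keys.MAC, err = derive(KeyMAC); err != nil {
		return nil, err
	}
	if keys.DEK, err = derive(KeyDEK); err != nil {
		return nil, err
	}
	return keys, nil
}

func main() {
	// Constructed sample values (not from a real card): a 16-byte master key and
	// a 28-byte INITIALIZE UPDATE response with the status word stripped.
	mk, _ := hex.DecodeString("404142434445464748494A4B4C4D4E4F")
	resp, _ := hex.DecodeString("00000123456789ABCDEF" + "FF02" + "0001" + "A1B2C3D4E5F6" + "0102030405060708")
	iu, err := ParseInitUpdate(resp)
	if err != nil {
		panic(err)
	}
	for _, scheme := range []string{"emv", "visa2"} {
		keys, err := DeriveStaticKeys(mk, iu.KDD, scheme)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s ENC=%X MAC=%X DEK=%X\n", scheme, keys.ENC, keys.MAC, keys.DEK)
	}
}
```

Run it with `go run`. Only the ENC/MAC/DEK outputs are per-card; the master key is the single secret that lets the off-card side regenerate any card's static keys from its KDD, which is why it belongs in an HSM and not next to the application that sends INITIALIZE UPDATE.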