What does it mean that some smart cards support SCP01 and SCP02? And how do you choose between those two? Is it predefined in the security domain, or is there some command to select one or the other?
You may refer to [GlobalPlatform Secure Channel Protocol - SCP02 and SCP03](http://naeemgik.blogspot.com/2017/12/globalplatform-secure-channel-protocol.html) – naeemgik Dec 19 '17 at 06:22
5 Answers
> What does it mean that some smart card support SCP 01 and SCP02?

When you want to install an applet on the card or want to delete some applets, and for some other sensitive operations (changing applets' life-cycles, for example), you need to prove that you are an authenticated guy first (i.e. you need to prove that you are the owner of the card). And also when you want to have an encrypted communication with the card, you need to implement a secure channel. To do that you must do some cryptographic operations. The steps and structure of these operations are mentioned in the GlobalPlatform specifications in detail. Different versions of the GlobalPlatform specifications introduce different mechanisms for authentication. SCP01, SCP02 and SCP03 are the names of these mechanisms (they stand for Secure Channel Protocol 01, 02 and 03). (Other specifications, such as ETSI, introduce other mechanisms too.)

> And how to choose between those two?

Well, typically each card supports only one of these authentication mechanisms after issuance. Old cards support SCP01 and the newer ones support SCP02 or SCP03. Refer to the GlobalPlatform Card Specification, in the Mutual Authentication and Secure Channel sections, for details. Some card manufacturers provide an option to choose the protocol once, in the pre-personalization step. But it is not common for cards.

You can ask your card provider for the SCP change tool. Then use this tool to change SCP according to your requirement.

Unless you are talking about implementing the protocol yourself, you use what your card uses. These days either SCP02 or SCP03.

Commonly used protocols are SCP02, SCP03, SCP80 and SCP81. SCP02 and SCP03 are meant for data security. SCP80 and SCP81 are for transport security. Highly sensitive data such as key information is first protected with the help of data security, and then the APDU (Application Protocol Data Unit) is sent using transport security.

As the question is a little blurred, I will add my own answer here as a summary of the above great answers in order to cater to a wider audience.

The security scheme is first decided by the card provider, and you have to talk to them in order to have your personal choice burned into the card. Once the security scheme is burned inside the card, it will be the card that tells you about it. It will no longer be your choice.

If the security scheme is SCP01, SCP02 or SCP03, you will send INITIALIZE_UPDATE + EXTERNAL_AUTHENTICATE bytes to the card. The card's specific security scheme will be revealed in the response bytes. After identifying the card's current security scheme, your next commands shall be in accordance with this scheme. The schemes' differences are technical and cryptographic in nature, but the intention is the same: to protect what matters most.

The end result is that you will be able to send / receive data to / from the card as promised by the security scheme documentation. These promises boil down to the following basic (mostly human) needs:

- You need to prove your identity to the card and the card needs to prove its identity to you. Otherwise, you will be talking to a different card or the card will be talking to a different external entity. Conceptually like what https does.
- You (or the card) need to encrypt / decrypt whatever is sent / received to / from the card.

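The last answer says the card reveals its scheme in the INITIALIZE UPDATE response. As an added example (not code from any of the answers above), this host-side parser decodes that response according to the GlobalPlatform layouts for SCP01, SCP02 and SCP03 and reports which protocol the Security Domain is running; the field names, the `scp_name` helper and all byte strings are constructed for illustration.

```python
# Added example (not from any answer above): find which Secure Channel Protocol
# a card's Security Domain runs by decoding its INITIALIZE UPDATE response.
# Layouts follow the GlobalPlatform Card Specification (SCP03: Amendment D);
# every byte string here is constructed sample data, not from a real card.
from dataclasses import dataclass
from typing import Optional

@dataclass
class InitUpdateResponse:
    key_div_data: bytes                # 10 bytes identifying card / key set
    key_version: int                   # key version number the SD selected
    scp_id: int                        # 1, 2 or 3
    i_param: Optional[int]             # SCP03 only: the "i" parameter
    sequence_counter: Optional[bytes]  # SCP02: 2 bytes; SCP03: optional 3 bytes
    card_challenge: bytes              # 8 bytes (SCP01/03) or 6 bytes (SCP02)
    card_cryptogram: bytes             # 8 bytes, to be verified by the host

def parse_initialize_update(resp: bytes) -> InitUpdateResponse:
    """Decode an INITIALIZE UPDATE response body (status word already removed)."""
    if len(resp) < 12:
        raise ValueError("response too short to carry key information")
    key_div, key_version, scp_id = resp[:10], resp[10], resp[11]
    if scp_id == 0x01 and len(resp) == 28:
        return InitUpdateResponse(key_div, key_version, 1, None, None,
                                  resp[12:20], resp[20:28])
    if scp_id == 0x02 and len(resp) == 28:
        return InitUpdateResponse(key_div, key_version, 2, None, resp[12:14],
                                  resp[14:20], resp[20:28])
    if scp_id == 0x03 and len(resp) in (29, 32):   # 32 when "i" asks for a counter
        seq = resp[29:32] if len(resp) == 32 else None
        return InitUpdateResponse(key_div, key_version, 3, resp[12], seq,
                                  resp[13:21], resp[21:29])
    raise ValueError(f"unknown/malformed response: id 0x{scp_id:02x}, len {len(resp)}")

def scp_name(resp: bytes) -> str:
    """Convenience wrapper: 'SCP01', 'SCP02' or 'SCP03'."""
    return f"SCP{parse_initialize_update(resp).scp_id:02d}"

# Constructed sample responses, one per protocol (zeros stand in for real data).
SAMPLE_RESPONSES = {
    "SCP01": bytes.fromhex("00" * 10 + "0101" + "11" * 8 + "22" * 8),
    "SCP02": bytes.fromhex("00" * 10 + "FF02" + "0001" + "33" * 6 + "44" * 8),
    "SCP03": bytes.fromhex("00" * 10 + "0103" + "70" + "55" * 8 + "66" * 8 + "000002"),
}

if __name__ == "__main__":
    for label, resp in SAMPLE_RESPONSES.items():
        r = parse_initialize_update(resp)
        print(label, "->", scp_name(resp), "key version", r.key_version)
```

Once the scheme is known, the host computes the EXTERNAL AUTHENTICATE cryptogram and session keys with that scheme's rules; a response whose identifier or length does not match any known layout is rejected rather than guessed at.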